Search results for: california consumer privacy act

Washington’s My Health My Data Act (“MHMDA”) and Nevada’s SB 370 (“NV CHD Law”) (collectively, “CHD Laws”) went into effect at the end of last month, on March 31, 2024 (as many know, MHMDA’s geofencing prohibition went into effect last summer). Unlike the Health Insurance Portability and Accountability Act (“HIPAA”), a federal law which governs privacy and security in traditional healthcare settings, CHD Laws regulate “consumer health data” or “CHD”– a very broadly defined term as we discuss below and in a prior post – collected by companies in a broad swath of health and non-health related industries alike. Even ancillary purposes like providing accessibility accommodations and defending personal injury claims are enough to trigger the laws. CHD Laws impose restrictions and obligations on regulated entities far more burdensome than state consumer privacy laws, many of which already regulate some of the same health data, and unlike those general consumer privacy laws are not proposed to be preempted by the potential federal America Privacy Rights Act.

As such, compliance programs that businesses may have developed to comply with state consumer privacy laws, such as the California Privacy Protection Act (“CCPA”), will not be sufficient to address the requirements of the CHD Laws, though they can be leveraged such as for consumer rights request and processor management. There are some material differences beyond the scope of the data regulated. For example, businesses must add another website footer link (and potentially elsewhere, such as in mobile apps) and post a separate privacy policy applicable to the processing of CHD. The facilitation of consumer rights must be CHD-specific, for example providing the right to delete just CHD, rather than all personal information. Moreover, businesses that have CHD use cases not within narrow exceptions (e.g., as necessary to provide a requested product or service), which differ somewhat as between the two laws, will have to grapple with the foreboding consent and authorization requirements which, in some cases, could result in subjecting visitors or customers to a litany of notices and pop-ups in an environment already plagued by what some dub as “consent fatigue.”

Continue Reading Are you Ready for Washington and Nevada’s Consumer Health Data Laws?

This week, House Committee on Energy and Commerce Chair Cathy McMorris Rodgers (R-WA) and Senate Committee on Commerce, Science and Transportation Chair Maria Cantwell (D-WA) unveiled their bipartisan, bicameral discussion draft of the American Privacy Rights Act (APRA draft).[1] Chair Rodgers’ and Chair Cantwell’s announcement of the APRA draft surprised many congressional observers after comprehensive privacy legislation stalled in 2022.

Continue Reading April’s APRA: Could Draft Privacy Legislation Blossom into Law in 2024?

Following the lead of Europe, four US states currently require businesses to conduct and document assessments to evaluate and mitigate risks in connection with new and ongoing personal data processing activities, and at least eight additional states will do so between now and the end of 2025. California, which applies its requirements beyond traditional consumers to human resources and business-to-business contexts, requires regulatory filings of assessments (which may end up being in abridged form). On March 8, draft California assessment regulations were moved forward toward preparation for public comment, as detailed here. All of the states give regulators the ability to inspect assessments, which must be retained for that purpose. These new obligations will raise the curtain on companies’ info governance practices for regulators, and thereby necessitate robust data protection programs that are more than “window dressing.” Regulators have been clear about their plans to move to more aggressive enforcement of new state privacy laws, as discussed here and here, and assessments will give them a roadmap to do so.

Continue Reading US Regulators Lift the Curtain on Data Practices With Assessment, Reporting and Audit Requirements

The staff and board of the California Privacy Protection Agency (“CPPA”) have been working for nearly two years on a new set of proposed rulemaking under the California Consumer Privacy Act, as amended by the California Privacy Rights Act  (“CCPA”).  A year ago the current CCPA regulations were finalized, but several complex issues where reserved for further consideration and some proposals were pulled back to ease initial implementation.  Their enforcement was initially enjoined and delayed by a trial court, but a California appeals court reversed that order, including any delay on the effectiveness of future regulations.  New draft regulations were proposed by the CPPA staff and considered but not approved by the CPPA board in Q4 of 2023.  In February 2024 further revised draft regulations were released and considered on March 8 by the CCPA board, which voted 5 to 0 to move forward amendments to the existing regulations and, after a spirited debate, 3 (Urban, Le and Worthe for) to 2 (de la Torre and Mactaggert against) to also move forward with new draft regulations on data risk assessments and data driven technologies, with a direction to staff to add to the requirements for filing abridged assessments with the CPPA a discussion on what safeguards were employed to mitigate risks (with an exception for when disclosure would be a security risk).  In each case the staff was authorized to prepare the materials necessary under administrative procedures laws and regulations to publish a notice of prepared rulemaking, the publication which will be subject to a further Board vote after reviewing the rule making package.  The staff was also authorized to make further edits to the draft regulations to clarify text or conform with law.  Although the motions did not set a firm date for staff to complete that work, the discussions contemplate that it would be done by the July 2024 Board meeting at the latest.  That could result in effective regulations in Q3, though given the complexity and lack of Board consensus year-end is optimistic.

Continue Reading In Narrow Vote California Moves Next Generation Privacy Regs Forward

On March 8, 2024, the California Privacy Protection Agency (“CPPA” or “Agency”) Board (“Board”) will consider draft regulations that set forth how automated decisionmaking technology (“ADMT”) and profiling will be regulated under the California Consumer Privacy Act (“CCPA”).  The proposal includes the regulation of a new concept of “behavioral advertising” that is deemed “extensive profiling” and thus a form of “automated decisionmaking” that has a significant impact on consumers, justifying both a complex, advanced notice and ability for consumers to opt-out.  These would overlap with similar notice and opt-out requirements already in place for “sharing” of personal information for “cross-context behavioral advertising”, which involves use of personal information from more than one party (e.g., cross-site/app/service browsing information, or combinations of first- and third-party data).  The proposal would make cross-context behavioral advertising a subset of the newly defined behavioral advertising, and bring within the scope of these proposed regulations any practice that involves the use of personal information, even exclusively first-party data, for advertising or marketing communications (with limited exceptions, such as where the communication is based solely on a current interaction).  So, presenting a contextual ad or other content about cigars when a site user is reading an article about cigars would seemingly not be behavioral advertising, but remembering that the user is interested in cigars, to later recommend cigar-related products (think e-commerce site recommendations), would be. 

In an op ed article published by Law360, we break down how this diverges from the approach of 12 newer state privacy laws, conflicts with current CCPA provisions (e.g., the current exception from “share” restrictions when the data is made available pursuant to a consumer’s direction) and creates CA-specific burdens for businesses that do not create offsetting benefits for California consumers that would justify the approach.

We will keep you informed on the Agency’s and the Board’s ongoing consideration of this issue and their other CCPA rulemaking activities.  For more information, contact the authors.

Disclaimer: While every effort has been made to ensure that the information contained in this article is accurate, neither its authors nor Squire Patton Boggs accepts responsibility for any errors or omissions. The content of this article is for general information only and is not intended to constitute or be relied upon as legal advice.

Protection for minors online continues to top the list of U.S. regulatory and legislative priorities in 2024. So far in 2024, legislators in California introduced several bills focused on minors; Congress held hearings and advanced federal legislation protecting minors online; and constitutional challenges to 2023 state laws focused on minors’ social networking accounts advanced in the Courts. Congress and the Federal Trade Commission (FTC) are looking to update the Children’s Online Privacy Protection Act and corresponding Rule, as detailed in another post. However, the proposals explained in this post extend far beyond online privacy concerns, and we believe more focus on minors’ online safety is on the way.

Continue Reading Protecting Kids Online: Changes in California, Connecticut and Congress – Part I

Online privacy and safety of children and teens are hot legislative topics this year. In a companion post we provide an update of federal and state legislative efforts to fundamentally change how online content and advertising are delivered to children and teens. We have previously discussed legislation in California and Connecticut to require assessments of online privacy impacts on minors. In this post we focus on proposed regulatory and legislative changes to the 1998 Children’s Online Privacy Protection Act (COPPA) (effective in 2000) and its corresponding regulations (COPPA Rule), which were last updated in 2013.

Continue Reading Federal Children’s Privacy Requirements to Be Updated and Expanded

The Digital Services Act (DSA) entered into full force on 17 February 2024. This is a monumental EU regulation, containing 93 articles and 156 recitals, which is intended to impose:

  • A framework for the conditional exemption from liability of providers of online intermediary services (i.e. companies that are conduits for, cache or host third-party online content)
  • Rules on specific due diligence obligations tailored to certain specific categories of providers of intermediary services
  • Rules on implementation and enforcement, including as regards the cooperation between the competent authorities

It is applicable across the whole EU and EEA, and has extraterritorial reach.

Part of the DSA has already been in force since 2023 for some designated providers. However, since 17 February 2024, the remainder of the DSA now applies to all online intermediary services providers that offer their services in the EU/EEA, regardless of whether or not such providers have an establishment in the EU/EEA. A more detailed overview of the DSA is available on our Digital Markets Regulation page.

VLOPs and VLOSEs

The part of the DSA that was already in operation prior to 17 February applied only to designated “very large online platforms” (VLOPs) and “very large online search engines” (VLOSEs). The current VLOP and VLOSE list includes platforms and search engines such as Amazon Store, App Store, LinkedIn, Facebook, Instagram, Pinterest, Snapchat, X, and Google Search, Google Play, Google Maps, Google Shopping and YouTube. Alibaba, TikTok, and Booking.com are also among the listed platforms and search engines.

Intermediary Services

The remainder of the DSA, which entered into force on 17 February, contains broader rules that are applicable to all“online intermediary services providers” defined as providers of “mere conduit”, “caching” or “hosting services”, whether or not they are established in Europe.

While the DSA may, at first blush, seem to cover only Big Tech, many ordinary and smaller online services, including apps and websites that facilitate the sharing of user generated content, may come under the definition of intermediary services. The definition of “intermediary services” spans a wide range of economic activities that take place online and that develop continually to provide for transmission of information that is swift, safe and secure, and to ensure convenience of all participants of the online ecosystem. For example, “mere conduit” intermediary services include generic categories of services, such as internet exchange points; wireless access points; virtual private networks; domain name system (DNS) services and resolvers; top-level domain name registries and registrars; certificate authorities that issue digital certificates; and voice over IP and other interpersonal communication services, while generic examples of “caching” intermediary services include the sole provision of content delivery networks, reverse proxies or content adaptation proxies. Such services are crucial to ensuring the smooth and efficient transmission of information delivered on the internet. Examples of “hosting services” include categories of services such as cloud computing, web hosting, paid referencing services or services enabling sharing information and content online, including file storage and sharing. Intermediary services may be provided in isolation, as a part of another type of intermediary service, or simultaneously with other intermediary services. Whether a specific service constitutes a “mere conduit”, “caching” or “hosting” service depends solely on its technical functionalities, which might evolve in time, and should be assessed on a case-by-case basis.

Conditional Exemption

The DSA exempts these intermediary services providers from content liability subject to the following conditions:

  • For mere conduit services, the exemption conditions are that the provider “(a) does not initiate the transmission; (b) does not select the receiver of the transmission; and (c) does not select or modify the information contained in the transmission”.
  • For caching services, the exemption conditions are that the provider “(a) does not modify the information; (b) complies with conditions on access to the information; (c) complies with rules regarding the updating of the information, specified in a manner widely recognised and used by industry; (d) does not interfere with the lawful use of technology, widely recognised and used by industry, to obtain data on the use of the information; and (e) acts expeditiously to remove or to disable access to the information it has stored upon obtaining actual knowledge of the fact that the information at the initial source of the transmission has been removed from the network, or access to it has been disabled, or that a judicial or an administrative authority has ordered such removal or disablement”.
  • For hosting services, the exemption conditions are that the provider “(a) does not have actual knowledge of illegal activity or illegal content and, as regards claims for damages, is not aware of facts or circumstances from which the illegal activity or illegal content is apparent; or (b) upon obtaining such knowledge or awareness, acts expeditiously to remove or to disable access to the illegal content”.

This is similar to, but materially different from, the immunity offered to intermediaries under Section 230 of the US Communications Decency Act, and companies familiar with that regime should note the differences. One of the most crucial differences is the obligation of hosting services to act upon knowledge, in order to qualify for the exception, which is not necessary under US law.

Due Diligence Obligations

The DSA imposes specific due diligence obligations (including positive information obligations vis-à-vis consumers and business partners) tailored to each specific category of providers of intermediary services. Concerns about insufficient transparency, the nontraceability of online traders, automated machine-based decision-making, content tailoring, and the excessive power of large intermediaries, permeate the DSA and have significantly shaped these obligations. For an overview of these obligations, check our DSA Compliance Tracker.

New Enforcers and Compliance Roles

The DSA also introduces new enforcers and new compliance roles. For example, each EU member state will designate a digital services coordinator and each intermediary service provider without an EU establishment will need to appoint a representative in an EU member state who will need to be able to liaise with the designated digital services coordinators. One of the sticky practical implementation aspects for this requirement, however, is that the appointed representative will have direct liability for DSA noncompliance, without prejudice to the liability and legal actions that could be initiated against the provider of intermediary services.

International Ramifications

The DSA’s “rights-driven” model of internet governance seeks to chart something of a middle way between the US “market-driven” model and China’s “state-driven” model. Some commentators have described the EU model as more proactive and risk averse than the US model but also more mindful of privacy and individual rights than the China’s model. As an analytical framework, this categorisation is compelling, though it has worrisome implications arising from the dangers of a splinternet.

Because it applies to all intermediary services providers that offer their services to recipients located in the EU/EEA, whether they are established inside or outside the EU/EEA, the DSA will affect US and UK intermediaries servicing the EU/EEA market, an application that suggests that, as has been the case with the EU General Data Protection Regulation (GDPR), some spillover from the EU legislation will be felt in the US and UK. As the GDPR has shown, such spillover can result in US and UK intermediaries being targeted by EU enforcement actions, and in US and UK intermediaries adjusting their operations pursuant to the EU legislation, including inside the US and UK. Spillover may also result in US legislators looking at the EU legislation for thoughts about their own legislative actions in the US; the California Consumer Privacy Act is a prime example of GDPR spillover. The UK has already passed its Online Safety Act on content liability for online intermediary services and its regulator, Ofcom, is said to be cooperating with the EU Commission towards a coherent application of the Online Safety Act and the DSA.

Conclusion

The novel framework introduced by the DSA and its international ramifications present both opportunities and risks for online intermediary services providers active in Europe. To check what you need to do to ensure compliance with the DSA rules that are applicable to all online intermediary services, check our DSA Compliance Tracker or contact the authors.

Disclaimer: While every effort has been made to ensure that the information contained in this article is accurate, neither its authors nor Squire Patton Boggs accepts responsibility for any errors or omissions. The content of this article is for general information only, and is not intended to constitute or be relied upon as legal advice.

Hundreds of lawyers and several privacy regulators from California, Washington State, Oregon, Colorado, Connecticut, and the Federal Trade Commission gathered in Los Angeles last week for the second annual California Lawyers Association Privacy Summit (“Summit”). Among many engaging sessions on pressing topics, the panels with privacy regulators stood out discussions on enforcement priorities and administrative fines and injunctions, along with punchy and newsworthy statements – including that they are “plotting” and that considering the typical investigation presents “hundreds or thousands of violations,” potential fines are “significant.”

Perhaps even more newsworthy is that due to a California Court of Appeal order laid down as the Summit wound down on Friday, the stay in enforcement of the CCPA regulations was lifted. This happened as many companies were treating March 29, 2024, the end of the stay period, as the effective and enforcement date of regulations promulgated under the CPRA’s amendments by the California Privacy Protection Agency. The appeals order also nullifies the year delay in effectiveness of issued CCPA regulations that the trial court had required, making almost certain that CCPA regulations on risk assessments, cybersecurity assessments, and automated decision-making and profiling will be promulgated and in effect sometime this year, perhaps as early as Q2 or Q3.

Will 2024 be the year of privacy enforcement? In view of signaling from California regulators and those in other jurisdictions, and in view of several upcoming effective dates and regulatory deadlines, ongoing enforcement by regulators in California and beyond, and an impending uptick in privacy enforcement, it just might be. Stay tuned for future posts on these issues. Keep reading for more detailed takeaways regarding the Summit.

Continue Reading Potential CCPA Fines “Significant”, California AG’s Office “Plotting” and Other Takeaways From Privacy Regulators during Privacy Summit in Los Angeles

In case you missed it, below are recent posts from Privacy World covering the latest developments on data privacy, security and innovation. Please reach out to the authors if you are interested in additional information.

Ten Things About Artificial Intelligence (AI) for GCs in 2024 | Privacy World

CCPA Regs Effective Immediately, No One-Year Delay for Future Regs: Court of Appeal Sides with California Privacy Protection Agency in Regulations Delay Case | Privacy World

Sensitive Data Processing is in the FTC’s Crosshairs | Privacy World

ASEAN and EU Finalise Implementation Guide for Cross-border Data Transfers | Privacy World

The Product Security and Telecommunications Infrastructure (PSTI) Act FAQ | Privacy World

Connecticut Attorney General Report: CTDPA Enforcement Insights & Takeaways | Privacy World

California Attorney General Announces Industry Investigative Sweep into CCPA Compliance | Privacy World

President Biden Prepares Executive Order to Prohibit Foreign Adversaries’ Access to US Data | Privacy World

New Jersey and New Hampshire Pass Consumer Privacy Laws – and 11 Other States Are Considering Similar Laws | Privacy World

2023 Cybersecurity Year In Review | Privacy World