Photo of Alan Friel

Alan Friel

The California Privacy Protection Agency (“CPPA” or “Agency”) hosted its first public meeting yesterday following publication of the first draft of proposed regulations (“Regs”) (on May 27) and the initial statement of reasons (“ISOR”) on June 3. Immediately below, we summarize highlights of the meeting held by the CPPA, including taking a further step towards

Legislatures, regulators, and enforcement agencies across the United States and in Germany have turned up the heat on subscription plans within the past year by updating their automatic renewal law (ARL). California and Germany have new ARL requirements starting July 1, 2022. Generally, an automatic renewal or negative option is a paid subscription plan that

Even for companies that are currently California Consumer Privacy Act (CCPA) compliant, the California Privacy Rights Act (CPRA) will present significant new challenges. This is due, in part, to the CPRA’s regulation of the collection, use and disclosure of employee, applicant, independent contractor and other “HR Data” that is currently largely exempt from the CCPA.

In an unexpected move, the California Privacy Protection Agency (the “Agency”) issued draft regulations (“Regs”) mandated by the California Privacy Rights Act (“CPRA”), on Friday May 27 (a day before the Memorial Day weekend, and a day after a public stakeholder meeting in which it gave no indication that the Regs would be issued the

Last week, the Federal Trade Commission (“FTC”) held an open meeting focused on issues related to children’s privacy and those pertaining to the use of endorsements and testimonials in advertising. In the meeting, the FTC adopted a new policy statement targeting data collection practices in educational technology. Further, the FTC proposed amendments to the Guides Concerning the Use of Endorsements and Testimonials in Advertising (“Endorsement Guides”) which would target child-directed marketing. Of note, one of the amendments would recognize that children may react to advertising practices differently than adults and thus advertising practices directed towards children may be treated differently by the FTC compared to those practices directed towards adults.
Continue Reading FTC Targets Children’s Privacy and Stealth Advertising Directed at Children

Google announced it will be rolling out a “Data Safety” section for apps listed on its app marketplace, Google Play, similar to Apple’s Privacy Nutrition Labels. The Data Safety section will provide consumers with a summary of an app’s privacy and security practices, including but not limited to what user data an app “collects” or “shares”. App developers (“Developers”) must complete the Data Safety form by July 20, 2022. Notably, Google has not implemented a tracking opt-in, like Apple Tracking Transparency, in association with the Data Safety initiative. As your app’s Data Safety disclosure will serve as a de facto additional privacy notice of your organization, development and product teams should consult with the legal/privacy counsel as they populate the information. Below, we provide high-level instructions on populating the Data Safety Form (“Form”) and additional Google privacy requirements. If you are interested in further information on this topic, we have detailed guidance on Google Data Safety, as well as Apple’s Privacy Nutrition Labels and App Tracking Transparency requirements, including detailed instructions on how to complete the forms (with screenshots), available for a fixed fee.  
Continue Reading Google to Require Apps to Display “Data Safety” Information by July 20, 2022

Connecticut is gearing up to be the next state with a comprehensive privacy law. On April 28, 2022, the Connecticut General Assembly passed SB 6, “An Act Concerning Personal Data Privacy and Online Monitoring,” which is currently with the governor awaiting signature.  Of the state laws that have passed, SB 6 is most similar to the Colorado Privacy Act (“CPA”), Virginia Consumer Data Protection Act (“CDPA”), and Utah Consumer Privacy Act (“UCPA”). For example, under SB 6, the terms “controller,” “processor,” and “personal data” have similar definitions as under the CPA, CDPA, and UCPA.
Continue Reading Connecticut General Assembly Passes Comprehensive Privacy Bill

On 25 March the US and EU announced “agreement in principle” on a new legal framework for GDPR-compliant transfers of EU personal data to the United States. The agreement reflects US commitment to implementing new safeguards designed to address concerns that led to the July 2020 Schrems II decision of the European Court of Justice

On March 10, 2022, California Attorney General Rob Bonta (Attorney General) published the first official opinion interpreting the California Consumer Privacy Act (CCPA) and concluded that the CCPA’s right to know includes a business’ internally generated inferences about a consumer from either internal or external information sources.

Importantly, the opinion clarifies that inferences made from