California Privacy Rights Act (CPRA)

The California Privacy Protection Agency (CPPA) Board, created by the California Privacy Rights Act (CPRA), has been busy of late. As we recently reported, the CCPA has hired renowned privacy technologist Ashka Soltani as its new Executive Director to lead the agency. Meanwhile, the agency’s committees have been hard at work. The Regulations Subcommittee has proposed its framework for its rulemaking process. Notably, the subcommittee recommends an immediate start to pre-rulemaking activities such as issuing an invitation for comments, the creation of additional subcommittees, and the identification of informational hearing topics. A pre-rulemaking process gives the agency flexibility to hear from stakeholders outside of the formal and constrained process that will begin once the regulatory process officially commences. The framework also notes that the notice of proposed rulemaking, initial statement of reasons (ISOR), and text of the regulations should be published in winter 2021-2022, with public hearings taking place thereafter. This suggests that stakeholders have a short window of opportunity to take advantage of the pre-regulatory educational period. It will be interesting to see if the agency conducts the kind of “listening tour” the Office of Attorney General (OAG) went on across the Golden State by means of town halls prior to its California Consumer Privacy Act (CCPA) rulemaking process, or elects to spend its time in more intimate and concerted explorations.
Continue Reading California Privacy Agency Moves Forward With Rulemaking Process

A little noticed provision of new consumer privacy laws in California and Virginia, effective January 2023, is the need for detailed data retention schedules and defensible destruction programs. Partner Alan Friel and Counsel Kyle Fath joined data management professionals on a recent panel at the International Association of Privacy Processional’s annual summit to explain these new requirements and how to prepare for them.  You can watch the recording for free here: Trim Costs, Reduce Risks and Improve Compliance: Data Retention the Right Way

Keep reading for tips on how to develop and implement a data retention program by Kyle Fath and Exterro’s Rebecca Perry.
Continue Reading Robust Data Retention Programs Required By New Laws

We congratulate our friend and colleague Lydia de la Torre on her appointment to the inaugural board for the California Privacy Protection Agency.  “Californians deserve to have their data protected and the individuals appointed today will bring their expertise in technology, privacy and consumer rights to advance that goal,” said Governor Newsom. “These appointees

Among the challenges presented by the increasing number of state privacy laws are identifying how consumer rights differ under each of the various laws and operationalizing a workflow for responding to rights requests that ensures compliance with each.  In this post, we will focus on consumers’ “right to delete” under the California Consumer Privacy Act (the “CCPA”), the California Privacy Rights Act, which amends and will essentially replace the CCPA on January 1, 2023 (the “CPRA”), and the Virginia Consumer Data Protection Act (the “VCDPA”). We note that the EU General Data Protection Regulation (“GDPR”) and laws around the world that are being adopted following the GDPR model also contains a right to delete which is quite broad (“right to obtain . . . erasure of personal data concerning him or her”), though subject to a number of exceptions.

Please see our previous posts here, here and here for a broader discussion of the CCPA, CPRA and VCDPA, respectively, including how certain key terms used below are defined.
Continue Reading Consumers’ “Right to Delete” under US State Privacy Laws

Join us on January 21, 2021 at 12pm EST/9am PST for a complimentary webinar – Understand and Prepare for the California Privacy Rights Act.

Panelists Elliot Golding, Glenn Brown and Lydia de la Torre of our Data Privacy & Cybersecurity Practice will provide an overview of the CPRA and its interplay with the

On November 3, 2020, a majority of Californians voted to approve a new ballot initiative – Proposition 24, or the “California Privacy Rights Act of 2020” (“CPRA”).  We previously issued alerts on the road to certification of this ballot initiative here. Below, we highlight the main points that businesses facing compliance with this new privacy law should bear in mind. We will provide further updates in the days and months to come, drilling down in detail on the provisions of CPRA and the new regulations when they are released for public comment.
Continue Reading Voters Approve California Privacy Rights Act

Following a winding path in the California Legislature, AB-1281 passed the CA Senate on Friday, August 28th, and the Assembly on Sunday, August 30th, and will now go to Governor Newsom for his signature. Governor Newson is not expected to veto the bill. AB-1281 amends the California Consumer Privacy Act (CCPA), extending the business-to-business and personnel/applicant carve-outs through January 1, 2022.
Continue Reading CCPA Business-to-Business and Personnel Carve-Out Extension Clears California Legislature

In a recent blog post we reported that the advocacy group behind CPRA, Californians for Consumer Privacy, was going to court in an effort to prevent their plans to put the California Privacy Rights Act (“CPRA”) to a referendum vote in November from being derailed by a delay in the reporting of signature counts. A Writ of Mandate that was filed by the advocacy group led to a hearing before the Sacramento Superior Court, which took place on Friday, June 19, 2020.
Continue Reading Court Order Means CPRA Likely to Make November Ballot