US

The California Privacy Protection Agency (CPPA) Board, created by the California Privacy Rights Act (CPRA), has been busy of late. As we recently reported, the CCPA has hired renowned privacy technologist Ashkan Soltani as its new Executive Director to lead the agency. Meanwhile, the agency’s committees have been hard at work. The Regulations Subcommittee has proposed its framework for its rulemaking process. Notably, the subcommittee recommends an immediate start to pre-rulemaking activities such as issuing an invitation for comments, the creation of additional subcommittees, and the identification of informational hearing topics. A pre-rulemaking process gives the agency flexibility to hear from stakeholders outside of the formal and constrained process that will begin once the regulatory process officially commences. The framework also notes that the notice of proposed rulemaking, initial statement of reasons (ISOR), and text of the regulations should be published in winter 2021-2022, with public hearings taking place thereafter. This suggests that stakeholders have a short window of opportunity to take advantage of the pre-regulatory educational period. It will be interesting to see if the agency conducts the kind of “listening tour” the Office of Attorney General (OAG) went on across the Golden State by means of town halls prior to its California Consumer Privacy Act (CCPA) rulemaking process, or elects to spend its time in more intimate and concerted explorations.
Continue Reading California Privacy Agency Moves Forward With Rulemaking Process

NewspaperAs the trend of state laws granting more privacy and greater control over personal information continues in the US, the fate of privacy bills in Washington State, Oklahoma and Florida serve as a reminder that as with any other issue, political compromise is still a necessity in order for legislation to progress. This is an update on our prior post published on April 5th, analyzing the chances that privacy bills introduced in Washington, Oklahoma, Florida and Connecticut will be enacted.
Continue Reading Washington and Oklahoma Privacy Bills Have Officially Died; Florida’s Privacy Bill is Significantly Amended

Correction to the original article: First American Title Insurance Company is not associated or involved with the March 3, 2021 consent decree between Residential Mortgage and New York Department of Financial Services.

In early March, the New York State Department of Financial Services (“DFS”) entered into a consent order requiring Residential Mortgage Company to pay

Data PrivacyAfter advancing steadily in their respective legislatures the first few months of 2021, the Oklahoma Computer Data Privacy Act has seemingly died, and the Washington Privacy Act may run into similar roadblocks it faced in prior years.

After passing the Oklahoma House in early March, the Oklahoma bill grinded to a halt the first week of April after Oklahoma Senate Majority Leader refused to allow the bill to have a hearing, as confirmed in tweets and in a press conference by one of the bill’s sponsors, Rep. Collin Walke. The bill, which would have required businesses to obtain consumers’ consent for any collection of data and included an opt-in requirement for sale of personal information, garnered bi-partisan support in the House but faced significant industry opposition and was opposed by Republicans in the Oklahoma State Senate. Our team’s prior update on the Oklahoma bill can be found here.
Continue Reading Oklahoma’s Privacy Bill Stalls, Washington Privacy Act’s Watered Down PRoA May Cause Its Demise

A new privacy bill is gaining steam in the Oklahoma legislature.

On March 4, the Oklahoma Computer Data Privacy Act (HB 1602) passed the state House of Representatives by a vote of 85-11.  If enacted in its current form, the bill would take effect on January 1, 2023, at the same as the California Privacy Rights Act and the Virginia Consumer Data Protection Act.
Continue Reading Will Oklahoma Be the Next State to Enact a Comprehensive Privacy Bill?

The Florida state legislature is considering a sweeping data privacy bill introduced by Governor Ron DeSantis in February.  House Bill 969 is the latest state provision to follow in the footsteps of the California Consumer Privacy Act (“CCPA”), the California Privacy Rights Act and the Virginia Consumer Data Protection Act, in giving consumers greater control over how their personal information is used while imposing greater restrictions on companies’ use of that data.
Continue Reading Florida is the Latest State to Consider Comprehensive Data Privacy Legislation

Among the challenges presented by the increasing number of state privacy laws are identifying how consumer rights differ under each of the various laws and operationalizing a workflow for responding to rights requests that ensures compliance with each.  In this post, we will focus on consumers’ “right to delete” under the California Consumer Privacy Act (the “CCPA”), the California Privacy Rights Act, which amends and will essentially replace the CCPA on January 1, 2023 (the “CPRA”), and the Virginia Consumer Data Protection Act (the “VCDPA”). We note that the EU General Data Protection Regulation (“GDPR”) and laws around the world that are being adopted following the GDPR model also contains a right to delete which is quite broad (“right to obtain . . . erasure of personal data concerning him or her”), though subject to a number of exceptions.

Please see our previous posts here, here and here for a broader discussion of the CCPA, CPRA and VCDPA, respectively, including how certain key terms used below are defined.
Continue Reading Consumers’ “Right to Delete” under US State Privacy Laws

NewspaperAs expected, today Virginia Governor Ralph Northam signed the Virginia Consumer Data Protection Act (the “Act”) into law, though the Act will not go into effect until January 1, 2023.  As a result, Virginia becomes the second state in the United States to enact a data privacy law that purports to regulate the collection, use,

This article originally published on February 23, 2021, by the American Bar Association, and is republished here with permission. For more information visit www.americanbar.org.   

The article expands on our original report on the Virginia Consumer Data Protection Act published on February 2, 2021.

Computer securityIn the coming days, Governor Ralph Northam is expected to sign into law the Virginia Consumer Data Protection Act (the “Act”), which, if enacted, will become effective on January 1, 2023. As a result, Virginia would become the second state in the US to enact a holistic data privacy law that purports to regulate the collection, use and disclosure of the personal data of its residents generally.

Overview and Quick Take

In many ways, the Act is similar to the California Consumer Privacy Act (the “CCPA”), the first holistic data privacy law in the US, and to the California Privacy Rights Act (the “CPRA”), which was enacted by ballot referendum in November 2020. It also shares some concepts with the EU’s General Data Privacy Regulation (the “GDPR”).  However, it is sufficiently dissimilar to each of those laws that a business developing a compliance strategy for the Act will not be able to rely solely on its previous compliance efforts in complying with the Act.


Continue Reading Virginia Set to Become Second State to Enact Holistic Data Privacy Law

The on-going state competition to enact comprehensive privacy legislation, triggered by the enactment of the 2018 California Consumer Privacy Act, is heating up in 2021. We recently wrote a post on the recent Virginia developments, but the Commonwealth of Virginia is not alone.

New York was closely watched in privacy circles last year, as approximately 30 privacy bills had been introduced and were discussed during the 2019-2020 session. None of the bills were enacted but state legislators clearly are not giving up.

More than 50 privacy bills have already been introduced in New York this year for consideration during the 2021-2022 session. We have already posted on the New York Biometric Bill, which is very similar to the Illinois Biometric Information Privacy Act (“BIPA”) and includes a private right of action.
Continue Reading Off to the Races: Over 50 Privacy Bills Introduced in the State of New York