CPRA

On October 10, 2023, Governor Newsom signed into law SB 362, known as the “California Delete Act” or “Delete Act”, which had been passed by the legislature at the end of the 2023 legislative session on September 14. The Delete Act amends California’s existing Data Broker Registration law (Cal. Civ. Code Section 1798.99.80 et. seq). Among other things, the law imposes additional registration requirements on top of those that already exist, doubles the administrative fine for failure to register, requires the California Privacy Protection Agency (CPPA) to set up a one-stop shop deletion mechanism that allows consumers to make requests to all registered data brokers, and obligates data brokers to access the mechanism every 45 days and process each and every deletion request made by consumers within a prescribed timeframe (including directing all service providers and contractors of the request).Continue Reading California Delete Act Imposes New Obligations on Data Brokers

As many of our readers know, keeping up with new developments in the privacy landscape is sometimes like drinking from a firehose. With respect to privacy enforcement, particularly in California and Colorado, the hose was turned on June 30th and has been running all summer long. This barrage of information has left unanswered questions for many. What does the delay in enforcement of the California Consumer Privacy Act, as amended by the California Privacy Rights Act (CPRA) (together, CCPA) regulations really mean? What am I required to comply with as of today? What are regulators already focusing on in their privacy enforcement efforts this summer?Continue Reading Red Hot Enforcement Summer: No Vacation for California and Colorado Privacy Regulators

As of July 1, four states’ privacy laws will be effective and enforceable – the California Consumer Privacy Act as amended by the California Privacy Rights Act of 2020 (CPRA) (collectively, CCPA), effective since January 1, becomes enforceable on that date; the Virginia Consumer Data Protection Act (VCDPA) has been effective and enforceable since January 1; and, on July 1, the Colorado Privacy Act (CPA) and Connecticut Data Privacy Act (CTDPA) are both effective and enforceable.

There are a number of compliance obligations that overlap among these laws where prior compliance efforts for the original CCPA in 2020, and in relation to its updates for January 1 of this year, will suffice for compliance with the other, non-California laws. This said, Colorado’s regulations, promulgated on March 15, 2023, materially deviate from the CCPA in a number of consequential areas in a way that likely requires companies to revisit their January 2023 privacy notices and practices. Now is also a good time to address CPRA, CPA, CTDPA and VCDPA compliance posture generally. While some businesses plan to wait until their end-of-year review and update process, when they can also assess the many additional state laws that have or will pass this year, delaying compliance until then risks enforcement actions, particularly by California and Colorado regulators (interestingly, Connecticut’s Attorney General recently released an FAQ).

This top-level summary of key considerations outlines the issues we are finding that clients have often overlooked in their January 2023 updates.
Continue Reading Are You July-1-READY? 2023 Privacy Laws and Regulations Call for Revisiting Your 2022 End-of-Year Compliance Efforts

In case you missed it, below are recent posts from Consumer Privacy World covering the latest developments on data privacy, security and innovation. Please reach out to the authors if you are interested in additional information.

Ad Industry Group Modifies Its Compliance Program to Address 2023 US State Privacy Laws | Consumer Privacy World

Online

The Federal Trade Commission (FTC) has released a staff reportBringing Dark Patterns to Light, which discusses misleading and manipulative design practices—dark patterns—in web and mobile apps. These design choices take advantage of users’ cognitive biases to influence their behavior and prevent them from making fully informed decisions about their data and purchases. Dark patterns are employed to get users to surrender their personal information, unwittingly sign up for services, and purchase products they do not intend to purchase. The consequences of dark patterns have been increasingly noticed in the regulatory and legislative sphere, both in the United States and Europe
Continue Reading Dark Patterns under the Regulatory Spotlight Again

The California Consumer Privacy Act (CCPA) currently has limited carve-outs for personal information (PI) collected from a job applicant, employee, owner, director, officer, medical staff member, or independent contractor of a business acting in such capacity (including, without limitation, communications, emergency contact and benefits PI) (HR data). An even broader exception applies to B-to-B communications and related PI (e.g., vendor, supplier and business customer contacts and communications) (B-to-B data). As a result, businesses subject to the CCPA are not currently required to honor CCPA rights requests received from persons concerning HR data and B-to-B data. These carve-outs are set to sunset on January 1, 2023, when the California Privacy Rights Act (CPRA), which substantially amends the CCPA, goes into full effect, at which point HR data and B-to-B data will be fully subject to all of the requirements of the CCPA/CPRA. Many business administrators had hoped that either the California legislature would extend the HR data exceptions (or maybe even make them permanent), or a federal law that limited data subject rights to traditional consumers would pass and preempt CCPA/CPRA. It is now clear that the former is impossible and the latter is highly unlikely. Accordingly, many companies have a lot to do by year-end to prepare to stand up a CCPA/CPRA program for HR data and B-to-B data.
Continue Reading HR and B-to-B Data Compliance Deadline Looming – Legislative Efforts to Extend California Consumer Privacy Act Exemptions Fail

Welcome to the 2022 Q2 edition of the SPB Artificial Intelligence & Biometric Privacy Quarterly Review Newsletter, your go-to source for keeping you in the know on all recent major artificial intelligence (“AI”) and biometric privacy developments that have taken place over the course of the last three months. We invite you to share this resource with your colleagues and visit Squire Patton Boggs’ Data Privacy, Cybersecurity & Digital Assets and Privacy & Data Breach Litigation homepages for more information about our capabilities and team. 

Q2 did not disappoint in the AI and biometric privacy space, with a number of noteworthy litigation, legislative, and regulatory developments having taken place in these two rapidly developing areas of law. Read on to see what has transpired over the last quarter and what you should keep your eyes on as we head into the second half of 2022.Continue Reading SPB 2022 Q2 Artificial Intelligence & Biometric Privacy Quarterly Review Newsletter

Earlier this month CPW’s Kristin Bryan and Kyle Fath presented a webinar on “AI and Biometrics Privacy: Trends and Developments” with the International Association of Privacy Professionals (“IAPP”), the largest global community of privacy professionals.  A recording of that webinar is available to all IAPP members and available (for CPE credit) here.

As summarized

In case you missed it, below are recent posts from Consumer Privacy World covering the latest developments on data privacy, security and innovation. Please reach out to the authors if you are interested in additional information.

OOPS! And Other Takeaways from the First Draft of CPRA Regulations

Start Vetting Your Data Processors! Key Takeaways From

In an unexpected move, the California Privacy Protection Agency (the “Agency”) issued draft regulations (“Regs”) mandated by the California Privacy Rights Act (“CPRA”), on Friday May 27 (a day before the Memorial Day weekend, and a day after a public stakeholder meeting in which it gave no indication that the Regs would be issued the