Governor Newsom recently signed two amendments to the CCPA strengthening protections for certain data types. The changes go into effect January 1, 2024.Continue Reading CCPA Amendments Extend Protections to Reproductive Health and Citizenship Status
California’s “Delete Act” Significantly Expands Requirements for Data Brokers
California recently passed a groundbreaking new law aimed at further regulating the data broker industry. California is already one of only three states (along with Oregon and Vermont) that require data brokers—businesses that collect and sell personal information from consumers with whom the business does not have a direct relationship—to meet certain registration requirements.Continue Reading California’s “Delete Act” Significantly Expands Requirements for Data Brokers
The Comprehensive Privacy Law Deluge: Impact on Loyalty Programs
Among the various requirements under US state comprehensive privacy laws, those that relate to loyalty programs may be some of the most confusing. Only three states — California, Colorado and Florida — regulate these programs. How they do this varies, and the level of detail contained in the laws also varies. In California and Florida, the laws’ impact on loyalty programs is in how they define “financial incentives.” These are times when a company “pays” a consumer for their personal information. This might occur with a straight cash payment. More common though, is optimized pricing or providing a higher quality of services in exchange for getting personal information. For those who offer loyalty programs, depending on how they are operated, they may viewed as be financial incentives under these laws. Colorado’s comprehensive privacy law, on the other hand, imposes obligations on companies that operate “bona fide loyalty programs.” These are defined as programs where information is processed solely to provide the program’s benefits. Benefits must be -like in California- better pricing or quality of services.Continue Reading The Comprehensive Privacy Law Deluge: Impact on Loyalty Programs
California Judge Enjoins California Age-Appropriate Design Code Act
A California judge recently entered a temporary injunction delaying the California Age-Appropriate Design Code Act. The trade association, NetChoice, requested the injunction.Continue Reading California Judge Enjoins California Age-Appropriate Design Code Act
What Do the CPPA’s Draft Regulations on Risk Assessments and Cybersecurity Audits Mean for Companies?
The CPPA, the California regulatory body charged with enforcing CCPA, has now issued draft regulations on risk assessments and cybersecurity audits. The draft was released ahead of a public board meeting to discuss those topics (among other things).Continue Reading What Do the CPPA’s Draft Regulations on Risk Assessments and Cybersecurity Audits Mean for Companies?
California Regulator Drives Inquiry into Vehicle Data
The enforcement division of the California Privacy Protection Agency (CPPA) recently announced it intends to review the privacy practices of connected vehicles. The driving force behind the review is the technologies in connected cars that raise privacy concerns. These include location sharing and smartphone integration. Connected cars often also have cameras and web-based entertainment systems. These cars—and the technologies in them—may monitor people both in the car and outside of it. For many Californians, the car is part of their daily routines. Connected vehicles can effectively becoming a constant data generator.Continue Reading California Regulator Drives Inquiry into Vehicle Data
Impact of the Last Minute CCPA-Enforcement Delay
A California court recently issued a ruling delaying the CPPA’s ability to enforce the most recent CCPA regulations until March 29, 2024. This does not delay enforcement of the CCPA statute or existing regulations.Continue Reading Impact of the Last Minute CCPA-Enforcement Delay
The Comprehensive Privacy Law Deluge: Approaching Notice Obligations
When thinking about privacy notice obligations, companies often -incorrectly- leap to the wording in their privacy policies. The new comprehensive state privacy laws are a reminder that notice obligations are a bit broader than mere privacy policies. To the extent that these laws apply to your organization (see our prior applicability post) there are some notice-related obligations to keep in mind.Continue Reading The Comprehensive Privacy Law Deluge: Approaching Notice Obligations
The Comprehensive Privacy Law Deluge: Updating Vendor Contracts
Of the many worries on privacy compliance teams’ lists as we face the onslaught of state “general” privacy laws are the impacts they have on vendor contracts. Fortunately for those who have already had to deal with contracts with vendors (service providers, processors) in California or EU’s GDPR, the impact should be fairly minimal.Continue Reading The Comprehensive Privacy Law Deluge: Updating Vendor Contracts
The Comprehensive Privacy Law Deluge: What to Do About “Profiling”
With a little less than a week before the next US state “comprehensive” privacy laws (Colorado and Connecticut) go into effect, many are reviewing existing practices. One that keeps coming up is the concept of “profiling.” As a reminder, we now have 11 states with comprehensive privacy laws: California, Colorado, Connecticut, Florida, Indiana, Iowa, Montana, Tennessee, Texas, Utah, and Virginia.Continue Reading The Comprehensive Privacy Law Deluge: What to Do About “Profiling”
CPRA Update: Moving Toward Finalization
The California Privacy Protection Agency (CPPA) Board recently met and unanimously voted to finalize the proposed final CPRA regulations. This approved version was first released in January and updated those released in November 2022. Along with the proposed final CPRA regulations, the CPPA published a draft final statement of reasons and appendices containing responses to the comments received during the public comment periods. Continue Reading CPRA Update: Moving Toward Finalization