As we pass the half-way mark of 2022, many are reflecting on their privacy compliance progress. One area that seems to be a constant battle is training. How much is needed? What kind of training? What are expectations from regulators around training?
Continue Reading Privacy and Cybersecurity Training: Addressing Regulatory Concerns
In this third post of our ongoing series, we examine key takeaways for companies in light of the recently released draft CPRA regulations. Today’s focus is on contractual requirements. (Visit here for information about collection and notice under the draft regulations, and here for information about choice.)
Continue Reading What Should We Do About the Draft CPRA Regulations?: Contracts
In this second post in our ongoing series, we examine key takeaways for companies in light of the recently released draft CPRA regulations. Today’s focus is on issues surrounding consumer choice:
Continue Reading What Should We Do About the Draft CPRA Regulations?: Choice
The California Privacy Protection Agency (CPPA) recently released the draft proposed CCPA Regulations and draft initial statement of reasons. Importantly, these are draft regulations that are likely to be
Continue Reading What Should We Do About the Draft CPRA Regulations?: Collection and Notice
The FTC recently reminded companies that principles of fairness and the likelihood of harm may in some cases prompt breach notification. This requirement might exist even if state breach notice
Continue Reading FTC Weighs In On Data Breach Notification
In April, Kentucky (HB 474) and Maryland (SB 207) adopted insurance data security legislation based on the National Association of Insurance Commissioners (NAIC) model law.
Continue Reading Kentucky and Maryland Enact Insurance Data Security Laws
Dark patterns have been a recent regulatory focus. The FTC issued an enforcement policy late last year, and the European Data Protection Board followed suit with guidelines this spring. The
Continue Reading What’s the Big Deal About Dark Patterns?
Connecticut just joined California, Colorado, Utah, and Virginia in passing a comprehensive privacy law. The Connecticut Data Privacy Act (CTDPA) goes into effect July 1, 2023, the same time as Colorado’s very similar law. Companies preparing for these new laws (Virginia goes into effect January 1, 2023 and Utah December 31, 2023) will want to keep in mind the following five things about this fifth general US state privacy law.
Continue Reading Connecticut Fifth State to Pass a Comprehensive Privacy Law
The Colorado AG’s office recently released pre-rulemaking considerations for the Colorado Privacy Act (CPA). The office is seeking informal public feedback on a series of topics. While the AG listed eight specific topics for feedback, the public can offer input on any aspect of the upcoming rulemaking. The AG’s office is interested in comments about the universal opt-out, the requirements around consent, and “dark patterns.” The AG is also interested in circumstances triggering data protection assessments and the requirements around profiling. Questions were also posed about “offline” collection of data. Lastly, the office seeks feedback to the rules around opinion letters and about how CPA compares or contrasts to privacy laws in other jurisdictions.
Continue Reading Colorado AG Seeks Input on Key Aspects of Upcoming Privacy Act
The Virginia privacy law going into effect January 2023 received some minor tweaks this month. In particular, provisions around deletion requests. As originally enacted, the Virginia law mirrored similar provisions in California and Europe, giving individuals the ability to ask for their information to be deleted. As amended, if information that the individual asks to be deleted was obtained “from a source other than the consumer” then the business can treat that deletion request as a request to opt out of targeted advertising, sale, and profiling. The business can also delete the information.
Continue Reading Virginia Tweaks Its Upcoming Privacy Law