Photo of Kevin Angle

Find an umbrella. . . . The recent deluge of state-level privacy legislation continues. Legislatures in three additional states—Indiana, Montana, and Tennessee—have adopted comprehensive privacy laws. The Indiana Consumer Data Protection Act (ICDPA) was signed into law on May 1, 2023, making Indiana the seventh state to adopt such a law, and legislatures in Montana and Tennessee have passed legislation that is expected to be signed into law by their respective governors soon. Only one month ago, Iowa became the sixth state to adopt a comprehensive privacy law, and, of course, California, Colorado, Connecticut, Utah, and Virginia each have laws that either are already in effect or that will go into effect later this year. Meanwhile, on April 27, 2023, the governor of Washington signed into law the My Health My Data Act, a significant development that will impact many businesses that collect or process consumer health data (expect an update on this topic here soon).

On March 29, 2023, the California Office of Administrative Law (the “OAL”) approved the first substantive set of California Privacy Rights Act (“CPRA”) regulations from the California Privacy Protection Agency (the “CPPA”), which we addressed in a previous blog. Those regulations went into effect immediately. As discussed in a recent episode of Ropes & Gray’s privacy podcast, The Data Day, the CPPA has also begun consideration of an additional set of regulations that would implement other CPRA requirements, issuing an Invitation for Preliminary Comments on Proposed Rulemaking Cybersecurity Audits, Risk Assessments, and Automated Decisionmaking. Enforcement of the CPRA, including its implementing regulations, is scheduled to begin on July 1, 2023. However, on March 30, 2023—just one day after the OAL approved the CPPA’s regulations—the California Chamber of Commerce announced that it had filed suit in Sacramento Superior Court seeking to delay enforcement until 12 months after a final and complete set of regulations has been adopted.

Just in time for Data Privacy Day, the California attorney general (“California AG”) announced a new round of privacy investigations targeting the retail, travel, and food service industries. The investigative sweep will focus on “popular apps” that allegedly fail to honor consumer requests to opt out of the “sale” of their personal information. The sweep will also review responses to requests sent on behalf of consumers by authorized agents such as the “Permission Slip” application developed by Consumer Reports. Even with the considerable attention owed to the new requirements of the California Privacy Rights Act (“CPRA”)—which amends and expands on the California Consumer Privacy Act (“CCPA”)—along with the significant recent activity by the California Privacy Protection Agency, businesses should not overlook their ongoing obligations to comply with the CCPA prior to the CPRA’s enforcement beginning on July 1, 2023.

On Friday, February 3, 2023, the California Privacy Protection Agency (the “CPPA”) Board (the “Board”) approved draft regulations issued under the California Consumer Privacy Act, as amended and expanded by the California Privacy Rights Act (together, the “CCPA”). The draft regulations will now go through review by the Office of Administrative Law (the “OAL”), the final step in the rulemaking process before the regulations are scheduled to take effect. The draft agreed upon by the Board is in substantially the same form as the draft regulations published in November 2022 with only minor grammatical and stylistic changes. As such, the draft regulations will have a significant impact on many businesses if approved, adding specifics around the CCPA’s proportionality requirements, contracts with service providers and other third parties, opt-out preference signals, and processes for responding to data subject rights requests. In the same meeting, the Board also requested public comment on topics that are likely to be covered in a new set of regulations from February 10, 2023, through March 27, 2023.

In the new year, comprehensive privacy laws go into operation in five states:  California (January 1), Virginia (January 1), Colorado (July 1), Connecticut (July 1), and Utah (December 31).  Subsequent blog posts will cover each of these laws in detail.  In this post, we begin a series analyzing the impact of the California Privacy Rights Act (“CPRA”) in greater depth. 

The CPRA will go into operation on January 1, 2023 and will be enforceable by the newly created California Privacy Protection Agency (“CPPA”) beginning on July 1, 2023. Passed by ballot initiative in November 2020, the CPRA amends and expands the California Consumer Privacy Act (together with the CPRA, the “CCPA/CPRA”), already the most far-reaching privacy legislation currently in operation in the United States. As amended, the CCPA/CPRA expands consumer privacy rights and data processing obligations, creating new rights to limit the use of sensitive personal information and to correct personal information stored by a business. It implements certain “principles of processing” like the purpose limitation, requiring businesses to evaluate their uses of personal information to ensure they are proportionate to the requirements of disclosed business and commercial purposes. It also enhances opt-out rights in the context of cross-context behavioral advertising and requires that businesses enter into new contractual terms with service providers to which they disclose the personal information of California residents.

Data, privacy & cybersecurity partner Ed McNicholas and counsel Kevin Angle authored the USA chapter in Cybersecurity Laws and Regulations 2023. The chapter provides an overview of common issues in cybersecurity laws and regulations, including cybercrime, applicable statutes, prevention of cyber-attacks, sector-specific guidance, corporate governance, litigation, insurance, and investigatory and police powers.


The FTC’s recent publication, FTC Safeguards Rule: What Your Business Needs to Know (the “Guide”), provides a helpful overview of the FTC’s recent Safeguards Rule amendments. The FTC’s Safeguards Rule is applicable to “financial institutions,” such as private funds, subject to the FTC’s jurisdiction but not the jurisdiction of another regulator under the Gramm-Leach-Bliley Act (GLBA). Ropes & Gray has previously reviewed the Safeguards Rule amendments here and here. The Guide does not break any substantial new ground but does provide a useful summary of the Safeguards Rule’s security requirements along with additional details regarding the controls the FTC considers part of a reasonable information security program.

The Guide identifies nine elements of an information security program required under the Safeguards Rule. Companies that maintain personal information regarding fewer than 5,000 consumers are not subject to all of these requirements, as summarized further here. Additionally, companies are not required to have in place all of the controls described until December of this year, but should work toward implementation now, as many will require time-intensive processes.

On April 18, a Ninth Circuit panel reaffirmed its holding that LinkedIn cannot stop hiQ Labs (“hiQ”) from scraping publicly accessible data from its website at this stage of the litigation. In its latest opinion in HiQ Labs, Inc. v. LinkedIn Corporation, the Ninth Circuit ruled that hiQ raised serious questions about whether its scraping of public LinkedIn profile information should be permissible under the Computer Fraud and Abuse Act (“CFAA”). While the court’s opinion was limited to hiQ’s motion for a preliminary injunction prohibiting LinkedIn from preventing hiQ’s scraping, the reasoning and discussion in the court’s opinion suggest that the panel’s position is that scraping publicly accessible data likely does not violate the CFAA.

The CFAA is the most prominent federal anti-hacking statute, and it prohibits, among other things, obtaining information through access to a protected computer system “without authorization” or in a way that “exceeds authorized access.” The bounds of what constitutes a violation of authorization under the CFAA have been a topic of debate in recent cases. Last year, in Van Buren v. United States (previously discussed here and here), the Supreme Court ruled that using information from a computer system for unpermitted purposes would not “exceed authorized access” under the CFAA if the user was otherwise authorized to access that information using the computer.

Less than two weeks after issuing its decision in Van Buren, the Court issued a summary disposition in LinkedIn v. hiQ Labs, LinkedIn’s petition to the Supreme Court to allow it to prevent hiQ from continuing its scraping practices. The Court vacated the Ninth Circuit’s earlier opinion affirming the trial court’s decision to allow the scraping to continue and remanded the case to the Ninth Circuit for further consideration in light of the Van Buren decision. In the opinion issued on April 18, the Ninth Circuit reasoned that the Supreme Court’s reasoning in Van Buren supported the conclusion that the CFAA does not prohibit access to publicly accessible data.

Data, privacy & cybersecurity partners Ed McNicholas and Fran Faircloth and counsel Kevin Angle authored a chapter in Chambers Global Practice Guide Cybersecurity 2022 on “USA Law & Practice and Trends & Developments.” The chapter provides an overview of cybersecurity regulation in the United States and provides insights on the multitude of cybersecurity