Privacy/Data Protection

At its Sept. 8 board meeting, the California Privacy Protection Agency reviewed draft regulations addressing cybersecurity audits and risk assessments. If adopted, the proposed regulations would require many businesses already subject to the California Consumer Privacy Act to conduct new, independent audits of their cybersecurity programs.  The proposed regulations would also impose broad rules

On this episode of the R&G Tech Studio, mergers & acquisitions partner Sarah Young sits down with data, privacy & cybersecurity partner Fran Faircloth to discuss how she advises clients on all aspects of corporate strategy, and whether she thinks artificial intelligence and machine learning will impact her clients in the months and years

With the onslaught of state privacy laws passed earlier this spring and summer, the Texas Data Privacy and Security Act (the “TDPSA”) signed into law on June 18, 2023, may not have received its due.  Although largely following the template set in other states, the Texas law is unique among the non-California comprehensive privacy laws in tying its scoping criteria to the size of a business rather than to a threshold number of data subjects whose information a business processes annually—typically 100,000 state residents.  The company must also (1) conduct business in Texas or produce a product or service consumed in the state and (2) process or “sell” personal data (more on the definition of “sell” below, which would include many disclosures made through online advertising).  As a result, many mid-market businesses that process smaller amounts of data (falling under the 100,000-resident threshold applicable in many states) could still be required to comply.

Continue Reading Texas Data Privacy and Security Act Could Impact More Businesses

Just before the July 4th holiday, the California Superior Court in Sacramento gave businesses struggling to comply with the California Privacy Rights Act (“CPRA”) a small gift by delaying enforcement of the CPRA’s regulations until March of 2024 at the earliest. While helpful in some respects, discussed below, the ruling does not expressly prohibit the California Privacy Protection Agency (“Agency”) from enforcing the underlying text of the CPRA where implementing regulations are not required. Ashkan Soltani, the executive director of the Agency, has been quoted as stating that “significant portions” of the law can still be enforced immediately. 

In short, businesses should not assume the Agency will remain idle. CPRA compliance remains a priority, though the Agency has indicated that enforcement is likely to proceed slowly at first—given staffing shortages at the Agency—with an initial emphasis on voluntary compliance. Further clarity on the Agency’s enforcement plans may be forthcoming on July 14, when the Agency is scheduled to hold a board meeting featuring Michael Macko, the Agency’s Deputy Director of Enforcement, who will provide an update on the Agency’s enforcement priorities.

Continue Reading Enforcement of CPRA Regulations Delayed, but CPRA Compliance Still a Priority

On 22 May 2023, the Irish data protection regulator (DPC) announced that it had issued a record-breaking €1.2 billion fine in a decision relating to non-compliant EU-to-U.S. data transfers under the GDPR. This fine imposed by the DPC substantially overshadows the previous record of €746 million under the GDPR, and raises several concerns for organisations transferring personal data from the EU to the U.S.

Continue Reading From Likes to Strikes: The Implications of the Record-Breaking EU €1.2 Billion GDPR Fine

The debate concerning the UK’s controversial Online Safety Bill (OSB) has continued to rumble on in recent days, with the UK Government reportedly again being warned that there is a real risk that certain messaging apps could be withdrawn from the UK if compromises cannot be reached on a number of issues.  

The OSB, which is currently being debated in the House of Lords, aims to increase the responsibility of social media platforms for their users’ safety.  It is intended to protect both children and adults in various ways.  

Continue Reading Controversy around the UK’s Online Safety Bill continues

Find an umbrella. . . .  The recent deluge of state-level privacy legislation continues.  Legislatures in three additional states—Indiana, Montana, and Tennessee—have adopted comprehensive privacy laws.  The Indiana Consumer Data Protection Act (ICDPA) was signed into law on May 1, 2023, making Indiana the seventh state to adopt such a law, and legislatures in Montana and Tennessee have passed legislation that is expected to be signed into law by their respective governors soon.  Only one month ago, Iowa became the sixth state to adopt a comprehensive privacy law, and, of course, California, Colorado, Connecticut, Utah, and Virginia each have laws that either are already in effect or that will go into effect later his year.  Meanwhile, on April 27, 2023, the governor of Washington signed into law the My Health My Data Act, a significant development that will impact many businesses that collect or process consumer health data (expect an update on this topic here soon).  

Continue Reading When It Rains, It Pours (State Privacy Laws)

A number of encrypted messaging services have signed an open letter calling on the UK Government to reconsider various aspects of the Online Safety Bill (OSB) pending its final reading in the House of Lords, over concerns that the bill could threaten end-to-end encryption.

End-to-end encryption currently delivers a strong level of security for electronic messages, meaning that messages can only be read on the apps of the sender and intended recipient.  

Continue Reading Messaging Apps Call for Re-evaluation of the Online Safety Bill

On February 22, 2023, the Cyberspace Administration of China (“CAC”) promulgated the final version of the Measures for the Standard Contract for Cross-Border Transfer of Personal Information (the “Measures”), along with the final version of the standard contractual clauses for cross-border transfer of personal information stipulated under the Personal Information Protection Law (the “PIPL SCCs”).

On Friday, February 3, 2023, the California Privacy Protection Agency (the “CPPA”) Board (the “Board”) approved draft regulations issued under the California Consumer Privacy Act, as amended and expanded by the California Privacy Rights Act (together, the “CCPA”). The draft regulations will now go through review by the Office of Administrative Law (the “OAL”), the final step in the rulemaking process before the regulations are scheduled to take effect. The draft agreed upon by the Board is in substantially the same form as the draft regulations published in November 2022 with only minor grammatical and stylistic changes. As such, the draft regulations will have a significant impact on many businesses if approved, adding specifics around the CCPA’s proportionality requirements, contracts with service providers and other third parties, opt-out preference signals, and processes for responding to data subject rights requests. In the same meeting, the Board also requested public comment on topics that are likely to be covered in a new set of regulations from February 10, 2023, through March 27, 2023.

Continue Reading Across the Finish Line (Almost): Revised California Consumer Privacy Act Regulations Approved by California Privacy Board