In 2022, children’s online privacy and safety has been top of mind in many state legislatures and interest groups, and the California legislature successfully passed legislation focused on children’s privacy. California’s new bipartisan law (AB-2273), the California Age-Appropriate Design Code Act (“CAADCA”), which targets privacy and safety protections for children and teens on online platforms such as TikTok, Instagram, and YouTube, was signed by Governor Gavin Newsom on September 15, 2022, and goes into effect July 1, 2024.

Continue Reading California’s New Children’s Privacy Law is Set to Come into Effect in 2024

In the new year, comprehensive privacy laws go into operation in five states:  California (January 1), Virginia (January 1), Colorado (July 1), Connecticut (July 1), and Utah (December 31).  Subsequent blog posts will cover each of these laws in detail.  In this post, we begin a series analyzing the impact of the California Privacy Rights Act (“CPRA”) in greater depth. 

The CPRA will go into operation on January 1, 2023 and will be enforceable by the newly created California Privacy Protection Agency (“CPPA”) beginning on July 1, 2023. Passed by ballot initiative in November 2020, the CPRA amends and expands the California Consumer Privacy Act (together with the CPRA, the “CCPA/CPRA”), already the most far-reaching privacy legislation currently in operation in the United States.  As amended, the CCPA/CPRA expands consumer privacy rights and data processing obligations, creating new rights to limit the use of sensitive personal information and to correct personal information stored by a business.  It implements certain “principles of processing” like the purpose limitation, requiring businesses to evaluate their uses of personal information to ensure they are proportionate to the requirements of disclosed business and commercial purposes.  It also enhances opt-out rights in the context of cross-context behavioral advertising and requires that businesses enter into new contractual terms with service providers to which they disclose the personal information of California residents.

Continue Reading Companies Wrestle with Compliance in the Lead Up to Effectiveness of the CPRA and Other State Privacy Laws

In the wake of the Supreme Court’s 2021 decision in Facebook v. Duguid—which held that most smartphones and similar modern technology do not qualify as “automated telephone dialing systems,” under the Telephone Consumer Privacy Act (TCPA)—there has been a spike in state legislative activity aimed at strengthening local telemarketing laws. Florida’s Telephone Solicitation Act (FTSA) became the first state telemarketing law of its kind on July 1, 2021. The FTSA, which does not clearly define the types of automated technology covered by the statute, creates room for a broader interpretation of the types of devices that can qualify as regulated dialing technology. Oklahoma has now become the next state to enact such legislation, the Oklahoma Telephone Solicitation Act (OTSA), which largely mimics the FTSA and came into effect on November 1, 2022.

Continue Reading Oklahoma’s New Restrictive Telemarketing Law: Could Other States Be Next?

On November 9, 2022, the New York Department of Financial Services (“NYDFS”) announced proposed amendments to its Part 500 Cybersecurity Rules (“Proposed Amendments”), revising an initial set of draft amendments released in July 2022. While NYDFS may have relatively limited jurisdiction, its emphasis on rapid breach reporting and data governance have had considerable influence on other U.S. financial services regulators. The current Cybersecurity Rules impose a 72-hour reporting requirement for cybersecurity events, and the Proposed Amendments go farther, creating an additional 24-hour notification obligation in the event a ransomware payment is made. Additionally, the Proposed Amendments create new requirements for larger “Class A” companies, including a risk assessment by an external expert every three years and an independent audit of cybersecurity programs annually.

Continue Reading NYDFS Proposes Significant Amendments to its Cybersecurity Rules

Illinois continues to be a hotbed of privacy litigation, in large part due to Illinois’s landmark Biometric Information Privacy Act (BIPA), which was enacted in 2008. Despite the flood of cases in the wake of Rosenbach v. Six Flags Ent. Corp., 2019 IL 123186, 129 N.E.3d 1197 (Ill. 2019), this is only the first BIPA class action lawsuit to proceed to trial. On October 12, 2022, in Richard Rogers v. BNSF Railway Company (Case No. 19-C-3083, N.D. Ill.), a federal jury in Chicago found in favor of a class of more than 44,000 truck drivers who alleged that BNSF Railway Company (BNSF) violated BIPA by unlawfully scanning employee fingerprints for identity verification purposes without giving notice and obtaining their prior written permission. U.S. District Judge Kennelly entered a judgment against BNSF for $228M in damages. This case highlights many important considerations for organizations deploying biometric technologies in Illinois, including the potential for vicarious liability for a vendor’s actions, and provides valuable insight into how damages in BIPA cases are calculated. This decision from the Illinois court demonstrates that defendants can face significant civil liability in BIPA litigation, and companies using or collecting biometric information should be aware of these risks.

Continue Reading First-Ever BIPA Trial – Jury Awards Staggering $228M in Damages

At a meeting of the California Privacy Protection Agency (“CPPA”) on June 8, we learned additional information about the initial batch of proposed regulations (“Proposed Regulations”) to the California Privacy Rights Act (“CPRA”) that were published on May 27. The Proposed Regulations keep much of the pre-existing California Consumer Privacy Act (“CCPA”) regulations but modify and add some key provisions. Because the CPRA was drafted as an amendment to the CCPA, the Proposed Regulations reference the CCPA (as amended by the CPRA). The Proposed Regulations focus on data subject rights, contractual requirements, and obligations related to disclosures, notices, and consents. Additional proposals will cover cybersecurity audits, privacy risk assessments, and automated decision making, among other areas. While we expect significant changes as the Proposed Regulations proceed through the formal rulemaking process, which the CPPA has not yet officially started, we provide our key takeaways below:

Continue Reading Recent Activity from the California Privacy Protection Agency

On April 28, 2022, the Connecticut General Assembly passed SB 6, the Act Concerning Personal Data Privacy And Online Monitoring (the “Connecticut Privacy Act”) by a vote of 144-5, which puts Connecticut on course to become the fifth state to enact a comprehensive data privacy law, following California, Virginia, Colorado, and Utah. The bill, which passed the state senate 35-0, now awaits the signature of Governor Ned Lamont. If it becomes law, the bulk of the statute is set to take effect July 1, 2023.

The bill passed by Connecticut legislature closely follows the structure of similar laws enacted in other states, giving support to the Colorado legislature’s claim, that “states across the United States are looking to [the Colorado Privacy Act, enacted in 2021] and similar models to enact state-based data privacy requirements and to exercise the leadership that is lacking at the national level.” One of the Connecticut bill’s sponsors and its key proponent in the state senate, Sen. James Maroney, compared the legislation to Colorado’s statute, saying that both SB 6 and the Colorado law are less aggressive than the California Consumer Privacy Act (“CCPA”) but provide more privacy protections that similar bills passed by other states.

Continue Reading Connecticut Becomes the Fifth State to Pass a Comprehensive Data Privacy Law

The California Attorney General’s office (OAG) recently released its first formal written opinion on the scope of the rights granted to consumers under the California Consumer Privacy Act (CCPA), specifically, the right for a consumer to know about the personal information that a business collects from them. The opinion comes in response to a question submitted by California Assembly member Kevin Kiley as to whether a consumer’s right to know the specific pieces of personal information that a business has collected about that consumer applies to internally generated inferences the business holds about them. The OAG asserted that the right to know does apply to such inferences, albeit with certain key exceptions.

Continue Reading California Attorney General’s Office Releases First Formal CCPA Opinion

On March 24, 2022, Utah Governor Spencer Cox signed into law the Utah Consumer Privacy Act (“UCPA”), which was unanimously passed by the state legislature earlier this month. Utah is the fourth U.S. state to pass a comprehensive privacy law, following California, Virginia, and Colorado. The UCPA will go into effect on December 31, 2023.

The Utah law generally resembles the three existing state privacy models, but closely tracks with the Virginia Consumer Data Protection Act (CDPA) and Colorado Privacy Act (CPA), suggesting that states are shifting away from California’s more stringent strand of privacy regulation toward a version that balances the spirit of the EU’s General Data Protection Regulation (GDPR), in terms of purpose limitation and consumer protection, against the need to avoid overly burdening companies. In fact, the UCPA is seen by some as more business-friendly than legislation passed in Virginia and Colorado: Utah’s law does not require businesses to conduct data protection assessments and does not compel companies to provide a mechanism for consumers to appeal denials of requests to exercise personal data rights.

Continue Reading Utah Passes Comprehensive Privacy Law

In a unanimous decision issued on February 3, 2022, the Illinois Supreme Court held in McDonald v. Symphony Bronzeville Park that the Illinois State Workers’ Compensation Act (“WCA”) did not bar claims under the Illinois’ Biometric Information Privacy Act (“BIPA”). In doing so, the court eliminated one significant defense commonly raised in such cases, since many BIPA class actions are brought in the context of employment (many of which were stayed pending the decision in McDonald). Critically, though, the decision does not preclude other potential defenses including claims of federal preemption.

BIPA is one of the most actively litigated privacy statutes in the United States. Among other things, it requires that businesses obtain consent prior to collecting biometric information (fingerprints, facial geometry information, iris scans and the like), issue a publicly available data retention policy, and refrain from certain data sales and disclosures. Because BIPA provides for a private right of action along with statutory damages of $1,000 to $5,000 per violation, it has proved fertile ground for the plaintiff’s bar.

Continue Reading Illinois Supreme Court Finds Illinois Biometric Information Privacy Act Not Preempted By State Workers’ Compensation Law