In 2022, children’s online privacy and safety has been top of mind in many state legislatures and interest groups, and the California legislature successfully passed legislation focused on children’s privacy. California’s new bipartisan law (AB-2273), the California Age-Appropriate Design Code Act (“CAADCA”), which targets privacy and safety protections for children and teens on online platforms such as TikTok, Instagram, and YouTube, was signed by Governor Gavin Newsom on September 15, 2022, and goes into effect July 1, 2024.

Continue Reading California’s New Children’s Privacy Law is Set to Come into Effect in 2024

In the new year, comprehensive privacy laws go into operation in five states:  California (January 1), Virginia (January 1), Colorado (July 1), Connecticut (July 1), and Utah (December 31).  Subsequent blog posts will cover each of these laws in detail.  In this post, we begin a series analyzing the impact of the California Privacy Rights Act (“CPRA”) in greater depth. 

The CPRA will go into operation on January 1, 2023 and will be enforceable by the newly created California Privacy Protection Agency (“CPPA”) beginning on July 1, 2023. Passed by ballot initiative in November 2020, the CPRA amends and expands the California Consumer Privacy Act (together with the CPRA, the “CCPA/CPRA”), already the most far-reaching privacy legislation currently in operation in the United States.  As amended, the CCPA/CPRA expands consumer privacy rights and data processing obligations, creating new rights to limit the use of sensitive personal information and to correct personal information stored by a business.  It implements certain “principles of processing” like the purpose limitation, requiring businesses to evaluate their uses of personal information to ensure they are proportionate to the requirements of disclosed business and commercial purposes.  It also enhances opt-out rights in the context of cross-context behavioral advertising and requires that businesses enter into new contractual terms with service providers to which they disclose the personal information of California residents.

Continue Reading Companies Wrestle with Compliance in the Lead Up to Effectiveness of the CPRA and Other State Privacy Laws

At a meeting of the California Privacy Protection Agency (“CPPA”) on June 8, we learned additional information about the initial batch of proposed regulations (“Proposed Regulations”) to the California Privacy Rights Act (“CPRA”) that were published on May 27. The Proposed Regulations keep much of the pre-existing California Consumer Privacy Act (“CCPA”) regulations but modify and add some key provisions. Because the CPRA was drafted as an amendment to the CCPA, the Proposed Regulations reference the CCPA (as amended by the CPRA). The Proposed Regulations focus on data subject rights, contractual requirements, and obligations related to disclosures, notices, and consents. Additional proposals will cover cybersecurity audits, privacy risk assessments, and automated decision making, among other areas. While we expect significant changes as the Proposed Regulations proceed through the formal rulemaking process, which the CPPA has not yet officially started, we provide our key takeaways below:

Continue Reading Recent Activity from the California Privacy Protection Agency

The California Attorney General’s office (OAG) recently released its first formal written opinion on the scope of the rights granted to consumers under the California Consumer Privacy Act (CCPA), specifically, the right for a consumer to know about the personal information that a business collects from them. The opinion comes in response to a question submitted by California Assembly member Kevin Kiley as to whether a consumer’s right to know the specific pieces of personal information that a business has collected about that consumer applies to internally generated inferences the business holds about them. The OAG asserted that the right to know does apply to such inferences, albeit with certain key exceptions.

Continue Reading California Attorney General’s Office Releases First Formal CCPA Opinion

As 2021 comes to a close, it is a great time to take stock of the present state of affairs with respect to U.S. privacy laws. With the relatively recent passage of comprehensive privacy laws in California, and additional countries adopting laws that closely follow the principles of the EU’s General Data Protection Regulation (GDPR), along with increasing public concerns regarding how companies manage customers’ personal data, legal practitioners entered 2021 with high hopes that comprehensive federal privacy legislation may finally be on the horizon. Nevertheless, in a trend that is likely to continue in the year ahead, it was the states rather than federal legislatures that successfully added to the ranks of privacy laws with which businesses will soon need to comply.

Continue Reading Momentum Builds for State Privacy Laws but the Possibility of a Federal Law Remains Remote

The Future of US Federal and State Regulation of Data Privacy

During the November 3rd session of Ropes & Gray’s conference, “The Future of Global Data Protection: Conflict or Coherence?” Ropes & Gray partner Chong Park moderated a discussion with Ropes & Gray’s data protection partner Fran Faircloth and Minh Ta, Vice President of Global Governmental Affairs at the Carlyle Group regarding the future of federal and state regulation of data privacy in the United States.

The group all agreed that there should be a comprehensive, US federal data privacy law, but expressed opposing views on the likelihood of such a federal law being implemented in the near future. Minh analogized it to the infrastructure bill debate in the United States, noting that there is bipartisan consensus to address the issue on some level, but the problem lies in the details—i.e., what specifically should be regulated is where people disagree. Fran, on the other hand, expressed a bit more optimism that a federal law on privacy would be passed in the future, but agreed the likelihood of imminent passage is unlikely. She noted that as more states pass their own versions of privacy laws, that eventually as a result a federal law would be passed.

Continue Reading The Future of US Federal and State Regulation of Data Privacy

Preeminent privacy scholar and George Washington University Law School professor, Daniel Solove joined Ropes & Gray’s virtual conference on “The Future of Global Data Protection,” for a wide-ranging discussion with Edward McNicholas, co-leader of the Ropes & Gray data, privacy & cybersecurity practice, in which the pair explored:

  • The state of complexity and inconsistency in the international privacy law landscape
  • The inherent flaws in the models on which privacy laws are currently based
  • The risks of moving toward a regulatory model
  • Theories of harm in data breach cases
  • The role of the courts in adjudicating privacy laws

Please see below for an overview of some of these topics, or to access a recording of the session please visit our blog: RopesDataPhiles.

Continue Reading How Data Breaches Are Shaping the Global Data Protection Debate

BillBuilding on the momentum of the California Consumer Privacy Act (“CCPA”)California Privacy Rights Act (“CPRA”), and the Virginia Consumer Data Protection Act (“CDPA”), and the consideration of similar laws in states like Washington and New York, Minnesota’s legislature is debating HF 36, introduced on January 7, 2021, and HF 1492, introduced on February 22, 2021. Significantly, HF 36 grants consumers a private right of action for any violation of its provisions—something that was considered but not ultimately included in the CCPA, which provides for a private right of action only in the event of a data breach.  In contrast, HF 1492 joins Virginia’s CDPA by relying on regulatory enforcement and generally pursuing  an approach that is closer to Europe’s General Data Protection Regulation (“GDPR”). If passed, HF 36 would take effect on June 30, 2022, and HF 1492, also known as the Minnesota Consumer Data Privacy Act (“MCDPA”) on July 31, 2022.
Continue Reading Minnesota Debates New Privacy Bills

BillFlorida joined the fray of state legislatures vying to become the third state to enact comprehensive data privacy legislation following the passage of Virginia’s Consumer Data Protection Act (“CDPA”). Introduced in February with the support of Governor DeSantis, House Bill 969 (“HB 969”) shared many similarities with the California Consumer Privacy Act (“CCPA”), including a private right of action. At the same time, the previously identical Senate Bill 1734 (“SB 1734”) was recently amended to limit the scope of the law and remove the private right of action.  As with some many other state laws, the Florida bills have died for the present legislative session due to the breakdown over the private cause of action. 
Continue Reading Florida House and Senate Privacy Legislation Fails to Pass

The California Attorney General’s Office of Administrative Law has approved additional amendments to the California Consumer Privacy Act (CCPA) regulations, which went into effect March 15, 2021. A preliminary version of these new regulations were initially to be submitted as part of the CCPA regulations that went into effect on August 14, 2020, but were ultimately removed from that set of regulations. Instead these four new regulations were pulled from the proposal last minute and were not submitted for review, only to be reintroduced in October 2020 (see article here).
Continue Reading Yet Another Round of CCPA Regulations