On May 21, 2024, with a vote of 25-12, the California Senate passed SB-1446, a bill that would significantly restrict grocery and retail drug stores from providing self-checkout services and adopting new technologies. The bill, introduced on February 16 by Sen. Smallwood-Cuevas, rapidly moved through the California Senate Committee process and now has been sent over to the California Assembly for consideration. Retailers who provide self-checkout for their consumers or are looking to adopt new technologies should review the strict requirements in this bill and prepare to adjust their policies accordingly if the bill moves as swiftly through the California Assembly.Continue Reading California Legislature Looks to Restrict Self-Checkout Technology
California
DoorDash and California Attorney General Reach Settlement Over Privacy Allegations
Following up on announcements of sweeps from late January, last week California Attorney General Rob Bonta announced a settlement with the popular food delivery service DoorDash related to allegations that DoorDash breached the California Consumer Privacy Act (CCPA) and the California Online Privacy Protection Act (CalOPPA). The announcement doubles down on the Attorney General’s reiteration that privacy will continue to be priority for his office, while the new California Privacy Protection Agency (CPPA) is getting up to speed.Continue Reading DoorDash and California Attorney General Reach Settlement Over Privacy Allegations
Jingle All the Algorithms: Automated Decisionmaking Amidst a Blizzard of State Privacy Laws
Decisions, decisions. We are deluged by decisions. What present should I buy? Is the small cheese plate enough for my party guests, or should I go with the large? How much of my bonus should I set aside for retirement this year, or should I up my charitable giving?
Wouldn’t it be nice if we could all get a little technological assistance in making choices this holiday season?Continue Reading Jingle All the Algorithms: Automated Decisionmaking Amidst a Blizzard of State Privacy Laws
California Adopts “Delete Act”: New Requirements for Data Brokers
On October 10, 2023, Governor Gavin Newsom signed into law the California Delete Act, which imposes new requirements on “data brokers.” Because of the California law’s broad definition of the term “data broker,” the law will apply to many businesses that would not typically think of themselves as engaged in buying and selling data. The Delete Act will require such “data brokers” to make new disclosures and, beginning in 2026, respond to bulk deletion requests submitted via a mechanism established by the California Privacy Protection Agency (CPPA), which is likely to prove onerous. Unlike current deletion requests, which are sent on a one-off basis to specific businesses, the Delete Act will require these requests to be honored by all businesses registered with the CPPA as a data broker simultaneously. As a result, data brokers will see a significant increase in the volume of such requests they are required to process. Additionally, beginning in 2028, data brokers will be required to undergo costly third-party compliance audits. Continue Reading California Adopts “Delete Act”: New Requirements for Data Brokers
In Law360, Data, Privacy & Cybersecurity Attorneys Discuss New Draft CPPA Regulations around Cybersecurity Audits and Artificial Intelligence
At its Sept. 8 board meeting, the California Privacy Protection Agency reviewed draft regulations addressing cybersecurity audits and risk assessments. If adopted, the proposed regulations would require many businesses already subject to the California Consumer Privacy Act to conduct new, independent audits of their cybersecurity programs. The proposed regulations would also impose broad rules…
Enforcement of CPRA Regulations Delayed, but CPRA Compliance Still a Priority
Just before the July 4th holiday, the California Superior Court in Sacramento gave businesses struggling to comply with the California Privacy Rights Act (“CPRA”) a small gift by delaying enforcement of the CPRA’s regulations until March of 2024 at the earliest. While helpful in some respects, discussed below, the ruling does not expressly prohibit the California Privacy Protection Agency (“Agency”) from enforcing the underlying text of the CPRA where implementing regulations are not required. Ashkan Soltani, the executive director of the Agency, has been quoted as stating that “significant portions” of the law can still be enforced immediately.
In short, businesses should not assume the Agency will remain idle. CPRA compliance remains a priority, though the Agency has indicated that enforcement is likely to proceed slowly at first—given staffing shortages at the Agency—with an initial emphasis on voluntary compliance. Further clarity on the Agency’s enforcement plans may be forthcoming on July 14, when the Agency is scheduled to hold a board meeting featuring Michael Macko, the Agency’s Deputy Director of Enforcement, who will provide an update on the Agency’s enforcement priorities.Continue Reading Enforcement of CPRA Regulations Delayed, but CPRA Compliance Still a Priority
California Finalizes Privacy Regulations: Enforcement Scheduled to Begin in July 2023
On March 29, 2023, the California Office of Administrative Law (the “OAL”) approved the first substantive set of California Privacy Rights Act (“CPRA”) regulations from the California Privacy Protection Agency (the “CPPA”), which we addressed in a previous blog. Those regulations went into effect immediately. As discussed in a recent episode of Ropes & Gray’s privacy podcast, The Data Day, the CPPA has also begun consideration of an additional set of regulations that would implement other CPRA requirements, issuing an Invitation for Preliminary Comments on Proposed Rulemaking Cybersecurity Audits, Risk Assessments, and Automated Decisionmaking. Enforcement of the CPRA, including its implementing regulations, is scheduled to begin on July 1, 2023. However, on March 30, 2023—just one day after the OAL approved the CPPA’s regulations—the California Chamber of Commerce announced that it had filed suit in Sacramento Superior Court seeking to delay enforcement until 12 months after a final and complete set of regulations has been adopted.Continue Reading California Finalizes Privacy Regulations: Enforcement Scheduled to Begin in July 2023
The Data Day: A Deeper Look Into the California Consumer Privacy Act (CCPA) & California Privacy Rights Act (CPRA)
Tune in to the second episode of Ropes & Gray’s podcast series The Data Day, brought to you by the firm’s data, privacy & cybersecurity practice. This series focuses on the day-to-day effects that data has on all of our lives as well as other exciting and interesting legal and regulatory developments in the…
California AG Announces New CCPA Sweep
Just in time for Data Privacy Day, the California attorney general (“California AG”) announced a new round of privacy investigations targeting the retail, travel, and food service industries. The investigative sweep will focus on “popular apps” that allegedly fail to honor consumer requests to opt out of the “sale” of their personal information. The sweep will also review responses to requests sent on behalf of consumers by authorized agents such as the “Permission Slip” application developed by Consumer Reports. Even with the considerable attention owed to the new requirements of the California Privacy Rights Act (“CPRA”)—which amends and expands on the California Consumer Privacy Act (“CCPA”)—along with the significant recent activity by the California Privacy Protection Agency, businesses should not overlook their ongoing obligations to comply with the CCPA prior to the CPRA’s enforcement beginning on July 1, 2023.Continue Reading California AG Announces New CCPA Sweep
Across the Finish Line (Almost): Revised California Consumer Privacy Act Regulations Approved by California Privacy Board
On Friday, February 3, 2023, the California Privacy Protection Agency (the “CPPA”) Board (the “Board”) approved draft regulations issued under the California Consumer Privacy Act, as amended and expanded by the California Privacy Rights Act (together, the “CCPA”). The draft regulations will now go through review by the Office of Administrative Law (the “OAL”), the final step in the rulemaking process before the regulations are scheduled to take effect. The draft agreed upon by the Board is in substantially the same form as the draft regulations published in November 2022 with only minor grammatical and stylistic changes. As such, the draft regulations will have a significant impact on many businesses if approved, adding specifics around the CCPA’s proportionality requirements, contracts with service providers and other third parties, opt-out preference signals, and processes for responding to data subject rights requests. In the same meeting, the Board also requested public comment on topics that are likely to be covered in a new set of regulations from February 10, 2023, through March 27, 2023.Continue Reading Across the Finish Line (Almost): Revised California Consumer Privacy Act Regulations Approved by California Privacy Board