California Privacy Rights Act (CPRA)

Following up on announcements of sweeps from late January, last week California Attorney General Rob Bonta announced a settlement with the popular food delivery service DoorDash related to allegations that DoorDash breached the California Consumer Privacy Act (CCPA) and the California Online Privacy Protection Act (CalOPPA). The announcement doubles down on the Attorney General’s reiteration that privacy will continue to be priority for his office, while the new California Privacy Protection Agency (CPPA) is getting up to speed.Continue Reading DoorDash and California Attorney General Reach Settlement Over Privacy Allegations

On February 9, 2024, a California state court of appeal unanimously vacated a lower court ruling, green-lighting the California Privacy Protection Agency’s authority to commence enforcement of the Agency’s first set of regulations. Until now, the Agency’s authority to enforce regulations it has promulgated under the California Consumer Privacy Act (“CCPA”) has been delayed. The Agency had been poised to begin enforcing its latest batch of completed privacy regulations on July 1, 2023, but a trial court’s ruling put this work on hold until March 29, 2024. That hold has now evaporated, and so the Agency can commence enforcement activities with immediate effect. The decision also impacts future Agency rulemaking such as the Agency’s draft regulations on cybersecurity audits, privacy impact assessments, and automated decision-making, which will no longer be subject to the 12-month stay of enforcement.Continue Reading California Court of Appeal Restores CPPA Authority to Enforce Privacy Regulations

Decisions, decisions.  We are deluged by decisions.  What present should I buy?  Is the small cheese plate enough for my party guests, or should I go with the large?  How much of my bonus should I set aside for retirement this year, or should I up my charitable giving? 

Wouldn’t it be nice if we could all get a little technological assistance in making choices this holiday season?Continue Reading Jingle All the Algorithms: Automated Decisionmaking Amidst a Blizzard of State Privacy Laws

On October 10, 2023, Governor Gavin Newsom signed into law the California Delete Act, which imposes new requirements on “data brokers.” Because of the California law’s broad definition of the term “data broker,” the law will apply to many businesses that would not typically think of themselves as engaged in buying and selling data.  The Delete Act will require such “data brokers” to make new disclosures and, beginning in 2026, respond to bulk deletion requests submitted via a mechanism established by the California Privacy Protection Agency (CPPA), which is likely to prove onerous.  Unlike current deletion requests, which are sent on a one-off basis to specific businesses, the Delete Act will require these requests to be honored by all businesses registered with the CPPA as a data broker simultaneously.  As a result, data brokers will see a significant increase in the volume of such requests they are required to process.  Additionally, beginning in 2028, data brokers will be required to undergo costly third-party compliance audits. Continue Reading California Adopts “Delete Act”:  New Requirements for Data Brokers

At its Sept. 8 board meeting, the California Privacy Protection Agency reviewed draft regulations addressing cybersecurity audits and risk assessments. If adopted, the proposed regulations would require many businesses already subject to the California Consumer Privacy Act to conduct new, independent audits of their cybersecurity programs.  The proposed regulations would also impose broad rules

Just before the July 4th holiday, the California Superior Court in Sacramento gave businesses struggling to comply with the California Privacy Rights Act (“CPRA”) a small gift by delaying enforcement of the CPRA’s regulations until March of 2024 at the earliest. While helpful in some respects, discussed below, the ruling does not expressly prohibit the California Privacy Protection Agency (“Agency”) from enforcing the underlying text of the CPRA where implementing regulations are not required. Ashkan Soltani, the executive director of the Agency, has been quoted as stating that “significant portions” of the law can still be enforced immediately. 

In short, businesses should not assume the Agency will remain idle. CPRA compliance remains a priority, though the Agency has indicated that enforcement is likely to proceed slowly at first—given staffing shortages at the Agency—with an initial emphasis on voluntary compliance. Further clarity on the Agency’s enforcement plans may be forthcoming on July 14, when the Agency is scheduled to hold a board meeting featuring Michael Macko, the Agency’s Deputy Director of Enforcement, who will provide an update on the Agency’s enforcement priorities.Continue Reading Enforcement of CPRA Regulations Delayed, but CPRA Compliance Still a Priority

On March 29, 2023, the California Office of Administrative Law (the “OAL”) approved the first substantive set of California Privacy Rights Act (“CPRA”) regulations from the California Privacy Protection Agency (the “CPPA”), which we addressed in a previous blog. Those regulations went into effect immediately. As discussed in a recent episode of Ropes & Gray’s privacy podcast, The Data Day, the CPPA has also begun consideration of an additional set of regulations that would implement other CPRA requirements, issuing an Invitation for Preliminary Comments on Proposed Rulemaking Cybersecurity Audits, Risk Assessments, and Automated Decisionmaking. Enforcement of the CPRA, including its implementing regulations, is scheduled to begin on July 1, 2023. However, on March 30, 2023—just one day after the OAL approved the CPPA’s regulations—the California Chamber of Commerce announced that it had filed suit in Sacramento Superior Court seeking to delay enforcement until 12 months after a final and complete set of regulations has been adopted.Continue Reading California Finalizes Privacy Regulations: Enforcement Scheduled to Begin in July 2023

In the new year, comprehensive privacy laws go into operation in five states:  California (January 1), Virginia (January 1), Colorado (July 1), Connecticut (July 1), and Utah (December 31).  Subsequent blog posts will cover each of these laws in detail.  In this post, we begin a series analyzing the impact of the California Privacy Rights Act (“CPRA”) in greater depth. 

The CPRA will go into operation on January 1, 2023 and will be enforceable by the newly created California Privacy Protection Agency (“CPPA”) beginning on July 1, 2023. Passed by ballot initiative in November 2020, the CPRA amends and expands the California Consumer Privacy Act (together with the CPRA, the “CCPA/CPRA”), already the most far-reaching privacy legislation currently in operation in the United States.  As amended, the CCPA/CPRA expands consumer privacy rights and data processing obligations, creating new rights to limit the use of sensitive personal information and to correct personal information stored by a business.  It implements certain “principles of processing” like the purpose limitation, requiring businesses to evaluate their uses of personal information to ensure they are proportionate to the requirements of disclosed business and commercial purposes.  It also enhances opt-out rights in the context of cross-context behavioral advertising and requires that businesses enter into new contractual terms with service providers to which they disclose the personal information of California residents.Continue Reading Companies Wrestle with Compliance in the Lead Up to Effectiveness of the CPRA and Other State Privacy Laws

At a meeting of the California Privacy Protection Agency (“CPPA”) on June 8, we learned additional information about the initial batch of proposed regulations (“Proposed Regulations”) to the California Privacy Rights Act (“CPRA”) that were published on May 27. The Proposed Regulations keep much of the pre-existing California Consumer Privacy Act (“CCPA”) regulations but modify and add some key provisions. Because the CPRA was drafted as an amendment to the CCPA, the Proposed Regulations reference the CCPA (as amended by the CPRA). The Proposed Regulations focus on data subject rights, contractual requirements, and obligations related to disclosures, notices, and consents. Additional proposals will cover cybersecurity audits, privacy risk assessments, and automated decision making, among other areas. While we expect significant changes as the Proposed Regulations proceed through the formal rulemaking process, which the CPPA has not yet officially started, we provide our key takeaways below:Continue Reading Recent Activity from the California Privacy Protection Agency