At its Sept. 8 board meeting, the California Privacy Protection Agency reviewed draft regulations addressing cybersecurity audits and risk assessments. If adopted, the proposed regulations would require many businesses already subject to the California Consumer Privacy Act to conduct new, independent audits of their cybersecurity programs. The proposed regulations would also impose broad rules
Just before the July 4th holiday, the California Superior Court in Sacramento gave businesses struggling to comply with the California Privacy Rights Act (“CPRA”) a small gift by delaying enforcement of the CPRA’s regulations until March of 2024 at the earliest. While helpful in some respects, discussed below, the ruling does not expressly prohibit the California Privacy Protection Agency (“Agency”) from enforcing the underlying text of the CPRA where implementing regulations are not required. Ashkan Soltani, the executive director of the Agency, has been quoted as stating that “significant portions” of the law can still be enforced immediately.
In short, businesses should not assume the Agency will remain idle. CPRA compliance remains a priority, though the Agency has indicated that enforcement is likely to proceed slowly at first—given staffing shortages at the Agency—with an initial emphasis on voluntary compliance. Further clarity on the Agency’s enforcement plans may be forthcoming on July 14, when the Agency is scheduled to hold a board meeting featuring Michael Macko, the Agency’s Deputy Director of Enforcement, who will provide an update on the Agency’s enforcement priorities.
Continue Reading Enforcement of CPRA Regulations Delayed, but CPRA Compliance Still a Priority
On March 29, 2023, the California Office of Administrative Law (the “OAL”) approved the first substantive set of California Privacy Rights Act (“CPRA”) regulations from the California Privacy Protection Agency (the “CPPA”), which we addressed in a previous blog. Those regulations went into effect immediately. As discussed in a recent episode of Ropes & Gray’s privacy podcast, The Data Day, the CPPA has also begun consideration of an additional set of regulations that would implement other CPRA requirements, issuing an Invitation for Preliminary Comments on Proposed Rulemaking Cybersecurity Audits, Risk Assessments, and Automated Decisionmaking. Enforcement of the CPRA, including its implementing regulations, is scheduled to begin on July 1, 2023. However, on March 30, 2023—just one day after the OAL approved the CPPA’s regulations—the California Chamber of Commerce announced that it had filed suit in Sacramento Superior Court seeking to delay enforcement until 12 months after a final and complete set of regulations has been adopted.
Tune in to the second episode of Ropes & Gray’s podcast series The Data Day, brought to you by the firm’s data, privacy & cybersecurity practice. This series focuses on the day-to-day effects that data has on all of our lives as well as other exciting and interesting legal and regulatory developments in the
Just in time for Data Privacy Day, the California attorney general (“California AG”) announced a new round of privacy investigations targeting the retail, travel, and food service industries. The investigative sweep will focus on “popular apps” that allegedly fail to honor consumer requests to opt out of the “sale” of their personal information. The sweep will also review responses to requests sent on behalf of consumers by authorized agents such as the “Permission Slip” application developed by Consumer Reports. Even with the considerable attention owed to the new requirements of the California Privacy Rights Act (“CPRA”)—which amends and expands on the California Consumer Privacy Act (“CCPA”)—along with the significant recent activity by the California Privacy Protection Agency, businesses should not overlook their ongoing obligations to comply with the CCPA prior to the CPRA’s enforcement beginning on July 1, 2023.
In the new year, comprehensive privacy laws go into operation in five states: California (January 1), Virginia (January 1), Colorado (July 1), Connecticut (July 1), and Utah (December 31). Subsequent blog posts will cover each of these laws in detail. In this post, we begin a series analyzing the impact of the California Privacy Rights Act (“CPRA”) in greater depth.
The CPRA will go into operation on January 1, 2023 and will be enforceable by the newly created California Privacy Protection Agency (“CPPA”) beginning on July 1, 2023. Passed by ballot initiative in November 2020, the CPRA amends and expands the California Consumer Privacy Act (together with the CPRA, the “CCPA/CPRA”), already the most far-reaching privacy legislation currently in operation in the United States. As amended, the CCPA/CPRA expands consumer privacy rights and data processing obligations, creating new rights to limit the use of sensitive personal information and to correct personal information stored by a business. It implements certain “principles of processing” like the purpose limitation, requiring businesses to evaluate their uses of personal information to ensure they are proportionate to the requirements of disclosed business and commercial purposes. It also enhances opt-out rights in the context of cross-context behavioral advertising and requires that businesses enter into new contractual terms with service providers to which they disclose the personal information of California residents.
At a meeting of the California Privacy Protection Agency (“CPPA”) on June 8, we learned additional information about the initial batch of proposed regulations (“Proposed Regulations”) to the California Privacy Rights Act (“CPRA”) that were published on May 27. The Proposed Regulations keep much of the pre-existing California Consumer Privacy Act (“CCPA”) regulations but modify and add some key provisions. Because the CPRA was drafted as an amendment to the CCPA, the Proposed Regulations reference the CCPA (as amended by the CPRA). The Proposed Regulations focus on data subject rights, contractual requirements, and obligations related to disclosures, notices, and consents. Additional proposals will cover cybersecurity audits, privacy risk assessments, and automated decision making, among other areas. While we expect significant changes as the Proposed Regulations proceed through the formal rulemaking process, which the CPPA has not yet officially started, we provide our key takeaways below:
Continue Reading Recent Activity from the California Privacy Protection Agency
As 2021 comes to a close, it is a great time to take stock of the present state of affairs with respect to U.S. privacy laws. With the relatively recent passage of comprehensive privacy laws in California, and additional countries adopting laws that closely follow the principles of the EU’s General Data Protection Regulation (GDPR), along with increasing public concerns regarding how companies manage customers’ personal data, legal practitioners entered 2021 with high hopes that comprehensive federal privacy legislation may finally be on the horizon. Nevertheless, in a trend that is likely to continue in the year ahead, it was the states rather than federal legislatures that successfully added to the ranks of privacy laws with which businesses will soon need to comply.
Continue Reading Momentum Builds for State Privacy Laws but the Possibility of a Federal Law Remains Remote
Building on the momentum of the California Consumer Privacy Act (“CCPA”), California Privacy Rights Act (“CPRA”), and the Virginia Consumer Data Protection Act (“CDPA”), and the consideration of similar laws in states like Washington and New York, Minnesota’s legislature is debating HF 36, introduced on January 7, 2021, and HF 1492, introduced on February 22, 2021. Significantly, HF 36 grants consumers a private right of action for any violation of its provisions—something that was considered but not ultimately included in the CCPA, which provides for a private right of action only in the event of a data breach. In contrast, HF 1492 joins Virginia’s CDPA by relying on regulatory enforcement and generally pursuing an approach that is closer to Europe’s General Data Protection Regulation (“GDPR”). If passed, HF 36 would take effect on June 30, 2022, and HF 1492, also known as the Minnesota Consumer Data Privacy Act (“MCDPA”) on July 31, 2022.
Continue Reading Minnesota Debates New Privacy Bills