California

Subscribe to California

LockThe FTC’s recent settlement with Flo Health, announced on June 22, 2021, offers insights into what practices could invite FTC investigation, especially when companies that collect sensitive information make specific promises about high levels of health privacy and data security. More than 100 million consumers use Flo, an app developed by Flo Health Inc., to help women track their periods and fertility. Although the settlement contains no admissions by Flo, the agency alleged that Flo shared users’ health information with outside data analytics providers; an arrangement that is not uncommon for apps that deal with less-sensitive data, but one which contradicted the company’s promise to keep users’ personal information private.
Continue Reading Recent FTC Settlement with Flo Health Focuses on Notice and Consent for Companies Sharing Sensitive Data

BillBuilding on the momentum of the California Consumer Privacy Act (“CCPA”)California Privacy Rights Act (“CPRA”), and the Virginia Consumer Data Protection Act (“CDPA”), and the consideration of similar laws in states like Washington and New York, Minnesota’s legislature is debating HF 36, introduced on January 7, 2021, and HF 1492, introduced on February 22, 2021. Significantly, HF 36 grants consumers a private right of action for any violation of its provisions—something that was considered but not ultimately included in the CCPA, which provides for a private right of action only in the event of a data breach.  In contrast, HF 1492 joins Virginia’s CDPA by relying on regulatory enforcement and generally pursuing  an approach that is closer to Europe’s General Data Protection Regulation (“GDPR”). If passed, HF 36 would take effect on June 30, 2022, and HF 1492, also known as the Minnesota Consumer Data Privacy Act (“MCDPA”) on July 31, 2022.
Continue Reading Minnesota Debates New Privacy Bills

BillFlorida joined the fray of state legislatures vying to become the third state to enact comprehensive data privacy legislation following the passage of Virginia’s Consumer Data Protection Act (“CDPA”). Introduced in February with the support of Governor DeSantis, House Bill 969 (“HB 969”) shared many similarities with the California Consumer Privacy Act (“CCPA”), including a private right of action. At the same time, the previously identical Senate Bill 1734 (“SB 1734”) was recently amended to limit the scope of the law and remove the private right of action.  As with some many other state laws, the Florida bills have died for the present legislative session due to the breakdown over the private cause of action. 
Continue Reading Florida House and Senate Privacy Legislation Fails to Pass

The California Attorney General’s Office of Administrative Law has approved additional amendments to the California Consumer Privacy Act (CCPA) regulations, which went into effect March 15, 2021. A preliminary version of these new regulations were initially to be submitted as part of the CCPA regulations that went into effect on August 14, 2020, but were ultimately removed from that set of regulations. Instead these four new regulations were pulled from the proposal last minute and were not submitted for review, only to be reintroduced in October 2020 (see article here).
Continue Reading Yet Another Round of CCPA Regulations

Since passage of the California Consumer Privacy Act (“CCPA”) and California Privacy Rights Act (“CPRA”), many states have proposed data protection bills that have floundered in the legislative process. Virginia, previously a dark horse in the race amongst US states to pass data protection legislation, is now poised to take the lead with the Virginia Consumer Data Protection Act (“CDPA”). Unlike bills that have repeatedly stalled in key states like Washington, the CDPA has progressed swiftly and easily in this now “trifecta Blue” Virginia, with the Virginia Senate passing a version of the bill on February 3, less than a week after the House passed a near-identical companion bill. If the governor signs the CDPA into law, the CDPA will take effect January 1, 2023, simultaneously with the CPRA.
Continue Reading Virginia Poised to Join California with Comprehensive Data Protection Framework

Cyber SecurityAs we stand at the beginning of 2021 and a new presidential administration, we look back on the year behind us. Hindsight is always 2020, and 2020 may be best viewed in hindsight.  We saw rapid changes in the privacy space, prompted in part by the global COVID-19 response. Infrastructure and services across multiple sectors continue to rely on data and digital platforms to function. Five prominent developments shaped the data privacy environment in 2020.
Continue Reading Privacy Year in Review: 2020’s Hottest Topics

California State Flag. Close up.

On November 3, 2020, Californians passed the ballot initiative for the California Privacy Rights Act (CPRA) with a 56% vote.  As discussed earlier, the CPRA significantly expands upon the California Consumer Privacy Act (CCPA) that went into effect on January 1, 2020, and whose regulations were approved on August 14, 2020 with  subsequent proposed amendment in October 2020.

Most CPRA provisions will take effect on January 1, 2023, but its new obligations will apply to any personal information collected from California residents on or after January 1, 2022, a little over one year from passage.
Continue Reading California Privacy Rights Acts Approved by California Ballot Vote

CAThe California Attorney General’s office (OAG) recently released a third set of proposed modifications to the California Consumer Privacy Act (CCPA) regulations.  This comes on the heels of the second set of modifications the Office of Administrative Law (OAL) approved just two months ago (see article here).  The third set of proposed modifications restores certain provisions the OAG had previously withdrawn from its draft regulations submitted to the OAL in July, as well as clarifies and adds illustrative examples to some provisions.  Overall, the modifications do not significantly alter the CCPA regulatory landscape, and if accepted, are not likely to impact businesses greatly.  Nonetheless, businesses should review the changes, which address the following topics, to confirm that they would not require any adjustment in business practice:
Continue Reading California AG Proposes Third Amended Regulations to CCPA

CCPA

On August 14, 2020, California Attorney General Xavier Becerra announced the California Office of Administrative Law’s approval of the final California Consumer Privacy Act (CCPA) regulations, and filed them with the California Secretary of State. The AG’s office stated that the regulations are effective immediately.

The OAL made additional revisions to the March 11, 2020 regulations, summarized here, which itself comprised of revised regulations followed several rounds of public forums, hearings, and comment periods. At a high level, the final texts’ noteworthy substantive revisions from the March submission (noted in the OAG’s Addendum to the Final Statement of Reasons) include the following:
Continue Reading CCPA Regulations Approved

CAOn August 13, two California contact tracing bills, AB-660 and AB-1782, were approved by the California Senate Judiciary Committee.  These bills would affect how public agencies can collect, store and disclose personal information that is used to facilitate COVID-19 contact tracing.

  • If enacted, AB-660 would prohibit any use or disclosure of data collected for purposes of contact tracing other than further contact tracing efforts.
  • If enacted, AB-1782 would require businesses using or providing contact tracing technologies to provide individuals with the right to consent, access, correct, and delete personal information about them, and to carry out other measures regarding use, security. and maintenance of the data.

Continue Reading California Contact Tracing Bills Approved by State Judiciary Committee