Privacy Rights

Enforcement of CPRA Regulations Delayed, but CPRA Compliance Still a Priority

By May Yang on July 13, 2023

Just before the July 4^th holiday, the California Superior Court in Sacramento gave businesses struggling to comply with the California Privacy Rights Act (“CPRA”) a small gift by delaying enforcement of the CPRA’s regulations until March of 2024 at the earliest. While helpful in some respects, discussed below, the ruling does not expressly prohibit the California Privacy Protection Agency (“Agency”) from enforcing the underlying text of the CPRA where implementing regulations are not required. Ashkan Soltani, the executive director of the Agency, has been quoted as stating that “significant portions” of the law can still be enforced immediately.

In short, businesses should not assume the Agency will remain idle. CPRA compliance remains a priority, though the Agency has indicated that enforcement is likely to proceed slowly at first—given staffing shortages at the Agency—with an initial emphasis on voluntary compliance. Further clarity on the Agency’s enforcement plans may be forthcoming on July 14, when the Agency is scheduled to hold a board meeting featuring Michael Macko, the Agency’s Deputy Director of Enforcement, who will provide an update on the Agency’s enforcement priorities.Continue Reading Enforcement of CPRA Regulations Delayed, but CPRA Compliance Still a Priority

UK Data Protection & Digital Information Bill: Key Proposals for Reform of the UK’s Data Protection Framework

By Rohan Massey, Christopher Foo & Edward Machin on November 21, 2022

On July 18, 2022, the UK Government introduced into Parliament the Data Protection and Digital Information Bill (the Data Reform Bill), which proposes legislation to reform the UK data protection regime. A recent article in Entertainment Law Review by Ropes & Gray attorneys Rohan Massey, Christopher Foo & Edward Machin analyzes the Data Reform Bill’s…

California Attorney General’s Office Releases First Formal CCPA Opinion

By Steve Meil & Fran Faircloth on April 1, 2022

The California Attorney General’s office (OAG) recently released its first formal written opinion on the scope of the rights granted to consumers under the California Consumer Privacy Act (CCPA), specifically, the right for a consumer to know about the personal information that a business collects from them. The opinion comes in response to a question submitted by California Assembly member Kevin Kiley as to whether a consumer’s right to know the specific pieces of personal information that a business has collected about that consumer applies to internally generated inferences the business holds about them. The OAG asserted that the right to know does apply to such inferences, albeit with certain key exceptions.
Continue Reading California Attorney General’s Office Releases First Formal CCPA Opinion

Increased EU Scrutiny of US Data Transfers Through Cookie Use

By Christopher Foo on February 7, 2022

Global,Communication,Network,Around,Planet,Earth,In,Space,,Worldwide,Exchange

A recent decision by the Austrian Supervisory Authority (“SA”) casts a spotlight on the complexities of data transfers and cookie use, and highlights a shift in regulatory focus onto these topics in the year ahead. Regulators around Europe are increasingly beginning to weigh in on such transfers, and the outcomes of their deliberations will shape the data transfer compliance landscape in the months to come. These decisions present complex questions about the future of data transfers in the EU and UK.
Continue Reading Increased EU Scrutiny of US Data Transfers Through Cookie Use

State Privacy Law Developments: The New York Privacy Act

By Fran Faircloth & Briana Fasone on February 3, 2022

Since the passage of the California Consumer Privacy Act (CCPA) in 2018, many states have proposed sweeping data protection legislation, but only two others, Colorado and Virginia, have so far succeeded in passing such laws. That may soon change. In 2021, several states came close to enacting comprehensive privacy legislation and that momentum has continued into this year, with data protection bills being carried over, introduced, and reintroduced in state legislatures across the country. As the possibility of a federal privacy law dwindles—particularly during this midterm year—state legislatures are poised to be the source of major data protection developments in 2022. Throughout the year, Ropes & Gray will monitor and analyze these developments in state privacy laws, beginning with a discussion of the latest iteration of the proposed New York Privacy Act.
Continue Reading State Privacy Law Developments: The New York Privacy Act

What Florida’s DNA Privacy Law Means For Health Care Providers

By David Peloquin & Elana Bengualid Harary on October 11, 2021

Law360 (October 4, 2021, 5:30 PM EDT) —
On June 29, Florida Gov. Ron DeSantis signed into law H.B. 833, known as the Protecting DNA Privacy Act.

The act took effect on Oct. 1, and applies to the collection, use, retention, maintenance and disclosure of a DNA sample collected from an individual in Florida as well as the results of any subsequent DNA analysis. The act is self-executing and took effect without the need for creation of implementing regulations.

The act clarifies the extent to which individuals own their genetic information, and it creates new crimes for the unlawful collection, retention, analysis, disclosure or sale of an individual’s DNA sample and the results of a DNA analysis, subject to certain limited exemptions, such as use for specified clinical or research purposes.

The act also has important implications for secondary uses of data by health care providers and others that perform genetic testing and analyze genetic information.Continue Reading What Florida’s DNA Privacy Law Means For Health Care Providers

China Passes Personal Information Protection Law

By Katherine Wang & David Chen on September 17, 2021

On August 20, 2021, the Standing Committee of the National People’s Congress promulgated the Personal Information Protection Law (PIPL), which will become effective on November 1, 2021. The PIPL is the first comprehensive national level personal information protection law in China, which systematically regulates the processing of personal information by entities and individuals. The PIPL, together with the Cybersecurity Law, which was promulgated in 2017, and the Data Security Law, which was promulgated earlier this year, form the three pillars of China’s comprehensive data protection legal regime.

This Alert provides a summary of the highlights of the PIPL, discusses the implications on domestic and foreign businesses operating in China, and compares the PIPL with the European Union (EU) General Data Protection Regulation (GDPR), which has greatly influenced many of the concepts included in the PIPL.
Continue Reading China Passes Personal Information Protection Law

Colorado Privacy Law Signed Into Law

By Edward McNicholas, Fran Faircloth & Nameir Abbas on July 9, 2021

Bill On July 8, 2021, Colorado Governor Jared Polis signed the Colorado Privacy Act (the “Colorado Law”), a comprehensive privacy law that will take effect on July 1, 2023, into law. Colorado is the third U.S. state to pass a comprehensive privacy law, following California (the CCPA, as modified by the CPRA) and Virginia (the CDPA).

The Colorado Law generally resembles both the California and Virginia privacy laws, but more closely tracks the Virginia CDPA in terms of structure, approach, and language. The Colorado Law also contains some notable deviations from either law, including novel provisions regarding a mandatory universal opt-out mechanism for targeted advertising or sales of personal data.
Continue Reading Colorado Privacy Law Signed Into Law

COVID-19 Vaccination Booking Site May Reveal Vaccination Status

By Clare Sellars on May 17, 2021

In news that is likely to concern individuals and privacy activists alike, it has been reported that the NHS booking system for COVID-19 vaccinations has led to complaints that it could be used to reveal the vaccination status of individuals through the use of simple personal information.

The website allows users to book appointments for COVID-19 vaccinations, either by means of their NHS number, or by entering certain basic personal data, (including names, dates of birth and postcodes). The website then provides a variety of responses based on the user’s vaccination status, with different responses being provided based on whether the individual has received no vaccinations, one vaccination, or both.
Continue Reading COVID-19 Vaccination Booking Site May Reveal Vaccination Status

EU Proposals May Limit the Use of Artificial Intelligence

By Clare Sellars on May 14, 2021

The European Commission (EC) may be set to propose extensive new legislation – potentially later this week – which, among other things, would ban the use of facial recognition technology for surveillance purposes and the use of algorithms that influence human behavior, according to recently leaked draft documents. The proposals would also introduce new rules regarding high-risk artificial intelligence (AI).

Although the use of AI systems is regarded as beneficial in many areas of society, use of AI in some contexts can be controversial. For example, the use of algorithms in the context of employment-related decision-making, allegedly based solely on automated personal data processing, including profiling, has recently been challenged under the GDPR in the Dutch courts, although this decision is likely to be contested.
Continue Reading EU Proposals May Limit the Use of Artificial Intelligence

MENU

RopesDataPhiles