At its Sept. 8 board meeting, the California Privacy Protection Agency reviewed draft regulations addressing cybersecurity audits and risk assessments. If adopted, the proposed regulations would require many businesses already subject to the California Consumer Privacy Act to conduct new, independent audits of their cybersecurity programs.  The proposed regulations would also impose broad rules

Last week, Delaware Governor John Carney signed into law the Delaware Personal Data Privacy Act (“DPDPA”), the state’s new consumer privacy law that will become effective January 1, 2025. The First State is now the 12th state to fully enact a comprehensive consumer data privacy law, joining California, Colorado, Connecticut, Indiana, Iowa, Montana, Oregon, Tennessee, Texas, Utah, and Virginia. Our previous posts on laws in those states can be found here. Though the DPDPA generally tracks consumer privacy laws in other states—particularly those in Colorado, Connecticut, and Oregon—it does contain nuances that organizations should note, particularly a lack of general exclusions for nonprofits and higher education institutions as well as a lower threshold for applicability.

Continue Reading Delaware Becomes Twelfth State to Pass Consumer Privacy Law

With the onslaught of state privacy laws passed earlier this spring and summer, the Texas Data Privacy and Security Act (the “TDPSA”) signed into law on June 18, 2023, may not have received its due.  Although largely following the template set in other states, the Texas law is unique among the non-California comprehensive privacy laws in tying its scoping criteria to the size of a business rather than to a threshold number of data subjects whose information a business processes annually—typically 100,000 state residents.  The company must also (1) conduct business in Texas or produce a product or service consumed in the state and (2) process or “sell” personal data (more on the definition of “sell” below, which would include many disclosures made through online advertising).  As a result, many mid-market businesses that process smaller amounts of data (falling under the 100,000-resident threshold applicable in many states) could still be required to comply.

Continue Reading Texas Data Privacy and Security Act Could Impact More Businesses

Just before the July 4th holiday, the California Superior Court in Sacramento gave businesses struggling to comply with the California Privacy Rights Act (“CPRA”) a small gift by delaying enforcement of the CPRA’s regulations until March of 2024 at the earliest. While helpful in some respects, discussed below, the ruling does not expressly prohibit the California Privacy Protection Agency (“Agency”) from enforcing the underlying text of the CPRA where implementing regulations are not required. Ashkan Soltani, the executive director of the Agency, has been quoted as stating that “significant portions” of the law can still be enforced immediately. 

In short, businesses should not assume the Agency will remain idle. CPRA compliance remains a priority, though the Agency has indicated that enforcement is likely to proceed slowly at first—given staffing shortages at the Agency—with an initial emphasis on voluntary compliance. Further clarity on the Agency’s enforcement plans may be forthcoming on July 14, when the Agency is scheduled to hold a board meeting featuring Michael Macko, the Agency’s Deputy Director of Enforcement, who will provide an update on the Agency’s enforcement priorities.

Continue Reading Enforcement of CPRA Regulations Delayed, but CPRA Compliance Still a Priority

On May 25, 2023 Gov. Ron DeSantis signed into law an amendment (Amendment) to the Florida Telephone Solicitation Act (FTSA), clarifying ambiguities and corralling what has been a runaway gust of telemarketing litigation since the passage of the FTSA almost two years ago. Under the FTSA, an individual could bring suit against a telemarketer for using an automated telephone dialing system (ATDS) that simply selected phone numbers or dialed telephone numbers to place calls or send messages without prior consent. In other words, even if the caller dialed the phone number manually, the call would still be subject to the FTSA if the number was automatically selected using software. This Amendment clarifies that suit can be brought only if the ATDS both selects and dials the phone number. While still not specifically defining what constitutes an ATDS, this two-part test should stem the flow of FTSA litigation by greatly narrowing the present standard.

Continue Reading Sunshine State Clarifies Telemarketing Regulation, Quieting Storm of Litigation Blown In by Florida Telephone Solicitation Act

Find an umbrella. . . .  The recent deluge of state-level privacy legislation continues.  Legislatures in three additional states—Indiana, Montana, and Tennessee—have adopted comprehensive privacy laws.  The Indiana Consumer Data Protection Act (ICDPA) was signed into law on May 1, 2023, making Indiana the seventh state to adopt such a law, and legislatures in Montana and Tennessee have passed legislation that is expected to be signed into law by their respective governors soon.  Only one month ago, Iowa became the sixth state to adopt a comprehensive privacy law, and, of course, California, Colorado, Connecticut, Utah, and Virginia each have laws that either are already in effect or that will go into effect later his year.  Meanwhile, on April 27, 2023, the governor of Washington signed into law the My Health My Data Act, a significant development that will impact many businesses that collect or process consumer health data (expect an update on this topic here soon).  

Continue Reading When It Rains, It Pours (State Privacy Laws)

On March 29, 2023, the California Office of Administrative Law (the “OAL”) approved the first substantive set of California Privacy Rights Act (“CPRA”) regulations from the California Privacy Protection Agency (the “CPPA”), which we addressed in a previous blog. Those regulations went into effect immediately. As discussed in a recent episode of Ropes & Gray’s privacy podcast, The Data Day, the CPPA has also begun consideration of an additional set of regulations that would implement other CPRA requirements, issuing an Invitation for Preliminary Comments on Proposed Rulemaking Cybersecurity Audits, Risk Assessments, and Automated Decisionmaking. Enforcement of the CPRA, including its implementing regulations, is scheduled to begin on July 1, 2023. However, on March 30, 2023—just one day after the OAL approved the CPPA’s regulations—the California Chamber of Commerce announced that it had filed suit in Sacramento Superior Court seeking to delay enforcement until 12 months after a final and complete set of regulations has been adopted.

Continue Reading California Finalizes Privacy Regulations: Enforcement Scheduled to Begin in July 2023

On March 28, Iowa Governor Kim Reynolds signed Senate File 262 into law, making Iowa the sixth state to adopt comprehensive data privacy legislation. The Iowa Consumer Data Protection Act (ICDPA) is set to take effect on January 1, 2025.

The ICDPA is largely business friendly and mostly comparable to the Utah Consumer Privacy Act. Businesses that are already in compliance with other states’ privacy laws—such as the California Consumer Privacy Act—likely will not need to make any additional changes to their policies or practices to comply with the ICDPA. The ICDPA does not require businesses to conduct risk assessments, practice purpose limitations or data minimization, and businesses have a generous 90-day cure period for suspected violations. Furthermore, as we’ve seen with the other states that have recently passed comprehensive privacy laws, the law does not provide a private right of action for consumers, as enforcement authority sits exclusively with the Iowa Attorney General.

Continue Reading Iowa Becomes Sixth State to Pass Comprehensive Data Privacy Law