The California Privacy Protection Agency (“CPPA”) scheduled a Board Meeting for June 8th, in which it will be discussing and possibly taking action with regard to the much anticipated CPRA enforcing regulations.  To facilitate this discussion, the CPPA included a draft of the proposed regulations as part of the meeting records. This draft

Connecticut is the next in a growing list of states to pass comprehensive data privacy legislation.  Last Friday, the Connecticut legislature passed, by large margins, Senate Bill 6 — which we are referring to as the Connecticut Data Privacy Act (CTDPA).  The law now awaits the Governor’s signature.

The CTDPA follows the form and content of other privacy laws passed in the prior year, including the Colorado Privacy Act (CPA), Virginia Consumer Data Protection Act (VCDPA), and Utah Privacy Act (UPA).  California, of course, passed the California Consumer Privacy Rights Act (CPRA) via ballot initiative in 2020.  All of these laws will become effective in 2023.
Continue Reading  Connecticut Poised To Become Fifth State to Enact a Privacy Law

In a series of recent statements and releases, Lina Khan, the Chair of the FTC, made clear the Commission’s intention to revamp its oversight of consumer data privacy and establish more substantive limits on commercial data collection and processing activities. This plan is motivated in part by the increased adoption of workplace surveillance technologies as well as the “growing recognition that the ‘notice-and-consent’ framework” traditionally used by U.S. businesses may not be sufficient to protect consumer and employee rights. Chairperson Khan hopes to obtain additional funding to help recruit the talent required to develop this new framework, which is designed to bring the FTC “in line with similar agencies internationally.” However, the FTC plans to update its approach to “keep pace with new learning and technological shifts” regardless of whether funding is ultimately obtained. 
Continue Reading  FTC Chair Announces New Privacy Approach

The California AG recently released its first Opinion interpreting the California Consumer Privacy Act (CCPA), highlighting a brewing conflict over the inferences that businesses generate about their consumers. This Opinion addresses the question of whether Right to Know requests extend to these inferences.  It states that businesses are obligated to disclose inferences (1) derived from either public or private personal information (2) that are used by the business for the purpose of creating a profile about the consumer. While the Office of the Attorney General acknowledged that the CCPA does not require businesses to reveal trade secrets, the Opinion raised serious questions as to whether inferences may qualify as trade secrets and, if so, the scope of a business’s compliance obligations.
Continue Reading  Are Inferences Trade Secrets Under the CCPA?

On March 9, 2022, the SEC proposed a new rule to enhance and standardize disclosures regarding cybersecurity incidents, risk management, strategy, and governance. If approved, public companies subject to the reporting requirements of the Securities and Exchange Act of 1934 will be subject to new disclosure requirements regarding (1) Cybersecurity Incidents, and (2) Cybersecurity Risk Management, Strategy, and Governance.
Continue Reading  SEC Proposes New Disclosure Rules for Cyber Incidents