California Consumer Privacy Act (CCPA)

On Friday, January 27, California Attorney General Rob Bonta announced an investigative sweep of businesses that provide mobile apps, issuing warning letters to those that AG Bonta alleges failed to comply with the California Consumer Privacy Act (CCPA).  This sweep focused specifically on “popular retail, travel, and food service industry apps” that failed to comply

With Colorado joining California as the only other state with rules implementing a comprehensive privacy law, businesses and practitioners have been anxiously watching to see whether a California-compliant privacy policy would also be compliant with the Colorado Privacy Act (“CPA”).  And, as the Colorado Attorney General has made clear, interoperability is an important guiding

On October 17, the California Privacy Protection Agency (“CPPA”) published the first revisions to the CPRA regulations. This draft includes an extensive list of proposed changes in advance of the CPPA Board public hearing, scheduled to begin on October 21st. In addition to the newest draft regulations, the CPPA published a

On August 24, California Attorney General Rob Bonta announced a $1.2 million settlement with Sephora over allegations that the cosmetic retailer had violated the California Consumer Privacy Act (CCPA).  This first public enforcement action—and subsequent noncompliance letters the Attorney General sent to other retailers—clearly highlight the continued focus of regulators on online tracking practices and opt-out signals such

The August 31 closing of the California legislative session likely marked the end of hopes for an extension of the limited exemptions for employee and business-to-business (B2B) data that have existed for the California Consumer Privacy Act (“CCPA”) since its inception.  As a result, when the the California Privacy Rights Act (CPRA) goes into effect

The California Privacy Protection Agency announced today that it began the formal rulemaking process to adopt the proposed regulations implementing the Consumer Privacy Rights Act of 2020 (“CPRA”).  As part of this announcement, the Agency released the following link to the Proposed Regulations and supporting documents.

The Agency will hold a public hearing for

In a surprising development, the California Privacy Protection Agency (CPPA) published proposed amendments to the CCPA regulations recently.  The proposed amendments were initially made public on May 27 in a package of materials to be considered by the CPPA at its upcoming June 8 meeting.  The proposed amendments—which in effect are the draft CPRA regulations—were

The California Privacy Protection Agency (“CPPA”) scheduled a Board Meeting for June 8th, in which it will be discussing and possibly taking action with regard to the much anticipated CPRA enforcing regulations.  To facilitate this discussion, the CPPA included a draft of the proposed regulations as part of the meeting records. This draft

The California AG recently released its first Opinion interpreting the California Consumer Privacy Act (CCPA), highlighting a brewing conflict over the inferences that businesses generate about their consumers. This Opinion addresses the question of whether Right to Know requests extend to these inferences.  It states that businesses are obligated to disclose inferences (1) derived from either public or private personal information (2) that are used by the business for the purpose of creating a profile about the consumer. While the Office of the Attorney General acknowledged that the CCPA does not require businesses to reveal trade secrets, the Opinion raised serious questions as to whether inferences may qualify as trade secrets and, if so, the scope of a business’s compliance obligations.
Continue Reading  Are Inferences Trade Secrets Under the CCPA?

2021 proved to be a momentous year for privacy and data security law.  The scourge of ransomware continued last year, leading to record-setting ransomware payments, a muscular response from the federal government, a hardening insurance market, and significant corporate anxiety.  Two more U.S. states passed comprehensive data privacy laws in 2021.  The FTC was very active, issuing new guidance for artificial intelligence (AI), publishing revisions to the GLBA Safeguards Rule, and bringing new enforcement actions.  The U.S. Supreme Court issued a number of opinions that had the effect of narrowing the scope of key privacy statutes while biometric litigation in Illinois exploded.  The European Commission promulgated new rules for cross-border transfers, and U.S. state regulatory enforcement activities ramped up.
Continue Reading  Predictions for Privacy & Data Security in 2022