This year, the blossoming of spring is accompanied by a pair of noteworthy California Privacy Protection Agency (CPPA) updates. First, on March 8, the CPPA and staff convened to discuss new draft regulations related to automated decision-making technology (ADMT) and risk assessments, as well as updates to existing California Consumer Privacy Act (CCPA) regulations. Second, on April 2, the Enforcement Division of the CPPA released its first-ever “Enforcement Advisory,” which “share[s] observations from the [CPPA’s] Enforcement Division to educate and encourage businesses to comply with the law.”Continue Reading CPPA Board Updates Timing for Regulations, and Enforcement Division Releases Enforcement Advisory: Focus on Data Minimization!
CCPA
CCPA Enforcement Surprise: Regulations Effective Immediately
By James G. Snell & Peter Hegel on
On Friday, February 9, as the country collectively packed up and prepared to head home for Super Bowl weekend, the Third Appellate District of the California Appellate Court issued an Order granting the California Privacy Protection Agency the ability to immediately enforce regulations implementing the California Privacy Rights Act, which were finalized in March 2023.
California Announces Sweep on Streaming Services and More Enforcement To Come
By Peter Hegel, Rohan Andresen & Francys Guevara on
Posted in CCPA, Regulatory Enforcement
California Attorney General Rob Bonta announced an investigatory sweep into popular streaming apps and devices, timed to coincide with Data Privacy Day on January 28. The California Attorney General’s Office explained that it is sending letters to such streaming services alleging a failure to comply with the requirement to offer an easy mechanism to opt out of the sale or sharing of personal information under the California Consumer Privacy Act (CCPA).Continue Reading California Announces Sweep on Streaming Services and More Enforcement To Come
Full Steam Ahead: Updates in Enforcement of California Privacy Law
By April Goff, Samantha Ettari & Peter Hegel on
Posted in CCPA, Privacy Litigation
A court-ordered stay on enforcement of updates to certain parts of the California privacy regulation (the Ruling) has not slowed down enforcement of the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA). In fact, the hot summer months of July and August are poised to be busy months of regulator activity. On Friday, July 14, the California Attorney General distributed a series of “inquiry letters” to certain businesses as part of an investigative sweep concerning employee privacy. Simultaneously, the California Privacy Protection Agency (CPPA) detailed its enforcement strategy for California state privacy laws in a public meeting, announcing the Agency’s plans to continue with enforcement where it is able, despite the stay on updates to the regulations. Most recently, on July 31, the CPPA announced a review of privacy practices around connected automobile data. This increased level of activity should encourage companies that have been slow to implement a compliant privacy program, including the updates that went effective on January 1, 2023.Continue Reading Full Steam Ahead: Updates in Enforcement of California Privacy Law
Ten Takeaways From the 2023 IAPP Global Privacy Summit
International, federal, and state privacy regulators highlighted their ambitious agendas at the 2023 IAPP Global Privacy Summit in Washington, D.C. They, along with speakers from an array of private organizations, underscored the following takeaways that should be top of mind for businesses:Continue Reading Ten Takeaways From the 2023 IAPP Global Privacy Summit
Crossing the Finish Line: California Regulations Effective Immediately
By Peter Hegel, Samantha Ettari & James G. Snell on
Posted in CCPA
The California Privacy Protection Agency (CPPA) released a statement on March 30, 2023, announcing that the California Office of Administrative Law (OAL) had approved the first substantive rulemaking package for the California Consumer Privacy Act (CCPA), amended by the California Privacy Rights Act (CPRA). As a result of this, the CCPA regulations in this rulemaking package are finalized and, according to their terms, effective immediately.Continue Reading Crossing the Finish Line: California Regulations Effective Immediately
Almost There and Starting Again: CPPA Votes To Finalize Regulations and Launches Round Two
By Meredith Halama, James G. Snell, Stephanie Duchesneau, Peter Hegel, Madeline McFee & Oviett Wargula on
Posted in CCPA
The Board of the California Privacy Protection Agency (CPPA) approved a rulemaking package covering Sections 7000–7304 of their draft regulations on February 3, 2023. The board also initiated preliminary rulemaking activities for risk assessments, cybersecurity audits, and automated decision-making. In approving the rulemaking package, the CPPA did not make substantive changes to the version of its draft regulations published in October 2022, indicating that any changes following from the more than 400 pages of public comment analysis could be advanced in future rulemaking activities.Continue Reading Almost There and Starting Again: CPPA Votes To Finalize Regulations and Launches Round Two
California Attorney General Targets Popular Mobile Apps in CCPA Enforcement Sweep
Posted in CCPA
As it did last year, the California Attorney General’s Office recognized Data Privacy Day by announcing its latest investigative sweep under the California Consumer Privacy Act (CCPA). This time, the Attorney General focused on companies that operate mobile apps allegedly without offering CCPA-compliant opt-out mechanisms.Continue Reading California Attorney General Targets Popular Mobile Apps in CCPA Enforcement Sweep
One Step Closer: California Privacy Protection Agency Reviews Comments for CCPA Regulations
By Miriam Farhi, Ellie Chapman & Charlotte Kress on
Posted in CCPA, Privacy Compliance
Last week, the period for comments closed on the California Privacy Protection Agency’s (CPPA) latest version of the draft implementing regulations for the California Privacy Rights Act (CPRA) amendments to the California Consumer Privacy Act (CCPA) (Revised Regs). The Revised Regs were first released with modifications and an Explanation of Modified Text of Proposed Regulations at the end of October. Shortly thereafter, the CPPA released the current version of the Revised Regs, which, compared to the initial draft regulations (Initial Draft Regs), include many substantive modifications to key compliance areas.Continue Reading One Step Closer: California Privacy Protection Agency Reviews Comments for CCPA Regulations
Data Privacy Day Surprise Enforcement for Loyalty Programs
By Peter Hegel & Akua Asare-Konadu on
Posted in CCPA, Regulatory Enforcement
On Friday, January 28, the world celebrated its 16th Data Protection/Privacy Day. As the privacy community capped off a week of programming and gazed into the future of potential data privacy enforcement [1], the celebrations were quickly overshadowed by California Attorney General Rob Bonta, who announced that his office was targeting businesses operating loyalty programs for potential enforcement actions. According to Bonta, his office issued “notices to business[es] that operate loyalty programs and use personal information in violation of California’s data privacy law.” [2] Accordingly, it is expected that a plethora of businesses may soon receive notices of noncompliance. Once a business receives a notice of noncompliance, that business will have 30 days to cure or fix the alleged violation before an enforcement action is initiated. Enforcement actions may result in penalties of up to $7,500 per violation, which can quickly accrue to significant amounts.
Continue Reading Data Privacy Day Surprise Enforcement for Loyalty Programs