Chapter 22.8 of the California Business and Professions Code imposes requirements on social media companies with annual gross revenues of $100 million or more to submit “terms of service reports” to the California Attorney General, with the first report due by January 1, 2024. The statute is currently the subject of a constitutional challenge, but covered companies should not delay preparing reports in case the lawsuit drags on or is unsuccessful. The law applies to…
In brief On October 8, 2023, California Governor Gavin Newsom signed two bills into law amending the California Consumer Privacy Act (CCPA). AB 947 classifies citizenship and immigration status as “sensitive personal information” subject to special protections under the CCPA, while AB 1194 strengthens reproductive privacy rights. Both bills carried the unanimous endorsement of the California Privacy Protection Agency. Details for each bill are described below followed by actionable guidance businesses can take to prepare…
If you are a data broker or a business that relies on data brokers for targeted advertising, you should be aware that the California Data Broker Law will be significantly changed under the California Delete Act On October 10, 2023, California Governor, Gavin Newsom, signed Senate Bill 362, referred to as the Delete Act, into law. The Delete Act amends existing data broker laws to subject all data brokers to new registration and disclosure requirements…
As we previously covered in a post earlier this month, the California Privacy Protection Agency (“CPPA”) has published draft regulations on risk assessments and cybersecurity audits required by the California Consumer Privacy Act (“CCPA”), as amended by the California Privacy Rights Act (“CPRA”). On September 8, the CPPA held a public board meeting that included discussion of select portions of the regulations. Prior to the meeting, the board circulated copies of the draft regulations for…
On August 29, 2023, the California Privacy Protection Agency (“CPPA”) published draft regulations on risk assessments and cybersecurity audits required by the California Consumer Privacy Act (“CCPA”), as amended by the California Privacy Rights Act (“CPRA”). The CPPA will discuss the draft regulations at the upcoming public meeting on September 8, 2023. The draft regulations make clear that the CPPA has not yet begun formal rulemaking, and that the draft regulations are “intended to facilitate…
If you are a data broker or a business that relies on data brokers for targeted advertising, you should be aware that the California Data Broker Law may be significantly changed under a proposed bill. Under Senate Bill 362, the California Privacy Protection Agency (CPPA) would be required to set up, by January 1, 2026, an accessible deletion mechanism where consumers could request deletion via the CPPA that all data brokers then have to honor.…
Just a few weeks after California Attorney General Bonta announced an investigative sweep through inquiry letters sent to California employers, today the California Privacy Protection Agency (CPPA) announced a California Consumer Privacy Act (CCPA) review of data privacy practices by connected vehicle manufacturers and related technologies, focusing on embedded features including “location sharing, web-based entertainment, smartphone integration, and cameras,” because “vehicles often automatically gather consumers’ locations, personal preferences, and details about their daily lives.” In…
So far this year, three US states have passed laws with specific obligations related to consumer health privacy law: Washington, Connecticut, and Nevada. When it comes to California, the omnibus California Consumer Privacy Act (CCPA) applies also to the processing of health information. But, if the sectoral Confidentiality of Medical Information Act (CMIA) applies and is complied with, CMIA, and not the CCPA, applies. Most companies that do business in California are subject to CMIA,…
On July 18, Oregon Governor Tina Kotek signed SB 619 into law as the Oregon Consumer Privacy Act, making Oregon the eleventh U.S. state to enact consumer privacy legislation and the seventh in 2023 alone. The compliance deadline for for-profit entities is July 1, 2024. In Brief: The Oregon Consumer Privacy Act has no revenue threshold and applies to any person that conducts business in Oregon or provides products or services to Oregon residents and…
The Colorado Privacy Act is enforceable since July 1, 2023. Just as the California Attorney General has done through several sweeps (see here and here), the Colorado Attorney General, Phil Weiser, has announced through letters sent to business that enforcement of the Colorado Privacy Act has begun. The initial round of letters are meant to educate businesses on their new obligations, with particular emphasis on the collection and use of sensitive data and related prior…