As we previously discussed, the California Privacy Protection Agency (“CPPA”) recently released updated rules implementing the California Privacy Rights Act (“CPRA”). Here are some of the key changes from those rules. While the changes are modest, they are directionally helpful in addressing some of the concerns industry raised during the rulemaking process.
Continue Reading Some Key Takeaways from The Updated CPRA Rules
On October 10, 2022 the draft rules implementing the Colorado Privacy Act (“CPA”) were officially published in the Colorado Register. Written comments on the draft rules are due by November 7, 2022. The CPA draft rules share some similarities with the draft rules set forth by the California Privacy Protection Agency (“CPPA”) interpreting the California Privacy Rights Act (“CPRA”). Both sets of draft rules address requirements for privacy policy disclosures, consumer rights requests, and providing opt-out mechanisms. However, there are a number of key differences between the two drafts. We highlight some of these below.
Continue Reading Colorado Attorney General Releases Draft CPA Rules
The Colorado Department of Law issued draft rules implementing the Colorado Privacy Act. The proposed draft rules will be published in the Colorado Register and available for comment on October 10, 2022.
Last week, the FTC announced its release of a staff report discussing key topics from the April 29, 2021 workshop addressing dark patterns. The report states that the FTC will take action when companies employ dark patterns that violate existing laws, including the FTC Act, ROSCA, the TSR, TILA, CAN-SPAM, COPPA, ECOA, or other statutes and regulations enforced by the FTC. The report highlights examples of cases in which the FTC used its authority under these laws and regulations to bring enforcement actions against companies that allegedly used dark patterns. Accordingly, the report builds upon the FTC’s historical approach of using its existing authority to bring enforcement actions in this context.
The California Privacy Protection Agency (“CPPA”) held two public hearings last week on its proposed regulations.
Continue Reading California Privacy Protection Agency Holds Public Hearings on Proposed Regulations
On August 24, 2022, the California Office of Attorney General (OAG) published a summary of 13 CCPA investigations, “illustrative” of situations in which notices of alleged noncompliance were sent and remedial measures were implemented. Note that the CCPA’s mandatory notice-and-cure period will expire on January 1, 2023. Following that, the California Privacy Protection Agency will have the discretion to grant cure periods.
Continue Reading California’s Office of the Attorney General Posts 13 New CCPA Investigations
Today, the California Attorney General announced the first settlement agreement under the California Consumer Privacy Act (“CCPA”). The Attorney General alleged that online retailer Sephora, Inc. failed to disclose to consumers that it was selling their information and failed to process user requests to opt out of sale via user-enabled global privacy controls. The Attorney General also alleged that Sephora did not cure these violations within the cure period.
Continue Reading California Attorney General Announces First CCPA Settlement
The California Privacy Protection Agency (“CPPA”) held a board meeting on May 26th, 2022. At the meeting, Executive Director Ashkan Soltani, Acting General Counsel Brian Soublet, and members of the Board offered insight into the following key topics:
In advance of the June 8, 2022 board meeting, the California Privacy Protection Agency (CPPA) staff has posted draft rules implementing the California Privacy Rights Act (CPRA). The draft regulations keep much of the pre-existing California Consumer Privacy Act (CCPA) regulations intact, but modify certain provisions and propose new regulations. A copy of the proposed
The Connecticut legislature passed Connecticut SB 6 on April 28, 2022. If signed by the governor, the bill would take effect on July 1, 2023, though the task force created by the bill will be required to begin work sooner.
The bill closely resembles the Colorado Privacy Act, with a few notable additions. Like the Colorado Privacy Act, the bill adopts “controller” and “processor” terminology, provides consumers with rights to access, correct, delete, obtain a copy, and opt-out of certain types of processing of their personal data, and requires consent for certain activities.
Continue Reading Connecticut Legislature Passes Comprehensive Privacy Bill