Colorado is poised to join the growing number of states enacting a comprehensive privacy law. On Monday, June 7, both houses of the legislature passed the Colorado Privacy Act. The bill will now be sent to the Governor for approval.
Continue Reading Colorado Legislature Passes Comprehensive Consumer Privacy Bill
State Legislatures
Florida Legislature Considering Comprehensive Privacy Law
Florida may be next state to join the growing number of states with a consumer privacy law, as both chambers of Florida’s legislature are currently considering comprehensive state privacy legislation. Both HB 969 and SB 1734 resemble the California Consumer Privacy Act (“CCPA”), though they contain some notable differences. Florida Governor Ron DeSantis expressed support of these measures, stating that these proposals “finally check these companies’ unfettered ability to profit off our data and ensure the protection of Floridians’ personal and private information.”
Continue Reading Florida Legislature Considering Comprehensive Privacy Law
Virginia Enacts Comprehensive Privacy Law
On March 2, Virginia Governor Ralph Northam signed into law the Virginia Consumer Data Protection Act (VCDPA), becoming the second U.S. state to enact a comprehensive privacy law (Nevada has enacted an online privacy law, albeit with a narrower scope). As we have previously explained, the VCDPA follows the framework established by the Washington Privacy Act. We recently compared Virginia’s law against other key state privacy frameworks.
Continue Reading Virginia Enacts Comprehensive Privacy Law
Virginia Legislature Passes Comprehensive Privacy Law: The Virginia Consumer Data Protection Act
The Virginia Consumer Data Protection Act (HB 2307 / SB 1392), introduced in the House of Delegates on January 20, passed both houses of Virginia’s state legislature on February 5 with large bipartisan majorities. This comprehensive privacy bill, which would take effect on January 1, 2023, follows a similar framework as the current version of the Washington Privacy Act (“WPA”), though it differs from the WPA in important respects. We have included a high level summary of some of the bill’s provisions below.
The passage of nearly identical legislation by both chambers of the Virginia legislature positions the Virginia Consumer Data Protection Act to become the nation’s next comprehensive state privacy law. Lawmakers must reconcile the two bills before the end of the session on February 27, and, assuming a reconciled bill passes in both houses, it will be sent to Gov. Ralph Northam to sign into law or veto. If Gov. Northam takes no action, the reconciled bill would become law within seven days or, if there are fewer than seven days remaining in the General Assembly session, or if the General Assembly has adjourned, within thirty days.
Continue Reading Virginia Legislature Passes Comprehensive Privacy Law: The Virginia Consumer Data Protection Act
Washington State Hearing on Latest Privacy Bill Highlights Competing Interests For Best Practices and Data Minimization
Washington State Hearing on Latest Privacy Bill Highlights Competing Interests For Best Practices and Data Minimization
On January 14, 2020, Washington’s State Senate Committee on Environment, Energy & Technology received public testimony about Senate Bill 5062, the “Washington Privacy Act.” Representatives from trade associations, the Attorney General’s Office, and civil rights groups offered recommendations to eliminate perceived loopholes and clarify bill provisions.
This post highlights recurring issues from the public hearing.
Continue Reading Washington State Hearing on Latest Privacy Bill Highlights Competing Interests For Best Practices and Data Minimization
Four Key Cyber Takeaways from The CPRA
Last year, Californians passed proposition 24, also known as the California Privacy Rights Act (“CPRA”). That law makes several changes to the California Consumer Privacy Act (“CCPA”), including some that relate to an organization’s cybersecurity practices.
Continue Reading Four Key Cyber Takeaways from The CPRA
California Attorney General Releases Fourth Set of Proposed Modifications to California Consumer Privacy Act Regulations
Yesterday, the California Attorney General (“AG”) proposed a fourth set of modifications to the California Consumer Privacy Act regulations. These modifications build on the third set of proposed regulations released by the AG in October, which we discussed here. Interested parties have until December 28 to submit comments in response.
Continue Reading California Attorney General Releases Fourth Set of Proposed Modifications to California Consumer Privacy Act Regulations
Californians Approve Ballot Initiative Modifying the California Consumer Privacy Act
Voters in California approved Proposition 24, which updates the California Consumer Privacy Act (“CCPA”) just a few months after the landmark regulations implementing the privacy law went into effect. As we have previously explained, the California Privacy Rights Act (“CPRA”) will change the existing CCPA requirements in a number of ways, including limiting the sharing of personal information for cross-context behavioral advertising and the use of “sensitive” personal information, as well as creating a new correction right. It also establishes a new agency to enforce California privacy law. The key provisions of the bill will not go into effect until January 1, 2023, providing much-needed time to clarify the details and for businesses to adjust their CCPA compliance approaches to account for the additional requirements.
Continue Reading Californians Approve Ballot Initiative Modifying the California Consumer Privacy Act
California Attorney General Releases New Proposed Modifications to California Consumer Privacy Act Regulations
On Monday, the California Attorney General (“AG”) proposed a third set of modifications to the recently enacted California Consumer Privacy Act (“CCPA”) regulations. Interested parties have until October 28 to file comments in response.
These proposed modifications are the latest effort in an extensive rulemaking process that has lasted more than a year. Most recently, on August 14, the California Office of Administrative Law (“OAL”) formally approved the AG’s initial set of CCPA regulations, which went into effect immediately. In approving the regulations, the OAL deleted five provisions that had been included in the version the AG submitted in June, but indicated that the AG could revise and resubmit those subsections for approval in the future. The latest modifications are largely focused on reviving several of these last-minute removals.
Continue Reading California Attorney General Releases New Proposed Modifications to California Consumer Privacy Act Regulations
California Legislature Advances Privacy Legislation
Today, the California Senate Judiciary Committee will consider AB 1281, which would extend the California Consumer Privacy Act’s (CCPA) business-to-business and employment exemptions until January 1, 2022, in the event that the pending ballot initiative—which also would extend the exemptions—does not pass this November.
In addition, the Committee will consider two contact tracing measures, AB 660 (Levin) and AB 1782 (Chau). Both bills could impact private employer and business contact tracing efforts:
- AB 660 would prohibit use or disclosure of data collected for purposes of contact tracing for any other purposes. It generally would require deletion of such data within 60 days.
- AB 1782 would require businesses that offer “technology-assisted contact tracing” to satisfy certain requirements, including providing individuals with the opportunity to revoke consent to collection of their personal information and rights to access, correct, and delete personal information. It also requires covered businesses to provide consumers certain disclosures, except where research or other exceptions apply, to delete personal information within 60 days from the time of collection, to maintain security safeguards, and to make available public reporting of the number of individuals whose information has been collected, amongst other content.
Finally, we also are watching SB 980, which passed out of the Senate on June 25, 2020 and is now under consideration by the Assembly. SB 980 was scheduled for hearing before the Assembly’s Privacy and Consumer Protection Committee on July 28, although that hearing was postponed. If enacted, the bill would impose certain additional privacy obligations on direct-to-consumer genetic testing companies that go beyond the CCPA, including requiring:
Continue Reading California Legislature Advances Privacy Legislation