United States

Voters in California approved Proposition 24, which updates the California Consumer Privacy Act (“CCPA”) just a few months after the landmark regulations implementing the privacy law went into effect.  As we have previously explained, the California Privacy Rights Act (“CPRA”) will change the existing CCPA requirements in a number of ways, including limiting the sharing of personal information for cross-context behavioral advertising and the use of “sensitive” personal information, as well as creating a new correction right.  It also establishes a new agency to enforce California privacy law.  The key provisions of the bill will not go into effect until January 1, 2023, providing much-needed time to clarify the details and for businesses to adjust their CCPA compliance approaches to account for the additional requirements.

Continue Reading Californians Approve Ballot Initiative Modifying the California Consumer Privacy Act

On our fourth episode of our Inside Privacy Audiocast, we are aiming our looking glass at the California Privacy Rights Act, and are joined by guest speaker Jacob Snow, Technology and Civil Liberties Attorney with the American Civil Liberties Union of Northern California.

In September 2019, Alastair Mactaggart, Board Chair and Founder of Californians for

The California legislature has approved a contingency plan to ensure that certain California Consumer Privacy Act (“CCPA”) exemptions will be extended beyond December 2020.  Regardless of what happens with the November ballot initiative, businesses will have at least another year before they must comply with all of the CCPA’s provisions when collecting or using certain

On May 5th, 2020, the California Assembly Committee on Privacy and Consumer Protection held a hearing and considered AB 2811, a bill that would amend existing California law governing automatic renewals.  As currently drafted, AB 2811 would:

  • require businesses to provide 3-7 days’ notice explaining how to cancel an automatic renewal offer or continuous service offer if the consumer accepted (1) a free gift or trial that lasts for a predetermined period of time as part of an automatic renewal or continuous service offer, or (2) the consumer accepted an automatic renewal or continuous service offer at a discounted price, and the applicability of that price was limited to a predetermined amount of time; and
  • require businesses that permit consumers to accept automatic renewal or continuous service offers online to immediately terminate that service online.


Continue Reading AB 2811: The Future of Automatic Renewals in California

 On May 4th, 2020, Californians for Consumer Privacy confirmed that they had submitted hundreds of thousands more signatures than required to qualify for a ballot initiative. It is still yet unknown whether the Attorney General will qualify the ballot for the November 2020 election, let alone whether it would pass. If the initiative passes, it will be noteworthy for a number of reasons.
Continue Reading CCPA 2.0 And Where We Go From Here

In the latest development in the CCPA saga, the California Attorney General has further modified the draft regulations implementing the California Consumer Privacy Act (“CCPA”). His office’s website posted clean and redlined versions of the new regulations (the “March draft regulations”). Below, please find a summary of some of the most notable changes:
Continue Reading California AG Releases Draft CCPA Regulations: Round 3

While some state legislators are still putting away their holiday decorations, New Hampshire legislators introduced new data privacy legislation, New Hampshire House Bill 1680.  The legislation is similar to the California Consumer Privacy Act (which we’ve written extensively about before, including here and here).  It grants consumers access, portability, transparency, non-discrimination, deletion, and opt-out-of-sale rights (or opt-into-sale rights for minor consumers) with respect to their personal information.

Notably, NH HB 1680 does not reflect several of the amendments which partially mitigated the constitutional and operational concerns raised by the CCPA.  For example, it regulates as personal information all information  “capable” of being associated with a consumer or household, whereas California’s definition is now tied to information “reasonably capable” of being associated with a consumer or household.  The NH legislation retains limitations on the scope of publicly available information that is excluded from the definition of personal information.  By way of other examples, NH HB 1680 does not provide exceptions for employment or business-to-business related data.
Continue Reading State Legislatures Are Off to the Privacy Races, With New Hampshire in the Lead

On December 18, 2019, staffers on the House Energy and Commerce Committee circulated a draft of a bipartisan privacy bill.  The draft is currently unnamed and unfinished, but it lays out a comprehensive framework that expands both individuals’ rights to their data and the FTC’s enforcement role over digital privacy.  Rep. Cathy McMorris-Rodgers (R-Wash.) and Rep. Jan Schakowsky (D-Ill.) have been particularly involved in working on the bill.

“We welcome input from all interested stakeholders and look forward to working with them going forward,” an Energy and Commerce spokesperson told The Hill.  “This draft seeks to protect consumers while also giving data collectors clear rules of the road.  It reflects many months of hard work and close collaboration between Democratic and Republican Committee staff.”

The draft bill echoes many of the provisions in the Consumer Online Privacy Rights Act (COPRA) introduced last month by Democratic senators.  However, unlike COPRA, the bill is silent on two notable issues: whether individuals have a private right of action to assert violations and whether the bill would preempt state laws. 
Continue Reading House Energy and Commerce Committee Circulates Draft Privacy Bill Expanding FTC Authority

The Virginia Supreme Court held that license plate images taken by law enforcement agencies constitute “personal information,” reviving a challenge to the police storage of license plate data.

Automatic license plate readers (“ALPRs”) are used by police departments across the country to take thousands of photos of license plates per hour.  Officers check these numbers against lists of stolen or wanted vehicles.  Because ALPRs also record the date, time and location of the license plate image, groups such as the American Civil Liberties Union have argued that this collection is an invasion of privacy that allows police to track a person’s movements.

The Virginia Supreme Court’s ruling marks a significant development in a case challenging the mass collection of license plate images and location data by ALPRs.  In 2015, the ACLU sued the Fairfax County Police Department (“FCPD”) on behalf of Harrison Neal, a motorist whose license plate had been captured twice and stored pursuant to a FCPD policy for one year.  Neal alleged that FCPD’s collection and storage of ALPR data violates Virginia’s Data Act, a statute designed to prevent the unnecessary collection and storage of personal information by government agencies.  However, the circuit court rejected Neal’s claim.  The court ruled that a license plate number is not “personal information” under the Data Act because the number refers to a vehicle rather than an individual.
Continue Reading Virginia Supreme Court Holds that Police License Plate Readers Collect Personal Information

Last week, the U.S. Department of Justice (“DOJ”) released a voluntary framework for organizations to use in the development of a formal program to receive reports of network, software, and system vulnerabilities, and to disclose vulnerabilities identified in other organizations’ environments.  This framework provides private entities a series of steps to establish a formal program