Warning that “[t]here are no more excuses,” California Attorney General on August 24, announced the first public settlement under the California Consumer Privacy Act (CCPA). The settlement order, which the court approved on the same day, requires beauty-product retailer Sephora, Inc., to pay a $1.2 million civil penalty to resolve allegations that the company
With the clock now running on the comment period for the California Privacy Protection Agency’s (CPPA) Draft Regulations to implement the CPRA – comments are due on August 23 – one of the items on many businesses’ CPRA preparation to-do lists is to address new (and the expansion of existing) consumer rights. The Draft Regulations published by the CPPA lay out how the CPPA is likely to define these obligations. This post takes a deeper look at what’s in the CPPA’s proposal – as well as what’s missing.
A couple of overarching points are worth keeping in mind. First, implementing the CPRA’s consumer rights provides an occasion to review and update data maps so that they accurately capture how personal information flows both through their organizations and to service providers, contractors, and/or third parties. Second, preparing for CPRA consumer requests should go hand-in-hand with reviewing the systems and procedures that are in place to honor consumers’ requests.
Continue Reading Preparing for Expanded Consumer Rights Requests Under the CPRA
Among the many details to absorb in the draft amendments to the CCPA regulations published by the California Privacy Protection Agency (“CPPA”) on May 27 (the “Draft Regulations”) are new and prescriptive disclosure requirements for notices at collection and privacy policies. While these disclosure provisions (and all of the other provisions of the Draft Regulations)…
The spotlights of the consumer privacy world are once again on California after the new California Privacy Protection Agency made a surprise Friday night release of its draft California Privacy Rights Act (CPRA) regulations on May 27, 2002.
The increasing number of states enacting privacy laws means more privacy litigation. On this webinar, partners Lauri Mazzuchetti and Becca Wahlquist highlighted emerging trends across the docket of privacy litigation cases, provided an update on key cases involving consumer…
The replay for our April 28, 2022 Privacy Priorities for 2022: Tracking State Law Developments webinar is available here.
In the absence of a federal privacy law, privacy has been at the forefront of many states’ legislative sessions this year. Against this backdrop, state attorneys general continue to initiate investigations into companies’ privacy practices,…
In the first formal written opinion interpreting CCPA compliance obligations, California Attorney General Rob Bonta concludes that the CCPA grants consumers the right to know and access internally generated inferences that businesses generate about them, but that the CCPA does not require businesses to disclose trade secrets.
The 15-page opinion, issued on March 10, responds to a question posed by Sacramento area Assemblyman Kevin Kiley (R): “Under the California Consumer Privacy Act, does a consumer’s right to know the specific pieces of personal information that a business has collected about that consumer apply to internally generated inferences the business holds about the consumer from either internal or external information sources?”
OAG’s response, in a nutshell, is “yes.” Giving consumers access to inferences is important, according to OAG, because “inferences are one of the key mechanisms by which information becomes valuable to businesses, making it possible to target advertising and solicitations, and to find markets for goods and services.” OAG further notes that nothing in the Consumer Privacy Rights Act (CPRA) changes its analysis. The opinion also suggests that the OAG will refer to the CCPA’s broad purposes, such as giving “consumers greater control over the privacy of their personal information,” to support its interpretations.
Continue Reading California AG’s First CCPA Opinion Takes a Broad View of the Right to Access Inferences
You’ve probably seen a lot of privacy forecasts for 2022 during the past few weeks. Here’s one that reflects the collective thoughts of our diverse privacy team, which includes former high level officials from the FTC and State AG offices, and practitioners who have been advising clients about privacy for over 30 years.
The California Office of the Attorney General has published a list of recent CCPA enforcement examples on its website. Each example summarizes the AG’s allegation of noncompliance and the steps that the companies took to cure the alleged noncompliance.
Under CCPA, companies have 30 days to cure noncompliance after which the California AG may initiate a civil action for civil penalties not to exceed $2,500 for each violation or $7,500 for each intentional violation. In each example made public by the California AG, the AG stated that the target of the enforcement action cured the violation and the California AG did not assess penalties. In January 2023, however, the right to cure will sunset when the CPRA takes effect.…
The Colorado Legislature recently passed the Colorado Privacy Act (“ColoPA”), joining Virginia and California as states with comprehensive privacy legislation. Colorado Governor Jared Polis signed the bill (SB 21-190) into law on July 7, and ColoPA will go into effect on July 1, 2023.
How does the measure stack up against the VCDPA and the CCPA (as amended by CPRA)? The good news is that, in broad terms, ColoPA generally does not impose significant new requirements that aren’t addressed under the CCPA or VCDPA, but there are a few distinctions to note..
Continue Reading Privacy Law Update: Colorado Privacy Bill Becomes Law: How Does it Stack Up Against California and Virginia?