Privacy and Information Security

Among the many details to absorb in the draft amendments to the CCPA regulations published by the California Privacy Protection Agency (“CPPA”) on May 27 (the “Draft Regulations”) are new and prescriptive disclosure requirements for notices at collection and privacy policies. While these disclosure provisions (and all of the other provisions of the Draft Regulations)

Even as states continue to pass comprehensive privacy laws, Attorneys General remain active enforcing their data breach laws and utilizing their deceptive trade practice authority in the privacy space.  Just last week, 46 State AGs signed on to a settlement, which took the form of an Assurance of Voluntary Compliance, with international cruise corporation Carnival

For those not following every detail regarding the progress of the “three corners” federal privacy bill, here’s a summary of where things stand.

In brief, on June 23, the House E&C Consumer Protection Subcommittee held a markup during which it considered a substitute version of the bill (HR 8152), approved it by voice

As discussed in State Attorneys General 101, State Attorneys General are the primary enforcers of consumer protection laws within their state and hold sweeping powers to protect the public they serve by launching investigations and litigation alone or in multi-state actions involving numerous states and territories across the country.

On June 14, the House E&C Subcommittee on Consumer Protection and Commerce held a hearing to consider issues and concerns raised by the “three corners” privacy “discussion draft” released to the public June 3. As we blogged last week, the American Data Privacy and Protection Act (ADPPA) is an historic bipartisan compromise among three key committee leaders in the House and Senate (Sen. Wicker and Reps. Pallone and McMorris Rodgers). So far, it lacks the backing of the fourth, Senator Cantwell.

The hearing came together quickly, reflecting the limited time and challenges in this election year to pass a bill of this significance. The 3+ hour event showcased myriad issues and concerns that the witnesses and other stakeholders have raised with respect to the draft. Still, Subcommittee leaders pledged to keep working on the bill and expressed optimism that they might be able to pass comprehensive federal privacy legislation this year. As of this writing, we understand that there will be subcommittee markup next Thursday and a full-committee markup sometime after the July 4th recess.
Continue Reading Readout on House Privacy Hearing: Wide Attendance, Lots of Issues, Full Steam Ahead

The spotlights of the consumer privacy world are once again on California after the new California Privacy Protection Agency made a surprise Friday night release of its draft California Privacy Rights Act (CPRA) regulations on May 27, 2002.

In this webinar in association with Mondaq, Robert Cunningham and Rod Ghaemmaghami provided observations on the

On Wednesday, June 8, the California Privacy Protection Agency (CPPA) Board voted 4-0 (with one member absent) to initiate the CPRA rulemaking process based on the draft regulations released on May 27th prior to the Memorial Day holiday.  (To learn more, please see New California Draft Privacy Regulations: How They Would Change Business Obligations

On Friday June 3, a bipartisan group of leaders from key House and Senate committees released a new  “discussion draft” bill to establish nationwide standards for consumer privacy. The proposal (the American Data Privacy and Protection Act) builds on prior bills put forth by both Democrats and Republicans, as well as principles and provisions contained in the GDPR and State privacy laws. Of significance, the bill reflects bipartisan compromise on two thorny issues that have divided the parties for years – whether to preempt state privacy laws and/or include a private right of action. While the bill has been hailed as a “breakthrough,” the prospects for passage are uncertain, particularly in this busy election year.

Why is this bill significant? 

As most of our readers know, the US has no overarching federal privacy law – only sector-specific laws such as GLBA and COPPA. This patchy, confusing scheme has become even more complex with passage of the GDPR (which applies to US multinational companies) and five comprehensive State laws. While many federal bills have come and gone over the years, none reflect the high-level bipartisan compromise evident here – both on longstanding privacy concepts (notice, choice, access, security) as well as more specific concerns about discrimination, algorithms, platforms, data brokers, targeted ads, and corporate accountability. If passed, the bill would apply to virtually all companies doing business in the US.

Why is this happening now?

While many observers wish a bipartisan bill had been proposed earlier, the forces driving this bill forward have never been stronger. Passage of State laws is accelerating, the EU is exerting greater influence over privacy worldwide, and the FTC is planning to launch wide-ranging privacy rulemakings. In addition, Senator Wicker, one of the bill’s authors and a longtime leader on privacy, may soon vacate his slot as Commerce’s top Republican, motivating him to cement his legacy now. To cap it all off, while election year is indeed a difficult year to pass a bill like this, it’s also creating pressure to make one last effort on privacy.
Continue Reading New Bipartisan Federal Privacy Bill – Breakthrough, Too Late, or Both?

We like to occasionally use this space to let you know about upcoming events that you may not have heard about:

June 8

State Attorneys General 101
Please join Kelley Drye State Attorneys General practice Co-Chair Paul Singer, Senior Associate Beth Chun and Abby Stempson, Director of the Center for Consumer Protection, National

On Friday May 27, 2022, the California Privacy Protection Agency (CPPA) Board announced its next public meeting will be on June 8, 2022. The announcement simply stated the date of the meeting, that there are “some discussion items [that] will be relevant to the Agency’s rulemaking work,” and that information on how to attend the meeting and the meeting agenda could be found on the CPPA’s site. It did not take too many Internet sleuths to review the posted agenda, and note that Agenda Item No. 3 was “Discussion and Possible Action Regarding Proposed Regulations, Sections 7000–7304, to Implement, Interpret, and Make Specific the California Consumer Privacy Act of 2018, as Amended by the California Privacy Rights Act of 2020, Including Possible Notice of Proposed Action,” and that the posted meeting materials included a copy of the “Draft Proposed CCPA Regulations.” In addition, Agenda Item No. 4 provides for “Delegation of Authority to the Executive Director for Rulemaking Functions.” Full stop, June will be an active month for California privacy rulemaking.

But let’s unpack the surprises in the draft regulations. The 66-page draft proposed CCPA regulations (and they are referred to within the document as CCPA regulations) take a prescriptive approach to privacy obligations. In concept, that is not too surprising. Of concern, in some areas, they uniquely depart from approaches set forth by other state privacy laws. The quiet release of dramatic new obligations while bipartisan Senators reportedly may be reaching consensus on federal privacy legislation that could  preempt state law obligations puts companies doing business in California in a difficult position. Do they scramble to operationalize new programs to comply with the CPPA’s new requirements, if finalized? Do they wait on Congress? Do they choose a third path? For now, while these draft rules are certain to change in some respects before they are finalized, they directionally outline a new privacy baseline for the United States. We highlight certain aspects of the draft rules below, with a particular focus on accountability and risk exposure, how data can be shared with other businesses for digital advertising or other functions, and what those business agreements must include to lawfully support such business relationships and comply with the amended CCPA.
Continue Reading New California Draft Privacy Regulations: How They Would Change Business Obligations and Enforcement Risk