How To Protect Employee/HR Data and Comply with Data Privacy Laws
Wednesday, July 20

As workforces become increasingly mobile and remote work is more the norm, employers face the challenge of balancing the protection of their employees’ personal data and privacy against the need to collect and process personal data to recruit, support and monitor

With the clock now running on the comment period for the California Privacy Protection Agency’s (CPPA) Draft Regulations to implement the CPRA – comments are due on August 23 – one of the items on many businesses’ CPRA preparation to-do lists is to address new (and the expansion of existing) consumer rights. The Draft Regulations published by the CPPA lay out how the CPPA is likely to define these obligations. This post takes a deeper look at what’s in the CPPA’s proposal – as well as what’s missing.

A couple of overarching points are worth keeping in mind.  First, implementing the CPRA’s consumer rights provides an occasion to review and update data maps so that they accurately capture how personal information flows both through their organizations and to service providers, contractors, and/or third parties.  Second, preparing for CPRA consumer requests should go hand-in-hand with reviewing the systems and procedures that are in place to honor consumers’ requests.
Continue Reading Preparing for Expanded Consumer Rights Requests Under the CPRA

As discussed in State Attorneys General 101, State Attorneys General are the primary enforcers of consumer protection laws within their state and hold sweeping powers to protect the public they serve by launching investigations and litigation alone or in multi-state actions involving numerous states and territories across the country.

The spotlights of the consumer privacy world are once again on California after the new California Privacy Protection Agency made a surprise Friday night release of its draft California Privacy Rights Act (CPRA) regulations on May 27, 2002.

In this webinar in association with Mondaq, Robert Cunningham and Rod Ghaemmaghami provided observations on the

On Wednesday, June 8, the California Privacy Protection Agency (CPPA) Board voted 4-0 (with one member absent) to initiate the CPRA rulemaking process based on the draft regulations released on May 27th prior to the Memorial Day holiday.  (To learn more, please see New California Draft Privacy Regulations: How They Would Change Business Obligations

On Friday June 3, a bipartisan group of leaders from key House and Senate committees released a new  “discussion draft” bill to establish nationwide standards for consumer privacy. The proposal (the American Data Privacy and Protection Act) builds on prior bills put forth by both Democrats and Republicans, as well as principles and provisions contained in the GDPR and State privacy laws. Of significance, the bill reflects bipartisan compromise on two thorny issues that have divided the parties for years – whether to preempt state privacy laws and/or include a private right of action. While the bill has been hailed as a “breakthrough,” the prospects for passage are uncertain, particularly in this busy election year.

Why is this bill significant? 

As most of our readers know, the US has no overarching federal privacy law – only sector-specific laws such as GLBA and COPPA. This patchy, confusing scheme has become even more complex with passage of the GDPR (which applies to US multinational companies) and five comprehensive State laws. While many federal bills have come and gone over the years, none reflect the high-level bipartisan compromise evident here – both on longstanding privacy concepts (notice, choice, access, security) as well as more specific concerns about discrimination, algorithms, platforms, data brokers, targeted ads, and corporate accountability. If passed, the bill would apply to virtually all companies doing business in the US.

Why is this happening now?

While many observers wish a bipartisan bill had been proposed earlier, the forces driving this bill forward have never been stronger. Passage of State laws is accelerating, the EU is exerting greater influence over privacy worldwide, and the FTC is planning to launch wide-ranging privacy rulemakings. In addition, Senator Wicker, one of the bill’s authors and a longtime leader on privacy, may soon vacate his slot as Commerce’s top Republican, motivating him to cement his legacy now. To cap it all off, while election year is indeed a difficult year to pass a bill like this, it’s also creating pressure to make one last effort on privacy.
Continue Reading New Bipartisan Federal Privacy Bill – Breakthrough, Too Late, or Both?

We like to occasionally use this space to let you know about upcoming events that you may not have heard about:

June 8

State Attorneys General 101
Please join Kelley Drye State Attorneys General practice Co-Chair Paul Singer, Senior Associate Beth Chun and Abby Stempson, Director of the Center for Consumer Protection, National

On Friday May 27, 2022, the California Privacy Protection Agency (CPPA) Board announced its next public meeting will be on June 8, 2022. The announcement simply stated the date of the meeting, that there are “some discussion items [that] will be relevant to the Agency’s rulemaking work,” and that information on how to attend the meeting and the meeting agenda could be found on the CPPA’s site. It did not take too many Internet sleuths to review the posted agenda, and note that Agenda Item No. 3 was “Discussion and Possible Action Regarding Proposed Regulations, Sections 7000–7304, to Implement, Interpret, and Make Specific the California Consumer Privacy Act of 2018, as Amended by the California Privacy Rights Act of 2020, Including Possible Notice of Proposed Action,” and that the posted meeting materials included a copy of the “Draft Proposed CCPA Regulations.” In addition, Agenda Item No. 4 provides for “Delegation of Authority to the Executive Director for Rulemaking Functions.” Full stop, June will be an active month for California privacy rulemaking.

But let’s unpack the surprises in the draft regulations. The 66-page draft proposed CCPA regulations (and they are referred to within the document as CCPA regulations) take a prescriptive approach to privacy obligations. In concept, that is not too surprising. Of concern, in some areas, they uniquely depart from approaches set forth by other state privacy laws. The quiet release of dramatic new obligations while bipartisan Senators reportedly may be reaching consensus on federal privacy legislation that could  preempt state law obligations puts companies doing business in California in a difficult position. Do they scramble to operationalize new programs to comply with the CPPA’s new requirements, if finalized? Do they wait on Congress? Do they choose a third path? For now, while these draft rules are certain to change in some respects before they are finalized, they directionally outline a new privacy baseline for the United States. We highlight certain aspects of the draft rules below, with a particular focus on accountability and risk exposure, how data can be shared with other businesses for digital advertising or other functions, and what those business agreements must include to lawfully support such business relationships and comply with the amended CCPA.
Continue Reading New California Draft Privacy Regulations: How They Would Change Business Obligations and Enforcement Risk

The replay for our May 19, 2022 Teen Privacy Law Update webinar is available here.

Protecting the privacy and safety of kids and teens online is receiving enormous attention lately from Congress, the States, the FTC, and even the White House.  Further, just last month, BBB National Programs unveiled a Teenage Privacy Program Roadmap

There’s a “request for investigation” pending at the FTC that some of our readers might have missed.  The April 12 complaint, filed by Georgetown Law professor Laura Moy on behalf of the Council on American-Islamic Relations, urges the FTC to conduct a wide-ranging investigation of the location data industry.

The complaint focuses in particular on alleged abuses harming the Muslim community, including the government’s purchase of location data from popular Muslim prayer apps to conduct “warrantless surveillance” on Muslim individuals.  According to the complaint, these practices have led to a “sense of constant surveillance” that has chilled Muslims’ practice of religion, freedom of assembly, and use of technology to communicate. The allegations have broader implications, too, as they describe the “unfettered” and “surreptitious” data collection across many contexts by multiple industry actors, including the operating systems, app and SDK developers, data brokers, and participants in digital advertising’s real time bidding (RTB) process.

As I write this blogpost, the complaint does not appear to have been posted on the FTC’s website.  Although the FTC seeks public comment on petitions for rulemaking, this complaint may not fall within that process since it chiefly seeks investigations, citing rulemaking as a “longer term” goal.  (Of course, stakeholders may want to consider providing input to the FTC anyway to assist in its consideration of the issues.)       
Continue Reading Complaint Urges FTC to Investigate the Location Data Industry