Alysa Z. Hutnik

Just two months before the effective date (January 1, 2023) of the California Privacy Rights Act (“CPRA”), the California Privacy Protection Agency (“CPPA”) Board met on October 28 and 29 to discuss revisions to the agency’s initial draft CPRA regulations.  Board members discussed a range of proposed changes that could significantly impact businesses but also reserved discussion on important topics, such as employee and business-to-business data, for future proceedings.

This post provides further details about the rulemaking process, as well as takeaways from the Board’s discussion of key substantive topics, such as restrictions on the collection of personal information and opt-out preference signals.  The Board directed CPPA staff to consider and include specific modifications, as discussed below; and on November 3, the CPPA released a further revision of its proposed rules for a 15-day public comment period (the “November 3 Draft Regulations”).  The deadline to submit comments is 8:00 am on Monday, November 21.
Continue Reading CPRA Rule Revisions Unlikely to be Finalized in 2022

Most people would generally agree that discriminating on the basis of race, color, religion, disability, or similar factors is a bad thing to do – indeed, that it’s “unfair” within the common meaning of the word.  It’s also illegal in various circumstances – e.g., the Equal Credit Opportunity Act prohibits certain forms of discrimination in

No, we’re not talking about sinister sewing guides, but rather practices or formats that may manipulate or mislead consumers into taking actions they would not otherwise take.

We untangled the topic of so-called “dark patterns” in two in-depth blogs earlier this year, available here and here. At that time, we noted there was a

Warning that “[t]here are no more excuses,” the California Attorney General on August 24 announced the first public settlement under the California Consumer Privacy Act (CCPA). The settlement order, which the court approved on the same day, requires beauty-product retailer Sephora, Inc., to pay a $1.2 million civil penalty to resolve allegations that the company

On August 11, the FTC finally launched its “commercial surveillance and data security” rulemaking after many months of hype and speculation about the FTC’s ability to address consumer privacy through its “Mag-Moss” rulemaking authority. It did so by releasing (by 3/2 vote) an Advance Notice of Proposed Rulemaking (ANPR) – the first step in a Mag-Moss rulemaking – and holding a press conference featuring Chair Khan, Commissioners Slaughter and Bedoya, and senior FTC staff.

People familiar with the many hurdles in Mag-Moss were watching to see whether the ANPR would be broad and far-reaching (thus guaranteeing a lengthy, complex process) or more narrowly tailored. The answer? The ANPR is remarkably sweeping in scope – covering virtually every form of data collection across the economy, posing 95 questions about factual and legal issues of all kinds, and raising issues that reach beyond the FTC’s legal authority. Indeed, in reading the ANPR, we couldn’t help but wonder whether this is a serious effort to develop a rule or simply a show of activity to address over-hyped expectations. (See more on this topic below.)

Not surprisingly, Commissioners Phillips and Wilson issued strong dissents. Among other things, they raised concerns about agency overreach and the potential to derail the bipartisan privacy bill currently pending in Congress (the ADPPA). Here are more details and takeaways from the FTC’s announcement:
Continue Reading The FTC’s Privacy Rulemaking: Broad and Far-Reaching, but Unlikely to Lead to a Rule Anytime Soon

On August 4, 2022, the Consumer Financial Protection Bureau (“CFPB”) issued a report entitled, “The Convergence of Payments and Commerce: Implications for Consumers,” in which it examines the challenges and risks to consumers inherent in the rapidly evolving payment ecosystem and emergence of product offerings that blur the traditional lines of banking and commerce.

The

On Wednesday, June 8, the California Privacy Protection Agency (CPPA) Board voted 4-0 (with one member absent) to initiate the CPRA rulemaking process based on the draft regulations released on May 27th prior to the Memorial Day holiday.  (To learn more, please see New California Draft Privacy Regulations: How They Would Change Business Obligations

On Friday May 27, 2022, the California Privacy Protection Agency (CPPA) Board announced its next public meeting will be on June 8, 2022. The announcement simply stated the date of the meeting, that there are “some discussion items [that] will be relevant to the Agency’s rulemaking work,” and that information on how to attend the meeting and the meeting agenda could be found on the CPPA’s site. It did not take too many Internet sleuths to review the posted agenda, and note that Agenda Item No. 3 was “Discussion and Possible Action Regarding Proposed Regulations, Sections 7000–7304, to Implement, Interpret, and Make Specific the California Consumer Privacy Act of 2018, as Amended by the California Privacy Rights Act of 2020, Including Possible Notice of Proposed Action,” and that the posted meeting materials included a copy of the “Draft Proposed CCPA Regulations.” In addition, Agenda Item No. 4 provides for “Delegation of Authority to the Executive Director for Rulemaking Functions.” Full stop, June will be an active month for California privacy rulemaking.

But let’s unpack the surprises in the draft regulations. The 66-page draft proposed CCPA regulations (and they are referred to within the document as CCPA regulations) take a prescriptive approach to privacy obligations. In concept, that is not too surprising. Of concern, in some areas, they uniquely depart from approaches set forth by other state privacy laws. The quiet release of dramatic new obligations while bipartisan Senators reportedly may be reaching consensus on federal privacy legislation that could  preempt state law obligations puts companies doing business in California in a difficult position. Do they scramble to operationalize new programs to comply with the CPPA’s new requirements, if finalized? Do they wait on Congress? Do they choose a third path? For now, while these draft rules are certain to change in some respects before they are finalized, they directionally outline a new privacy baseline for the United States. We highlight certain aspects of the draft rules below, with a particular focus on accountability and risk exposure, how data can be shared with other businesses for digital advertising or other functions, and what those business agreements must include to lawfully support such business relationships and comply with the amended CCPA.
Continue Reading New California Draft Privacy Regulations: How They Would Change Business Obligations and Enforcement Risk

On Tuesday, Connecticut became the fifth state to pass comprehensive privacy legislation when Governor Ned Lamont signed “An Act Concerning Personal Data Privacy and Online Monitoring” into law.  Connecticut joins California, Virginia, Colorado, and Utah in enacting new privacy laws that take effect in 2023. Out of fifty states in the U.S., ten percent have now passed a comprehensive privacy law.

Effective July 1, 2023, the Connecticut law adopts a general framework of definitions, consumer rights, and compliance obligations based on concepts of data controller and data processor from the EU’s General Data Protection Regulation (GDPR), and the right to opt out of the “sale” of personal data as first articulated in the California Consumer Privacy Act (CCPA).  Overall, the Connecticut law mirrors Colorado’s privacy law but then borrows select concepts from the California, Virginia, and Utah laws.  The result is a hybrid of the pre-existing state laws, but not a law that introduces significant contradictions or unique compliance challenges.
Continue Reading Ten Percent and Rising: Connecticut Becomes Fifth U.S. State to Enact Privacy Law

ICYMI: Momentum Continues with the Colorado Privacy Act

Last week, the Attorney General Alliance hosted a seminar to address the Colorado Privacy Act (CPA)—what it does and how to prepare for its July 1, 2023 effective date. The seminar featured a discussion with the bill’s sponsors, legal experts, practitioners, and the Attorneys General for Colorado and Wyoming. As the third state to enact