Alysa Z. Hutnik


On August 4, 2022, the Consumer Financial Protection Bureau (“CFPB”) issued a report entitled, “The Convergence of Payments and Commerce: Implications for Consumers,” in which it examines the challenges and risks to consumers inherent in the rapidly evolving payment ecosystem and emergence of product offerings that blur the traditional lines of banking and commerce.

The

On Wednesday, June 8, the California Privacy Protection Agency (CPPA) Board voted 4-0 (with one member absent) to initiate the CPRA rulemaking process based on the draft regulations released on May 27th prior to the Memorial Day holiday.  (To learn more, please see New California Draft Privacy Regulations: How They Would Change Business Obligations

On Friday May 27, 2022, the California Privacy Protection Agency (CPPA) Board announced its next public meeting will be on June 8, 2022. The announcement simply stated the date of the meeting, that there are “some discussion items [that] will be relevant to the Agency’s rulemaking work,” and that information on how to attend the meeting and the meeting agenda could be found on the CPPA’s site. It did not take too many Internet sleuths to review the posted agenda, and note that Agenda Item No. 3 was “Discussion and Possible Action Regarding Proposed Regulations, Sections 7000–7304, to Implement, Interpret, and Make Specific the California Consumer Privacy Act of 2018, as Amended by the California Privacy Rights Act of 2020, Including Possible Notice of Proposed Action,” and that the posted meeting materials included a copy of the “Draft Proposed CCPA Regulations.” In addition, Agenda Item No. 4 provides for “Delegation of Authority to the Executive Director for Rulemaking Functions.” Full stop, June will be an active month for California privacy rulemaking.

But let’s unpack the surprises in the draft regulations. The 66-page draft proposed CCPA regulations (and they are referred to within the document as CCPA regulations) take a prescriptive approach to privacy obligations. In concept, that is not too surprising. Of concern, in some areas, they uniquely depart from approaches set forth by other state privacy laws. The quiet release of dramatic new obligations while bipartisan Senators reportedly may be reaching consensus on federal privacy legislation that could  preempt state law obligations puts companies doing business in California in a difficult position. Do they scramble to operationalize new programs to comply with the CPPA’s new requirements, if finalized? Do they wait on Congress? Do they choose a third path? For now, while these draft rules are certain to change in some respects before they are finalized, they directionally outline a new privacy baseline for the United States. We highlight certain aspects of the draft rules below, with a particular focus on accountability and risk exposure, how data can be shared with other businesses for digital advertising or other functions, and what those business agreements must include to lawfully support such business relationships and comply with the amended CCPA.

On Tuesday, Connecticut became the fifth state to pass comprehensive privacy legislation when Governor Ned Lamont signed “An Act Concerning Personal Data Privacy and Online Monitoring” into law.  Connecticut joins California, Virginia, Colorado, and Utah in enacting new privacy laws that take effect in 2023. Out of fifty states in the U.S., ten percent have now passed a comprehensive privacy law.

Effective July 1, 2023, the Connecticut law adopts a general framework of definitions, consumer rights, and compliance obligations based on concepts of data controller and data processor from the EU’s General Data Protection Regulation (GDPR), and the right to opt out of the “sale” of personal data as first articulated in the California Consumer Privacy Act (CCPA).  Overall, the Connecticut law mirrors Colorado’s privacy law but then borrows select concepts from the California, Virginia, and Utah laws.  The result is a hybrid of the pre-existing state laws, but not a law that introduces significant contradictions or unique compliance challenges.

ICYMI: Momentum Continues with the Colorado Privacy Act

Last week, the Attorney General Alliance hosted a seminar to address the Colorado Privacy Act (CPA)—what it does and how to prepare for its July 1, 2023 effective date. The seminar featured a discussion with the bill’s sponsors, legal experts, practitioners, and the Attorneys General for Colorado and Wyoming. As the third state to enact

Targeted Advertising in the Crosshairs: New Bill Seeks to Ban Many Forms of Targeted Advertising

Background

On Tuesday, Congressional Democrats unveiled a new bill to outlaw a wide swath of targeted advertising.  The Banning Surveillance Advertising Act would prohibit ad tech companies from using consumers’ personal information to target ads, with limited exceptions. It also would prohibit advertisers from using third party data, or data about a person’s membership in a protected class, to target ads.  The bill would authorize the FTC, state attorneys general, and private litigants to enforce the law, and the FTC to write rules implementing it.

The effort, led by Senator Cory Booker (D-NJ) and Congresswomen Anna Eshoo (D-CA) and Jan Schakowsky (D-IL), arrives at a time of unprecedented regulatory developments impacting the ad tech industry – most notably, the enactment of new state privacy laws in California, Virginia, and Colorado with provisions regulating the industry. While these privacy laws have focused on giving consumers the opportunity to make choices about data sharing for purposes of targeted advertising, the Banning Surveillance Advertising Act would place blanket prohibitions on such advertising. As we describe here, the FTC has also announced that it is developing a rule targeting “surveillance-based business models,” though the contours of that rule are still unknown.

In a press release, Senator Booker explained his view that “surveillance advertising is a predatory and invasive practice.  The hoarding of people’s personal data not only abuses privacy, but also drives the spread of misinformation, domestic extremism, racial division, and violence.”  Echoing Booker, Rep. Eshoo said that the practice “fuels disinformation, discrimination, voter suppression, privacy abuses, and so many other harms.” Rep. Schakowsky, who chairs the House Energy and Commerce Consumer Protection Subcommittee, said the practice “exacerbates manipulation, discrimination, misinformation, and extremism.”

Given the dramatic changes that the bill would impose on the marketplace, it is not surprising that industry groups have already criticized it forcefully.  In a press release today, IAB stated that the bill would “disenfranchise businesses that advertise on the Internet, and hundreds of millions of Americans who use it every day to find exactly what they need, quickly,” and that it could “eliminate the commercial internet almost entirely.”

In guidance released last week, the New York State Office of the Attorney General urged businesses to incorporate safeguards to detect and prevent credential-stuffing attacks in their data security programs.  The guidance stemmed from the AG’s finding that 1.1 million customer accounts at “well-known” companies appeared to have been compromised in credential-stuffing attacks.

Credential stuffing

As we’ve all been following in the news, the House reconciliation bill to fund “human infrastructure” is still mired in negotiations, ever on the verge of either passing to monumental fanfare, or cratering in failure. Tucked away on page 671 of the 1684-page bill is a short provision that, despite scant attention, has the potential

In a much-anticipated announcement last week, the FTC amended the Gramm-Leach-Bliley Act (GLBA) Safeguards Rule, and proposed a further amendment requiring certain financial institutions to provide the FTC with notice in the event of certain security events.  Although these changes were announced after FTC Commissioner Chopra left the agency to lead the CFPB, he apparently voted prior to leaving to ensure 3/2 approval of the amendments in a Commission that remains divided.

What is GLBA Safeguards?

For nearly 20 years the Safeguards Rule has required financial institutions to develop, implement, and maintain comprehensive information security programs to protect their customers’ personal information.  Such programs must be appropriate to each entity’s “size and complexity, the nature and scope of [its] activities, and the sensitivity of the customer information at issue.” For a generation, the Rule’s requirements have influenced data security standards in other sectors, emphasizing a flexible, process-based approach.  The amended Rule replaces some of that flexibility with more specificity.

Last week, California’s Governor Gavin Newsom signed into law AB 694, which makes a few technical changes to the California Privacy Rights Act (CPRA).  The relevant changes to the CPRA are summarized below.

  • As defined in the CPRA, “personal information” does not include publicly available information or lawfully obtained, truthful information that is a