Ana Cowan

Ana has more than 16 years of experience representing physicians, physician groups, ambulatory surgery centers, and non-profit health organizations in regulatory healthcare, corporate, and administrative matters.

Keypoint: With the CCPA’s “right to cure” violations expiring at the end of the year, businesses should take note of the AG’s recent enforcement efforts and, to the extent necessary, provide the requisite notice of financial incentive if the business offers discounts, free items, loyalty programs, or other rewards, in exchange for personal information.

California Attorney General Rob Bonta marked Data Privacy Day (January 28) by announcing an “investigative sweep of a number of businesses operating loyalty programs in California” for allegedly failing to comply with the California Consumer Privacy Act’s (CCPA) notice of financial incentive requirement. Letters were sent on January 28 “to major corporations in retail, home improvement, travel, and food services industries.” As required under the CCPA, entities that received letters will have thirty days to cure the alleged violation.

The press release did not disclose the number of letters sent or provide details on the specific nature of the alleged violations other than stating this “sweep of notices . . . focuses on businesses that are failing to provide a notice of financial incentive to customers that opt into their loyalty program.”

For businesses that offer loyalty programs or other financial incentives, below is a discussion on the CCPA’s notice of financial incentive requirement, including what the notices must contain and how businesses should relay the notices to California residents.

Keypoint: In the next few months, the Colorado Attorney General’s office will start CPA rulemaking on numerous topics with the goal of publishing draft rules by this fall and adopting final rules by next winter.

On January 28, the Colorado Attorney General’s office hosted a Data Privacy Day event centered on the Colorado Privacy Act (CPA). In prepared remarks, Colorado Attorney General Phil Weiser issued his first public comments on the upcoming CPA rulemaking process. In the coming months, the office will engage in a substantial rulemaking process on a number of topics, including dark patterns and consumer requests. The Attorney General anticipates that they will be in a position around this time next year to adopt final rules, which will be approximately six months before the CPA goes into effect on July 1, 2023.

In this post, we first provide a brief overview of the CPA statutory authority for rulemaking. We then discuss Attorney General Weiser’s prepared remarks discussing the office’s plans.

Which States Will Consider CCPA-Like Consumer Privacy Bills in 2022?

Keypoint: At least fifteen state legislatures are poised to consider CCPA-like consumer privacy legislation in 2022 with lawmakers in Arizona, Connecticut, Florida, Minnesota, Mississippi, and Washington confirming they will be introducing bills, a bill already being pre-filed in Maryland, and eight states with bills that will carry over from the 2021 session.

The continuing emergence of proposed state privacy laws will be a dominant story for privacy professionals in 2022.

In 2021, lawmakers in twenty-seven states proposed CCPA-like privacy legislation. We tracked these bills through our weekly updates, State Privacy Law Tracker, and Legislating Data Privacy podcast series.

This year, we contacted lawmakers who proposed bills in 2021 and asked them to share their plans for 2022. We received many responses, which we chronicle below along with updates on bills that we have been tracking over the summer and fall. Of particular note, Representatives Shelley Kloba (Washington), Steve Elkins (Minnesota), and Collin Walke (Oklahoma) provided extensive comments on their 2022 proposals.

Keypoint: Advertising platform settles with the FTC over allegations that it collected location data without consent and collected information from child-directed apps without notice or parental consent in violation of the FTC Act and COPPA.

Online advertising exchange platform, OpenX Technologies, Inc., has been ordered to pay $2 million of a $7.5 million judgment to settle Federal Trade Commission allegations that it misrepresented its data collection, use, and disclosure practices as it concerns personal information collected from children and location information collected from consumers who had not granted or had denied requisite location permissions.

CPRA Regulations: California Privacy Protection Agency Commences Preliminary Rulemaking Process

Keypoint: The California Privacy Protection Agency initiates preliminary rulemaking activities under the California Privacy Rights Act.

On Wednesday, September 22, 2021, the California Privacy Protection Agency (Agency) issued an Invitation for Preliminary Comments on Proposed Rulemaking Under the California Privacy Rights Act of 2020.

California voters approved the California Privacy Rights Act (CPRA) in November 2020. The CPRA, which goes into effect on January 1, 2023, significantly revises the California Consumer Privacy Act (CCPA).

Oklahoma Privacy Bill

Keypoint: The 2022 legislative session of proposed state consumer privacy legislation kicks off with the filing of a new bill in Oklahoma.

On September 9, 2021, Rep. Collin Walke (D) and Majority Leader Rep. Josh West (R) filed the Oklahoma Computer Data Privacy Act of 2022. The Oklahoma legislature is not scheduled to convene until February 7, 2022, such that there is ample time for policymakers and lobbyists to study the bill. We spoke with Representative Walke earlier this year about his goal of passing a privacy law in 2022.

In an accompanying press release, Representative Walke stated: “The National Security Commission on Artificial Intelligence explained that America is ill-prepared for the next decade of technological development, and part of that is due to a lack of governmental action in regulating things like data privacy. It is time that we heed the advice of security experts like the National Security Commission and pass meaningful data privacy legislation. We must be part of the solution and not the problem.”

In 2021, the Oklahoma House passed another privacy bill but it did not make it out of the Senate Judiciary Committee. According to Rep. Walke, the 2021 version will still be alive when the 2022 legislative session convenes such that Oklahoma lawmakers will have two bills to consider.

Below is an overview of the 2022 bill (as introduced).

In addition, members of Husch Blackwell’s privacy and data security practice will be hosting a webinar on September 28 to discuss developments in U.S. privacy law, including the 2022 Oklahoma bill.

Keypoint: A detailed analysis of the Attorney General’s twenty-seven published examples of noncompliance notices sent during the first year of CCPA enforcement reveals key learnings for CCPA compliance efforts.

In July, the California Attorney General published twenty-seven “illustrative examples” of noncompliance notices it sent to businesses during its first year of enforcing the CCPA. The examples provide a rare glimpse into the Attorney General’s enforcement priorities.

The office sent enforcement notices to a wide range of businesses spanning a variety of industries. The alleged violations primarily concerned privacy policy disclosures, consumer requests, and opt-out of sale requirements. Other noncompliance topics included service provider contracts and “just in time” notices.

Below is an analysis of the published enforcement examples. The office emphasizes, however, that the information provided “does not include all the facts of each situation and does not constitute legal advice.”

Keypoint: The Colorado Senate unanimously passed the Colorado Privacy Act after amending the bill to add back many of the privacy protections previously removed.

On May 26, 2021, the Colorado Senate unanimously passed the Colorado Privacy Act. The bill now moves to the State Assembly. The Colorado legislature is scheduled to close on June 12 so we will know in just a matter of weeks (if not sooner) if Colorado will become the third state to enact broad consumer privacy legislation.

Two House sponsors were added to the bill – Republican Terri Carver and Democrat majority co-whip Monica Dunn. The addition of bipartisan House sponsors perhaps signals that the bill has momentum to pass the House.

Notably, the Senate significantly amended the bill from the version previously passed by the Senate Business, Labor & Technology Committee. As discussed in our May 12 post, the Senate committee had revised many of the bill’s pro-consumer provisions to pro-business provisions. The bill that ultimately passed the Senate (see here) reverted many of those changes. Below is a summary of some of the notable revisions.

Keypoint: Bill would expand COPPA to protect 13 to 15 year olds.

On May 11, Senators Edward J. Markey (D-Mass) and Bill Cassidy (R-La) introduced the Children and Teens’ Online Privacy Protection Act. The legislation seeks to amend the Children’s Online Privacy Protection Act (COPPA), 15 U.S.C. §§ 6501-6505, to “strengthen protections relating to the online collection, use, and disclosure of personal information of children and minors.”

Keypoint: The Colorado Privacy Act passed unanimously out of committee last week but not before lawmakers revised many of its pro-consumer provisions to pro-business.

On May 5, 2021, the Colorado Senate Business, Labor & Technology Committee unanimously passed the Colorado Privacy Act. The bill was sent to the Senate Appropriations Committee where it is scheduled for a May 14 hearing.

Before passing the bill, the Senate Committee accepted a number of amendments that changed many of the bill’s pro-consumer privacy provisions in favor of pro-business provisions. As it stands, the bill appears to be an even more business-friendly version of the Virginia Consumer Data Protection Act (VCDPA). For reference, the VCDPA and Colorado bill are both based on this year’s version of the Washington Privacy Act, which failed to pass the Washington legislature in April.

Below is an analysis of some of the more notable amendments.

For reference, the current version of the bill is available here and the original version of the bill is available here. Our analysis of the original bill is available here.