David routinely counsels clients on complying with privacy laws such as the EU's General Data Protection Regulation, the California Consumer Privacy Act, the Colorado Privacy Act, and other state privacy laws. David is certified by the International Association of Privacy Professionals as a Privacy Law Specialist, Certified Information Privacy Professional (US and EU), Certified Information Privacy Technologist, and Fellow of Information Privacy.

Keypoint: The 2022 election may result in new states to watch during the 2023 state legislative session.

Until the federal government passes a preemptive federal privacy law, state legislatures will continue to be the driving force in the development of U.S. privacy law. While others have – appropriately – speculated on how the 2022 election could impact the future of federal legislation, this article analyses state election results to identify potential trends and states to watch in 2023. Although drawing conclusions across fifty states is impossible, as discussed below, a handful of states will be well-positioned to pass privacy legislation in 2023 should they choose to do so.

Continue Reading The Future of State Privacy Legislation After the 2022 Election

Keypoint: On the heels of last week’s Board meeting, Agency staff quickly turned around a modified version of the proposed regulations, triggering a fifteen day comment period and further signaling that the Agency is on track to finalize the regulations in January/February 2023.

On November 3, 2022, the California Privacy Protection Agency (Agency) issued a notice of modifications to the text of proposed California Consumer Privacy Act (CCPA) regulations. The notice follows a two-day meeting held by the Agency Board on October 28 and 29, 2022, during which the Board authorized Agency staff to take all steps necessary to prepare and notice modifications to the proposed regulatory amendments. The notice states that the Agency will accept written comments regarding the proposed changes or materials added to the rulemaking file up to 8:00 a.m. on Monday, November 21, 2022.

In the below post, we first provide a brief overview of the rulemaking process to date and its path forward. We then review some of the substantive modifications the Agency made to the proposed regulations after last week’s Board meeting.

Continue Reading CPRA Proposed Regulations Formally Noticed for 15 Day Comment Period

Keypoint: The Board advanced the modified proposed CPRA regulations with the goal of submitting final regulations to the Office of Administrative Law by year end.

On October 28 and 29, 2022, the California Privacy Protection Agency (Agency) Board held a meeting to review and consider the modified proposed California Consumer Privacy Act (CCPA) regulations. The Agency previously published the modified proposed regulations on September 17, 2022. The modified proposed regulations contain many changes to the initial proposed regulations based on comments the Agency received during the public comment period.

At the conclusion of the meeting, the Board authorized Agency staff to take all steps necessary to prepare and notice modifications to the proposed regulatory amendments. Once noticed, stakeholders will have fifteen days to provide comments. The Board’s General Counsel explained that the Agency hopes to have final rules submitted to the Office of Administrative Law (OAL) for review by the end of the year. If that timeframe holds, the regulations would become effective in late January or early February.

Below is a summary of key takeaways from the meeting.

Continue Reading CPPA Board Advances Proposed CPRA Regulations

Keypoint: The California Privacy Protection Agency’s issuance of significantly modified proposed regulations comes days in advance of four scheduled Board meetings where the proposed regulations will be open to debate, modification, and potential adoption.

On Monday, September 17, 2022, the California Privacy Protection Agency (CPPA or Agency) issued modified proposed CPRA regulations as well as an explanation for the changes. The modified proposed regulations follow a 45-day written comment period on the initial proposed regulations that ended on August 23, 2022, and two public hearings that were held on August 24 and 25, 2022. Interested parties submitted over 1,000 pages of written comments during the written comment period.

The issuance of modified proposed regulations was expected based on comments made during the Agency’s prior Board meeting on September 23, 2022. The Agency initially issued the modified proposed regulations in connection with two days of Board meetings scheduled for October 21 and 22, 2022. Later in the day on September 17, the Agency announced that it will hold two more days of Board meetings on October 28 and 29, 2022.

At the meetings, the Board will discuss the proposed regulations, including possible adoption or modification of the text. To that end, the accompanying explanation document identifies twenty-eight (28) items that Agency staff recommend for discussion at the meetings.

In the below post, we first provide high-level takeaways from the modified proposed regulations. We then discuss some of the more notable changes. We do not attempt to summarize all of the changes.

Continue Reading Modified CPRA Proposed Regulations Issued

Keypoint: The CPA draft rules are a complex and lengthy set of regulations that, if adopted without substantial modification, will significantly expand the CPA’s requirements and require controllers to carefully consider their compliance obligations.

On Friday, September 30, the Colorado Attorney General’s office published proposed Colorado Privacy Act rules. The Office also announced that it will hold three stakeholder meetings on November 10, 15, and 17, 2022, and a public hearing on February 1, 2023.

The draft rules are long – 38 pages of single-space text (omitting the 20 pages of rulemaking documents that appear at the end). In comparison, the Colorado Privacy Act is 31 pages. The length allows the office to provide clarity (e.g., around consumer requests) but also complexity, in particular around data protection assessments and profiling.

The complexity of the draft rules may come as a surprise to those who have not tracked the Office’s comments about engaging in robust rulemaking. The Office has devoted significant time and effort to drafting the rules, and it is clear that the Office intends to make its mark on U.S. privacy law moving forward.

In the below post, we first provide a list of high-level takeaways. We then provide a brief discussion of the rulemaking process and timeline. Finally, we provide a short summary of some of the more important substantive sections.

Continue Reading Colorado Privacy Act Draft Rules Published

Keypoint: Businesses subject to the CCPA will need to revise their compliance programs before the exemptions expire on January 1, 2023.

As previously reported, the California legislature had been considering multiple bills to extend the employee and business-to-business data exemptions under the California Consumer Privacy Act (CCPA). On August 31st, however, the California legislature adjourned without extending the exemptions, which automatically expire on January 1, 2023 – the same day the California Privacy Rights Act (CPRA) goes into effect.

Generally speaking, the current exemptions apply to (1) personal information of job applicants, employees, owners, directors, officers, and independent contractors in the context of the individual’s employment or application for employment and (2) personal information reflecting written and verbal communications or a transaction where the consumer is acting in a business-to-business commercial transaction. With the exemptions set to expire, California will become the first state to apply comprehensive restrictions on the collection and use of such information.

Businesses that are subject to the CCPA and that have California employees or deal with other California companies will need to engage in substantial efforts to update their privacy programs. We outline some of the necessary steps below.

Continue Reading California Legislature Fails to Extend CCPA Employee and B2B Data Exemptions

Keypoint: The thirteen new enforcement case examples – released just a few months before the CCPA’s right to cure sunsets – provide further insight into the Attorney General’s enforcement priorities.

As we previously reported, last week the California Attorney General’s Office announced its first public settlement for alleged non-compliance with the California Consumer Privacy Act (CCPA), consisting of a $1.2 million penalty as well as injunctive relief. Although much of the discussion since the announcement has been appropriately focused on the contours of the settlement agreement, the Office contemporaneously published thirteen new CCPA enforcement case examples. The new examples add to the twenty-seven examples the Office published in July 2021.

Because the Office does not generally release information to the public about its investigations, the new case examples provide a rare glimpse into the Office’s past year of CCPA enforcement activities. With the CCPA’s thirty day right to cure sunsetting on January 1, 2023, businesses should review these case examples as part of their ongoing compliance efforts.

Below is an overview of the new enforcement case examples.

Continue Reading CCPA Update: Cal. AG Releases Thirteen New Enforcement Case Examples

Keypoint: The Attorney General’s announcement of a $1.2 million penalty sends a “strong message” to companies to come into compliance.

On August 24, 2022, California Attorney General Bonta announced the first public enforcement action under the California Consumer Privacy Act (CCPA) as well as a new round of investigative sweeps and more enforcement case examples.

During an online press conference, Attorney General Bonta announced a $1.2 million settlement with a company over allegations it illegally sold data in violation of the CCPA. Bonta stated the enforcement action should send a “strong message” to companies to comply with the CCPA. The enforcement action arose out of a prior investigative sweep in which the Attorney General’s office sent over one-hundred (100) notices of violation.

Continue Reading California Attorney General Announces First Public CCPA Enforcement Action

In the sixteenth episode of our Legislating Data Privacy podcast series, we are joined – for the second time – by the International Association of Privacy Professionals’ Joseph Duball.

In what has become a yearly conversation, Husch Blackwell’s David Stauss and Joe discuss what happened with proposed privacy legislation during the 2022 session and look

Keypoint: As currently drafted, the ADPPA’s private right of action provides U.S. citizens with the opportunity to enforce their privacy rights but limits lawsuits to federal court and provides covered entities and service providers with mechanisms to mitigate the risk of such claims, including through the use of arbitration provisions and class action waivers.

As we previously reported, the American Data Privacy and Protection Act (ADPPA) (H.R. 8152) is eligible for a full House vote after the House Committee on Commerce & Energy (House Committee) reported out an amended version on July 20, 2022. Prior to reporting out the ADPPA, the House Committee adopted an Amendment in the Nature of a Substitute (AINS) that made numerous changes to the bill, including modifications to the bill’s private right of action (PRA).

The contours of the ADPPA’s PRA are crucial.

Privacy advocates point to the inclusion of the PRA as one way in which the ADPPA is stronger than the California Consumer Privacy Act. However, Senator Maria Cantwell (D-Wash.) – whose support is necessary to pass the bill because she chairs the relevant Senate committee – stated that the ADPPA contains “major enforcement holes” and does not have her support. Recently, Senator Cantwell stated that “she couldn’t support the bipartisan framework unless House lawmakers add tougher enforcement measures, including limits on forced arbitration and a broad right for individuals to sue companies that violate the law.” According to Cantwell, “The problem is it’s taking the House a long time to come to reality about what strong enforcement looks like.” “If you’re charitable, you call it ignorance. If you think that it’s purposeful, it literally won’t pass the House because they just won’t meet the test of what a strong federal bill looks like.” Meanwhile, business advocates such as the U.S. Chamber of Commerce are adamantly opposed to any bill “that creates a blanket private right of action.”

Given how important this issue is to passing a federal privacy bill, the below article contains a detailed analysis of the ADPPA’s current PRA as the House Committee passed it on July 20. The article then outlines, for comparison purposes, the PRA contained in Senator Cantwell’s 2019 bill, the Consumer Online Privacy Rights Act.

If you are interested in learning more about the ADPPA, we are hosting a webinar on it on August 18, 2022. Click here for more information and to register. We also would like to thank the Future of Privacy Forum and the IAPP’s Cobun Zweifel-Keegan whose redline of the latest version of the ADPPA was instrumental in the drafting of this article.

Continue Reading Analyzing the American Data Privacy and Protection Act’s Private Right of Action