Photo of David Stauss

 

David routinely counsels clients on complying with privacy laws such as the EU's General Data Protection Regulation, the California Consumer Privacy Act, the Colorado Privacy Act, and other state privacy laws. David is certified by the International Association of Privacy Professionals as a Privacy Law Specialist, Certified Information Privacy Professional (US and EU), Certified Information Privacy Technologist, and Fellow of Information Privacy.

Keypoint: The Agency proposed more revisions to the CCPA regulations for consideration at the December 8 board meeting.

On December 1, 2023, the California Privacy Protection Agency (Agency) published proposed revisions to the CCPA regulations as well as a chart explaining the proposed modifications. The draft regulations were released in connection with the Agency’s December 8 board meeting. Importantly, the draft revisions are only intended to facilitate Board discussion and public participation. The Agency has not yet started formal rulemaking.

The Board now has six sets of draft regulations to discuss at its December 8 meeting: (1) cybersecurity audits, (2) automated decisionmaking technology, (3) risk assessments, (4) revisions to the CCPA regulations, (5) insurance, and (6) data broker registry fee.

The revisions to the CCPA regulations come even though the Agency cannot yet enforce its first set of revisions to the CCPA regulations. The Agency finalized those regulations on March 29, 2023, but a trial court delayed enforcement until March 29, 2024, finding that the CCPA requires a twelve-month delay in enforcement after finalization.

The below article provides a brief overview of some of the more notable proposed revisions.Continue Reading CPPA Publishes Proposed Revisions to CCPA Regulations

Keypoint: The California Privacy Protection Agency continued its rulemaking efforts by releasing draft automated decisionmaking technology regulations although the Agency has yet to initiate the formal rulemaking process.

On November 27, 2023, the California Privacy Protection Agency (Agency) published draft automated decisionmaking technology regulations as well as revised draft risk assessment regulations. The draft regulations were released in connection with the Agency’s December 8 board meeting. Importantly, the draft regulations are only intended to facilitate Board discussion and public participation. The Agency has not yet started formal rulemaking.

This article focuses on how the two draft regulations address automated decisionmaking technology (ADMT). The risk assessment regulations contain additional provisions that are not addressed herein. In addition, given that these are only draft regulations, this article only provides a high-level summary and some takeaways. It does not provide an exhaustive analysis of the draft regulations.Continue Reading CPPA Publishes Draft Automated Decisionmaking Technology (AI) Regulations

Keypoint: The California Privacy Protection Agency continued its rulemaking efforts by releasing revised draft cybersecurity audit regulations although the Agency has yet to initiate the formal rulemaking process.

In connection with its upcoming December 8 Board meeting, the California Privacy Protection Agency published revised draft cybersecurity audit regulations. In the below post, we provide background on the draft regulations and a brief summary of the notable changes.Continue Reading CPPA Publishes Revised Draft Cybersecurity Audit Regulations

Keypoint: A California federal district court granted NetChoice’s motion for preliminary injunction, finding that the California Age-Appropriate Design Code Act likely violates the First Amendment.

On September 18, 2023, the United States District Court for the Northern District of California granted NetChoice’s motion for preliminary injunction, enjoining Rob Bonta, Attorney General of the State of California, from enforcing the California Age-Appropriate Design Code Act (AADC). The ruling comes only weeks after federal district courts in Texas and Arkansas enjoined children’s online laws from going into effect in those states.

In the below post, we provide a brief background on the AADC, analyze the court’s ruling, and provide some context and takeaways on how it could impact privacy laws more generally.Continue Reading Court Enjoins California Age-Appropriate Design Code Act

Keypoint: Pending the Governor’s signature, the California Delete Act requires all data brokers to register with the CPPA next year and comply with a one-stop consumer deletion mechanism by 2026.

Last week, the California legislature passed the Delete Act (SB 362) (the “Act”) which amends California’s existing data broker law to subject all data brokers to new registration and disclosure requirements, and a one-stop mechanism for consumer deletion requests. In the below post, we analyze the Delete Act and the changes it makes to the existing data broker law.Continue Reading California Delete Act Passes Legislature

Keypoint: Although they are only draft regulations and not part of the formal rulemaking process, the drafts demonstrate the Agency’s intent to create extensive obligations for businesses subject to these regulations.

In connection with its September 8, 2023 Board meeting, the California Privacy Protection Agency (“Agency”) published draft regulations on risk assessments and cybersecurity audits. The drafts were provided as meeting materials for a CPRA rules subcommittee update.

The drafts specifically state that they are intended “to facilitate Board discussion and public participation” and are “subject to change.” To that end, the drafts identify specific text for the Board to discuss and, in some instances, identify multiple options for Board consideration. The drafts also note that the Agency “has not yet started the formal rulemaking process for cybersecurity audits, risk assessments, or automated decisionmaking technology.”

Although these are only drafts, they nonetheless provide an initial insight into the Agency’s thought process for these new and significant rulemaking topics. In short, the drafts indicate the Agency’s intent to create extensive obligations for businesses subject to these regulations. In the below post, we provide a high-level summary and analysis of some of the more notable parts of the drafts.Continue Reading CPPA Releases Draft Regulations on Risk Assessments and Cybersecurity Audits

On July 31, 2023, the California Privacy Protection Agency announced a review of data privacy practices by connected vehicle (CV) manufacturers and related CV technologies. According to the Agency, “[t]hese vehicles are embedded with several features including location sharing, web-based entertainment, smartphone integration, and cameras. Data privacy considerations are critical because these vehicles often automatically

Keypoint: The Attorney General’s investigatory sweep focuses on how large California employers are handling the expiration of the CCPA’s employee data exemption.

On July 14, 2023, the California Attorney General announced a new CCPA investigatory sweep focused on employee data. The Attorney General’s Office reported that it had sent inquiry letters “to large California employers requesting information on the companies’ compliance with the California Consumer Privacy Act (CCPA) with respect to the personal information of employees and job applicants.”Continue Reading California Attorney General Announces New CCPA Investigative Sweep of Employers

Keypoint: Enforcement by the California Privacy Protection Agency of the new CCPA regulations will be delayed until March 2024, but the Agency can still enforce the CCPA statutory changes as of July 1, 2023.

As first reported by Amy Miller at mlex, on June 30, 2023, Judge Arguelles of the Superior Court of California entered an Order granting, in part, the California Chamber of Commerce’s Petition for Writ of Mandate and Compliant for Declaratory and Injunctive Relief. In so doing, the Court held that enforcement of any final regulation published by the California Privacy Protection Agency must be stayed for a period of 12 months from the date that regulation becomes final. This means the Agency cannot enforce the new California Consumer Privacy Act (CCPA) regulations finalized on March 29, 2023, until March 29, 2024. Importantly, the ruling does not prohibit the Agency or the Attorney General’s Office from enforcing the statutory changes to the CCPA that went into effect on January 1, 2023.Continue Reading Enforcement of New CCPA Regulations Delayed By Court Ruling

Keypoint: Delaware is the twelfth state to pass consumer data privacy legislation with a bill that closely resembles the Connecticut law but with some notable differences.

On June 30, 2023, the Delaware legislature passed the Delaware Personal Data Privacy Act (HB 154). Subject to the procedural formalities in the legislature, the bill will move to Delaware Governor John Carney for consideration.

Assuming the bill becomes law, Delaware will become the twelfth state – and seventh this year – to pass a consumer data privacy law. The other states that have passed bills this year are Indiana, Iowa, Montana, Oregon, Tennessee, and Texas.

The Delaware bill closely resembles last year’s Connecticut Data Privacy Act (CTDPA) with some notable differences discussed in the below article.

As with prior bills passed this year, we have added the Delaware bill to our chart providing a detailed comparison of the laws enacted to date.Continue Reading Delaware Legislature Passes Consumer Data Privacy Bill