Photo of David Stauss [Former Attorney]

David Stauss [Former Attorney]

 

Formerly with Husch Blackwell, David routinely counseled clients on complying with privacy laws such as the EU's General Data Protection Regulation, the California Consumer Privacy Act, the Colorado Privacy Act, and other state privacy laws.

Keypoint: This week the Utah Governor signed the Utah Consumer Privacy Act, the Oklahoma House passed a bill, and a committee hearing was held in Rhode Island.

Below is our eleventh weekly update on the status of proposed state privacy legislation in 2022. Before we get to our update, we wanted to provide two reminders.

First, we regularly update our 2022 State Privacy Law Tracker to keep pace with the latest developments with CCPA-like privacy bills. We encourage you to bookmark the page for easy reference.

Second, the contents provided below are time-sensitive and subject to change. If you are not already subscribed to our blog, consider doing so to stay updated. If you are interested in tracking developments between blog posts, consider following on LinkedIn and/or Twitter.

Keypoint: As it did last year, the Oklahoma House passed a consumer data privacy bill.

On March 23, 2022, the Oklahoma House voted 74-15 (with 11 excused) to pass Representative Collin Walke’s HB2969 – the Oklahoma Computer Data Privacy Act. The bill now moves to the Senate. Last year, the Oklahoma House also passed a version of this bill, only to see it stall in the Senate Judiciary Committee. The bill is generally based on the California Consumer Privacy Act (CCPA) although it contains notable differences.

Below is a brief summary.

State Privacy Guide_widget_300x196-08

Keypoint: Starting in 2023, organizations that are subject to one or more of the laws will need to enter into contracts with recipients of personal information/data that address numerous statutory requirements.

This is the eighth article in our ten-part weekly series comparing key provisions of the California Privacy Rights Act (CPRA), Colorado Privacy Act (CPA), and Virginia Consumer Data Protection Act (VCDPA). With the operative dates of these laws drawing near, we are exploring important distinctions between them. If you are not already subscribed to our blog, consider subscribing now to stay updated.

In this article, we examine how the three laws treat data processing agreements (DPAs). The CPRA, VCDPA and CPA require, in certain situations, businesses/controllers to enter into contracts with entities to whom they transfer personal information. The CPRA establishes three categories of recipients – service providers, contractors, and third parties – and sets forth a baseline set of requirements that must be contractually addressed when businesses sell or share personal information to a third party or disclose it to a service provider or contractor for a business purpose. The CPRA requires additional contractual provisions when the transfers are made to service providers or contractors.

In comparison, the VCDPA and CPA require contracts when a controller transfers personal data to processors. The VCDPA and CPA generally align their requirements although there are differences as discussed below. There also are many differences as compared to the CPRA’s requirements.

Keypoint: This week the Iowa House passed a bill, but it appears to have stalled in the Senate; Connecticut’s bill passed out of committee; Maryland advanced a work group bill out of the Senate and a biometric privacy bill out of the House; and hearings were held on bills in Alaska, Tennessee, and Vermont.

Below is our tenth weekly update on the status of proposed state privacy legislation in 2022. Before we get to our update, we wanted to provide two reminders.

First, we regularly update our 2022 State Privacy Law Tracker to keep pace with the latest developments with CCPA-like privacy bills. We encourage you to bookmark the page for easy reference.

Second, the contents provided below are time-sensitive and subject to change. If you are not already subscribed to our blog, consider doing so to stay updated. If you are interested in tracking developments between blog posts, consider following on LinkedIn and/or Twitter.

Keypoint: The CPRA and CPA introduce the concept of dark patterns into state consumer data privacy laws although this area has come under increased attention recently with FTC enforcement actions and guidance, state attorneys general lawsuits, and class action litigation.

This is the seventh post in our ten-part weekly series comparing key provisions of the California Privacy Rights Act (CPRA), Colorado Privacy Act (CPA), and Virginia Consumer Data Protection Act (VCDPA). With the operative dates of these laws drawing near, we are exploring important distinctions between them. If you are not already subscribed to our blog, consider subscribing now to stay updated.

In this article, we analyze how each of these laws treats dark patterns. The CPRA and CPA both prohibit use of dark patterns to obtain consumer consent. The basic distinction between the CPRA and CPA is when they require consumer consent. The CPRA generally allows businesses to obtain consumer consent to circumvent certain consumer rights that have already been exercised. In comparison, the CPA requires consumer consent for the processing of sensitive data. The legal landscape will also likely continue to change and develop, as both laws may see additional rulemaking on this issue.

In contrast, the VCDPA does not directly address dark patterns although, in theory, the state Attorney General could still regulate dark patterns through the law’s definition of consent.

Finally, while the concept of dark patterns is new for the CPRA and CPA, it must be understood in the context of Federal Trade Commission (FTC) enforcement and guidance, state attorneys general lawsuits, and class action litigation.

In the below article, we first consider what constitutes a dark pattern and ongoing multi-layered enforcement regarding them. We then analyze the role of dark patterns in each of the three state privacy laws.

Keypoint: In its first CCPA interpretive opinion, the Attorney General’s office confirmed that businesses responding to requests to know must disclose internally generated inferences they hold about a consumer from either internal or external information sources.

On March 10, 2022, the California Attorney General’s office issued a first-of-its-kind interpretive opinion on the California Consumer Privacy Act’s (CCPA) application.

The Opinion states that, unless an exception applies, a consumer “has the right to know internally generated inferences about that consumer” held by the business from either external or internal sources. The Office reached this Opinion based on a plain reading of the CCPA’s text. A few questions result, including whether inferences based on otherwise exempt information must be disclosed.

Below is a further analysis of the Opinion.

Keypoint: Iowa moves one step closer to enacting consumer data privacy legislation with a bill generally modeled off the Utah Consumer Privacy Act.

On March 14, 2022, the Utah House voted 91-2 to pass House File 2506. Prior to passing the bill, the House adopted Amendment H-8157, which generally aligns the Iowa bill with the recently passed Utah Consumer Privacy Act (UCPA), with a few exceptions.

As we discussed with the UCPA, the Iowa bill would use the same general terminology and framework as the Virginia Consumer Data Protection Act (VCDPA) and Colorado Privacy Act (CPA) but is far more business friendly.

Below is a brief summary.

Keypoint: This week legislatures in Florida, Washington, West Virginia and Wisconsin closed without passing bills while Maryland’s bill was converted into a one-year study.

Below is our ninth weekly update on the status of proposed state privacy legislation in 2022. Before we get to our update, we wanted to provide two reminders.

First, we regularly update our 2022 State Privacy Law Tracker to keep pace with the latest developments with CCPA-like privacy bills. We encourage you to bookmark the page for easy reference.

Second, the contents provided below are time-sensitive and subject to change. If you are not already subscribed to our blog, consider doing so to stay updated. If you are interested in tracking developments between blog posts, consider following on LinkedIn and/or Twitter.

In February 2022, the Massachusetts legislature’s Joint Committee on Advanced Information Technology, the Internet and Cybersecurity voted unanimously to advance the Massachusetts Information Privacy and Security Act (S.2687). Shortly after the vote, we sat down with Representatives Dave Rogers and Andy Vargas, two of the bill’s co-sponsors, to discuss the bill.

During our

State Privacy Guide_widget_300x196-06

Keypoint: The requirements for recognizing opt-out preference signals for certain types of processing vary widely depending on which state laws apply.

This is the sixth post in our ten-part weekly series comparing key provisions of the California Privacy Rights Act (CPRA), Colorado Privacy Act (CPA), and Virginia Consumer Data Protection Act (VCDPA). With the operative dates of these laws drawing near, we are exploring important distinctions between them. If you are not already subscribed to our blog, consider subscribing now to stay updated.

In this article, we analyze how each of these laws treat opt-out preference signals. The California Consumer Privacy Act (CCPA), through its regulations, requires businesses to recognize such signals. However, the CPRA makes this an optional requirement. In contrast, Colorado will require controllers to recognize these signals as of July 1, 2024, whereas Virginia sits on the other end of the spectrum and does not require controllers to recognize them.

In the below article, we first discuss how California currently addresses this issue under the CCPA and how the CPRA will change those requirements. We then discuss Colorado’s approach.