![Photo of David Stauss [Former Attorney]](https://lexblogplatform.com/wp-content/uploads/sites/631/userphoto/7147-1572288796.jpg)
Last week, the Alaska House Labor & Commerce Committee voted HB 159, the Alaska Consumer Data Privacy Act, out of committee. A few days before the committee hearing, we talked with Representative Zack Fields, the primary proponent of the bill.
HB 159 underwent a significant revision over the summer led by the efforts of
Keypoint: The CPRA, CPA and VCDPA require data protection assessments for certain processing activities; however, when and how entities must conduct and prepare assessments varies.
This is the third article in our ten-part weekly series comparing key provisions of the California Privacy Rights Act (CPRA), Colorado Privacy Act (CPA), and Virginia Consumer Data Protection Act (VCDPA). With the operative dates of these laws drawing near, we are exploring important distinctions between them. If you are not already subscribed to our blog, consider subscribing now to stay updated.
In this article, we examine how the three laws approach data protection assessments. At first glance, Virginia and Colorado’s provisions appear similar; however, definitional differences of key terms result in potentially significant variances. Further, the Colorado Attorney General’s office has identified this as a potential topic for rulemaking, which could lead to more differences given that the VCDPA does not authorize such rulemaking. California does not have this concept under the current California Consumer Privacy Act (CCPA) and takes a different approach than Virginia and Colorado in the CPRA. The CPRA charges the California Privacy Protection Agency (CPPA) with issuing regulations on when and how businesses must prepare cybersecurity audits and risk assessments. The CPPA is still drafting those regulations.
Below is a further analysis of this topic.
Keypoint: This week the Indiana Senate passed a bill, lawmakers in Alaska, Massachusetts, and Washington passed bills out of committee, new bills were introduced in West Virginia and Wisconsin, and there was movement on many VCDPA amendment bills.
Below is our fourth weekly update on the status of proposed state privacy legislation in 2022. Before we get to our update, we wanted to provide three reminders.
First, we will be hosting a webinar analyzing the proposed CCPA-like privacy bills on February 23, 2022. For more information, and to register, click here.
Second, we will be regularly updating our 2022 State Privacy Law Tracker to keep pace with the latest developments with CCPA-like privacy bills. We encourage you to bookmark the page for easy reference.
Finally, the contents provided below are time-sensitive and subject to change. If you are not already subscribed to our blog, consider doing so to stay updated. If you are interested in tracking developments between blog posts, consider following on LinkedIn and/or Twitter.
Keypoint: With the CCPA’s “right to cure” violations expiring at the end of the year, businesses should take note of the AG’s recent enforcement efforts and, to the extent necessary, provide the requisite notice of financial incentive if the business offers discounts, free items, loyalty programs, or other rewards, in exchange for personal information.
California Attorney General Rob Bonta marked Data Privacy Day (January 28) by announcing an “investigative sweep of a number of businesses operating loyalty programs in California” for allegedly failing to comply with the California Consumer Privacy Act’s (CCPA) notice of financial incentive requirement. Letters were sent on January 28 “to major corporations in retail, home improvement, travel, and food services industries.” As required under the CCPA, entities that received letters will have thirty days to cure the alleged violation.
The press release did not disclose the number of letters sent or provide details on the specific nature of the alleged violations other than stating this “sweep of notices . . . focuses on businesses that are failing to provide a notice of financial incentive to customers that opt into their loyalty program.”
For businesses that offer loyalty programs or other financial incentives, below is a discussion on the CCPA’s notice of financial incentive requirement, including what the notices must contain and how businesses should relay the notices to California residents.
Keypoint: The CPRA, CPA, and VCDPA vary in both their definitions of biometric information/data and their compliance obligations.
This is the second article in our ten-part weekly series comparing key provisions of the California Privacy Rights Act (CPRA), Colorado Privacy Act (CPA), and Virginia Consumer Data Protection Act (VCDPA). With the operative dates of these laws drawing near, we are exploring important distinctions between these bills. If you are not already subscribed to our blog, consider subscribing now to stay updated.
In this article, we examine how the three laws will treat biometric information (or biometric data as the term is used in Colorado and Virginia). The California Consumer Privacy Act (CCPA) already addresses biometric information but only as an element of personal information. The CPRA will include certain types of biometric information as “sensitive personal information” and provide consumers the right to limit businesses’ use of that information. Virginia and Colorado will require controllers to obtain consumer consent for the processing of biometric data for the purpose of uniquely identifying a natural person. However, Virginia’s definition of biometric data is much narrower than California’s definition. Meanwhile, Colorado’s law does not define the term at all.
Below is an analysis of this issue.
Keypoint: The bill, which is based on Virginia’s Consumer Data Protection Act, now moves to the Indiana House.
As first reported by the IAPP’s Joe Duball, the Indiana Senate unanimously voted to pass SB 358 on February 1, 2022.
Indiana is the first state during the 2022 legislative session to pass a consumer privacy bill
Keypoint: In the next few months, the Colorado Attorney General’s office will start CPA rulemaking on numerous topics with the goal of publishing draft rules by this fall and adopting final rules by next winter.
On January 28, the Colorado Attorney General’s office hosted a Data Privacy Day event centered on the Colorado Privacy Act (CPA). In prepared remarks, Colorado Attorney General Phil Weiser issued his first public comments on the upcoming CPA rulemaking process. In the coming months, the office will engage in a substantial rulemaking process on a number of topics, including dark patterns and consumer requests. The Attorney General anticipates that they will be in a position around this time next year to adopt final rules, which will be approximately six months before the CPA goes into effect on July 1, 2023.
In this post, we first provide a brief overview of the CPA statutory authority for rulemaking. We then discuss Attorney General Weiser’s prepared remarks discussing the office’s plans.
Keypoint: This week lawmakers introduced new bills in Georgia, Hawaii and Oklahoma, the Indiana Senate passed a bill out of committee, and hearings were held on bills in Alaska, Maryland, and Washington.
Below is our third weekly update on the status of proposed state privacy legislation in 2022. Before we get to our update, we wanted to provide two reminders.
First, we will be regularly updating our 2022 State Privacy Law Tracker to keep pace with the latest developments with CCPA-like privacy bills. We encourage you to bookmark the page for easy reference.
Second, the contents provided below are time-sensitive and subject to change. If you are not already subscribed to our blog, consider doing so to stay updated. If you are interested in tracking developments between blog posts, consider following on LinkedIn and/or Twitter.
Keypoint: The CPRA, CPA, and VCDPA’s definitions of “publicly available information” are broader than the CCPA’s definition, thereby expanding the types of personal information companies may process outside the confines of those laws.
In celebration of Data Privacy Day, we are launching this ten-part weekly series where we will compare key provisions of the California Privacy Rights Act (CPRA), Colorado Privacy Act (CPA), and Virginia Consumer Data Protection Act (VCDPA). With the operative dates of these laws drawing near, we will explore important nuances and differences on topics such as treatment of biometric and sensitive information, targeted advertising, consumer rights, and data processing agreements. If you are not already subscribed to our blog, consider doing so to stay updated.
Our first topic in this ten-part series is the treatment of publicly available information. Although the California Consumer Privacy Act (CCPA) contains an exclusion for “publicly available information” from its definition of personal information, the exclusion is limited to information made available by federal, state, or local government records. The CPRA, CPA, and VCDPA expand this exception to include information a company has a reasonable basis to believe a consumer lawfully made available to the general public.
Below is a comparison of “publicly available information” as defined in each of the three laws.
Keypoint: This week lawmakers introduced new bills in Mississippi, Nebraska, and Pennsylvania, held hearings in Alaska and Washington, and scheduled hearings for the coming week in Alaska, Delaware, Indiana, Maryland, and Washington.
Below is our second weekly update on proposed state privacy laws. As with past updates, we track the status of proposed CCPA-like privacy legislation. In addition, starting this week we have expanded the update to track upcoming hearings, VCDPA amendments, biometric privacy bills, data broker bills, and other bills of note. We even added a table of contents! We hope you enjoy the additional content.
Before we get to our update, we wanted to provide two reminders.
First, we will be regularly updating our 2022 State Privacy Law Tracker to keep pace with the latest developments with CCPA-like bills. We encourage you to bookmark the page for easy reference.
Second, the contents provided below are time-sensitive and subject to change. If you are not already subscribed to our blog, consider doing so to stay updated. If you are interested in tracking developments between blog posts, consider following on LinkedIn and/or Twitter. Last week, we provided a mid-week update on a new VCDPA amendment.