Photo of David Stauss [Former Attorney]

David Stauss [Former Attorney]

 

Formerly with Husch Blackwell, David routinely counseled clients on complying with privacy laws such as the EU's General Data Protection Regulation, the California Consumer Privacy Act, the Colorado Privacy Act, and other state privacy laws.

data privacyKeypoint: Washington lawmakers will be filing the 2020 version of the Washington Privacy Act on Monday, January 13, 2020.

Those who follow privacy law will remember that last year Washington state came close to becoming the second state (after California) to enact consumer privacy legislation. That legislation – called the Washington Privacy Act (WPA) – overwhelmingly passed the state senate but failed in the house, in part, based on disagreements as to how the statute would be enforced and its facial recognition provisions. (See our prior post here.) The bill’s proponents; however, vowed to push the legislation again in 2020.

On Friday, January 10, 2020, the Washington Senate Democratic Caucus publicly released the 2020 version of the WPA. The release came in advance of the opening of the Washington legislature on Monday, January 13, 2020. The bill’s sponsors also will be holding a press conference on January 13, 2020, to discuss the bill.

Below is our analysis of the 2020 version of the WPA.

Conceptual image about how a laptop computer with internet open a virtual door to worldwide information sharing.Keypoint: 2020 promises to be another ground-breaking year in privacy and cybersecurity law in the United States.

2019 was an exciting year in privacy and cybersecurity law. In the United States, the California Consumer Privacy Act (CCPA) was the most significant story, but there also were developments in states such as New York and Nevada. Numerous other states also considered consumer privacy legislation, and federal lawmakers even jumped into the fray, proposing a variety of bills and regulations. Overseas, GDPR garnered the most headlines of course, but other countries, such as Brazil, also made news.

But 2019 was just the start. There is no doubt that privacy and cybersecurity law is undergoing a fundamental change in the United States. If nothing else, the legal landscape of privacy law in the United States promises to look very different by the end of the year.

Below we discuss what we anticipate will be the biggest stories in 2020 and beyond.

Keypoint: Those hoping that the final CCPA regulations will clarify its requirements may be disappointed. 

According to an article in Bloomberg Law, California Attorney General Becerra does not anticipate his office making substantial changes to the regulations as proposed when it issues the final regulations.

The AG’s office published the proposed regulations on October

Keypoint:  The fallout from the 2018 Cambridge Analytica incident continues with the FTC’s issuance of this unanimous opinion and order.

On December 6, the Federal Trade Commission (“FTC”) issued a unanimous opinion (the “Opinion”) finding that political consulting firm Cambridge Analytica, LLC (“Cambridge Analytica”) violated Section 5 of the Federal Trade Commission Act (“FTC Act”) (15 U.S.C. § 45) by engaging in deceptive practices to harvest personal information from tens of millions of Facebook users through a Facebook application called the “GSRApp.”

Saturday, November 2, will mark 60 days until the California Consumer Privacy Act (CCPA) goes into effect. While each organization will have its unique compliance challenges, as discussed below, there are a discrete set of tasks – at a minimum – that each organization needs to undertake in the next 60 days as the first steps toward compliance.

In addition, on November 13, members of Husch Blackwell’s privacy and cybersecurity practice group will present a webinar to discuss these tasks in greater detail.  For more information or to register, click here.

Keypoint: As of January 1, 2020, manufacturers of IoT devices will need to comply with new laws in California and Oregon.

It may be hard to believe but the California Consumer Privacy Act is not the only new law that will go into effect on January 1, 2020. Rather, new laws in California and Oregon that regulate IoT devices also will go into effect on that date. Below is an overview of those laws.

Keypoint: The long-awaited proposed AG regulations are here, and while they provide some much-needed clarity, they will leave businesses wanting more.

On October 10, 2019, the California Attorney General’s office published its long-awaited proposed CCPA regulations. The AG’s office also announced that it will hold public hearings on the regulations on December 2, 3, 4 and 5, 2019, and that the written comment period will end on December 6, 2019, at 5:00 p.m.

In the following blog post, we will analyze and discuss many of these proposed regulations. In addition, members of Husch Blackwell’s privacy and data security practice group will host a webinar on Tuesday, October 15, from 12:00-1:30 p.m. CT, to analyze the proposed regulations.  Click here to register.

We previously posted that Alastair Mactaggart, one of the co-authors of the California Consumer Privacy Act (CCPA), intended to submit a new ballot initiative to strengthen the privacy rights that already exist in the CCPA. The full text of the ballot measure – which is entitled the California Consumer Privacy Rights and Enforcement Act of 2020 – is now available on the California Attorney General’s website.  There also is an annotated version of the initiative available here.

While Mactaggart’s press release identified a few of the proposed changes, our initial review of the initiative is that it would bring about a substantial rewrite of the CCPA.  While there is a lot to unpack in this initiative, here are our initial highlights:

Alastair Mactaggart, Founder & Chair of Californians for Consumer Privacy, announced that he intends to file a ballot initiative – the California Privacy Enforcement Act – to appear on the November 2020 ballot. According to his press release, the new law would:

  • Create new rights around the use and sale of sensitive personal information, such as

Keypoint: The California Attorney General’s office is on track to publish draft CCPA regulations in October and final regulations by year end. Although the exact contours of the regulations are yet to be determined, businesses subject to the CCPA will need to understand the regulations and integrate their requirements into their CCPA compliance efforts.

The final piece of the CCPA puzzle should be in place by year end. According to Bloomberg Law, the California Attorney General’s office is on track to publish draft CCPA regulations in October and final regulations by the CCPA’s January 1, 2020, effective date. That report is in line with prior expectations that the AG’s office would publish draft regulations shortly after the California Governor’s October 13 deadline to sign the CCPA amendments that passed the legislature on September 13.

Although the CCPA becomes effective on January 1, 2020, the AG’s office cannot bring an enforcement action “until six months after the publication of final regulations . . . or July 1, 2020, whichever is sooner.” Therefore, it appears the AG’s office could potentially be poised to start enforcement actions prior to July 1, 2020.