Clients and legal teams appreciate Shelby’s passion for the law as it relates to protecting technology and company assets. She regularly monitors and researches fast-changing consumer privacy laws, with the understanding that critical strategy and success for any business includes oversight of data privacy policies and intellectual property portfolios.

Keypoint: The Utah Division of Consumer Protection published proposed rules regulating social media companies under Utah’s Social Media Regulation Act.

On October 15, 2023, the Utah Division of Consumer Protection (the “Agency”) published proposed rules for Utah’s Social Media Regulation Act (“SMRA”). As required by the SMRA, the draft rules outline requirements for age verification and consent methods. These draft rules come just a month following federal district courts in California, Texas, and Arkansas enjoining children’s online laws from going into effect in those states.

In the below post, we first provide background on the SMRA. We then provide a summary of the substantive sections of the proposed rules and lastly outline key takeaways.

Continue Reading Utah Proposes Rules for Social Media Regulation Act

Keypoint: A California federal district court granted NetChoice’s motion for preliminary injunction, finding that the California Age-Appropriate Design Code Act likely violates the First Amendment.

On September 18, 2023, the United States District Court for the Northern District of California granted NetChoice’s motion for preliminary injunction, enjoining Rob Bonta, Attorney General of the State of California, from enforcing the California Age-Appropriate Design Code Act (AADC). The ruling comes only weeks after federal district courts in Texas and Arkansas enjoined children’s online laws from going into effect in those states.

In the below post, we provide a brief background on the AADC, analyze the court’s ruling, and provide some context and takeaways on how it could impact privacy laws more generally.

Continue Reading Court Enjoins California Age-Appropriate Design Code Act

Keypoint: Enforcement by the California Privacy Protection Agency of the new CCPA regulations will be delayed until March 2024, but the Agency can still enforce the CCPA statutory changes as of July 1, 2023.

As first reported by Amy Miller at mlex, on June 30, 2023, Judge Arguelles of the Superior Court of California entered an Order granting, in part, the California Chamber of Commerce’s Petition for Writ of Mandate and Complaint for Declaratory and Injunctive Relief. In so doing, the Court held that enforcement of any final regulation published by the California Privacy Protection Agency must be stayed for a period of 12 months from the date that regulation becomes final. This means the Agency cannot enforce the new California Consumer Privacy Act (CCPA) regulations finalized on March 29, 2023, until March 29, 2024. Importantly, the ruling does not prohibit the Agency or the Attorney General’s Office from enforcing the statutory changes to the CCPA that went into effect on January 1, 2023.

Continue Reading Enforcement of New CCPA Regulations Delayed By Court Ruling

Keypoint: With the Board’s approval secured, the Agency will now send the final rulemaking package to the Office of Administrative Law for review.

On Friday, February 3, 2023, the Board of the California Privacy Protection Agency (Agency) voted to adopt and approve the Agency’s rulemaking package. The rulemaking package includes a redline of the final regulations, a final statement of reasons, and two appendices to the final statement of reasons with responses to comments received during the 45 day and 15 day comment periods. The Agency did not substantively change the regulations from the draft the Agency published in November.

Continue Reading CPPA Board Approves CPRA Regulations

The landscape of U.S. state privacy law is changing once again. In 2022, the California legislature passed The California Age-Appropriate Design Code Act (AB 2273), a first-in-the-nation law based on the United Kingdom’s Age-Appropriate Design Code. In 2023, more states are following California’s lead and introducing bills that seek to regulate private entities’

Keypoint: Businesses subject to the CCPA will need to revise their compliance programs before the exemptions expire on January 1, 2023.

As previously reported, the California legislature had been considering multiple bills to extend the employee and business-to-business data exemptions under the California Consumer Privacy Act (CCPA). On August 31st, however, the California legislature adjourned without extending the exemptions which automatically expire on January 1, 2023 – the same day the California Privacy Rights Act (CPRA) goes into effect.

Generally speaking, the current exemptions apply to (1) personal information of job applicants, employees, owners, directors, officers, and independent contractors in the context of the individual’s employment or application for employment and (2) personal information reflecting written and verbal communications or a transaction where the consumer is acting in a business-to-business commercial transaction. With the exemptions set to expire, California will become the first state to apply comprehensive restrictions on the collection and use of such information.

Businesses subject to the CCPA and that have California employees or deal with other California companies will need to engage in substantial efforts to update their privacy programs. We outline some of the necessary steps below.

Continue Reading California Legislature Fails to Extend CCPA Employee and B2B Data Exemptions

Keypoint: The thirteen new enforcement case examples – released just a few months before the CCPA’s right to cure sunsets – provide further insight into the Attorney General’s enforcement priorities.

As we previously reported, last week the California Attorney General’s Office announced its first public settlement for alleged non-compliance with the California Consumer Privacy Act (CCPA), consisting of a $1.2 million penalty as well as injunctive relief. Although much of the discussion since the announcement has been appropriately focused on the contours of the settlement agreement, the Office contemporaneously published thirteen new CCPA enforcement case examples. The new examples add to the twenty-seven examples the Office published in July 2021.

Because the Office does not generally release information to the public about its investigations, the new case examples provide a rare glimpse into the Office’s past year of CCPA enforcement activities. With the CCPA’s thirty day right to cure sunsetting on January 1, 2023, businesses should review these case examples as part of their ongoing compliance efforts.

Below is an overview of the new enforcement case examples.

Continue Reading CCPA Update: Cal. AG Releases Thirteen New Enforcement Case Examples

Keypoint: The Attorney General’s announcement of a $1.2 million penalty sends a “strong message” to companies to come into compliance.

On August 24, 2022, California Attorney General Bonta announced the first public enforcement action under the California Consumer Privacy Act (CCPA) as well as a new round of investigative sweeps and more enforcement case examples.

During an online press conference, Attorney General Bonta announced a $1.2 million settlement with a company over allegations it illegally sold data in violation of the CCPA. Bonta stated the enforcement action should send a “strong message” to companies to comply with the CCPA. The enforcement action arose out of a prior investigative sweep in which the Attorney General’s office sent over one-hundred (100) notices of violation.

Continue Reading California Attorney General Announces First Public CCPA Enforcement Action

Keypoint: As currently drafted, the ADPPA’s private right of action provides U.S. citizens with the opportunity to enforce their privacy rights but limits lawsuits to federal court and provides covered entities and service providers with mechanisms to mitigate the risk of such claims, including through the use of arbitration provisions and class action waivers.

As we previously reported, the American Data Privacy and Protection Act (ADPPA) (H.R. 8152) is eligible for a full House vote after the House Committee on Commerce & Energy (House Committee) reported out an amended version on July 20, 2022. Prior to reporting out the ADPPA, the House Committee adopted an Amendment in the Nature of a Substitute (AINS) that made numerous changes to the bill, including modifications to the bill’s private right of action (PRA).

The contours of the ADPPA’s PRA are crucial.

Privacy advocates point to the inclusion of the PRA as one way in which the ADPPA is stronger than the California Consumer Privacy Act. However, Senator Maria Cantwell (D-Wash.) – whose support is necessary to pass the bill because she chairs the relevant Senate committee – stated that the ADPPA contains “major enforcement holes” and does not have her support. Recently, Senator Cantwell stated that “she couldn’t support the bipartisan framework unless House lawmakers add tougher enforcement measures, including limits on forced arbitration and a broad right for individuals to sue companies that violate the law.” According to Cantwell, “The problem is it’s taking the House a long time to come to reality about what strong enforcement looks like.” “If you’re charitable, you call it ignorance. If you think that it’s purposeful, it literally won’t pass the House because they just won’t meet the test of what a strong federal bill looks like.” Meanwhile, business advocates such as the U.S. Chamber of Commerce are adamantly opposed to any bill “that creates a blanket private right of action.”

Given how important this issue is to passing a federal privacy bill, the below article contains a detailed analysis of the ADPPA’s current PRA as the House Committee passed it on July 20. The article then outlines the PRA contained in Senator Cantwell’s 2019 bill, the Consumer Online Privacy Right Act for comparison purposes.

If you are interested in learning more about the ADPPA, we are hosting a webinar on it on August 18, 2022. Click here for more information and to register. We also would like to thank the Future of Privacy Forum and the IAPP’s Cobun Zweifel-Keegan whose redline of the latest version of the ADPPA was instrumental in the drafting of this article.

Continue Reading Analyzing the American Data Privacy and Protection Act’s Private Right of Action

Keypoint: The comments focus on identifying areas in which the Attorney General’s Office may provide additional clarity to consumers and businesses and to ensure, where appropriate, the interoperability of the Colorado Privacy Act with state and international privacy laws.

The Colorado Attorney General’s Office is currently accepting pre-rulemaking input on the Colorado Privacy Act (CPA). It also will host public listening sessions on June 22 and June 28 for those interested in providing oral comments.

Given the importance of these forthcoming regulations to the development of U.S. privacy law, members of Husch Blackwell’s data privacy practice submitted extensive comments to the Office. The purpose of the comments is to identify areas in which the Office may provide additional clarity to consumers and businesses and to ensure, where appropriate, the interoperability of the CPA with other state privacy laws enacted in California, Connecticut, Utah, and Virginia and international privacy laws such as GDPR.

Continue Reading Husch Blackwell Submits Comments on Colorado Privacy Act Pre-Rulemaking