Photo of Shelby Dolen

Clients and legal teams appreciate Shelby’s passion for the law as it relates to protecting technology and company assets. She regularly monitors and researches fast-changing consumer privacy laws, with the understanding that critical strategy and success for any business includes oversight of data privacy policies and intellectual property portfolios.

Keypoint: Organizations subject to these laws will need to determine whether they are engaging in “sales,” which can be a complex and multifaceted analysis given the statutes’ varying definitions and exemptions.

This is the fifth post in our ten-part weekly series comparing key provisions of the California Privacy Rights Act (CPRA), Colorado Privacy Act (CPA), and Virginia Consumer Data Protection Act (VCDPA). With the operative dates of these laws drawing near, we are exploring important distinctions between them. If you are not already subscribed to our blog, consider subscribing now to stay updated.

In this article, we analyze how each of these laws treat “sales” of personal information/data. The CPRA, CPA, and VCDPA all give consumers the right to opt-out of the sale of their personal information/data by businesses/controllers. Whether organizations need to provide this right is obviously dependent on whether they are selling personal data. That analysis, however, is complicated by the fact that the laws define “sale” differently and contain different exemptions. Reconciling the definitions and exemptions will be an important step for any organization complying with these laws.

In the below article, we analyze these issues by first comparing the definitions of sale under the three laws and then analyzing the various exemptions.

Continue Reading How do the CPRA, CPA & VCDPA treat sales?

Keypoint: The CPRA, CPA and VCDPA require data protection assessments for certain processing activities; however, when and how entities must conduct and prepare assessments varies.

This is the third article in our ten-part weekly series comparing key provisions of the California Privacy Rights Act (CPRA), Colorado Privacy Act (CPA), and Virginia Consumer Data Protection Act (VCDPA). With the operative dates of these laws drawing near, we are exploring important distinctions between them. If you are not already subscribed to our blog, consider subscribing now to stay updated.

In this article, we examine how the three laws approach data protection assessments. At first glance, Virginia and Colorado’s provisions appear similar; however, definitional differences of key terms result in potentially significant variances. Further, the Colorado Attorney General’s office has identified this as a potential topic for rulemaking, which could lead to more differences given that the VCDPA does not authorize such rulemaking. California does not have this concept under the current California Consumer Privacy Act (CCPA) and takes a different approach than Virginia and Colorado in the CPRA. The CPRA charges the California Privacy Protection Agency (CPPA) with issuing regulations on when and how businesses must prepare cybersecurity audits and risk assessments. The CPPA is still drafting those regulations.

Below is a further analysis of this topic.

Continue Reading How do the CPRA, CPA & VCDPA approach data protection assessments?

Keypoint: With the CCPA’s “right to cure” violations expiring at the end of the year, businesses should take note of the AG’s recent enforcement efforts and, to the extent necessary, provide the requisite notice of financial incentive if the business offers discounts, free items, loyalty programs, or other rewards, in exchange for personal information.

California Attorney General Rob Bonta marked Data Privacy Day (January 28) by announcing an “investigative sweep of a number of businesses operating loyalty programs in California” for allegedly failing to comply with the California Consumer Privacy Act’s (CCPA) notice of financial incentive requirement. Letters were sent on January 28 “to major corporations in retail, home improvement, travel, and food services industries.” As required under the CCPA, entities that received letters will have thirty days to cure the alleged violation.

The press release did not disclose the number of letters sent or provide details on the specific nature of the alleged violations other than stating this “sweep of notices . . . focuses on businesses that are failing to provide a notice of financial incentive to customers that opt into their loyalty program.”

For businesses that offer loyalty programs or other financial incentives, below is a discussion on the CCPA’s notice of financial incentive requirement, including what the notices must contain and how businesses should relay the notices to California residents.

Continue Reading Analyzing the CCPA’s Notice of Financial Incentive Requirement in the Wake of the Attorney General’s Issuance of Violation Notices for Loyalty Programs

Keypoint: In the next few months, the Colorado Attorney General’s office will start CPA rulemaking on numerous topics with the goal of publishing draft rules by this fall and adopting final rules by next winter.

On January 28, the Colorado Attorney General’s office hosted a Data Privacy Day event centered on the Colorado Privacy Act (CPA). In prepared remarks, Colorado Attorney General Phil Weiser issued his first public comments on the upcoming CPA rulemaking process. In the coming months, the office will engage in a substantial rulemaking process on a number of topics, including dark patterns and consumer requests. The Attorney General anticipates that they will be in a position around this time next year to adopt final rules, which will be approximately six months before the CPA goes into effect on July 1, 2023.

In this post, we first provide a brief overview of the CPA statutory authority for rulemaking. We then discuss Attorney General Weiser’s prepared remarks discussing the office’s plans.

Continue Reading Colorado AG to Engage in Robust Colorado Privacy Act Rulemaking

Which States Will Consider CCPA-Like Consumer Privacy Bills in 2022?Keypoint: At least fifteen state legislatures are poised to consider CCPA-like consumer privacy legislation in 2022 with lawmakers in Arizona, Connecticut, Florida, Minnesota, Mississippi, and Washington confirming they will be introducing bills, a bill already being pre-filed in Maryland, and eight states with bills that will carry over from the 2021 session.

The continuing emergence of proposed state privacy laws will be a dominant story for privacy professionals in 2022.

In 2021, lawmakers in twenty-seven states proposed CCPA-like privacy legislation. We tracked these bills through our weekly updates, State Privacy Law Tracker, and Legislating Data Privacy podcast series.

This year, we contacted lawmakers who proposed bills in 2021 and asked them to share their plans for 2022. We received many responses, which we chronicle below along with updates on bills that we have been tracking over the summer and fall. Of particular note, Representatives Shelley Kloba (Washington), Steve Elkins (Minnesota), and Collin Walke (Oklahoma) provided extensive comments on their 2022 proposals.

Continue Reading Which States Will Consider CCPA-Like Consumer Privacy Bills in 2022?

Keypoint: Advertising platform settles with the FTC over allegations that it collected location data without consent and collected information from child-directed apps without notice or parental consent in violation of the FTC Act and COPPA.

Online advertising exchange platform, OpenX Technologies, Inc., has been ordered to pay $2 million of a $7.5 million judgment to settle Federal Trade Commission allegations that it misrepresented its data collection, use, and disclosure practices as it concerns personal information collected from children and location information collected from consumers who had not granted or had denied requisite location permissions.

Continue Reading Behind the Scenes but Not Above the Law: Advertising Platform OpenX To Pay $2 Million FTC Settlement

CPRA Regulations: California Privacy Protection Agency Commences Preliminary Rulemaking ProcessKeypoint: The California Privacy Protection Agency initiates preliminary rulemaking activities under the California Privacy Rights Act.

On Wednesday, September 22, 2021, the California Privacy Protection Agency (Agency) issued an Invitation for Preliminary Comments on Proposed Rulemaking Under the California Privacy Rights Act of 2020.

California voters approved the California Privacy Rights Act (CPRA) in November 2020. The CPRA, which goes into effect on January 1, 2023, significantly revises the California Consumer Privacy Act (CCPA).

Continue Reading CPRA Regulations: California Privacy Protection Agency Commences Preliminary Rulemaking Process

Oklahoma Privacy BillKeypoint: The 2022 legislative session of proposed state consumer privacy legislation kicks off with the filing of a new bill in Oklahoma.

On September 9, 2021, Rep. Collin Walke (D) and Majority Leader Rep. Josh West (R) filed the Oklahoma Computer Data Privacy Act of 2022. The Oklahoma legislature is not scheduled to convene until February 7, 2022, such that there is ample time for policymakers and lobbyists to study the bill. We spoke with Representative Walke earlier this year about his goal of passing a privacy law in 2022.

In an accompanying press release, Representative Walke stated: “The National Security Commission on Artificial Intelligence explained that America is ill-prepared for the next decade of technological development, and part of that is due to a lack of governmental action in regulating things like data privacy. It is time that we heed the advice of security experts like the National Security Commission and pass meaningful data privacy legislation. We must be part of the solution and not the problem.”

In 2021, the Oklahoma House passed another privacy bill but it did not make it out of the Senate Judiciary Committee. According to Rep. Walke, the 2021 version will still be alive when the 2022 legislative session convenes such that Oklahoma lawmakers will have two bills to consider.

Below is an overview of the 2022 bill (as introduced).

In addition, members of Husch Blackwell’s privacy and data security practice will be hosting a webinar on September 28 to discuss developments in U.S. privacy law, including the 2022 Oklahoma bill. Click here to register.

Continue Reading 2022 Oklahoma Computer Data Privacy Act Filed

Keypoint: A detailed analysis of the Attorney General’s twenty-seven published examples of noncompliance notices sent during the first year of CCPA enforcement reveals key learnings for CCPA compliance efforts.

In July, the California Attorney General published twenty-seven “illustrative examples” of noncompliance notices it sent to businesses during its first year of enforcing the CCPA. The examples provide a rare glimpse into the Attorney General’s enforcement priorities.

The office sent enforcement notices to a wide range of businesses spanning a variety of industries. The alleged violations primarily concerned privacy policy disclosures, consumer requests, and opt-out of sale requirements. Other noncompliance topics included service provider contracts and “just in time” notices.

Below is an analysis of the published enforcement examples. The office emphasizes, however, that the information provided “does not include all the facts of each situation and does not constitute legal advice.”

Continue Reading CCPA Update: Analysis and Key Takeaways from AG’s Example Enforcement Cases

Keypoint: The Colorado Senate unanimously passed the Colorado Privacy Act after amending the bill to add back many of the privacy protections previously removed.

On May 26, 2021, the Colorado Senate unanimously passed the Colorado Privacy Act. The bill now moves to the State Assembly. The Colorado legislature is scheduled to close on June 12 so we will know in just a matter of weeks (if not sooner) if Colorado will become the third state to enact broad consumer privacy legislation.

Two House sponsors were added to the bill – Republican Terri Carver and Democrat majority co-whip Monica Dunn. The addition of bipartisan House sponsors perhaps signals that the bill has momentum to pass the House.

Notably, the Senate significantly amended the bill from the version previously passed by the Senate Business, Labor & Technology Committee. As discussed in our May 12 post, the Senate committee had revised many of the bill’s pro-consumer provisions to pro-business provisions. The bill that ultimately passed the Senate (see here) reverted many of those changes. Below is a summary of some of the notable revisions.

Continue Reading Significantly Amended (Again) Colorado Privacy Act Passes Senate