Photo of Shelby Dolen

Clients and legal teams appreciate Shelby’s passion for the law as it relates to protecting technology and company assets. She regularly monitors and researches fast-changing consumer privacy laws, with the understanding that critical strategy and success for any business includes oversight of data privacy policies and intellectual property portfolios.

Keypoint: The Attorney General’s announcement of a $1.2 million penalty sends a “strong message” to companies to come into compliance.

On August 24, 2022, California Attorney General Bonta announced the first public enforcement action under the California Consumer Privacy Act (CCPA) as well as a new round of investigative sweeps and more enforcement case examples.

During an online press conference, Attorney General Bonta announced a $1.2 million settlement with a company over allegations it illegally sold data in violation of the CCPA. Bonta stated the enforcement action should send a “strong message” to companies to comply with the CCPA. The enforcement action arose out of a prior investigative sweep in which the Attorney General’s office sent over one-hundred (100) notices of violation.Continue Reading California Attorney General Announces First Public CCPA Enforcement Action

Keypoint: As currently drafted, the ADPPA’s private right of action provides U.S. citizens with the opportunity to enforce their privacy rights but limits lawsuits to federal court and provides covered entities and service providers with mechanisms to mitigate the risk of such claims, including through the use of arbitration provisions and class action waivers.

As we previously reported, the American Data Privacy and Protection Act (ADPPA) (H.R. 8152) is eligible for a full House vote after the House Committee on Commerce & Energy (House Committee) reported out an amended version on July 20, 2022. Prior to reporting out the ADPPA, the House Committee adopted an Amendment in the Nature of a Substitute (AINS) that made numerous changes to the bill, including modifications to the bill’s private right of action (PRA).

The contours of the ADPPA’s PRA are crucial.

Privacy advocates point to the inclusion of the PRA as one way in which the ADPPA is stronger than the California Consumer Privacy Act. However, Senator Maria Cantwell (D-Wash.) – whose support is necessary to pass the bill because she chairs the relevant Senate committee – stated that the ADPPA contains “major enforcement holes” and does not have her support. Recently, Senator Cantwell stated that “she couldn’t support the bipartisan framework unless House lawmakers add tougher enforcement measures, including limits on forced arbitration and a broad right for individuals to sue companies that violate the law.” According to Cantwell, “The problem is it’s taking the House a long time to come to reality about what strong enforcement looks like.” “If you’re charitable, you call it ignorance. If you think that it’s purposeful, it literally won’t pass the House because they just won’t meet the test of what a strong federal bill looks like.” Meanwhile, business advocates such as the U.S. Chamber of Commerce are adamantly opposed to any bill “that creates a blanket private right of action.”

Given how important this issue is to passing a federal privacy bill, the below article contains a detailed analysis of the ADPPA’s current PRA as the House Committee passed it on July 20. The article then outlines the PRA contained in Senator Cantwell’s 2019 bill, the Consumer Online Privacy Right Act for comparison purposes.

If you are interested in learning more about the ADPPA, we are hosting a webinar on it on August 18, 2022. Click here for more information and to register. We also would like to thank the Future of Privacy Forum and the IAPP’s Cobun Zweifel-Keegan whose redline of the latest version of the ADPPA was instrumental in the drafting of this article.Continue Reading Analyzing the American Data Privacy and Protection Act’s Private Right of Action

Keypoint: The comments focus on identifying areas in which the Attorney General’s Office may provide additional clarity to consumers and businesses and to ensure, where appropriate, the interoperability of the Colorado Privacy Act with state and international privacy laws.

The Colorado Attorney General’s Office is currently accepting pre-rulemaking input on the Colorado Privacy Act (CPA). It also will host public listening sessions on June 22  and June 28 for those interested in providing oral comments.

Given the importance of these forthcoming regulations to the development of U.S. privacy law, members of Husch Blackwell’s data privacy practice submitted extensive comments to the Office. The purpose of the comments is to identify areas in which the Office may provide additional clarity to consumers and businesses and to ensure, where appropriate, the interoperability of the CPA with other state privacy laws enacted in California, Connecticut, Utah, and Virginia and international privacy laws such as GDPR.Continue Reading Husch Blackwell Submits Comments on Colorado Privacy Act Pre-Rulemaking

Keypoint: Last week, the FTC signaled an increased focus on COPPA enforcement, targeting education technology companies while California and federal lawmakers consider enacting new laws to regulate the processing of children’s data.

Over the past few months there has been a growing bipartisan consensus among lawmakers and regulators of the need for increased regulation around the processing of children’s data. In a sign of the significance of the issue, President Biden specifically addressed children’s data privacy in his State of the Union Address. As discussed below, recent actions by the Federal Trade Commission (the “Commission”) and lawmakers signal that companies processing children’s data should expect to see increased scrutiny.Continue Reading U.S. Children’s Privacy Law Update

Keypoint: Organizations that collect personal data from children under 16 will need to ensure compliance with additional requirements once the laws go into effect.

This is the ninth post in our ten-part weekly series comparing key provisions of the California Privacy Rights Act (CPRA), Colorado Privacy Act (CPA), and Virginia Consumer Data Protection Act (VCDPA). With the operative dates of these laws drawing near, we are exploring important distinctions between them. If you are not already subscribed to our blog, consider subscribing now to stay updated.

In this article, we examine how the three laws treat children’s personal data. The CPRA divides children into two groups, children under 13 and children the ages of 13-15. While both groups require consent to sell or share information, the latter may do so without a parent or guardian. In comparison, the VCDPA and CPA handle children’s data similar to each other by both defining a child as under 13 years old and including personal data of a child under the definition of sensitive data (for which consent is required to process). The VCDPA and CPA do not address the treatment of data for children ages 13-15.

In addition to these three state laws, California recently introduced a bill that would further regulate children’s personal data by creating additional obligations for companies collecting data of consumers under the age of 18. Momentum is also gathering for federal legislation that further regulates children’s online personal data, with several bills aiming to update the Children’s Online Privacy Protection Act (COPPA). In March, President Joe Biden addressed the importance of protecting children’s data in his State of the Union address. We provide an overview of these new bills in this article as well.Continue Reading How do the CPRA, VCDPA & CPA treat children’s data?

Keypoint: In its first CCPA interpretive opinion, the Attorney General’s office confirmed that businesses responding to requests to know must disclose internally generated inferences they hold about a consumer from either internal or external information sources.

On March 10, 2022, the California Attorney General’s office issued a first-of-its-kind interpretive opinion on the California Consumer Privacy Act’s (CCPA) application.

The Opinion states that, unless an exception applies, a consumer “has the right to know internally generated inferences about that consumer” held by the business from either external or internal sources. The Office reached this Opinion based on a plain reading of the CCPA’s text. A few questions result, including whether inferences based on otherwise exempt information must be disclosed.

Below is a further analysis of the Opinion.Continue Reading CCPA Update: California Attorney General Issues Opinion on Disclosure of Inferences

Keypoint: Organizations subject to these laws will need to determine whether they are engaging in “sales,” which can be a complex and multifaceted analysis given the statutes’ varying definitions and exemptions.

This is the fifth post in our ten-part weekly series comparing key provisions of the California Privacy Rights Act (CPRA), Colorado Privacy Act (CPA), and Virginia Consumer Data Protection Act (VCDPA). With the operative dates of these laws drawing near, we are exploring important distinctions between them. If you are not already subscribed to our blog, consider subscribing now to stay updated.

In this article, we analyze how each of these laws treat “sales” of personal information/data. The CPRA, CPA, and VCDPA all give consumers the right to opt-out of the sale of their personal information/data by businesses/controllers. Whether organizations need to provide this right is obviously dependent on whether they are selling personal data. That analysis, however, is complicated by the fact that the laws define “sale” differently and contain different exemptions. Reconciling the definitions and exemptions will be an important step for any organization complying with these laws.

In the below article, we analyze these issues by first comparing the definitions of sale under the three laws and then analyzing the various exemptions.Continue Reading How do the CPRA, CPA & VCDPA treat sales?

Keypoint: The CPRA, CPA and VCDPA require data protection assessments for certain processing activities; however, when and how entities must conduct and prepare assessments varies.

This is the third article in our ten-part weekly series comparing key provisions of the California Privacy Rights Act (CPRA), Colorado Privacy Act (CPA), and Virginia Consumer Data Protection Act (VCDPA). With the operative dates of these laws drawing near, we are exploring important distinctions between them. If you are not already subscribed to our blog, consider subscribing now to stay updated.

In this article, we examine how the three laws approach data protection assessments. At first glance, Virginia and Colorado’s provisions appear similar; however, definitional differences of key terms result in potentially significant variances. Further, the Colorado Attorney General’s office has identified this as a potential topic for rulemaking, which could lead to more differences given that the VCDPA does not authorize such rulemaking. California does not have this concept under the current California Consumer Privacy Act (CCPA) and takes a different approach than Virginia and Colorado in the CPRA. The CPRA charges the California Privacy Protection Agency (CPPA) with issuing regulations on when and how businesses must prepare cybersecurity audits and risk assessments. The CPPA is still drafting those regulations.

Below is a further analysis of this topic.Continue Reading How do the CPRA, CPA & VCDPA approach data protection assessments?

Keypoint: With the CCPA’s “right to cure” violations expiring at the end of the year, businesses should take note of the AG’s recent enforcement efforts and, to the extent necessary, provide the requisite notice of financial incentive if the business offers discounts, free items, loyalty programs, or other rewards, in exchange for personal information.

California Attorney General Rob Bonta marked Data Privacy Day (January 28) by announcing an “investigative sweep of a number of businesses operating loyalty programs in California” for allegedly failing to comply with the California Consumer Privacy Act’s (CCPA) notice of financial incentive requirement. Letters were sent on January 28 “to major corporations in retail, home improvement, travel, and food services industries.” As required under the CCPA, entities that received letters will have thirty days to cure the alleged violation.

The press release did not disclose the number of letters sent or provide details on the specific nature of the alleged violations other than stating this “sweep of notices . . . focuses on businesses that are failing to provide a notice of financial incentive to customers that opt into their loyalty program.”

For businesses that offer loyalty programs or other financial incentives, below is a discussion on the CCPA’s notice of financial incentive requirement, including what the notices must contain and how businesses should relay the notices to California residents.Continue Reading Analyzing the CCPA’s Notice of Financial Incentive Requirement in the Wake of the Attorney General’s Issuance of Violation Notices for Loyalty Programs

Keypoint: In the next few months, the Colorado Attorney General’s office will start CPA rulemaking on numerous topics with the goal of publishing draft rules by this fall and adopting final rules by next winter.

On January 28, the Colorado Attorney General’s office hosted a Data Privacy Day event centered on the Colorado Privacy Act (CPA). In prepared remarks, Colorado Attorney General Phil Weiser issued his first public comments on the upcoming CPA rulemaking process. In the coming months, the office will engage in a substantial rulemaking process on a number of topics, including dark patterns and consumer requests. The Attorney General anticipates that they will be in a position around this time next year to adopt final rules, which will be approximately six months before the CPA goes into effect on July 1, 2023.

In this post, we first provide a brief overview of the CPA statutory authority for rulemaking. We then discuss Attorney General Weiser’s prepared remarks discussing the office’s plans.Continue Reading Colorado AG to Engage in Robust Colorado Privacy Act Rulemaking