California Privacy Rights Act

Keypoint: Businesses subject to the CCPA will need to revise their compliance programs before the exemptions expire on January 1, 2023.

As previously reported, the California legislature had been considering multiple bills to extend the employee and business-to-business data exemptions under the California Consumer Privacy Act (CCPA). On August 31st, however, the California legislature adjourned without extending the exemptions which automatically expire on January 1, 2023 – the same day the California Privacy Rights Act (CPRA) goes into effect.

Generally speaking, the current exemptions apply to (1) personal information of job applicants, employees, owners, directors, officers, and independent contractors in the context of the individual’s employment or application for employment and (2) personal information reflecting written and verbal communications or a transaction where the consumer is acting in a business-to-business commercial transaction. With the exemptions set to expire, California will become the first state to apply comprehensive restrictions on the collection and use of such information.

Businesses subject to the CCPA and that have California employees or deal with other California companies will need to engage in substantial efforts to update their privacy programs. We outline some of the necessary steps below.

Continue Reading California Legislature Fails to Extend CCPA Employee and B2B Data Exemptions

Keypoint: While the Agency previously published draft regulations in early June, its filing of a Notice of Proposed Rulemaking officially initiates the rulemaking process and triggers a 45-day comment period.

On July 8, 2022, the California Privacy Protection Agency (Agency) announced that it has initiated the formal rulemaking process to adopt proposed regulations implementing the Consumer Privacy Rights Act of 2020 (CPRA). The announcement comes exactly six weeks after the Agency published draft regulations in connection with an Agency Board meeting held on June 8, 2022.

In the below post we identify the rulemaking documents filed by the Agency, discuss the rulemaking timeframe and scope, highlight comments the Agency made regarding other privacy laws, and identify the non-substantive changes made between this version and the prior draft version published in June.

Continue Reading CPPA Commences Formal CPRA Rulemaking

Keypoint: The California Privacy Protection Agency issued a first set of draft regulations that contain a number of notable provisions but do not address all of the CPRA’s rulemaking topics.

On Friday, May 27, 2022, the California Privacy Protection Agency (CPPA or Agency) issued draft regulations in connection with a Board meeting scheduled for June 8, 2022.

In the below post, we provide high-level takeaways from the draft regulations, discuss the rulemaking timeframe, and provide a summary of some of the more notable provisions.

Continue Reading CPRA Draft Regulations Issued

Keypoint: The CPRA is relatively prescriptive in how organizations must receive and respond to consumer requests, while the CPA and VCDPA introduce an appeal process and other nuances that will require adjusting existing CCPA consumer response processes.

This is the tenth and final post in our ten-part weekly series comparing key provisions of the California Privacy Rights Act (CPRA), Colorado Privacy Act (CPA), and Virginia Consumer Data Protection Act (VCDPA). With the operative dates of these laws drawing near, this series has explored important distinctions between them. Following this series, we will continue to provide updates and insights into these and other state privacy laws, including following the CPRA and CPA rulemaking processes. If you are not already subscribed to our blog, consider subscribing now to stay updated.

In this article we examine how each of the three state laws approaches consumer requests, including the types of requests consumers may submit, the methods organizations must employ to receive requests, and the timeframes in which to verify and respond to requests. The analysis below provides a high-level summary of the response frameworks under each law. It does not dive into statutory exceptions or how to substantively respond to requests.

The California Consumer Privacy Act (CCPA) and its regulations, as amended by the CPRA, is relatively prescriptive as it concerns processing consumer requests. The CPA and VCDPA, meanwhile, provide parameters but leave the processing of consumer requests largely to the discretion of the organization. Unique to the CPA and VCDPA, however, is the introduction of an appeals process that must also inform or assist the consumer in contacting the state Attorney General if dissatisfied with the result of the appeal.

Continue Reading How do the CPRA, VCDPA & CPA treat consumer requests?

Keypoint: Starting in 2023, organizations that are subject to one or more of the laws will need to enter into contracts with recipients of personal information/data that address numerous statutory requirements.

This is the eighth article in our ten-part weekly series comparing key provisions of the California Privacy Rights Act (CPRA), Colorado Privacy Act (CPA), and Virginia Consumer Data Protection Act (VCDPA). With the operative dates of these laws drawing near, we are exploring important distinctions between them. If you are not already subscribed to our blog, consider subscribing now to stay updated.

In this article, we examine how the three laws treat data processing agreements (DPAs). The CPRA, VCDPA and CPA require, in certain situations, businesses/controllers to enter into contracts with entities to whom they transfer personal information. The CPRA establishes three categories of recipients – service providers, contractors, and third parties – and sets forth a baseline set of requirements that must be contractually addressed when businesses sell or share personal information to a third party or disclose it to a service provider or contractor for a business purpose. The CPRA requires additional contractual provisions when the transfers are made to service providers or contractors.

In comparison, the VCDPA and CPA require contracts when a controller transfers personal data to processors. The VCDPA and CPA generally align their requirements although there are differences as discussed below. There also are many differences as compared to the CPRA’s requirements.

Continue Reading How do the CPRA, CPA & VCDPA treat data processing agreements?

Keypoint: The CPRA and CPA introduce the concept of dark patterns into state consumer data privacy laws although this area has come under increased attention recently with FTC enforcement actions and guidance, state attorneys general lawsuits, and class action litigation.

This is the seventh post in our ten-part weekly series comparing key provisions of the California Privacy Rights Act (CPRA), Colorado Privacy Act (CPA), and Virginia Consumer Data Protection Act (VCDPA). With the operative dates of these laws drawing near, we are exploring important distinctions between them. If you are not already subscribed to our blog, consider subscribing now to stay updated.

In this article, we analyze how each of these laws treats dark patterns. The CPRA and CPA both prohibit use of dark patterns to obtain consumer consent. The basic distinction between the CPRA and CPA is when they require consumer consent. The CPRA generally allows businesses to obtain consumer consent to circumvent certain consumer rights that have already been exercised. In comparison, the CPA requires consumer consent for the processing of sensitive data. The legal landscape will also likely continue to change and develop, as both laws may see additional rulemaking on this issue.

In contrast, the VCDPA does not directly address dark patterns although, in theory, the state Attorney General could still regulate dark patterns through the law’s definition of consent.

Finally, while the concept of dark patterns is new for the CPRA and CPA, it must be understood in the context of Federal Trade Commission (FTC) enforcement and guidance, state attorneys general lawsuits, and class action litigation.

In the below article, we first consider what constitutes a dark pattern and ongoing multi-layered enforcement regarding them. We then analyze the role of dark patterns in each of the three state privacy laws.

Continue Reading How do the CPRA, CPA & VCDPA treat dark patterns?

Keypoint: The requirements for recognizing opt-out preference signals for certain types of processing vary widely depending on which state laws apply.

This is the sixth post in our ten-part weekly series comparing key provisions of the California Privacy Rights Act (CPRA), Colorado Privacy Act (CPA), and Virginia Consumer Data Protection Act (VCDPA). With the operative dates of these laws drawing near, we are exploring important distinctions between them. If you are not already subscribed to our blog, consider subscribing now to stay updated.

In this article, we analyze how each of these laws treat opt-out preference signals. The California Consumer Privacy Act (CCPA), through its regulations, requires businesses to recognize such signals. However, the CPRA makes this an optional requirement. In contrast, Colorado will require controllers to recognize these signals as of July 1, 2024, whereas Virginia sits on the other end of the spectrum and does not require controllers to recognize them.

In the below article, we first discuss how California currently addresses this issue under the CCPA and how the CPRA will change those requirements. We then discuss Colorado’s approach.

Continue Reading How do the CPRA, CPA & VCDPA treat opt-out signals?

Keypoint: Organizations subject to these laws will need to determine whether they are engaging in “sales,” which can be a complex and multifaceted analysis given the statutes’ varying definitions and exemptions.

This is the fifth post in our ten-part weekly series comparing key provisions of the California Privacy Rights Act (CPRA), Colorado Privacy Act (CPA), and Virginia Consumer Data Protection Act (VCDPA). With the operative dates of these laws drawing near, we are exploring important distinctions between them. If you are not already subscribed to our blog, consider subscribing now to stay updated.

In this article, we analyze how each of these laws treat “sales” of personal information/data. The CPRA, CPA, and VCDPA all give consumers the right to opt-out of the sale of their personal information/data by businesses/controllers. Whether organizations need to provide this right is obviously dependent on whether they are selling personal data. That analysis, however, is complicated by the fact that the laws define “sale” differently and contain different exemptions. Reconciling the definitions and exemptions will be an important step for any organization complying with these laws.

In the below article, we analyze these issues by first comparing the definitions of sale under the three laws and then analyzing the various exemptions.

Continue Reading How do the CPRA, CPA & VCDPA treat sales?

Keypoint: California legislators introduced eight bills to amend or supplement the CPRA, including AB2891 that seeks to extend the employee and business-to-business exemptions, and AB2871 that seeks to make those exemptions indefinite.

Last week, California lawmakers proposed eight bills to amend or supplement the California Privacy Rights Act (CPRA).

AB2871 and AB2891, both filed by Assembly Member Low on February 18, 2022, would extend the employee and business-to-business exemptions either indefinitely (AB2871) or until January 1, 2026 (AB2891). Both exemptions are currently set to sunset on January 1, 2023. The filing of these bills was first reported by Jennifer Ruehr. Whether either of these bills has a chance at passing remains to be seen.

Continue Reading CPRA Update: Multiple Bills Filed, Including Proposals to Extend the Employee and B2B Exemptions