California Privacy Rights Act

Keypoint: The CPRA, CPA and VCDPA require data protection assessments for certain processing activities; however, when and how entities must conduct and prepare assessments varies.

This is the third article in our ten-part weekly series comparing key provisions of the California Privacy Rights Act (CPRA), Colorado Privacy Act (CPA), and Virginia Consumer Data Protection Act (VCDPA). With the operative dates of these laws drawing near, we are exploring important distinctions between them. If you are not already subscribed to our blog, consider subscribing now to stay updated.

In this article, we examine how the three laws approach data protection assessments. At first glance, Virginia and Colorado’s provisions appear similar; however, definitional differences of key terms result in potentially significant variances. Further, the Colorado Attorney General’s office has identified this as a potential topic for rulemaking, which could lead to more differences given that the VCDPA does not authorize such rulemaking. California does not have this concept under the current California Consumer Privacy Act (CCPA) and takes a different approach than Virginia and Colorado in the CPRA. The CPRA charges the California Privacy Protection Agency (CPPA) with issuing regulations on when and how businesses must prepare cybersecurity audits and risk assessments. The CPPA is still drafting those regulations.

Below is a further analysis of this topic.

Continue Reading How do the CPRA, CPA & VCDPA approach data protection assessments?

Keypoint: The CPRA, CPA, and VCDPA vary in both their definitions of biometric information/data and their compliance obligations.

This is the second article in our ten-part weekly series comparing key provisions of the California Privacy Rights Act (CPRA), Colorado Privacy Act (CPA), and Virginia Consumer Data Protection Act (VCDPA). With the operative dates of these laws drawing near, we are exploring important distinctions between these bills. If you are not already subscribed to our blog, consider subscribing now to stay updated.

In this article, we examine how the three laws will treat biometric information (or biometric data as the term is used in Colorado and Virginia). The California Consumer Privacy Act (CCPA) already addresses biometric information but only as an element of personal information. The CPRA will include certain types of biometric information as “sensitive personal information” and provide consumers the right to limit businesses’ use of that information. Virginia and Colorado will require controllers to obtain consumer consent for the processing of biometric data for the purpose of uniquely identifying a natural person. However, Virginia’s definition of biometric data is much narrower than California’s definition. Meanwhile, Colorado’s law does not define the term at all.

Below is an analysis of this issue.

Continue Reading How do the CPRA, CPA & VCDPA treat biometric information?

Keypoint: The CPRA, CPA, and VCDPA’s definitions of “publicly available information” are broader than the CCPA’s definition, thereby expanding the types of personal information companies may process outside the confines of those laws.

In celebration of Data Privacy Day, we are launching this ten-part weekly series where we will compare key provisions of the California Privacy Rights Act (CPRA), Colorado Privacy Act (CPA), and Virginia Consumer Data Protection Act (VCDPA). With the operative dates of these laws drawing near, we will explore important nuances and differences on topics such as treatment of biometric and sensitive information, targeted advertising, consumer rights, and data processing agreements. If you are not already subscribed to our blog, consider doing so to stay updated.

Our first topic in this ten-part series is the treatment of publicly available information. Although the California Consumer Privacy Act (CCPA) contains an exclusion for “publicly available information” from its definition of personal information, the exclusion is limited to information made available by federal, state, or local government records. The CPRA, CPA, and VCDPA expand this exception to include information a company has a reasonable basis to believe a consumer lawfully made available to the general public.

Below is a comparison of “publicly available information” as defined in each of the three laws.

Continue Reading How do the CPRA, CPA & VCDPA treat publicly available information?

Keypoint: Modifications to the CCPA regulation’s provisions regarding requests to opt-out and authorized agent requests are now final.

On March 15, 2021, the California Attorney General’s office announced that the Office of Administrative Law has approved the Attorney General’s proposed changes to the CCPA regulations. The new regulations make three general changes relating to the right to opt out of sales and one change to authorized agent requests. In addition, the Attorney General’s press release reaffirms that enforcement activities are proceeding.

Continue Reading CCPA Update: New Regulations Approved

On January 28, 2021, privacy professionals around the world will celebrate Data Privacy Day. This year, we decided to mark the occasion by gathering our team’s thoughts and expectations on what we expect to be the biggest privacy law stories in 2021 and beyond.

Last year we wrote a similar article, attempting to predict how the privacy landscape would unfold in 2020. We got some things right (e.g., the emergence of CCPA 2.0). But, let’s be honest, in March everything changed, including privacy law. As spring turned into summer our writing focused on the privacy law implications of COVID-19, including contact tracing, no contact temperature taking, and the unanticipated collection of heath information, among other unexpected topics. We also took note of developments overseas, including the Court of Justice of the European Union’s Schrems II decision and the emergence of Brazil’s federal privacy law, LGPD.

If there was one takeaway from 2020 from a privacy law perspective it was this – while it is impossible to predict its path, privacy law is rapidly growing and evolving, almost on a daily basis, and in nearly every corner of the world. With that, we turn to our 2021 predictions.

Continue Reading The Year to Come in U.S. Privacy & Cybersecurity Law (2021)

Keypoint: Although the CPRA will not become fully operative until January 1, 2023, the provisions creating the California Privacy Protection Agency and extending the business-to-business and employee exemptions are now operative.

On December 11, 2020, California Secretary of State Alex Padilla certified the results of the November General Election. As a result, the California Privacy Rights Act (CPRA) became effective today, pursuant to Section 31 of Proposition 24 and Article II, Section 10(a) of the California Constitution. Notwithstanding the CPRA’s effective date, the majority of its provisions will not become operative until January 1, 2023. Nonetheless, certain notable provisions are now fully operative:

Continue Reading The California Privacy Rights Act Goes into Effect

According to the San Francisco Chronicle and Californians for Consumer Privacy, California voters have passed Proposition 24 – the California Privacy Rights Act (CPRA). The CPRA substantially modifies the California Consumer Privacy Act (CCPA), which just went into effect on January 1, 2020.

Members of Husch Blackwell’s privacy and data security practice will host

On June 24, 2020, the California Secretary of State announced that county election officials had validated enough signatures through the random signature validation process to make the California Privacy Rights Act of 2020 (a/k/a CCPA 2.0) eligible for the November 3, 2020 ballot. The final projected valid signatures based on the random sample validation process

Keypoint: If the California Privacy Rights Act is approved by voters in November, it would trigger a series of deadlines ultimately culminating in a January 1, 2023 effective date and July 1, 2023 enforcement date.

On May 4, 2020, privacy advocates reported that they were submitting over 900,000 signatures to qualify the California Privacy Rights Act (CPRA or CCPA.20) for the November election. Assuming the initiative passes the signature verification process, it would be on the November 3, 2020 ballot and become law if approved by a simple majority of California voters.

If the CPRA does pass in November, it will trigger a complicated timeline of staggered effective and enforcement dates and regulatory rulemaking deadlines.

Continue Reading CCPA 2.0: Analysis of the California Privacy Rights Act’s Implementation Timeline