California Privacy Rights Act

Subscribe to California Privacy Rights Act via RSS
State Privacy Guide_widget_300x196-08

Keypoint: Starting in 2023, organizations that are subject to one or more of the laws will need to enter into contracts with recipients of personal information/data that address numerous statutory requirements.

This is the eighth article in our ten-part weekly series comparing key provisions of the California Privacy Rights Act (CPRA), Colorado Privacy Act (CPA), and Virginia Consumer Data Protection Act (VCDPA). With the operative dates of these laws drawing near, we are exploring important distinctions between them. If you are not already subscribed to our blog, consider subscribing now to stay updated.

In this article, we examine how the three laws treat data processing agreements (DPAs). The CPRA, VCDPA and CPA require, in certain situations, businesses/controllers to enter into contracts with entities to whom they transfer personal information. The CPRA establishes three categories of recipients – service providers, contractors, and third parties – and sets forth a baseline set of requirements that must be contractually addressed when businesses sell or share personal information to a third party or disclose it to a service provider or contractor for a business purpose. The CPRA requires additional contractual provisions when the transfers are made to service providers or contractors.

In comparison, the VCDPA and CPA require contracts when a controller transfers personal data to processors. The VCDPA and CPA generally align their requirements although there are differences as discussed below. There also are many differences as compared to the CPRA’s requirements.

Keypoint: The CPRA and CPA introduce the concept of dark patterns into state consumer data privacy laws although this area has come under increased attention recently with FTC enforcement actions and guidance, state attorneys general lawsuits, and class action litigation.

This is the seventh post in our ten-part weekly series comparing key provisions of the California Privacy Rights Act (CPRA), Colorado Privacy Act (CPA), and Virginia Consumer Data Protection Act (VCDPA). With the operative dates of these laws drawing near, we are exploring important distinctions between them. If you are not already subscribed to our blog, consider subscribing now to stay updated.

In this article, we analyze how each of these laws treats dark patterns. The CPRA and CPA both prohibit use of dark patterns to obtain consumer consent. The basic distinction between the CPRA and CPA is when they require consumer consent. The CPRA generally allows businesses to obtain consumer consent to circumvent certain consumer rights that have already been exercised. In comparison, the CPA requires consumer consent for the processing of sensitive data. The legal landscape will also likely continue to change and develop, as both laws may see additional rulemaking on this issue.

In contrast, the VCDPA does not directly address dark patterns although, in theory, the state Attorney General could still regulate dark patterns through the law’s definition of consent.

Finally, while the concept of dark patterns is new for the CPRA and CPA, it must be understood in the context of Federal Trade Commission (FTC) enforcement and guidance, state attorneys general lawsuits, and class action litigation.

In the below article, we first consider what constitutes a dark pattern and ongoing multi-layered enforcement regarding them. We then analyze the role of dark patterns in each of the three state privacy laws.

State Privacy Guide_widget_300x196-06

Keypoint: The requirements for recognizing opt-out preference signals for certain types of processing vary widely depending on which state laws apply.

This is the sixth post in our ten-part weekly series comparing key provisions of the California Privacy Rights Act (CPRA), Colorado Privacy Act (CPA), and Virginia Consumer Data Protection Act (VCDPA). With the operative dates of these laws drawing near, we are exploring important distinctions between them. If you are not already subscribed to our blog, consider subscribing now to stay updated.

In this article, we analyze how each of these laws treat opt-out preference signals. The California Consumer Privacy Act (CCPA), through its regulations, requires businesses to recognize such signals. However, the CPRA makes this an optional requirement. In contrast, Colorado will require controllers to recognize these signals as of July 1, 2024, whereas Virginia sits on the other end of the spectrum and does not require controllers to recognize them.

In the below article, we first discuss how California currently addresses this issue under the CCPA and how the CPRA will change those requirements. We then discuss Colorado’s approach.

State Privacy Guide_widget_300x196-05

Keypoint: Organizations subject to these laws will need to determine whether they are engaging in “sales,” which can be a complex and multifaceted analysis given the statutes’ varying definitions and exemptions.

This is the fifth post in our ten-part weekly series comparing key provisions of the California Privacy Rights Act (CPRA), Colorado Privacy Act (CPA), and Virginia Consumer Data Protection Act (VCDPA). With the operative dates of these laws drawing near, we are exploring important distinctions between them. If you are not already subscribed to our blog, consider subscribing now to stay updated.

In this article, we analyze how each of these laws treat “sales” of personal information/data. The CPRA, CPA, and VCDPA all give consumers the right to opt-out of the sale of their personal information/data by businesses/controllers. Whether organizations need to provide this right is obviously dependent on whether they are selling personal data. That analysis, however, is complicated by the fact that the laws define “sale” differently and contain different exemptions. Reconciling the definitions and exemptions will be an important step for any organization complying with these laws.

In the below article, we analyze these issues by first comparing the definitions of sale under the three laws and then analyzing the various exemptions.

Keypoint: California legislators introduced eight bills to amend or supplement the CPRA, including AB2891 that seeks to extend the employee and business-to-business exemptions, and AB2871 that seeks to make those exemptions indefinite.

Last week, California lawmakers proposed eight bills to amend or supplement the California Privacy Rights Act (CPRA).

AB2871 and AB2891, both filed by Assembly Member Low on February 18, 2022, would extend the employee and business-to-business exemptions either indefinitely (AB2871) or until January 1, 2026 (AB2891). Both exemptions are currently set to sunset on January 1, 2023. The filing of these bills was first reported by Jennifer Ruehr. Whether either of these bills has a chance at passing remains to be seen.

State Privacy Guide_widget_300x196-04

Keypoint: The CPRA requires that businesses use certain types of sensitive personal information only for limited purposes, otherwise they must notify consumers of the additional purposes and provide consumers the opportunity to opt-out of such processing, while the VCDPA and CPA require controllers to obtain consumer consent and conduct data processing assessments prior to processing sensitive data. 

This is the fourth article in our ten-part weekly series comparing key provision of the California Privacy Rights Act (CPRA), Colorado Privacy Act (CPA), and Virginia Consumer Data Protection Act (VCDPA). With the operative dates of these laws drawing near, we are exploring important distinctions between them. If you are not already subscribed to our blog, consider subscribing now to stay updated.

In this article, we examine how the three laws treat sensitive personal information. The CPRA has a broad definition of sensitive personal information although, to be subject to the law’s limitations, a business must collect or process that information for the “purpose of inferring characteristics about a consumer.” If so, the CPRA grants consumers the right to limit a business’s processing of such data to certain purposes specified in the law. Conversely, the VCDPA and CPA define sensitive data differently than the CPRA and require controllers to obtain consumer consent and conduct a data processing assessment prior to processing such information.

Below is an analysis of this topic.

State Privacy Guide_widget_300x196-03

Keypoint: The CPRA, CPA and VCDPA require data protection assessments for certain processing activities; however, when and how entities must conduct and prepare assessments varies.

This is the third article in our ten-part weekly series comparing key provisions of the California Privacy Rights Act (CPRA), Colorado Privacy Act (CPA), and Virginia Consumer Data Protection Act (VCDPA). With the operative dates of these laws drawing near, we are exploring important distinctions between them. If you are not already subscribed to our blog, consider subscribing now to stay updated.

In this article, we examine how the three laws approach data protection assessments. At first glance, Virginia and Colorado’s provisions appear similar; however, definitional differences of key terms result in potentially significant variances. Further, the Colorado Attorney General’s office has identified this as a potential topic for rulemaking, which could lead to more differences given that the VCDPA does not authorize such rulemaking. California does not have this concept under the current California Consumer Privacy Act (CCPA) and takes a different approach than Virginia and Colorado in the CPRA. The CPRA charges the California Privacy Protection Agency (CPPA) with issuing regulations on when and how businesses must prepare cybersecurity audits and risk assessments. The CPPA is still drafting those regulations.

Below is a further analysis of this topic.

State Privacy Guide_widget_300x196-02

Keypoint: The CPRA, CPA, and VCDPA vary in both their definitions of biometric information/data and their compliance obligations.

This is the second article in our ten-part weekly series comparing key provisions of the California Privacy Rights Act (CPRA), Colorado Privacy Act (CPA), and Virginia Consumer Data Protection Act (VCDPA). With the operative dates of these laws drawing near, we are exploring important distinctions between these bills. If you are not already subscribed to our blog, consider subscribing now to stay updated.

In this article, we examine how the three laws will treat biometric information (or biometric data as the term is used in Colorado and Virginia). The California Consumer Privacy Act (CCPA) already addresses biometric information but only as an element of personal information. The CPRA will include certain types of biometric information as “sensitive personal information” and provide consumers the right to limit businesses’ use of that information. Virginia and Colorado will require controllers to obtain consumer consent for the processing of biometric data for the purpose of uniquely identifying a natural person. However, Virginia’s definition of biometric data is much narrower than California’s definition. Meanwhile, Colorado’s law does not define the term at all.

Below is an analysis of this issue.

Keypoint: The CPRA, CPA, and VCDPA’s definitions of “publicly available information” are broader than the CCPA’s definition, thereby expanding the types of personal information companies may process outside the confines of those laws.

In celebration of Data Privacy Day, we are launching this ten-part weekly series where we will compare key provisions of the California Privacy Rights Act (CPRA), Colorado Privacy Act (CPA), and Virginia Consumer Data Protection Act (VCDPA). With the operative dates of these laws drawing near, we will explore important nuances and differences on topics such as treatment of biometric and sensitive information, targeted advertising, consumer rights, and data processing agreements. If you are not already subscribed to our blog, consider doing so to stay updated.

Our first topic in this ten-part series is the treatment of publicly available information. Although the California Consumer Privacy Act (CCPA) contains an exclusion for “publicly available information” from its definition of personal information, the exclusion is limited to information made available by federal, state, or local government records. The CPRA, CPA, and VCDPA expand this exception to include information a company has a reasonable basis to believe a consumer lawfully made available to the general public.

Below is a comparison of “publicly available information” as defined in each of the three laws.

Keypoint: Modifications to the CCPA regulation’s provisions regarding requests to opt-out and authorized agent requests are now final.

On March 15, 2021, the California Attorney General’s office announced that the Office of Administrative Law has approved the Attorney General’s proposed changes to the CCPA regulations. The new regulations make three general changes relating to the right to opt out of sales and one change to authorized agent requests. In addition, the Attorney General’s press release reaffirms that enforcement activities are proceeding.