Keypoint: It was another busy week with bills introduced in Colorado, New York and West Virginia, a committee hearing in New Jersey on three bills, a public hearing in Washington on the Washington Privacy Act, the Oklahoma bill was referred to the Senate Judiciary committee, one Florida bill passed out of committee, and a hearing was set on the other Florida bill.

For the fourth week in a row, we are providing an update on the status of proposed CCPA-like privacy legislation. Before we get to our update, we wanted to provide three reminders.

First, there has been so much debate about what to call Virginia’s new privacy law – the Virginia Consumer Data Protection Act – that we started an online poll. Tell us whether you think the law should be called the CDPA or VCPDA. We will keep voting open until April 2 and release the results on our blog.

Second, we have been regularly updating our 2021 State Privacy Law Tracker to keep pace with the latest developments. We encourage you to bookmark the page for easy reference.

Third, the contents provided below are time-sensitive and subject to change. If you are not already subscribed to our blog, consider doing so to stay updated.

Continue Reading Status of Proposed CCPA-Like State Privacy Legislation as of March 22, 2021

Fraser, ColoradoKeypoint: The Colorado bill mirrors the Virginia Consumer Data Protection Act and Washington Privacy Act but contains some notable differences.

On March 19, 2021, Colorado lawmakers introduced the Colorado Privacy Act (SB21-190).

The bill is similar to Virginia’s Consumer Data Protection Act (VCDPA) and the Washington Privacy Act (WPA) but contains notable differences, including with respect to the scope of its exemptions and the rights it would provide to Colorado residents.

Senator Rodriguez (Democrat) and Senator Lundeen (Republican and minority whip) sponsored the bill, signaling that it has bi-partisan support. The bill has been assigned to the Senate’s Business, Labor and Technology Committee, which Senator Rodriguez chairs.

According to the legislative calendar, the deadline for bills to pass out of the Senate is April 7, 2021, which means the bill will have to move quickly.

Below is a general overview of the bill as introduced.

Continue Reading Colorado Privacy Act Introduced

Health Insurance Portability and accountability act HIPAA and stethoscopeAs an update to our previous post, HHS announced that the deadline to submit comments on their proposed rule to revise HIPAA regulations was extended until May 6, 2021. Changes contemplated by the proposed rule involve relaxing certain privacy standards, strengthening individuals’ rights to access their protected health information (PHI) and other initiatives that better align with the Information Blocking Rule, which goes into effect on April 5, 2021.  Learn more or follow this issue on our Healthcare Law Insights blog.

Keypoint: The appointment of the five California Privacy Protection Agency board members is the first significant step to the California Privacy Rights Act becoming fully operative in 2023.

On March 17, California officials announced the establishment of the five-member inaugural board for the California Privacy Protection Agency (CPPA). The CPPA was established by the California Privacy Rights Act (CPRA), which California voters approved in the November election. The CPPA will take over rulemaking duties from the California Attorney General’s office and will administratively enforce the CPRA. Given that California has the world’s fifth largest economy, the CPPA has the potential to be one of the most important data privacy authorities in the world.

Continue Reading CPRA Update: Board Appointments Announced for California Privacy Protection Agency

Keypoint: Modifications to the CCPA regulation’s provisions regarding requests to opt-out and authorized agent requests are now final.

On March 15, 2021, the California Attorney General’s office announced that the Office of Administrative Law has approved the Attorney General’s proposed changes to the CCPA regulations. The new regulations make three general changes relating to the right to opt out of sales and one change to authorized agent requests. In addition, the Attorney General’s press release reaffirms that enforcement activities are proceeding.

Continue Reading CCPA Update: New Regulations Approved

Keypoint: There were four notable developments this week: the Florida House passed a bill out of committee, lawmakers proposed a new bill in Texas, the Washington Privacy Act was  scheduled for a public hearing and committee session on March 17 and 19, respectively, and the Illinois Right to Know Act was scheduled for a March 19 hearing in the Cybersecurity, Data Analytics & IT Committee.

For the third week in a row, we are providing an update on the status of proposed CCPA-like privacy legislation. Before we get to our update, we wanted to provide three reminders.

First, we hosted a webinar on Virginia’s Consumer Data Protection Act on March 11. You can access the recording here.

Second, we have been regularly updating our 2021 State Privacy Law Tracker to keep pace with the latest developments. We encourage you to bookmark the page for easy reference.

Third, the contents provided below are time-sensitive and subject to change. If you are not already subscribed to our blog, consider doing so to stay updated.

Continue Reading Status of Proposed CCPA-Like State Privacy Legislation as of March 15, 2021

Keypoint: New York’s Division of Financial Services (DFS) now requires Property and Casualty Insurers writing cyber insurance to comply with the Division’s Cyber Insurance Risk Framework to manage their risk.

In her letter introducing the Cyber Insurance Risk Framework, DFS Superintendent Linda Lacewell states that the increase in frequency and cost of ransomware has not only shown that cybersecurity is of critical importance to modern life, but also that cyber insurance plays a vital role in the mitigation and reduction of risk from ransomware.

According to its 2020 survey, DFS found a 180% increase in the number of ransomware claims between 2018 and 2019, with an increase of 150% on average for the costs associated with those claims. The problem continued in 2020, where DFS received nearly double the number of reports of ransomware attacks from the year prior. Not only are these trends a concern for consumer protection and infrastructure security, the escalating costs pressure the cyber insurance industry to raise prices, tighten its underwriting standards, and issue sweepingly broad exclusions.

Continue Reading New York’s DFS Publishes a Cyber Insurance Risk Framework

Keypoint: It was a busy week for privacy law. Since the update we provided last week Virginia’s bill was signed into law, bills in Washington and Oklahoma advanced, and Utah’s bill failed to pass before its legislative session closed.

Last week, we provided an update on the status of proposed CCPA-like privacy legislation. In that article, we noted that the contents were “time-sensitive and subject to change.” Typical to privacy law, in just a week, the landscape of these proposed laws changed dramatically. Given these changes, we decided to publish another update and, like last week, waited until a weekend when state legislatures are quiet.

Before we get to our update, we wanted to provide three reminders.

First, we will be hosting a webinar on Virginia’s Consumer Data Protection Act on March 11. You can register for the webinar here. If you are unable to attend the webinar live, you can still register, and we will email a copy of the presentation and a link to the webinar recording to you.

Second, we have been regularly updating our 2021 State Privacy Law Tracker to keep pace with the latest developments. We encourage you to bookmark the page for easy reference.

Third, the contents provided below are time-sensitive and subject to change. If you are not already subscribed to our blog, consider doing so to stay updated.

Continue Reading Status of Proposed CCPA-Like State Privacy Legislation as of March 8, 2021

Keypoint: Although weakened from its original version, the Oklahoma bill would (if enacted) provide substantial privacy rights to Oklahoma residents and, in some respects, provide more privacy protections than found in the CCPA.

On March 4, 2021, the Oklahoma House of Representatives passed the Oklahoma Computer Data Privacy Act by a vote of 85-11 with 5 excused. The bill, which is perhaps best described as a heavily-modified version of the California Consumer Privacy Act (CCPA), will now move to the Oklahoma Senate.

The Oklahoma bill was the subject of extensive reporting last month after a prior version of the bill, which included a private right of action, passed unanimously through the House Technology Committee. However, the private right of action was deleted in a significantly modified version of the bill that was introduced earlier this week.

Yet, even with the amendments, the bill is still notable for at least three reasons: scope of applicability, consent for collection, and opt-in to sales. Below is a high-level summary of the some of the bill’s more notable provisions.

Continue Reading Oklahoma House Passes Computer Data Privacy Act

Keypoint: As expected, the Washington Privacy Act passed the Senate and will now move to the House of Representatives.

For the third year in a row, the Washington Senate overwhelmingly passed the Washington Privacy Act (WPA). This year, the Senate voted 48-1 to pass the bill. The legislation will now move to the House of Representatives.

Last year, the House passed an amended version of the WPA adding, among other things, a private right of action. However, the Senate and House were ultimately unable to resolve their differences in a conference committee and the WPA failed.

It remains to be seen whether this year’s version of the WPA will pass. Of course, one notable difference this year is that Virginia just enacted a modified version of the WPA. Whether that spurs Washington lawmakers to finally resolve their differences is anyone’s guess.

A copy of the bill that passed the Senate is available here. Our analysis of the bill as introduced is available here.