Keypoint: The California Privacy Protection Agency continued its rulemaking efforts by releasing draft automated decisionmaking technology regulations although the Agency has yet to initiate the formal rulemaking process.

On November 27, 2023, the California Privacy Protection Agency (Agency) published draft automated decisionmaking technology regulations as well as revised draft risk assessment regulations. The draft regulations were released in connection with the Agency’s December 8 board meeting. Importantly, the draft regulations are only intended to facilitate Board discussion and public participation. The Agency has not yet started formal rulemaking.

This article focuses on how the two draft regulations address automated decisionmaking technology (ADMT). The risk assessment regulations contain additional provisions that are not addressed herein. In addition, given that these are only draft regulations, this article only provides a high-level summary and some takeaways. It does not provide an exhaustive analysis of the draft regulations.

Keypoint: October showed judges are not consistent in how they handle wiretapping cases although they are largely consistent in how courts handle VPPA claims.

This is the eighth installment in our monthly data privacy litigation reports to provide updates on how courts in the United States have handled emerging data privacy trends. In this post, we look at privacy litigation decisions issued in October 2023. California judges remain inconsistent in how they rule on motions to dismiss wiretapping claims, with most courts struggling on the “tape recorder” or “human eavesdropper” distinction. In contrast, both California and Delaware federal courts dismissed VPPA claims, while a Florida federal district court denied a motion to dismiss. Perhaps coincidentally, more new VPPA cases were filed in Florida in October than any other court.

There are many courts currently handling data privacy cases across the nation. Although illustrative, this update is not intended to be exhaustive. If there is another area of data privacy litigation about which you would like to know more, please reach out. The contents provided below are time-sensitive and subject to change. If you are not already subscribed to our blog, consider doing so to stay updated. If you are interested in tracking developments between blog posts, consider following us on LinkedIn.

Keypoint: The California Privacy Protection Agency continued its rulemaking efforts by releasing revised draft cybersecurity audit regulations although the Agency has yet to initiate the formal rulemaking process.

In connection with its upcoming December 8 Board meeting, the California Privacy Protection Agency published revised draft cybersecurity audit regulations. In the below post, we provide background on the draft regulations and a brief summary of the notable changes.

Key Point: The Federal Trade Commission (FTC) has amended the Safeguards Rule to require non-banking financial institutions to inform the FTC within 30 days of discovering any unauthorized acquisition of unencrypted customer information that affects 500+ customers.

The Federal Trade Commission (FTC) has announced a significant amendment to the Safeguards Rule that directs all financial institutions, including non-banking entities, to report certain data breaches and security events to the FTC within 30 days.

The Safeguards Rule, which is predicated on the Gramm-Leach-Bliley Act (GLBA), now requires all financial institutions to report “notification events” to the FTC. The FTC is defining a notification event as “the unauthorized acquisition of unencrypted customer information, involving at least 500 customers.” The amendment goes into effect in April 2024. See pending additions at 16 C.F.R. § 314.2(m) and § 314.5.

Keypoint: The Utah Division of Consumer Protection published proposed rules regulating social media companies under Utah’s Social Media Regulation Act.

On October 15, 2023, the Utah Division of Consumer Protection (the “Agency”) published proposed rules for Utah’s Social Media Regulation Act (“SMRA”). As required by the SMRA, the draft rules outline requirements for age verification and consent methods. These draft rules come just a month following federal district courts in California, Texas, and Arkansas enjoining children’s online laws from going into effect in those states.

In the below post, we first provide background on the SMRA. We then provide a summary of the substantive sections of the proposed rules and lastly outline key takeaways.

Keypoint: The past two months have seen many courts dismiss privacy claims as judges appear to be more critical of plaintiffs’ theories while other judges have allowed cases to proceed past the motion to dismiss stage.

This is the seventh installment in our monthly data privacy litigation reports to provide updates on how courts in the United States have handled emerging data privacy trends. In this post we look at advancements in data privacy litigation in August and September 2023. Because we are covering two months in this post instead of our normal “one post per month” practice, this post is a bit longer than normal. We have seen a lot of development in privacy litigation over the past two months, however, so without further delay let’s dive in.

One final note. There are many courts currently handling data privacy cases across the nation. Although illustrative, this update is not intended to be exhaustive. If there is another area of data privacy litigation about which you would like to know more, please reach out. The contents provided below are time-sensitive and subject to change. If you are not already subscribed to our blog, consider doing so to stay updated. If you are interested in tracking developments between blog posts, consider following us on LinkedIn.

Keypoint: To advance the National Cybersecurity Strategy, the Office of the National Cyber Director is soliciting public comments to harmonize cybersecurity regulations, with comments due by October 31, 2023.

In March 2023, the White House released its National Cybersecurity Strategy (NCS), which envisions two changes in how the United States allocates roles, responsibilities, and resources in cyberspace:

  • Rebalancing the responsibility to defend cyberspace; and
  • Realigning incentives towards long-term investments to reward security and resilience.

This rebalance and realignment explicitly acknowledges that collaboration between private and public sector stakeholders will be necessary.

Keypoint: A California federal district court granted NetChoice’s motion for preliminary injunction, finding that the California Age-Appropriate Design Code Act likely violates the First Amendment.

On September 18, 2023, the United States District Court for the Northern District of California granted NetChoice’s motion for preliminary injunction, enjoining Rob Bonta, Attorney General of the State of California, from enforcing the California Age-Appropriate Design Code Act (AADC). The ruling comes only weeks after federal district courts in Texas and Arkansas enjoined children’s online laws from going into effect in those states.

In the below post, we provide a brief background on the AADC, analyze the court’s ruling, and provide some context and takeaways on how it could impact privacy laws more generally.

Keypoint: Pending the Governor’s signature, the California Delete Act requires all data brokers to register with the CPPA next year and comply with a one-stop consumer deletion mechanism by 2026.

Last week, the California legislature passed the Delete Act (SB 362) (the “Act”) which amends California’s existing data broker law to subject all data brokers to new registration and disclosure requirements, and a one-stop mechanism for consumer deletion requests. In the below post, we analyze the Delete Act and the changes it makes to the existing data broker law.

Keypoint: Although they are only draft regulations and not part of the formal rulemaking process, the drafts demonstrate the Agency’s intent to create extensive obligations for businesses subject to these regulations.

In connection with its September 8, 2023 Board meeting, the California Privacy Protection Agency (“Agency”) published draft regulations on risk assessments and cybersecurity audits. The drafts were provided as meeting materials for a CPRA rules subcommittee update.

The drafts specifically state that they are intended “to facilitate Board discussion and public participation” and are “subject to change.” To that end, the drafts identify specific text for the Board to discuss and, in some instances, identify multiple options for Board consideration. The drafts also note that the Agency “has not yet started the formal rulemaking process for cybersecurity audits, risk assessments, or automated decisionmaking technology.”

Although these are only drafts, they nonetheless provide an initial insight into the Agency’s thought process for these new and significant rulemaking topics. In short, the drafts indicate the Agency’s intent to create extensive obligations for businesses subject to these regulations. In the below post, we provide a high-level summary and analysis of some of the more notable parts of the drafts.