Keypoint: The thirteen new enforcement case examples – released just a few months before the CCPA’s right to cure sunsets – provide further insight into the Attorney General’s enforcement priorities.

As we previously reported, last week the California Attorney General’s Office announced its first public settlement for alleged non-compliance with the California Consumer Privacy Act (CCPA), consisting of a $1.2 million penalty as well as injunctive relief. Although much of the discussion since the announcement has been appropriately focused on the contours of the settlement agreement, the Office contemporaneously published thirteen new CCPA enforcement case examples. The new examples add to the twenty-seven examples the Office published in July 2021.

Because the Office does not generally release information to the public about its investigations, the new case examples provide a rare glimpse into the Office’s past year of CCPA enforcement activities. With the CCPA’s thirty day right to cure sunsetting on January 1, 2023, businesses should review these case examples as part of their ongoing compliance efforts.

Below is an overview of the new enforcement case examples.

Keypoint: The Attorney General’s announcement of a $1.2 million penalty sends a “strong message” to companies to come into compliance.

On August 24, 2022, California Attorney General Bonta announced the first public enforcement action under the California Consumer Privacy Act (CCPA) as well as a new round of investigative sweeps and more enforcement case examples.

During an online press conference, Attorney General Bonta announced a $1.2 million settlement with a company over allegations it illegally sold data in violation of the CCPA. Bonta stated the enforcement action should send a “strong message” to companies to comply with the CCPA. The enforcement action arose out of a prior investigative sweep in which the Attorney General’s office sent over one-hundred (100) notices of violation.

In the sixteenth episode of our Legislating Data Privacy podcast series, we are joined – for the second time – by the International Association of Privacy Professional’s Joseph Duball.

In what has become a yearly conversation, Husch Blackwell’s David Stauss and Joe discuss what happened with proposed privacy legislation during the 2022 session and look

Keypoint: As currently drafted, the ADPPA’s private right of action provides U.S. citizens with the opportunity to enforce their privacy rights but limits lawsuits to federal court and provides covered entities and service providers with mechanisms to mitigate the risk of such claims, including through the use of arbitration provisions and class action waivers.

As we previously reported, the American Data Privacy and Protection Act (ADPPA) (H.R. 8152) is eligible for a full House vote after the House Committee on Commerce & Energy (House Committee) reported out an amended version on July 20, 2022. Prior to reporting out the ADPPA, the House Committee adopted an Amendment in the Nature of a Substitute (AINS) that made numerous changes to the bill, including modifications to the bill’s private right of action (PRA).

The contours of the ADPPA’s PRA are crucial.

Privacy advocates point to the inclusion of the PRA as one way in which the ADPPA is stronger than the California Consumer Privacy Act. However, Senator Maria Cantwell (D-Wash.) – whose support is necessary to pass the bill because she chairs the relevant Senate committee – stated that the ADPPA contains “major enforcement holes” and does not have her support. Recently, Senator Cantwell stated that “she couldn’t support the bipartisan framework unless House lawmakers add tougher enforcement measures, including limits on forced arbitration and a broad right for individuals to sue companies that violate the law.” According to Cantwell, “The problem is it’s taking the House a long time to come to reality about what strong enforcement looks like.” “If you’re charitable, you call it ignorance. If you think that it’s purposeful, it literally won’t pass the House because they just won’t meet the test of what a strong federal bill looks like.” Meanwhile, business advocates such as the U.S. Chamber of Commerce are adamantly opposed to any bill “that creates a blanket private right of action.”

Given how important this issue is to passing a federal privacy bill, the below article contains a detailed analysis of the ADPPA’s current PRA as the House Committee passed it on July 20. The article then outlines the PRA contained in Senator Cantwell’s 2019 bill, the Consumer Online Privacy Right Act for comparison purposes.

If you are interested in learning more about the ADPPA, we are hosting a webinar on it on August 18, 2022. Click here for more information and to register. We also would like to thank the Future of Privacy Forum and the IAPP’s Cobun Zweifel-Keegan whose redline of the latest version of the ADPPA was instrumental in the drafting of this article.

Keypoint: The House Committee on Energy & Commerce reported out the American Data Privacy and Protection Act by a vote of 53-2, referring the bill to the full House.

On July 20, 2022, the House Committee on Energy & Commerce reported out an amended version of the American Data Privacy and Protection Act (ADPPA) (H.R. 8152) after holding a markup. The bill passed by a vote of 53-2 and is now eligible for a  full House floor vote. Lawmakers previously voted the bill out of a House subcommittee on June 23, 2022.

In the below article, we provide a brief overview of the amendments to the ADPPA as well as a discussion of recent objections raised by various entities and individuals.

Keypoint: While the Agency previously published draft regulations in early June, its filing of a Notice of Proposed Rulemaking officially initiates the rulemaking process and triggers a 45-day comment period.

On July 8, 2022, the California Privacy Protection Agency (Agency) announced that it has initiated the formal rulemaking process to adopt proposed regulations implementing the Consumer Privacy Rights Act of 2020 (CPRA). The announcement comes exactly six weeks after the Agency published draft regulations in connection with an Agency Board meeting held on June 8, 2022.

In the below post we identify the rulemaking documents filed by the Agency, discuss the rulemaking timeframe and scope, highlight comments the Agency made regarding other privacy laws, and identify the non-substantive changes made between this version and the prior draft version published in June.

In the fifteenth episode of our Legislating Data Privacy podcast series, we are joined – for the second time – by Connecticut Senator James Maroney.

Senator Maroney is the author of the Connecticut Data Privacy Act – the nation’s fifth broad consumer privacy law. In this episode, Senator Maroney discusses how he navigated passing the

Keypoint: A revised version of the American Data Privacy and Protection Act was formally introduced in the House and voted out of a subcommittee.

As we previously reported, on June 3, 2022, a bipartisan and bicameral group of lawmakers released a discussion draft of a comprehensive data privacy bill called the American Data Privacy and Protection Act (ADPPA). Representatives Frank Pallone Jr. (D-N.J.), Cathy McMorris Rodgers (R-Wash.), and Senator Roger Wicker (R-Miss.) all supported the discussion draft although it lacked the key support of Senator Maria Cantwell (D-Wash.).

On June 21, 2022, lawmakers formally introduced the ADPPA as H.R. 8152. On June 23, 2022, the Subcommittee on Consumer Protection and Commerce of the House Committee on Energy and Commerce held an open mark up session on the ADPPA and seven other bills. During the mark up session, the subcommittee ordered and favorably reported the bill, as amended by a substitute, to the full committee.

In the below post, we analyze some of the key changes between the discussion draft and current version of the ADPPA, briefly recap the mark up session, and discuss the bill’s path forward.

Keypoint: The comments focus on identifying areas in which the Attorney General’s Office may provide additional clarity to consumers and businesses and to ensure, where appropriate, the interoperability of the Colorado Privacy Act with state and international privacy laws.

The Colorado Attorney General’s Office is currently accepting pre-rulemaking input on the Colorado Privacy Act (CPA). It also will host public listening sessions on June 22  and June 28 for those interested in providing oral comments.

Given the importance of these forthcoming regulations to the development of U.S. privacy law, members of Husch Blackwell’s data privacy practice submitted extensive comments to the Office. The purpose of the comments is to identify areas in which the Office may provide additional clarity to consumers and businesses and to ensure, where appropriate, the interoperability of the CPA with other state privacy laws enacted in California, Connecticut, Utah, and Virginia and international privacy laws such as GDPR.