2022-Data-Privacy-State-Privacy-Update

Keypoint: This week the Utah Senate and Wisconsin Assembly passed bills, the Florida House Judiciary Committee advanced HB9, new bills were introduced in Connecticut and Kentucky, and Virginia lawmakers passed a VCDPA amendment.

Below is our seventh weekly update on the status of proposed state privacy legislation in 2022. Before we get to our update, we wanted to provide two reminders.

First, we regularly update our 2022 State Privacy Law Tracker to keep pace with the latest developments with CCPA-like privacy bills. We encourage you to bookmark the page for easy reference.

Second, the contents provided below are time-sensitive and subject to change. If you are not already subscribed to our blog, consider doing so to stay updated. If you are interested in tracking developments between blog posts, consider following on LinkedIn and/or Twitter.

Keypoint: California legislators introduced eight bills to amend or supplement the CPRA, including AB2891 that seeks to extend the employee and business-to-business exemptions, and AB2871 that seeks to make those exemptions indefinite.

Last week, California lawmakers proposed eight bills to amend or supplement the California Privacy Rights Act (CPRA).

AB2871 and AB2891, both filed by Assembly Member Low on February 18, 2022, would extend the employee and business-to-business exemptions either indefinitely (AB2871) or until January 1, 2026 (AB2891). Both exemptions are currently set to sunset on January 1, 2023. The filing of these bills was first reported by Jennifer Ruehr. Whether either of these bills has a chance at passing remains to be seen.

2022-Data-Privacy-State-Privacy-Update

Keypoint: This week Indiana’s bill continued to advance in the House (after previously passing the Senate), lawmakers voted bills out of committee in Iowa and Oklahoma, and new bills were introduced in Maine, Utah and Wisconsin.

Below is our sixth weekly update on the status of proposed state privacy legislation in 2022. Before we get to our update, we wanted to provide three reminders.

First, on February 23, 2022, we will be hosting a webinar to analyze the proposed CCPA-like privacy bills. For more information, and to register, click here.

Second, we regularly update our 2022 State Privacy Law Tracker to keep pace with the latest developments with CCPA-like privacy bills. We encourage you to bookmark the page for easy reference.

Finally, the contents provided below are time-sensitive and subject to change. If you are not already subscribed to our blog, consider doing so to stay updated. If you are interested in tracking developments between blog posts, consider following on LinkedIn and/or Twitter.

State Privacy Guide_widget_300x196-04

Keypoint: The CPRA requires that businesses use certain types of sensitive personal information only for limited purposes, otherwise they must notify consumers of the additional purposes and provide consumers the opportunity to opt-out of such processing, while the VCDPA and CPA require controllers to obtain consumer consent and conduct data processing assessments prior to processing sensitive data. 

This is the fourth article in our ten-part weekly series comparing key provision of the California Privacy Rights Act (CPRA), Colorado Privacy Act (CPA), and Virginia Consumer Data Protection Act (VCDPA). With the operative dates of these laws drawing near, we are exploring important distinctions between them. If you are not already subscribed to our blog, consider subscribing now to stay updated.

In this article, we examine how the three laws treat sensitive personal information. The CPRA has a broad definition of sensitive personal information although, to be subject to the law’s limitations, a business must collect or process that information for the “purpose of inferring characteristics about a consumer.” If so, the CPRA grants consumers the right to limit a business’s processing of such data to certain purposes specified in the law. Conversely, the VCDPA and CPA define sensitive data differently than the CPRA and require controllers to obtain consumer consent and conduct a data processing assessment prior to processing such information.

Below is an analysis of this topic.

2022-Data-Privacy-State-Privacy-Update

Keypoint: This week new bills were introduced in Arizona, Iowa, Rhode Island, and Wisconsin, bills were voted out of committee in Florida, New York, and Ohio, and there was more movement on the VCDPA amendment bills.

Below is our fifth weekly update on the status of proposed state privacy legislation in 2022. Before we get to our update, we wanted to provide three reminders.

First, on February 23, 2022, we will be hosting a webinar to analyze the proposed CCPA-like privacy bills. For more information, and to register, click here.

Second, we regularly update our 2022 State Privacy Law Tracker to keep pace with the latest developments with CCPA-like privacy bills. We encourage you to bookmark the page for easy reference.

Finally, the contents provided below are time-sensitive and subject to change. If you are not already subscribed to our blog, consider doing so to stay updated. If you are interested in tracking developments between blog posts, consider following on LinkedIn and/or Twitter.

Last week, the Alaska House Labor & Commerce Committee voted HB 159, the Alaska Consumer Data Privacy Act, out of committee. A few days before the committee hearing, we talked with Representative Zack Fields, the primary proponent of the bill.

HB 159 underwent a significant revision over the summer led by the efforts of

State Privacy Guide_widget_300x196-03

Keypoint: The CPRA, CPA and VCDPA require data protection assessments for certain processing activities; however, when and how entities must conduct and prepare assessments varies.

This is the third article in our ten-part weekly series comparing key provisions of the California Privacy Rights Act (CPRA), Colorado Privacy Act (CPA), and Virginia Consumer Data Protection Act (VCDPA). With the operative dates of these laws drawing near, we are exploring important distinctions between them. If you are not already subscribed to our blog, consider subscribing now to stay updated.

In this article, we examine how the three laws approach data protection assessments. At first glance, Virginia and Colorado’s provisions appear similar; however, definitional differences of key terms result in potentially significant variances. Further, the Colorado Attorney General’s office has identified this as a potential topic for rulemaking, which could lead to more differences given that the VCDPA does not authorize such rulemaking. California does not have this concept under the current California Consumer Privacy Act (CCPA) and takes a different approach than Virginia and Colorado in the CPRA. The CPRA charges the California Privacy Protection Agency (CPPA) with issuing regulations on when and how businesses must prepare cybersecurity audits and risk assessments. The CPPA is still drafting those regulations.

Below is a further analysis of this topic.

2022-Data-Privacy-State-Privacy-Update

Keypoint: This week the Indiana Senate passed a bill, lawmakers in Alaska, Massachusetts, and Washington passed bills out of committee, new bills were introduced in West Virginia and Wisconsin, and there was movement on many VCDPA amendment bills.

Below is our fourth weekly update on the status of proposed state privacy legislation in 2022. Before we get to our update, we wanted to provide three reminders.

First, we will be hosting a webinar analyzing the proposed CCPA-like privacy bills on February 23, 2022. For more information, and to register, click here.

Second, we will be regularly updating our 2022 State Privacy Law Tracker to keep pace with the latest developments with CCPA-like privacy bills. We encourage you to bookmark the page for easy reference.

Finally, the contents provided below are time-sensitive and subject to change. If you are not already subscribed to our blog, consider doing so to stay updated. If you are interested in tracking developments between blog posts, consider following on LinkedIn and/or Twitter.

Keypoint: With the CCPA’s “right to cure” violations expiring at the end of the year, businesses should take note of the AG’s recent enforcement efforts and, to the extent necessary, provide the requisite notice of financial incentive if the business offers discounts, free items, loyalty programs, or other rewards, in exchange for personal information.

California Attorney General Rob Bonta marked Data Privacy Day (January 28) by announcing an “investigative sweep of a number of businesses operating loyalty programs in California” for allegedly failing to comply with the California Consumer Privacy Act’s (CCPA) notice of financial incentive requirement. Letters were sent on January 28 “to major corporations in retail, home improvement, travel, and food services industries.” As required under the CCPA, entities that received letters will have thirty days to cure the alleged violation.

The press release did not disclose the number of letters sent or provide details on the specific nature of the alleged violations other than stating this “sweep of notices . . . focuses on businesses that are failing to provide a notice of financial incentive to customers that opt into their loyalty program.”

For businesses that offer loyalty programs or other financial incentives, below is a discussion on the CCPA’s notice of financial incentive requirement, including what the notices must contain and how businesses should relay the notices to California residents.