On May 27, 2022, the California Privacy Protection Agency (CPPA) released a much-anticipated first draft of some of the anticipated regulations implementing the California Privacy Rights Act (CPRA).[1] The release accompanied the CPPA’s announcement of its next public meeting on June 8, 2022, where the agency will, among other agenda items, consider possible action regarding the draft regulations and the delegation of rulemaking authority functions to the CPPA’s executive director. Ahead of this meeting, on June 3, the CPPA released a draft Initial Statement of Reasons (ISOR) to accompany the draft regulations, which provides an explanation of the purpose and necessity of the draft regulations, along with an FAQ offering further information about the draft regulations and rulemaking process. While the formal CPRA rulemaking process has not yet officially begun, we expect to learn more about a potential schedule for the notice and comment period for the regulations at the CPPA’s June 8 meeting.

For a more high-level overview of the draft regulations’ key takeaways, please see our Wilson Sonsini Alert.
Continue Reading California Privacy Protection Agency Releases Draft CPRA Regulations – An In-Depth Analysis

Connecticut became the fifth U.S. state to enact a comprehensive consumer privacy law following California, Virginia, Colorado, and Utah. On May 10, 2022, Connecticut Governor Ned Lamont signed “An Act Concerning Personal Data Privacy and Online Monitoring” (SB 6) (CPOMA).1

Substantively, CPOMA largely tracks the Colorado Privacy Act (ColoPA) and Virginia Consumer Data Protection Act (VCDPA). CPOMA’s substantive provisions will become effective July 1, 2023. Indeed, 2023 will be a busy year for privacy compliance teams as several other U.S. state privacy laws will take effect throughout the year. Both the VCDPA and California Privacy Rights Act (CPRA) (which replaces the current California Consumer Privacy Act (CCPA)) will take effect on January 1, 2023, ColoPA will take effect the same day as CPOMA, and the Utah Consumer Privacy Act (UCPA) will take effect on December 31, 2023.
Continue Reading And Then There Were Five: Connecticut Enacts Comprehensive Privacy Law

Utah is poised to become the fourth state to enact comprehensive consumer privacy legislation, following California, Virginia, and Colorado. Earlier this month, Utah’s legislature passed the Utah Consumer Privacy Act (S.B. 227) (UCPA) with no opposing votes in both the Utah Senate and House of Representatives. The bill was sent to Utah Governor Spencer Cox on March 15, 2022 and the Governor has until March 24, 2022 to either sign or veto the bill, otherwise it will become law without his signature. If enacted, as is anticipated, the UCPA will become effective on December 31, 2023, six months after the Colorado Privacy Act (ColoPA) and nearly a year after the Virginia Consumer Data Protection Act (VCDPA) and California Privacy Rights Act (CPRA) come into effect.
Continue Reading Utah Poised to Become Fourth State with General Privacy Law

Colorado may soon enter the national stage for its new privacy legislation. On June 8, 2021, Colorado’s legislature passed the Colorado Privacy Act (SB21-190) (ColoPA). The bill was recently sent to the Colorado governor’s desk, where he will have until July 8 to sign or veto the bill, otherwise it will become law without his signature. If Governor Jared Polis signs the bill or does not act on it (and assuming the act is not put to a referendum), Colorado will become the third U.S. state to enact comprehensive privacy legislation, after California and Virginia.
Continue Reading Colorado Becomes Third State to Pass New General Privacy Law

Virginia is poised to become the second U.S. state to enact broad consumer privacy legislation. While the legislation draws some parallels with the California Consumer Privacy Act (CCPA) and upcoming California Privacy Rights Act (CPRA), the Virginia Consumer Data Protection Act (VCDPA) introduces new requirements that go beyond these laws, such as opt-ins to collect sensitive data, opt-outs for targeted advertising, the creation of data protection assessments, and new provisions that must be included in service provider agreements.
Continue Reading Virginia Legislature Sends Novel Privacy Law to Governor’s Desk