On June 18, 2024, the California Attorney General and the Los Angeles City Attorney (collectively, “the People”) announced a settlement with Tilting Point Media LLC (Tilting Point). The settlement resolves allegations that Tilting Point violated the Children’s Online Privacy Protection Act (COPPA), the California Consumer Privacy Act (CCPA), and the Privacy Rights for California Minors in the Digital World Act (Digital Privacy for Minors Act).Continue Reading Video Game App Developer Agrees to Pay $500,000 for Children’s and Minors’ CCPA, COPPA, and Ads Violations
Edward Holman
Texas District Court Vacates OCR’s HIPAA Bulletin on Online Tracking Technologies, But Issues Mixed Decision
On June 20, 2024, the United States District Court for the Northern District of Texas ordered the U.S. Department of Health and Human Services, Office for Civil Rights (OCR) to vacate its guidance that had restricted HIPAA-covered entities’ use of third party online tracking technologies, such as common website advertising and analytics tools. In vacating the guidance, the court held that the agency exceeded its authority by redefining what is considered protected health information (PHI) under the Health Insurance Portability and Accountability Act of 1996 (HIPAA). While this order is a defeat for OCR’s guidance on online tracking technologies, regulated companies should react cautiously. The order could be appealed and potentially reversed, OCR could still bring enforcement actions in other circuits advancing their interpretation of PHI, and the Federal Trade Commission’s (FTC’s) laws and state privacy laws could still apply.Continue Reading Texas District Court Vacates OCR’s HIPAA Bulletin on Online Tracking Technologies, But Issues Mixed Decision
California Appeals Court Moves Up Enforcement Date for Latest CCPA Regulations
On February 9, 2024, the California Third District Court of Appeals in Sacramento overturned a lower court order that postponed enforcement of the California Privacy Protection Agency’s (CPPA) newest rules. The decision restores the authority of the CPPA and California Attorney General to enforce the latest regulations under the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA) (“updated CCPA regulations”).Continue Reading California Appeals Court Moves Up Enforcement Date for Latest CCPA Regulations
Draft California AI Regulations Become One Step Closer to Reality: An Analysis of Requirements on the Horizon
On December 8, 2023, the California Privacy Protection Agency (CPPA) Board discussed a draft of its forthcoming artificial intelligence (AI) regulations on automated decision making technology (ADMT). The proposed regulations, published earlier on November 27, 2023, would impose significant new requirements on businesses subject to the California Consumer Privacy Act (CCPA) that use ADMT for certain use cases. The ADMT draft rules are expected to be part of the Agency’s larger rulemaking package alongside rules governing cybersecurity audits and risk assessments under the CCPA, as amended by the California Privacy Rights Act. While the draft ADMT regulations currently have no legal effect and are likely to undergo further revision before formal rulemaking begins, the current draft nonetheless provides an important preview of the rigorous new compliance requirements that could later take effect. Notable items put forth for public discussion include:Continue Reading Draft California AI Regulations Become One Step Closer to Reality: An Analysis of Requirements on the Horizon
California Enacts One-Stop Mechanism for Data Broker Deletion Requests
California residents may soon be able to click “backspace” on data brokers doing business in the state. On October 10, 2023, California Governor Gavin Newsom signed Senate Bill 362, colloquially known as the Delete Act, into law. The statute amends the state’s existing data broker registration law and builds on the state’s primary privacy law, the California Consumer Privacy Act (CCPA), by adding to residents’ ability to exercise their personal information deletion rights. Most notably, the law establishes a one-stop mechanism where state residents will be able to request—in one verifiable request—that all data brokers delete their personal information.Continue Reading California Enacts One-Stop Mechanism for Data Broker Deletion Requests
CPPA Posts Draft Rules on Cybersecurity Audits and Risk Assessments
Significant New CCPA Compliance Requirements Likely on the Way
On August 29, 2023, the California Privacy Protection Agency (CPPA) posted discussion drafts of its forthcoming regulations on cybersecurity audits and risk assessments as part of the materials for its September 8, 2023, public board meeting. These draft regulations are expected to eventually become part of the CPPA’s second rulemaking package under the California Consumer Privacy Act (CCPA) since the CCPA’s amendment by the California Privacy Rights Act. The CPPA has not yet started its formal rulemaking process for cybersecurity audits and risk assessments, and it has made clear that these draft regulations are meant to facilitate CPPA Board discussion and public participation. Nevertheless, the obligations set forth in the draft rules are extensive and provide an initial window into the onerous new compliance requirements. Notable requirements put forth for discussion under the draft regulations include:Continue Reading CPPA Posts Draft Rules on Cybersecurity Audits and Risk Assessments