On August 24, 2022, the California Attorney General (AG) announced the entry of a final judgment to resolve claims that makeup retailer Sephora violated the California Consumer Privacy Act (CCPA). Notably, this is the California AG’s first enforcement action resulting in a fine and settlement under the CCPA. The California AG alleged that Sephora violated the CCPA by failing to disclose that it was selling the personal information of California consumers through the use of third-party website advertising and analytics tools, failing to provide a “Do Not Sell My Personal Information” link for consumers to opt out of those sales, and failing to honor Global Privacy Control (GPC) signals as a means of opting out. As part of the relief, Sephora was ordered to pay a $1.2 million penalty and, among other things, implement a monitoring and reporting program to demonstrate its ongoing compliance with the CCPA.
Continue Reading California Attorney General Settles First-Ever CCPA Enforcement Action
Edward Holman
California Privacy Protection Agency Releases Draft CPRA Regulations – An In-Depth Analysis
On May 27, 2022, the California Privacy Protection Agency (CPPA) released a much-anticipated first draft of some of the anticipated regulations implementing the California Privacy Rights Act (CPRA).[1] The release accompanied the CPPA’s announcement of its next public meeting on June 8, 2022, where the agency will, among other agenda items, consider possible action regarding the draft regulations and the delegation of rulemaking authority functions to the CPPA’s executive director. Ahead of this meeting, on June 3, the CPPA released a draft Initial Statement of Reasons (ISOR) to accompany the draft regulations, which provides an explanation of the purpose and necessity of the draft regulations, along with an FAQ offering further information about the draft regulations and rulemaking process. While the formal CPRA rulemaking process has not yet officially begun, we expect to learn more about a potential schedule for the notice and comment period for the regulations at the CPPA’s June 8 meeting.
For a more high-level overview of the draft regulations’ key takeaways, please see our Wilson Sonsini Alert.
Continue Reading California Privacy Protection Agency Releases Draft CPRA Regulations – An In-Depth Analysis
And Then There Were Five: Connecticut Enacts Comprehensive Privacy Law
Posted in Privacy, Regulatory
Connecticut became the fifth U.S. state to enact a comprehensive consumer privacy law following California, Virginia, Colorado, and Utah. On May 10, 2022, Connecticut Governor Ned Lamont signed “An Act Concerning Personal Data Privacy and Online Monitoring” (SB 6) (CPOMA).1
Substantively, CPOMA largely tracks the Colorado Privacy Act (ColoPA) and Virginia Consumer Data Protection Act (VCDPA). CPOMA’s substantive provisions will become effective July 1, 2023. Indeed, 2023 will be a busy year for privacy compliance teams as several other U.S. state privacy laws will take effect throughout the year. Both the VCDPA and California Privacy Rights Act (CPRA) (which replaces the current California Consumer Privacy Act (CCPA)) will take effect on January 1, 2023, ColoPA will take effect the same day as CPOMA, and the Utah Consumer Privacy Act (UCPA) will take effect on December 31, 2023.
Continue Reading And Then There Were Five: Connecticut Enacts Comprehensive Privacy Law
Utah Poised to Become Fourth State with General Privacy Law
By Tracy Shapiro, Edward Holman & Amanda Irwin on
Posted in Uncategorized
Utah is poised to become the fourth state to enact comprehensive consumer privacy legislation, following California, Virginia, and Colorado. Earlier this month, Utah’s legislature passed the Utah Consumer Privacy Act (S.B. 227) (UCPA) with no opposing votes in both the Utah Senate and House of Representatives. The bill was sent to Utah Governor Spencer Cox on March 15, 2022 and the Governor has until March 24, 2022 to either sign or veto the bill, otherwise it will become law without his signature. If enacted, as is anticipated, the UCPA will become effective on December 31, 2023, six months after the Colorado Privacy Act (ColoPA) and nearly a year after the Virginia Consumer Data Protection Act (VCDPA) and California Privacy Rights Act (CPRA) come into effect.
Continue Reading Utah Poised to Become Fourth State with General Privacy Law
California Privacy Protection Agency Issues Invitation for Preliminary Comments on Proposed Rulemaking Under the California Privacy Rights Act
By Edward Holman, Tracy Shapiro & David Cornell on
Posted in Uncategorized
The California Privacy Protection Agency (CPPA), the newly formed state agency responsible for implementing the California Privacy Rights Act (CPRA), recently posted its first invitation for public comment on proposed rulemaking activities under the CPRA. Here is what you need to know:
Continue Reading California Privacy Protection Agency Issues Invitation for Preliminary Comments on Proposed Rulemaking Under the California Privacy Rights Act
California Attorney General Mandates CCPA-Covered Businesses Honor the Global Privacy Control and Announces Update on CCPA Enforcement Activity
By Edward Holman & Tracy Shapiro on
Posted in Privacy
Recently, the Office of the Attorney General of California announced three major updates that 1) added to the California Consumer Privacy Act’s (CCPA) opt-out rules related to the sale of personal information, 2) made it easier for consumers to participate in enforcing the CCPA, and 3) unveiled other focus areas of CCPA enforcement activities.
Continue Reading California Attorney General Mandates CCPA-Covered Businesses Honor the Global Privacy Control and Announces Update on CCPA Enforcement Activity