California residents may soon be able to click “backspace” on data brokers doing business in the state. On October 10, 2023, California Governor Gavin Newsom signed Senate Bill 362, colloquially known as the Delete Act, into law. The statute amends the state’s existing data broker registration law and builds on the state’s primary privacy law, the California Consumer Privacy Act (CCPA), by adding to residents’ ability to exercise their personal information deletion rights. Most notably, the law establishes a one-stop mechanism where state residents will be able to request—in one verifiable request—that all data brokers delete their personal information.Continue Reading California Enacts One-Stop Mechanism for Data Broker Deletion Requests
Tracy Shapiro
CPPA Posts Draft Rules on Cybersecurity Audits and Risk Assessments
Posted in Cybersecurity, Privacy
Significant New CCPA Compliance Requirements Likely on the Way
On August 29, 2023, the California Privacy Protection Agency (CPPA) posted discussion drafts of its forthcoming regulations on cybersecurity audits and risk assessments as part of the materials for its September 8, 2023, public board meeting. These draft regulations are expected to eventually become part of the CPPA’s second rulemaking package under the California Consumer Privacy Act (CCPA) since the CCPA’s amendment by the California Privacy Rights Act. The CPPA has not yet started its formal rulemaking process for cybersecurity audits and risk assessments, and it has made clear that these draft regulations are meant to facilitate CPPA Board discussion and public participation. Nevertheless, the obligations set forth in the draft rules are extensive and provide an initial window into the onerous new compliance requirements. Notable requirements put forth for discussion under the draft regulations include:Continue Reading CPPA Posts Draft Rules on Cybersecurity Audits and Risk Assessments
OCR and FTC Issue Joint Letter to Healthcare Companies Warning About Online Tracking Technologies
By Tracy Shapiro, Hale Melnick, Stacy Okoro & Haley Bavasi on
Posted in Cybersecurity, Privacy
On July 20, 2023, the U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR) and the Federal Trade Commission (FTC) sent a joint letter to approximately 130 hospitals, telehealth providers, health app developers, and other healthcare industry companies warning of the “serious privacy and security risks” related to the use of online tracking technologies integrated into their websites and mobile apps. The FTC released a press release about the joint letter here and OCR released a press release about the joint letter here.Continue Reading OCR and FTC Issue Joint Letter to Healthcare Companies Warning About Online Tracking Technologies
Texas, Oregon, and Delaware Join the Comprehensive U.S. State Privacy Law Landscape
By Edward Holman, Stacy Okoro & Tracy Shapiro on
Posted in Privacy
New Requirements Include Identifying Specific Third Parties to Whom Businesses Disclose Data and Consent for Targeted Advertising to Teens
Texas, Oregon, and Delaware are the latest states to join the growing landscape of comprehensive data privacy laws, adding to the many state privacy laws that were passed this year.1 On June 18, 2023, Governor Greg Abbott signed the Texas Data Privacy and Security Act. On July 18, 2023, Governor Tina Kotek signed Oregon Senate Bill 619, referred to as the Oregon Consumer Privacy Act. Similarly, on June 30, 2023, the Delaware legislature passed the Delaware Personal Data Privacy Act. In doing so, Texas and Oregon officially became the 10th and 11th states, respectively, to enact a comprehensive privacy law. Assuming Governor John Carney also signs the Delaware Personal Data Privacy Act, his state would join as the 12th with that status. All three of the most recent laws are substantially similar to the prior state comprehensive consumer privacy laws, but they each include some key particularities that companies should be aware of as they plan their compliance strategies.Continue Reading Texas, Oregon, and Delaware Join the Comprehensive U.S. State Privacy Law Landscape
FTC Announces Proposed Settlement with 1Health.io Genetic Testing Firm for Privacy and Security Violations
By Tracy Shapiro, Maneesha Mithal, Hale Melnick, Yeji Kim & Haley Bavasi on
Posted in Privacy
On June 16, 2023, the Federal Trade Commission (FTC) announced a proposed settlement agreement (in the form of a stipulated order) with genetic testing company Vitagene, Inc., now known as 1Health.io (1Health.io), for allegedly misrepresenting its security and privacy practices regarding its data storage, deletion, and usage. The FTC also alleged that the company unfairly changed material privacy policy disclosures without obtaining affirmative consumer consent.Continue Reading FTC Announces Proposed Settlement with 1Health.io Genetic Testing Firm for Privacy and Security Violations
Sacramento Superior Court Delays Enforcement of CPRA Implementing Regulations
By Edward Holman, Stacy Okoro & Tracy Shapiro on
Posted in Privacy
In a shocking turn of events, a Superior Court for the County of Sacramento issued a ruling on June 30, 2023, enjoining the enforcement of the California Privacy Protection Agency’s (the “Agency’s”) California Privacy Rights Act (CPRA) modifications to the California Consumer Privacy Act (CCPA) regulations until one year after the regulations have been finalized. We previously issued an alert reminding businesses that the CPRA amendments to the CCPA become enforceable starting July 1, 2023, but, in accordance with the court’s ruling, the Agency’s recent modifications to the CCPA regulations to account for the CPRA’s changes to the CCPA now will not become enforceable until March 29, 2024. Per the court’s ruling, the prior CCPA regulations will remain in effect until the new regulations become enforceable.Continue Reading Sacramento Superior Court Delays Enforcement of CPRA Implementing Regulations