On October 31, 2022, the Federal Trade Commission (FTC) announced a complaint and proposed consent order against Chegg, an edtech company, over its security practices that resulted in four security breaches in three years. The
Continue Reading FTC Settles Allegations of Data Security Failures with Edtech Company CheggTracy Shapiro
Colorado Attorney General Issues Draft Rules for the Colorado Privacy Act
Posted in Privacy, Regulatory
On October 10, 2022, the Colorado Secretary of State published draft rules for the Colorado Privacy Act (ColoPA) in the Colorado Register, thus initiating a public comment period that will run through February 1, 2023.…
Continue Reading Colorado Attorney General Issues Draft Rules for the Colorado Privacy ActCalifornia Legislature Passes Far-Reaching Online Privacy and Content Regulation Bill for Minors
By Tracy Shapiro, Edward Holman & Roger Li on
Posted in Privacy, Regulatory
On August 30, 2022, the California legislature passed the California Age-Appropriate Design Code Act (the Act). Modeled after the UK’s Age-Appropriate Design Code, California’s act drastically changes the landscape of online privacy and content availability for minors in California. The Act goes beyond the current federal protections of the Children’s Online Privacy Protection Act (COPPA) and could impose onerous new requirements on companies that were and were not previously covered by COPPA. These requirements include, among other things, estimating the ages of minors using the company’s online services; conducting detailed Data Protection Impact Assessments (DPIAs) for new and existing products; significantly restricting the collection, use, and sharing of minors’ personal information; and configuring default privacy settings to a “high level of privacy.” If the bill is signed into law by Governor Newsom, the Act would come into effect July 1, 2024.
Continue Reading California Legislature Passes Far-Reaching Online Privacy and Content Regulation Bill for Minors
California Attorney General Settles First-Ever CCPA Enforcement Action
By Edward Holman, Tracy Shapiro & Roger Li on
Posted in Privacy, Regulatory
On August 24, 2022, the California Attorney General (AG) announced the entry of a final judgment to resolve claims that makeup retailer Sephora violated the California Consumer Privacy Act (CCPA). Notably, this is the California AG’s first enforcement action resulting in a fine and settlement under the CCPA. The California AG alleged that Sephora violated the CCPA by failing to disclose that it was selling the personal information of California consumers through the use of third-party website advertising and analytics tools, failing to provide a “Do Not Sell My Personal Information” link for consumers to opt out of those sales, and failing to honor Global Privacy Control (GPC) signals as a means of opting out. As part of the relief, Sephora was ordered to pay a $1.2 million penalty and, among other things, implement a monitoring and reporting program to demonstrate its ongoing compliance with the CCPA.
Continue Reading California Attorney General Settles First-Ever CCPA Enforcement Action
Privacy Post-Dobbs: Recent Guidance from U.S. Regulators
By Tracy Shapiro, Maneesha Mithal, Haley Bavasi & Hale Melnick on
Posted in Privacy
On June 24, 2022, the United States Supreme Court issued its decision in Dobbs v. Jackson Women’s Health Organization,1 opening a legal path to state laws restricting or prohibiting access to certain reproductive health services. To enforce these laws, law enforcement officials may attempt to access individuals’ health information, including from technology platforms that process health information on behalf of individuals or other businesses.
Continue Reading Privacy Post-Dobbs: Recent Guidance from U.S. Regulators
California Privacy Protection Agency Releases Draft CPRA Regulations – An In-Depth Analysis
On May 27, 2022, the California Privacy Protection Agency (CPPA) released a much-anticipated first draft of some of the anticipated regulations implementing the California Privacy Rights Act (CPRA).[1] The release accompanied the CPPA’s announcement of its next public meeting on June 8, 2022, where the agency will, among other agenda items, consider possible action regarding the draft regulations and the delegation of rulemaking authority functions to the CPPA’s executive director. Ahead of this meeting, on June 3, the CPPA released a draft Initial Statement of Reasons (ISOR) to accompany the draft regulations, which provides an explanation of the purpose and necessity of the draft regulations, along with an FAQ offering further information about the draft regulations and rulemaking process. While the formal CPRA rulemaking process has not yet officially begun, we expect to learn more about a potential schedule for the notice and comment period for the regulations at the CPPA’s June 8 meeting.
For a more high-level overview of the draft regulations’ key takeaways, please see our Wilson Sonsini Alert.
Continue Reading California Privacy Protection Agency Releases Draft CPRA Regulations – An In-Depth Analysis