On July 16, 2024, the California Privacy Protection Agency (CPPA) Board met to discuss advancing its over 200-page draft rulemaking package to formal proceedings.[1] The proposed regulations include 37 pages of significant new obligations spanning cybersecurity audits, automated decision-making technology (e.g., artificial intelligence, (AI)), privacy risk assessments, and 72 pages of other updates to existing regulations. Together, these regulations would create new compliance obligations for tens of thousands of California businesses and are preliminarily estimated to generate a staggering $4.2 billion in compliance costs for those businesses in their first year alone. Critically, these estimates do not include the many businesses that are based outside of California, yet subject to the California Consumer Privacy Act (CCPA) because they do business in California, meaning the real economic burden is likely to be far more significant.Continue Reading Substantial New CCPA Regulations Inch Closer to Reality: A Detailed Overview of the New Requirements and Their Projected $4 Billion Cost to California Businesses

On May 21, 2024, France adopted law No. 2024-449 to secure and regulate the digital space. This law grants new enforcement powers and authority to the French Data Protection Authority (CNIL), including to seize documents, record declarations during dawn raids, and enforce certain provisions of the Digital Services Act (DSA) and the Digital Governance Act (DGA).Continue Reading New Enforcement Powers for the French Data Protection Authority (CNIL)

In the first half of 2024, seven new states—Kentucky, Maryland, Minnesota, Nebraska, New Hampshire, New Jersey, and Rhode Island—all enacted their takes on comprehensive privacy laws, bringing the total number of states with such laws

Continue Reading Seven New States Join Patchwork of U.S. Comprehensive Privacy Laws: Top 10 Trends from the First Half of 2024

In a decision with far-ranging implications for federal administrative law, the United States Supreme Court issued its long-awaited ruling in Loper Bright Enterprises v. Raimondo (Loper Bright).1 The Supreme Court’s six-Justice majority held that the Administrative Procedure Act (APA) requires courts interpreting agency regulations to determine independently whether the agencies have acted within their statutory authority, even where the statute at issue is ambiguous. In so holding, the Court overruled its 1984 decision in Chevron USA v. Natural Resources Defense Council, which for the last four decades had governed thousands of cases involving federal agency interpretations of ambiguous laws.Continue Reading “Chevron is overruled”: How Loper Bright Will Change the Regulatory Law Landscape

On June 18, 2024, the California Attorney General and the Los Angeles City Attorney (collectively, “the People”) announced a settlement with Tilting Point Media LLC (Tilting Point). The settlement resolves allegations that Tilting Point violated the Children’s Online Privacy Protection Act (COPPA), the California Consumer Privacy Act (CCPA), and the Privacy Rights for California Minors in the Digital World Act (Digital Privacy for Minors Act).Continue Reading Video Game App Developer Agrees to Pay $500,000 for Children’s and Minors’ CCPA, COPPA, and Ads Violations