Ninth Circuit Ruling Paves the Way for California Age-Appropriate Design Code to Partially Come into Effect
On August 16, 2024, the U.S. Court of Appeals for the Ninth Circuit issued an opinion partially upholding—and partially vacating—the District Court for the Northern District of California’s preliminary injunction preventing the California Age-Appropriate Design Code Act (CAADCA or the Act) from going into effect. Specifically, the Ninth Circuit upheld the district court’s injunction related to Data Protection Impact Assessment (DPIA) provisions while the district court further considers whether the remaining portions of the law are likely to be severable or unconstitutional on their own. Although the Ninth Circuit’s decision has not yet gone into effect, businesses subject to the CCPA may soon find themselves on the hook for complying with many provisions in the CAADCA.
Substantial New CCPA Regulations Inch Closer to Reality: A Detailed Overview of the New Requirements and Their Projected $4 Billion Cost to California Businesses
On July 16, 2024, the California Privacy Protection Agency (CPPA) Board met to discuss advancing its over 200-page draft rulemaking package to formal proceedings.[1] The proposed regulations include 37 pages of significant new obligations spanning cybersecurity audits, automated decision-making technology (e.g., artificial intelligence (AI)), and privacy risk assessments, plus 72 pages of other updates to existing regulations. Together, these regulations would create new compliance obligations for tens of thousands of California businesses and are preliminarily estimated to generate a staggering $4.2 billion in compliance costs for those businesses in their first year alone. Critically, these estimates do not include the many businesses that are based outside of California yet subject to the California Consumer Privacy Act (CCPA) because they do business in California, meaning the real economic burden is likely to be far more significant.
California Appeals Court Moves Up Enforcement Date for Latest CCPA Regulations
On February 9, 2024, the California Third District Court of Appeals in Sacramento overturned a lower court order that postponed enforcement of the California Privacy Protection Agency’s (CPPA) newest rules. The decision restores the authority of the CPPA and California Attorney General to enforce the latest regulations under the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA) (“updated CCPA regulations”).
Draft California AI Regulations Become One Step Closer to Reality: An Analysis of Requirements on the Horizon
On December 8, 2023, the California Privacy Protection Agency (CPPA) Board discussed a draft of its forthcoming artificial intelligence (AI) regulations on automated decision making technology (ADMT). The proposed regulations, published earlier on November 27, 2023, would impose significant new requirements on businesses subject to the California Consumer Privacy Act (CCPA) that use ADMT for certain use cases. The ADMT draft rules are expected to be part of the Agency’s larger rulemaking package alongside rules governing cybersecurity audits and risk assessments under the CCPA, as amended by the California Privacy Rights Act. While the draft ADMT regulations currently have no legal effect and are likely to undergo further revision before formal rulemaking begins, the current draft nonetheless provides an important preview of the rigorous new compliance requirements that could later take effect. Notable items put forth for public discussion include:
California Enacts One-Stop Mechanism for Data Broker Deletion Requests
California residents may soon be able to click “backspace” on data brokers doing business in the state. On October 10, 2023, California Governor Gavin Newsom signed Senate Bill 362, colloquially known as the Delete Act, into law. The statute amends the state’s existing data broker registration law and builds on the state’s primary privacy law, the California Consumer Privacy Act (CCPA), by adding to residents’ ability to exercise their personal information deletion rights. Most notably, the law establishes a one-stop mechanism where state residents will be able to request—in one verifiable request—that all data brokers delete their personal information.
Sacramento Superior Court Delays Enforcement of CPRA Implementing Regulations
In a shocking turn of events, a Superior Court for the County of Sacramento issued a ruling on June 30, 2023, enjoining the enforcement of the California Privacy Protection Agency’s (the “Agency’s”) California Privacy Rights Act (CPRA) modifications to the California Consumer Privacy Act (CCPA) regulations until one year after the regulations have been finalized. We previously issued an alert reminding businesses that the CPRA amendments to the CCPA become enforceable starting July 1, 2023, but, in accordance with the court’s ruling, the Agency’s recent modifications to the CCPA regulations to account for the CPRA’s changes to the CCPA now will not become enforceable until March 29, 2024. Per the court’s ruling, the prior CCPA regulations will remain in effect until the new regulations become enforceable.
Are You Ready for the 3Cs?: California, Colorado, and Connecticut’s New Privacy Laws Become Enforceable July 1, 2023
On July 1, 2023, the Colorado Privacy Act (ColoPA) and Connecticut Data Privacy Act (CTDPA) will go into effect, joining California and Virginia, whose data privacy laws are already in effect. Notably, while the California Privacy Rights Act (CPRA) amendments to the California Consumer Privacy Act (CCPA) went into effect on January 1, 2023, those amendments will also become enforceable starting July 1, 2023. While there are a number of compliance obligations that overlap among these laws, businesses should be aware of the key obligations for ColoPA, specifically the ColoPA Rules that were finalized just a few months ago, and the CTDPA, since they may require businesses to update their privacy notices and practices. This alert provides a high-level summary of significant obligations from the ColoPA law and regulations and the CTDPA to aid companies preparing to be in compliance by the July 1st deadline.
Colorado
As covered in prior alerts,[1] entities subject to ColoPA, which now includes the ColoPA Rules finalized on March 15, 2023, can face civil penalties of up to $20,000 per violation for noncompliance if the violation cannot be cured within 60 days. As such, businesses should review these key takeaways to ensure they have properly considered the obligations for their companies:
- Privacy Notice Content Requirements. Unlike the CCPA, ColoPA requires controllers to map each category of personal data collected to the controller’s specific use of that data. The ColoPA also requires controllers to notify consumers of material changes to its privacy notice, such as when the controller begins to share personal data with new categories of third parties and when a controller processes personal data for a new purpose.
- Consent. ColoPA requires controllers to obtain opt-in consent prior to processing a variety of data, including sensitive data, personal data concerning known children, and processing personal data for new purposes (even if personal data was collected prior to July 1, 2023). The ColoPA also establishes specific requirements for how to obtain valid, informed consent.
- Consent for Previously Collected Data, Reseeking Consent, and Refreshing Consent. Companies should also take note of the many other requirements for establishing and maintaining proper consent obligations. Most notably:
- Controllers must refresh previously obtained consents if the consumer has not interacted with the controller in the past 24 months unless the consumer has the ability to update their opt-out preferences at any time through a user-controlled interface.
- Controllers that do not obtain valid consent to continue processing sensitive data that was collected prior to July 1, 2023, will have until July 1, 2024, to obtain that consent.
- Controllers can also reseek a valid form of consent from consumers if they have a “reasonable belief” that the consumer intended to opt back into the sale of personal data or processing of personal data for targeted advertising.
- Right to Opt Out. Like the CCPA, ColoPA allows consumers to opt out of the sale of their personal data. Although consumer opt-out rights under the CCPA now extend to the “sharing” of personal data for targeted advertising purposes,[2] ColoPA goes a step further and allows consumers to opt out of any use or any other processing of personal data for the purposes of targeted advertising. The ColoPA confirms that “Your Privacy Choices” (among other examples) can be a valid opt-out link text, which aligns with one of the options provided by the CCPA.
- Data Minimization. Businesses that store personal data, including photographs, audio or voice recordings, and biometric identifiers, will need to annually assess whether such storage is necessary, adequate, or relevant for the stated processing purpose.
- Data Protection Assessments. The ColoPA Rules require companies to conduct data protection assessments for processing activities conducted after July 1, 2023, that “present[] a heightened risk of harm” to consumers. ColoPA provides much more prescriptive guidance than the CCPA and the Virginia Consumer Data Protection Act (VCDPA) on how to conduct these assessments.
Connecticut
While we previously covered the scope and applicability of the CTDPA here, companies should be aware that just a few weeks ago, the Connecticut state legislature amended the CTDPA by creating new data privacy requirements for consumer health data and children’s personal data.[3] The provisions related to processing of consumer health data will take effect on July 1, 2023, whereas other provisions related to the use and processing of children’s data will go into effect in July and October of 2024. From July 1, 2023, through December 31, 2024, the Connecticut Attorney General will provide companies with a notice of alleged violations and a 60-day cure period if the attorney general determines that a cure is possible. But beginning on January 1, 2025, the attorney general will have discretion on whether to grant a controller or processor an opportunity to cure.
Companies that have already begun preparing for compliance with the laws in Colorado and Virginia will likely still require additional updates to comply with the CTDPA. Below, we summarize the major differences between these laws and the key obligations from the CTDPA passed on May 10, 2022, and as amended on June 2, 2023.
- Expanded Definition of Sensitive Data. The CTDPA requires controllers to obtain consent before processing sensitive data, consistent with the VCDPA and ColoPA. As amended, the CTDPA’s definition of “sensitive data” is expanded to include “consumer health data”[4] and “data concerning an individual’s status as a victim of a crime.”
- Right to Opt Out. Like Colorado and Virginia, Connecticut residents will have the right to opt out of personal data sales, targeted advertising, and profiling. Notably, however, the CTDPA does not require that opt-outs be authenticated like ColoPA.
- New Prohibitions on the Disclosure of Consumer Health Data. As amended, the CTDPA adds a new section outlining specific requirements related to consumer health data, including prohibiting persons from: 1) providing employees or contractors with consumer health data unless they are subject to a contractual or statutory duty of confidentiality; 2) using geofences within 1,750 feet of mental, reproductive, and sexual health facilities “for the purpose of identifying, tracking, collecting data from or sending any notification to a consumer regarding the consumer’s consumer health data”; and 3) selling consumer health data without first obtaining consumer consent.
Businesses should not wait until July 1 to begin addressing these new obligations. Companies that updated their notices and practices for January 2023, when the CPRA and VCDPA went into effect, with the aim of being compliant throughout 2023 will almost certainly need to address the many developments since then and should revisit their compliance practices.
Wilson Sonsini Goodrich & Rosati routinely helps companies navigate complex privacy and data security issues. For more information or advice concerning your CCPA, ColoPA, and CTDPA compliance efforts, please contact Maneesha Mithal, Tracy Shapiro, Eddie Holman, Stacy Okoro, or any member of the firm’s privacy and cybersecurity practice.
[1] We previously covered the Colorado AG’s rulemaking process and pre-rulemaking considerations in the following Wilson Sonsini Alerts: “Colorado AG’s Office Announces Final Colorado Privacy Act Rules: Key Takeaways,” “Colorado Attorney General’s Office Releases Third Version of Draft Rules for Colorado Privacy Act: Key Takeaways,” “Colorado Attorney General’s Office Releases Modified Draft Rules for Colorado Privacy Act: Key Takeaways,” “Colorado Attorney General Announces Privacy Rulemaking,” and “Colorado Attorney General Issues Pre-Rulemaking Considerations for the Colorado Privacy Act.” We also provided an overview of the ColoPA’s key requirements in another Wilson Sonsini Alert, “Colorado Becomes Third State to Pass New General Privacy Law.”
[2] Referred to as “cross-context behavioral advertising” in the CCPA.
[3] See Senate Bill 3 (enacted on June 2, 2023).
[4] Defines “consumer health data” as “any personal data that a controller uses to identify a consumer’s physical or mental health condition or diagnosis, and includes, but is not limited to, gender-affirming health data and reproductive or sexual health data.”