Today, Virginia Governor Ralph Northam signed the Consumer Data Protection Act (SB 1392) into law, making Virginia the second state after California to enact major privacy legislation.  Like the recently approved California Privacy Rights Act (“CPRA”), which amends the California Consumer Privacy Act, the Virginia Consumer Data Protection Act (“CDPA”) also becomes effective January 1, 2023.  But the similarities to California law don’t end there.  There is considerable overlap between the CDPA and the CCPA and CPRA, on the one hand, and between the CDPA and the European General Data Protection Regulation (“GDPR”), on the other hand.  However, there are also important distinctions between the CDPA and those laws that make it unique.  This blog post tracks some of the CDPA’s key features, and notes where they align with or depart from existing law.
Continue Reading Virginia is for Privacy, Apparently

As anticipated, on September 29, 2020, Governor Newsom signed into law Assembly Bill 1281 incorporating an extension of time for the sunset of the employee and business to business exemptions of the California Consumer Privacy Act of 2018 (“CCPA”) to January 1, 2022.
Continue Reading Don’t Let the Sun Go Down – Governor Newsom Signs Off on the Extension of Key CCPA Exemptions for Employee and B2B Data

Over the past several weeks, the California Attorney General (“AG”) published revisions to its proposed regulations implementing the CCPA (the “Modified Regulations”), and then further revised the Modified Regulations (“Version 2”).  Despite earlier warnings to the business community that AG’s initial draft of Regulations would not materially change, we’ve now seen it happen twice.  The full redlines of both the Modified Regulations and Version 2 are available here. This article highlights what’s new, what remains the same, what we expect to have the biggest impact on businesses working toward compliance, and the lack of predictability of next moves given the growing global health crisis.  
Continue Reading CCPA Update: Oops, the CA AG Did It Again

On Thursday, October 10, 2019, only 83 days before the California Consumer Privacy Act (“CCPA”) was set to become effective, California Attorney General Xavier Becerra held a press conference, with no prior notice, and issued his long awaited proposed regulations (the “Regulations”). The hope had been that the Regulations would provide much needed guidance to businesses of all sizes and in all industries as to how to implement a law that was hastily passed in a week’s time in 2018. Instead, while the Regulations provide some clarity around the mechanisms that organizations may use to verify and respond to the various consumer requests allowed by the law, the Regulations also add even more ambiguity to a number of requirements. Even more concerning, the Regulations add some new requirements and deadlines that do not exist in the statute itself.

The Regulations include 24 pages of legalese. Every privacy lawyer I know – and I know the best and the brightest – is struggling to interpret these Regulations and what they really mean. That does not bode well for businesses who (1) are trying to run businesses and not become privacy experts; and (2) cannot afford experienced privacy counsel. And that, in turn, does not help California consumers. As I have said many times before, California can do better. I call again on all California businesses of any size, and in every industry, to submit comments to the Attorney General to let the AG know the impact on your business and the California economy. Comments are due on or before December 6.  There will also be hearings around the state December 2-5. Let’s show up and be heard.

With that, we give you a summary of the Regulations. I would say enjoy, but I know better.


Continue Reading The California AG’s Proposed CCPA Regulations are Live, but Not Ready for Prime Time

California’s Senate voted on Thursday to hold SB-561, effectively killing the bill for 2019. The CCPA gives consumers the right to sue a business for data breaches, and SB-561 would have expanded the right to sue for any violation of the CCPA, even technical privacy violations. The death of the bill means that the private right of action will remain limited to data breaches, and the California legislature will not revisit expansion until 2020 at earliest.
Continue Reading CCPA Amendment Update: Bill to Expand Private Right of Action is Dead (for Now)

The Office of the California Attorney General (AG) made its fourth stop on its statewide California Consumer Privacy Act listening tour, holding in Los Angeles a public forum on the CCPA. The forums invite public comment as the AG prepares regulations for implementing and enforcing the law. Although the AG specifically requested comment on the seven areas identified in the law for the AG’s regulation,[1] it was clear that some categories caught the attention of the public more than others. And even though the forum was structured to allow participants to provide ideas and suggestions (the AG did not respond to comments or questions presented), most commentators asked for clarity and specific direction from the AG regulations, to help decipher the reach of CCPA and its compliance obligations.


Continue Reading Attorney General Holds Public Forum on CCPA

Once upon a time, Larry Page said “you can’t have privacy without security.” California clearly agrees and may test the sincerity of Mr. Page and other tech leaders innovating in the field of connected devices with new legislation signed by Governor Brown in September.

With the ink barely dry on the infamous California Consumer Privacy Act (the CCPA)—a first-of-its-kind data privacy bill in the United States—Brown signed a new Internet of Things cybersecurity bill into law, SB 327. Perhaps not so coincidentally, both laws will take effect on January 1, 2020, marking a substantial compliance deadline for technology companies big and small.


Continue Reading Your Vacuum Cleaner, Your Coffee Maker, and Your Baby Monitor May Be Watching You, So They Better Be Secure: California Passes New Connected Device Cybersecurity Law

This afternoon, Governor Brown signed into law California Assembly Bill 375, the California Consumer Privacy Act of 2018. The law is unprecedented in the United States that it applies European-level compliance obligations akin to the now infamous General Data Protection Regulation (GDPR), which took effect only a month ago. How did this happen? California legislators rushed a bill through to avoid a ballot initiative proposed by Alastair Mactaggart. Mactaggart agreed to withdraw the initiative if a law was signed by the Governor by today. The law takes effect on January 1, 2020. (And if you think that’s a long time, then you did not just live through the last 18 months working on GDPR preparedness.)   What does AB 375 mean for organizations doing business in California? It includes new disclosure requirements, consumer rights, training obligations, and potential penalties for noncompliance, among other things.

Below are some of the key provisions:


Continue Reading California, Privacy, and the New Normal – CA AB 375 Signed Into Law