The start of 2020 did not just bring us the effective date of the California Consumer Privacy Act (CCPA). It also lead to several state legislators introducing their own versions of potentially ground-breaking privacy and data security laws. Each law has nuances that will likely result in a compliance nightmare, particularly if all or most of the states and territories enact their own law. However, each also appears on its face to riff on either the EU’s General Data Protection Regulation (GDPR) or the CCPA.

The chart below provides a list (current as of April 14, 2020) of proposed state privacy legislation that could still be enacted this session. The purpose of the chart is to provide the broad strokes of each proposed law, show their similarities, and highlight key differences. The question is whether the GDPR and/or CCPA actually provide the most appropriate models to emulate? The CCPA is perceived and touted by many as the first and most comprehensive privacy and data security law of its kind in the US, but we can’t help but wonder: does first necessarily mean best?

States that considered but ultimately chose not to pass proposed privacy legislation in 2020 include: Florida, Maryland, Virginia, Washington, and Wisconsin.
Continue Reading What’s the Deal with the Other State Privacy Bills?

Welcome to 2020. The California Consumer Privacy Act (“CCPA”) is now in effect, and your business has probably spent significant time and expense preparing for the law. With so much focus on CCPA preparations, it’s important to recall that the CCPA isn’t the only California privacy law to become effective this year. California will now also require any business that meets the definition of a data broker during a given year to register as a data broker with the California Attorney General’s Office on or before January 31st of the following year. Although the law is not clear whether it retroactively applies to business practices in 2019, the California Office of the Attorney General has issued a press statement on data broker registration and posted a registration page, which strongly indicates that the AG expects qualifying businesses to register by January 31, 2020.

Continue Reading Data Broker Registration for California is Live

On July 24, 2019, the FTC announced a $5 billion settlement with Facebook to address Facebook’s alleged violations of the FTC Act and its 2012 consent order with the FTC. The settlement comes as no surprise to the privacy community – Facebook has been closely scrutinized by the public and regulators since the Cambridge Analytica data incident in March 2018 and indicated to investors earlier this year that it anticipated a fine from the FTC between $3 and $5 billion.

We have read the complaint, settlement, and press releases issued by the FTC and Facebook, and provide our thoughts below on what it means for business:
Continue Reading Business Takeaways from the FTC $5 Billion Settlement with Facebook

On May 29, 2019, Nevada’s SB 220[1] became law, amending Nevada’s Privacy Law (2017).[2] The existing Nevada Privacy Law is similar to California’s Online Privacy Protection Act (2004), by requiring a conspicuously posted privacy policy. The new SB 220 resembles the new California Consumer Privacy Act (“CCPA”) but is more narrow in application and scope.


Continue Reading Nevada’s New Privacy Law Has Data Sale Opt-Out Rights

This afternoon, Governor Brown signed into law California Assembly Bill 375, the California Consumer Privacy Act of 2018. The law is unprecedented in the United States that it applies European-level compliance obligations akin to the now infamous General Data Protection Regulation (GDPR), which took effect only a month ago. How did this happen? California legislators rushed a bill through to avoid a ballot initiative proposed by Alastair Mactaggart. Mactaggart agreed to withdraw the initiative if a law was signed by the Governor by today. The law takes effect on January 1, 2020. (And if you think that’s a long time, then you did not just live through the last 18 months working on GDPR preparedness.)   What does AB 375 mean for organizations doing business in California? It includes new disclosure requirements, consumer rights, training obligations, and potential penalties for noncompliance, among other things.

Below are some of the key provisions:


Continue Reading California, Privacy, and the New Normal – CA AB 375 Signed Into Law