Photo of Zenus Franklin

Zenus focuses on addressing a variety of business and finance matters, including data governance regulations such as GDPR, CCPA, COPPA, PCI-DSS, and state data breach notification laws. He also assists clients with internal policy development, implementation, assessment, training, and incident response management.

Last year, we discussed the growing focus and increased regulation on data brokers nationwide, including bills in California, Delaware, Massachusetts, Oregon, and Washington. Now, California has a new bill (S.B. 362) that would revamp its requirements on data brokers and provide California residents new rights over their personal information. The bill is now on California Governor Gavin Newsom’s desk for signature. The purpose of this bill is to address differences between existing data broker requirements and the California Consumer Privacy Act (CCPA).

Continue Reading California’s New Data Broker Requirements

Over the last few years, there has been an increased focus on the collection of children’s personal information in the United States. For example, many states have begun passing laws that significantly increase regulation for businesses collecting personal information from children, see our previous discussion on California’s Age-Appropriate Design Code Act. Additionally, at the federal level, the Federal Trade Commission (FTC) has increased its focus on the Children’s Online Privacy Protection Act (COPPA), specifically in the educational context.

Continue Reading Children’s Online Privacy Protection Act Update! FTC Enforcement and New Parental Consent Proposal

As we previously covered in February, there has been an increase in lawsuits, including class actions, filed against website operators in various states (including California, Florida, Indiana, Illinois, and Pennsylvania) for violations of state wiretapping laws or the Video Privacy Protection Act of 1988 (VPPA). Since then, there have been some updates to such pending litigation. For purposes of this post, the pending litigation can be broken out into three categories: (1) Chat window wiretapping claims; (2) Session replay technology claims; and (3) claims under the VPPA.

Continue Reading UPDATE: Litigation Related to Website Technology & Data Sharing

Over the past year, there has been a growing number of lawsuits, including class actions, filed against website operators in various states (including California, Florida, Illinois, and Pennsylvania) for violations of state wiretapping laws or the Video Privacy Protection Act of 1988 (“VPPA”).

Continue Reading Heads Up!  Increasing Litigation Related to Website Technology & Data Sharing

We recently provided an update regarding the California Privacy Protection Agency’s modified regulations (the “Regulations”) for the California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act (the “CCPA”). In that update, we briefly discussed new requirements regarding website popups, including cookie banners.

The Regulations require Businesses to design and implement methods for consumers submitting CCPA requests and “obtaining consumer consent” that incorporate the following principles:

  • Language that is easy to understand;
  • Symmetry in choice, meaning the business shall not make it more difficult to exercise a more privacy-protective option than a less privacy-protective option;
  • Avoids language that is confusing to the consumer;
  • Avoids using choice architecture that impairs or interferes with the consumer’s ability to make a choice; and
  • Designed in a way that it is easy to execute.


Continue Reading Cookie Banners under the CCPA/CPRA

With less than three months until the California Privacy Rights Act goes into effect on January 1, 2023, the California Privacy Protection Agency (the “Agency”) released updated proposed regulations on October 17, 2022 (the “Regulations”).  The Regulations govern compliance with the California Consumer Privacy Act of 2018, which will be amended by the California Privacy Rights Act (collectively, the “CCPA”). The Regulations modify the initial proposed regulations that were released on July 8, 2022. We discuss the key changes from both versions below.

Important: The written comment period will not end until November 21.  Accordingly, it is possible these Regulations may change again.
Continue Reading Rush to the Finish Line: The California Privacy Protection Agency Releases CPRA Modified Regulations

On Friday, June 3, 2022, a bipartisan group of lawmakers published a discussion draft for the proposed American Data Privacy and Protection Act (the “ADPPA”).  The ADPPA is a draft bill that has yet to be introduced in the U.S. House or Senate, which means that any provision is subject to amendment.  However, even in draft form, the ADPPA is a notable advance in the efforts for a federal privacy law with sponsorship from both democrats and republicans, as well as members of the U.S. House and Senate.
Continue Reading What is the American Data Privacy and Protection Act?

It was not long ago that data privacy was an afterthought for many companies, and in some regards, it may still be an afterthought. Since 2018, major laws and regulations governing companies’ collection, use, and disclosure of personal information have been enacted, including the General Data Protection Regulation (GDPR), California Consumer Privacy Act (CCPA) (amended by the California Privacy Rights Act, and soon to be joined by similar state privacy laws in Colorado, Connecticut, Indiana, Virginia, and Utah), Strengthening American Cybersecurity Act, and state data breach notification laws.
Continue Reading The Changing Landscape of Privacy and Data Security in Mergers and Acquisitions

Recently, multiple states have enacted and passed new data privacy laws and bills (Colorado, Virginia, Utah, California Privacy Rights Act, Connecticut, Indiana, and Ohio). Rightfully so, these laws and bills have garnered much of the media attention. However, in the midst of all the new state data privacy laws, new bills regulating “data brokers” have begun to emerge. To no surprise, California is leading the way with its Data Broker Registration Law, which was enacted in 2019.
Continue Reading Am I A Data Broker?: A Quick Primer on State Laws Regulating a Growing Industry

The Colorado Privacy Act (“CPA”) takes effect July 1, 2023, and will provide express consumer rights, as well as controller and processor obligations, relating to personally identifiable information of Colorado consumers. This month, the Office of the Colorado Attorney General (the “Office”) outlined the pre-rulemaking considerations for the CPA (“Pre-Rulemaking Considerations”), in an effort to educate regulated entities on the trajectory of this new law, and how such entities may address the upcoming requirements. The Pre-Rulemaking Considerations were also forecasted in Colorado AG Phil Weiser’s address to the International Association of Privacy Professionals 2022 Global Privacy Summit.
Continue Reading Colorado AG Explains Rocky Mountain Way for Data Privacy Law