Last week, Vermont Governor Phil Scott vetoed one of the most-watched pieces of privacy legislation in the United States: the Vermont Data Privacy Act (VDPA). Described in H.121 as “an act relating to enhancing consumer privacy and the age-appropriate design code,” was passed by the Vermont legislature in the early morning hours on May 11, 2024. The act represented a seismic change in domestic consumer privacy rights. However, Governor Scott returned H.121 without signature, effectively vetoing the would-be watershed bill.Continue Reading Not So Fast: Vermont Governor VETOES Private Right of Action for Consumer Privacy Violations

Just past midnight on May 11, 2024, the Vermont legislature passed the Vermont Data Privacy Act (VDPA). VDPA, if signed by Governor Phil Scott, will take effect on July 1, 2025, and will make Vermont the 18th state to establish consumer privacy rights in the same vein as the California Consumer Privacy Act (CCPA). Although many state consumer privacy laws feel cookie cutter at this point, VDPA contains nuances that will require companies to strategize data management intake and processing.Continue Reading While You Were Sleeping, Vermont Passed One of the Most Stringent State Consumer Privacy Laws Yet

Yesterday, the California Privacy Protection Agency (CPPA) issued its first enforcement advisory regarding the California Consumer Privacy Act (CCPA).  Enforcement Advisory No. 2024-01(the Advisory) is solely devoted to data minimalization, which the CPPA describes as “a foundational principle in the CCPA.” An enforcement advisory is not an implementing rule, regulation, or law; it is not even an interpretation of the law or legal advice. Instead, CPPA enforcement advisories are intended to be informational bulletins to inform the public about nascent legal privacy issues that CPPA is engaging with at a given time. Continue Reading California Privacy Protection Agency Issues “Minimal” Guidance on CCPA in First Enforcement Advisory

On Wednesday, February 21, 2024, California Attorney General Rob Bonta announced that his office reached a settlement with DoorDash, which addresses allegations that the company facilitated several violations of both the California Consumer Privacy Act (CCPA) and the California Online Privacy Protection Act (CalOPPA).

Following an investigation by the California Department of Justice, the CA AG’s office determined that DoorDash sold the personal information of California customers without requisite notice or an opportunity to opt-out of that sale.  The sale took place through marketing cooperatives, which are networks of businesses that share the personal information of their respective customers with one another in order for participating businesses to advertise to those same customers, regardless of any prior relationship.  In other words, by participating in marketing cooperatives and disclosing consumer personal information as part of its membership, DoorDash was able to reach new customers; in turn, the other businesses participating in the cooperative also gained the opportunity to market to DoorDash customers.Continue Reading California Delivers to DoorDash $375,000 Civil Penalty: California AG Announces Second CCPA Settlement

Late last week, the California Third District Court of Appeal (the “Court”) overturned a lower court decision delaying the enforcement of amended privacy regulations. On Friday, February 9, 2024, the Court held that the California Privacy Protection Agency (the “Agency”) had the authority to enforce its amended California Privacy Rights Act (CPRA) regulations effective immediately, meaning all businesses regulated by the CPRA are expected to be in full compliance today. Continue Reading California Appeals Court Holds CPRA’s Implementing Rules Are Immediately Enforceable

On September 18, 2023, the U.S. District Court for the Northern District of California granted technology trade association NetChoice, LLC’s request for a Preliminary Injunction in NetChoice LLC v. Bonta, a lawsuit challenging the constitutionality of the California Age-Appropriate Design Code Act (CAADCA), which the California Legislature passed last year. In granting the Preliminary Injunction, the court found that the law’s restrictions on commercial speech likely violate the First Amendment. 

Drawing inspiration from the UK Age-Appropriate Design Code, the CAADCA regulates covered businesses and their practices with respect to the collection, storage, and processing of personal data collected from children under the age of 18. CAADCA requires that the most restrictive default privacy settings be implemented for younger users and that any community standards, terms of service, and privacy settings be freely accessible and enforced. Following the September 18 ruling, the future of the CAADCA is uncertain. At the very least, the CAADCA is unlikely to be enforced on its intended effective date of July 1, 2024, as the injunction remains in place throughout the course of litigation.Continue Reading Pumping the Brakes: Federal Judge Grants Preliminary Injunction Blocking California Children’s Digital Privacy Law From Taking Effect

Last year, we discussed the growing focus and increased regulation on data brokers nationwide, including bills in California, Delaware, Massachusetts, Oregon, and Washington. Now, California has a new bill (S.B. 362) that would revamp its requirements on data brokers and provide California residents new rights over their personal information. The bill is now on California Governor Gavin Newsom’s desk for signature. The purpose of this bill is to address differences between existing data broker requirements and the California Consumer Privacy Act (CCPA).Continue Reading California’s New Data Broker Requirements

Over the last few years, there has been an increased focus on the collection of children’s personal information in the United States. For example, many states have begun passing laws that significantly increase regulation for businesses collecting personal information from children, see our previous discussion on California’s Age-Appropriate Design Code Act. Additionally, at the federal level, the Federal Trade Commission (FTC) has increased its focus on the Children’s Online Privacy Protection Act (COPPA), specifically in the educational context.Continue Reading Children’s Online Privacy Protection Act Update! FTC Enforcement and New Parental Consent Proposal

On June 30, 2023, California Superior Court Judge James P. Arguelles held that the California Privacy Protection Agency (the “Agency”) cannot enforce any violation for the Agency’s regulations issued on March 29, 2023, under the California Consumer Privacy Act (CCPA), as amended by the California Consumer Privacy Rights Act (CPRA) until March 29, 2024. This holding stems from a petition brought by the California Chamber of Commerce (the “Chamber”) against the Agency, arguing that based on a plain reading of the CPRA’s language, enforcement cannot begin until one year following issuance of the Agency’s regulations.

Although enforcement of the Agency’s regulations are delayed, the text of the CCPA, as well as regulations enacted prior to March 29, 2023, remain in effect and enforceable. The enforcement stay solely bars the Agency from enforcing its own issued regulations under the CPRA for one year after a particular regulation is finalized.Continue Reading Not So Fast: California Superior Court Delays Enforcement of Certain CPRA Regulations

Recently, the California Office of Administrative Law approved the California Privacy Protection Agency’s (CPPA) long-awaited final regulations (“Regulations”). While there are many rules businesses need to ensure they comply with, this article focuses on the CPPA’s enforcement action and the role the Agency will play in interacting with companies moving forward.Continue Reading CPPA Final Regulations Are Here