We recently provided an update regarding the California Privacy Protection Agency’s modified regulations (the “Regulations”) for the California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act (the “CCPA”). In that update, we briefly discussed new requirements regarding website popups, including cookie banners.

The Regulations require Businesses to design and implement methods for consumers submitting CCPA requests and “obtaining consumer consent” that incorporate the following principles:

  • Language that is easy to understand;
  • Symmetry in choice, meaning the business shall not make it more difficult to exercise a more privacy-protective option than a less privacy-protective option;
  • Avoids language that is confusing to the consumer;
  • Avoids using choice architecture that impairs or interferes with the consumer’s ability to make a choice; and
  • Designed in a way that it is easy to execute.


Continue Reading Cookie Banners under the CCPA/CPRA

With less than three months until the California Privacy Rights Act goes into effect on January 1, 2023, the California Privacy Protection Agency (the “Agency”) released updated proposed regulations on October 17, 2022 (the “Regulations”).  The Regulations govern compliance with the California Consumer Privacy Act of 2018, which will be amended by the California Privacy Rights Act (collectively, the “CCPA”). The Regulations modify the initial proposed regulations that were released on July 8, 2022. We discuss the key changes from both versions below.

Important: The written comment period will not end until November 21.  Accordingly, it is possible these Regulations may change again.
Continue Reading Rush to the Finish Line: The California Privacy Protection Agency Releases CPRA Modified Regulations

Once again, California is setting trends in the world of privacy laws. On September 15, 2022, California’s Governor signed the first comprehensive state law to protect children’s online safety. A week later, on September 23, 2022, the New York Senate introduced a similar bill.

New York’s newly introduced Bill, S9563, the Child Data Privacy and Protection Act (“Bill”), largely mirrors the newly passed California law but has some added protections and procedures that online products targeting children must follow if the law is enacted.
Continue Reading From Coast to Coast: New York Introduces New Bill Aiming To Enhance Protections For Children Online a Week After California Enacts Similar Law

The answer is simple: delete it (unless retention is required by law or contract)! Virtually every company processes personal data in some form or fashion. The term “processing” is defined broadly under most data protection laws to mean “any operation or set of operations which is performed on personal data.” The general rule is that when a business’s processing of personal data is complete, the data must be returned or deleted. Typically, data deletion arises:

  • when required contractually (i.e., in data processing agreements to comply with applicable data protection laws such as Europe’s General Data Protection Regulation’s (“GDPR”) Article 28(3)(g));
  • when requested by data subjects exercising their “right to be forgotten”/deletion/erasure under applicable data protection laws. This means that, in some cases, even if a company’s processing of personal data is incomplete, the processing can be cut short if a person requests that their data be deleted; and/or
  • as a requirement to do business with other companies. In some instances, data deletion or a process for deletion must exist to do business with other entities. For example, Facebook requires companies to have a policy/process for individuals to request their data be deleted (even if there is no applicable law imposing this requirement on the company) if a company wants individuals to create an account on the company’s website using their Facebook credentials.


Continue Reading I’m Done With My Data, Now What?

Last week, the California Legislature passed Assembly Bill 2273:  the California Age-Appropriate Design Code Act (“CAADCA”).  CAADCA is an online safety bill, which contains unique privacy requirements to protect minors under the age of 18.

Covered Businesses:  Covered businesses under the bill include any “business,” as defined by the California Consumer Privacy Act, “that provides an online service, product, or feature likely to be accessed by children.”  This means that if your company conducts business in California and (a) has an annual gross revenue of more than $25 million; or (b) alone or in combination, buys, receives for commercial purposes, sells, or shares for commercial purposes the personal information of more than 50,000 consumers, households, or devices; or (c) derives 50% or more of its annual revenue from selling consumers’ personal information, then you will need to evaluate whether your products or services must also address CAADCA requirements.
Continue Reading Child’s Play: Latest California Bill Creates Significant Increase in Regulation for Covered Businesses Collecting Personal Data of Children

The California Attorney General’s office recently announced that French multinational personal care and beauty products retailer Sephora, Inc. has agreed to pay $1.2 million to resolve allegations that the company violated the California Consumer Privacy Act (CCPA), making it the first settlement under California’s landmark privacy law.

The CCPA is a first-in-the-nation law that was passed in 2018 and went into effect in 2020. It gives Californians the right to know what information a business collects about them and shares; the right to delete personal information collected from them; the right to opt out of the sale of their personal information; and the right to not be discriminated against for exercising all the rights the CCPA gives them. Oftentimes, online retailers allow third-party companies to install tracking software to monitor a consumer’s shopping trends.
Continue Reading The CCPA Strikes the First Major Blow: Sephora Settles Allegations for $1.2 Million

We are officially six months away from the California Privacy Rights Act (“CPRA”) taking effect and amending the California Consumer Privacy Act (“CCPA”).  Even for companies that have grown comfortable with requirements under the CCPA, the CPRA changes require planning and preparation.  With CPRA taking effect on January 1, 2023, here are six tips to begin that preparation:
Continue Reading Are You Ready for CPRA? 6 Tips for the Final 6 Months

By now, we are used to seeing notifications on our phones asking whether we would like certain applications to track our activity across other companies’ apps and websites. Typically, these tracking tools are used to examine and assess advertising efficiency. Although beneficial marketing tools, companies must be mindful of how tracking tools are used on their platform to avoid infringing on individuals’ data privacy rights.

Recently, Canadian regulators found that Tim Hortons, a coffee and bake shop chain, violated Canada’s federal privacy laws, including Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA), by tracking the movement of customers who downloaded its app every few minutes of every day. Following an app update in May 2019, the company allegedly tracked users not only when using the app, but whenever individuals’ devices were turned on, collecting massive amounts of location data without users’ knowledge.

Continue Reading In Hot Water, eh? Canadian Regulators Investigate Tim Horton’s Tracking of App Users

It was not long ago that data privacy was an afterthought for many companies, and in some regards, it may still be an afterthought. Since 2018, major laws and regulations governing companies’ collection, use, and disclosure of personal information have been enacted, including the General Data Protection Regulation (GDPR), California Consumer Privacy Act (CCPA) (amended by the California Privacy Rights Act, and soon to be joined by similar state privacy laws in Colorado, Connecticut, Indiana, Virginia, and Utah), Strengthening American Cybersecurity Act, and state data breach notification laws.
Continue Reading The Changing Landscape of Privacy and Data Security in Mergers and Acquisitions

Recently, multiple states have enacted and passed new data privacy laws and bills (Colorado, Virginia, Utah, California Privacy Rights Act, Connecticut, Indiana, and Ohio). Rightfully so, these laws and bills have garnered much of the media attention. However, in the midst of all the new state data privacy laws, new bills regulating “data brokers” have begun to emerge. To no surprise, California is leading the way with its Data Broker Registration Law, which was enacted in 2019.
Continue Reading Am I A Data Broker?: A Quick Primer on State Laws Regulating a Growing Industry