During its June 8, 2022 board meeting, the California Privacy Protection Agency (CPPA) voted to initiate the formal California Privacy Rights Act (CPRA) rulemaking process. The draft rules are expected to be very similar to those previously published in advance of the Board meeting, although Deputy Attorney General Lisa Kim noted during the meeting that

Lindsey Tonsager
Lindsey Tonsager helps national and multinational clients in a broad range of industries anticipate and effectively evaluate legal and reputational risks under federal and state data privacy and communications laws.
In addition to assisting clients engage strategically with the Federal Trade Commission, the U.S. Congress, and other federal and state regulators on a proactive basis, she has experience helping clients respond to informal investigations and enforcement actions, including by self-regulatory bodies such as the Digital Advertising Alliance and Children’s Advertising Review Unit.
Ms. Tonsager’s practice focuses on helping clients launch new products and services that implicate the laws governing the use of endorsements and testimonials in advertising and social media, the collection of personal information from children and students online, behavioral advertising, e-mail marketing, artificial intelligence the processing of “big data” in the Internet of Things, spectrum policy, online accessibility, compulsory copyright licensing, telecommunications and new technologies.
Ms. Tonsager also conducts privacy and data security diligence in complex corporate transactions and negotiates agreements with third-party service providers to ensure that robust protections are in place to avoid unauthorized access, use, or disclosure of customer data and other types of confidential information. She regularly assists clients in developing clear privacy disclosures and policies―including website and mobile app disclosures, terms of use, and internal social media and privacy-by-design programs.
The CPPA Meets on May 26th, 2022
The California Privacy Protection Agency (“CPPA”) held a board meeting on May 26th, 2022. At the meeting, Executive Director Ashkan Soltani, Acting General Counsel Brian Soublet, and members of the Board offered insight into the following key topics:
- Bifurcation of CPRA Rulemaking Process: The Board’s CPRA Rules Subcommittee indicated that the CPPA’s rulemaking process will
California Privacy Protection Agency Staff Posts Draft Rules Implementing the CPRA
In advance of the June 8, 2022 board meeting, the California Privacy Protection Agency (CPPA) staff has posted draft rules implementing the California Privacy Rights Act (CPRA). The draft regulations keep much of the pre-existing California Consumer Privacy Act (CCPA) regulations intact, but modify certain provisions and propose new regulations. A copy of the proposed…
FTC Unanimously Adopts Policy Statement on Education Technology and COPPA
On May 19, the Federal Trade Commission (“FTC”) adopted, on a unanimous basis, a policy statement reminding educational technology vendors (“ed tech vendors”) of their duty to comply with the substantive privacy protections of the Children’s Online Privacy Protection Act (“COPPA”) and the Commission-issued COPPA Rule. The policy statement reiterates the requirements of the Rule and previous informal guidance from Commission staff, and makes clear that ed tech vendors may not submit children to commercial surveillance and data monetization practices when using technology in the classroom.
The FTC’s COPPA Rule, which became effective in 2000 and was most recently amended in 2013, is intended to place parents in control over the information collected from their children online. A major component of the Rule is that commercial online operators must (1) provide parents with notice of data collection and (2) obtain parental consent before the collection of personal information of children under age 13.
Recognizing the unique benefits of ed tech, the new policy statement reminds ed tech vendors that their compliance with the Rule extends beyond the notice and consent requirement. Specifically, the FTC intends to scrutinize the activities of ed tech vendors in the following areas:…
Continue Reading FTC Unanimously Adopts Policy Statement on Education Technology and COPPA
Connecticut Legislature Passes Comprehensive Privacy Bill
The Connecticut legislature passed Connecticut SB 6 on April 28, 2022. If signed by the governor, the bill would take effect on July 1, 2023, though the task force created by the bill will be required to begin work sooner.
The bill closely resembles the Colorado Privacy Act, with a few notable additions. Like the…
Utah Legislature Passes Comprehensive Privacy Bill
Utah appears poised to be the next state with a comprehensive privacy law on its books, following California, Virginia, and Colorado. On March 2nd, the Utah House of Representatives voted unanimously to approve an amended version of the legislative proposal, and the Senate concurred with the House amendment on the following day. …
California Legislature Introduces Bills To Extend Employment and Business-To-Business Data Exemptions
As companies begin to prepare their CPRA compliance strategies, they are grappling with whether to include personal information processed in employment and business-to-business contexts. Currently, the CPRA’s partial exemptions for both of those types of data sunset on December 31, 2022. However, last week, the CA legislature introduced AB 2871 and AB 2891. AB…
California Privacy Protection Agency Clarifies Timing of Forthcoming CPRA Regulations
Last week the California Privacy Protection Agency (“CPPA”) held its sixth Board meeting and first meeting of 2022. The meeting notably included a discussion of the expected timing for issuing final regulations implementing the California Privacy Rights Act.
As a reminder, the Agency gave notice to the California Attorney General on October 21, 2021 that…
State Legislative Trends to Watch in 2022
A new year means new state privacy bills introduced in states across the country. With two additional states joining California last year with the passage of the Virginia Consumer Data Protection Act and the Colorado Privacy Act, it is likely that more states will join the fray this year in creating a patchwork of comprehensive…
Senators Introduce Legislation to Regulate Privacy and Security of Wearable Health Devices and Genetic Testing Kits
Last week, Senators Amy Klobuchar (D-MN) and Lisa Murkowski (R-AK) introduced the Protecting Personal Health Data Act (S. 1842), which would provide new privacy and security rules from the Department of Health and Human Services (“HHS”) for technologies that collect personal health data, such as wearable fitness trackers, social-media sites focused on health…