Privacy

During its June 8, 2022 board meeting, the California Privacy Protection Agency (CPPA) voted to initiate the formal California Privacy Rights Act (CPRA) rulemaking process.  The draft rules are expected to be very similar to those previously published in advance of the Board meeting, although Deputy Attorney General Lisa Kim noted during the meeting that

            After years of negotiations, members of the U.S. Senate and House of Representatives have released bipartisan comprehensive privacy legislation—the American Data Privacy and Protection Act.  Democrats and Republicans have put forward separate proposals in the past that have more in common than different.  The two main points of disagreement that have historically stalled a comprehensive proposal are whether there should be a private right of action for privacy violations and to what extent federal laws should preempt state laws.  Even though this new draft takes novel approaches to both of those issues, division continues.  The chances of Congress passing privacy legislation this session or the next will turn on whether a broader consensus can be found in these two areas, especially after outside stakeholders and the business community now have an opportunity to fully engage.

            Aside from the private right of action and preemption, there is general agreement on how personal information should be collected, used, and shared.  For example, the main Democratic proposal, the Consumer Online Privacy Rights Act (S. 3195) introduced by Senator Maria Cantwell (D-WA), creates consumer rights to delete or correct data and port personal information.  Likewise, Republicans, led by Senators Roger Wicker (R-MS) and Marsha Blackburn (R-TN), have introduced the Setting an American Framework to Ensure Data Access, Transparency, and Accountability (SAFE DATA) Act (S. 2499), which would do largely the same.  The American Data Privacy and Protection Act unsurprisingly follows along these lines as well.  The most notable differences between the parties’ positions have been that the Democratic proposal has a private right of action, while the Republic version has no private right and would completely preempt state law.  The challenge continues to be finding a middle ground between these two approaches.  In particular, whether there is a way to address concerns about repeated lawsuits and opportunities to preserve at least some ability for states to enact and enforce their own regulations.

Continue Reading IS CONGRESS ABOUT TO PASS COMPREHENSIVE PRIVACY LEGISLATION?

In advance of the June 8, 2022 board meeting, the California Privacy Protection Agency (CPPA) staff has posted draft rules implementing the California Privacy Rights Act (CPRA).  The draft regulations keep much of the pre-existing California Consumer Privacy Act (CCPA) regulations intact, but modify certain provisions and propose new regulations.  A copy of the proposed

On May 19, the Federal Trade Commission (“FTC”) adopted, on a unanimous basis, a policy statement reminding educational technology vendors (“ed tech vendors”) of their duty to comply with the substantive privacy protections of the Children’s Online Privacy Protection Act (“COPPA”) and the Commission-issued COPPA Rule.  The policy statement reiterates the requirements of the Rule and previous informal guidance from Commission staff, and makes clear that ed tech vendors may not submit children to commercial surveillance and data monetization practices when using technology in the classroom.

The FTC’s COPPA Rule, which became effective in 2000 and was most recently amended in 2013, is intended to place parents in control over the information collected from their children online.  A major component of the Rule is that commercial online operators must (1) provide parents with notice of data collection and (2) obtain parental consent before the collection of personal information of children under age 13.

Recognizing the unique benefits of ed tech, the new policy statement reminds ed tech vendors that their compliance with the Rule extends beyond the notice and consent requirement.  Specifically, the FTC intends to scrutinize the activities of ed tech vendors in the following areas:

Continue Reading FTC Unanimously Adopts Policy Statement on Education Technology and COPPA

The Connecticut legislature passed Connecticut SB 6 on April 28, 2022.  If signed by the governor, the bill would take effect on July 1, 2023, though the task force created by the bill will be required to begin work sooner.

The bill closely resembles the Colorado Privacy Act, with a few notable additions.  Like the

In his State of the Union address last week, President Biden declared that he wants to: “strengthen privacy protections, ban targeted advertising to children, and demand tech companies stop collecting personal data on our children.”  This statement comes just a couple of weeks after Senators Richard Blumenthal (D-CT) and Marsha Blackburn (R-TN) introduced the Kids

This quarterly update summarizes key federal legislative and regulatory developments in the first quarter of 2022 related to artificial intelligence (“AI”), the Internet of Things (“IoT”), connected and automated vehicles (“CAVs”), and data privacy, and highlights a few particularly notable developments in the States.  In the first quarter of 2022, Congress and the Administration focused

As companies begin to prepare their CPRA compliance strategies, they are grappling with whether to include personal information processed in employment and business-to-business contexts. Currently, the CPRA’s partial exemptions for both of those types of data sunset on December 31, 2022. However, last week, the CA legislature introduced AB 2871 and AB 2891. AB