Privacy & Information Security Law Blog

On April 7, 2024, U.S. Sen. Maria Cantwell (D-WA) and U.S. Rep. Cathy McMorris Rodgers (R-WA) released a discussion draft of the latest federal privacy proposal, known as American Privacy Rights Act (“APRA” or the “Act”). The APRA builds upon the American Data Privacy and Protection Act (“ADPPA”), which was introduced as H.R. 8152 in the 117th Congress and advanced out of the House Energy and Commerce Committee but did not become law. As the latest iteration of a federal privacy proposal, the APRA signals that some members of Congress continue to seek to create a federal standard in the wake of—and in spite of—the ever-growing patchwork of state privacy laws.

On April 2, 2024, the California Privacy Protection Agency (“CPPA”) Enforcement Division issued its first Enforcement Advisory, titled “Applying Data Minimization to Consumer Requests.”  The purpose of this Enforcement Advisory is to address the CPPA Enforcement Division’s observation that some businesses are asking consumers “to provide excessive and unnecessary personal information in response to requests that consumers make under the CCPA.” The Enforcement Advisory serves as a reminder to businesses to apply the data minimization principle to each purpose for which they collect, use, retain and share consumers’ personal information, including information that businesses collect when processing consumers’ CCPA requests.  The Enforcement Advisory provides further guidance on how businesses may comply with the principle, noting, however, that in general, Enforcement Advisories “do not implement, interpret or make specific the law enforced or administered by the [CPPA], establish substantive policy or rights, constitute legal advice or reflect the views of the [CPPA]’s Board.” The Advisory notes several other caveats, reiterating the general point that  Enforcement Advisories do not have the force of law or safe harbor for CCPA compliance purposes.  However, the guidance provides illustrative hypotheticals and substantive insight into how the CPPA may approach enforcement in certain areas and “encourages” businesses to voluntarily comply with the law.

On March 8, 2024, the California Privacy Protection Agency (“CPPA”) Board discussed and voted 3-2 in favor of further edits to revised draft regulations regarding risk assessments and automated decisionmaking technology (“ADMT”), which were released in February 2024, but did not initiate the formal rulemaking process for these regulations, which is anticipated to begin in July 2024.

As reported on the Hunton Employment & Labor Perspectives blog, on February 15, 2024, California lawmakers introduced the bill AB 2930. AB 2930 seeks to regulate use of artificial intelligence (“AI”) in various industries to combat “algorithmic discrimination.” The proposed bill defines “algorithmic discrimination” as a “condition in which an automated decision tool contributes to unjustified differential treatment or impacts disfavoring people” based on various protected characteristics including actual or perceived race, color, ethnicity, sex, national origin, disability and veteran status. 

On February 12, 2024, California bill AB-1949 was referred to the Assembly Committee on Privacy and Consumer Protection. The bill would amend the California Consumer Privacy Act (as amended by the California Privacy Rights Act) (the “CCPA”) to significantly expand businesses’ obligations with respect to the personal information of consumers under the age of 18.

On February 21, 2024, the California Attorney General announced that it had reached a settlement resolving an enforcement action under the California Consumer Privacy Act (“CCPA”) and the California Online Privacy Protection Act (“CalOPPA”) brought against online food delivery company  DoorDash, Inc. (the “Company”). This is the AG’s second CCPA enforcement settlement, following the agency’s settlement with Sephora.

On February 9, 2024, a California state court of appeal ruled in favor of the California Privacy Protection Agency (“CPPA”) and vacated the lower court order postponing enforcement of the CPPA’s final regulations under the California Consumer Privacy Act.

In the latest evolution of lawsuits challenging technologies that track website users, California class action plaintiffs have begun to file under a new theory—the pen register and trap and trace device theory under Section 638.51 of the California Invasion of Privacy Act (“CIPA”).

On November 27, 2023, the California Privacy Protection Agency (“CPPA”) published its draft regulations on automated decisionmaking technology (“ADMT”). The regulations propose a broad definition for ADMT that includes “any system, software, or process—including one derived from machine-learning, statistics, or other data-processing or artificial intelligence—that processes personal information and uses computation as whole or part of a system to make or execute a decision or facilitate human decisionmaking.” ADMT also would include profiling, which would mean the “automated processing of personal information to evaluate certain personal aspects relating to a natural person and in particular to analyze or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behavior, location, or movements.”

The California Privacy Protection Agency (“CPPA”) Board (the “Board”) announced an upcoming public meeting to take place over Zoom on Friday, December 8, 2023 at 9 am PST.

On October 8, 2023 and October 10, 2023, California Governor Gavin Newsom signed A.B. 947, A.B. 1194, S.B. 362 and S.B. 244 into law. A.B. 947 amends the California Consumer Privacy Act of 2018’s (“CCPA”) definition of “sensitive personal information” to include personal information that reveals a consumer’s “citizenship or immigration status,” while A.B. 1194 amends the CCPA to require a business to comply with the obligations imposed by the CCPA if the personal information collected by the business contains information related to accessing, procuring or searching for services regarding contraception, pregnancy care and perinatal care, including, but not limited to, abortion services, unless the personal information is used for a specified business purposes as defined by the CCPA, is only retained in aggregated and deidentified form and is not sold or shared.

On October 18, 2023, California Attorney General Rob Bonta filed an appeal to overturn a preliminary injunction issued by the U.S. District Court for the Northern District of California last month that prevents the enforcement of the California Age-Appropriate Design Code Act (“CA AADC”). The appeal was submitted to the U.S. Court of Appeals for the Ninth Circuit and marks an important step in assessing the potential progress of the CA AADC.

On September 29, 2023, the Supreme Court of the United States (“SCOTUS”) accepted petitions challenging the constitutionality of social media laws in Florida and Texas. Florida’s law, S.B. 7072, prohibits “a social media platform from willfully deplatforming a [political] candidate.” Texas’s law, H.B. 20, refers to social media platforms as “common carriers” that are “central public forums for public debate,” and requires common carriers to publicly disclose information related to the common carrier’s method of recommending content to users, content moderation efforts, use of algorithms to determine search results, and the common carrier’s ordinary disclosures to its users on user performance data for each of its platforms. Both of these laws were challenged by NetChoice, LLC, a national trade association of large online businesses, who had recent successes in blocking several laws, including the California Age-Appropriate Design Code and a similar social media law in Arkansas.

On September 14, 2023, California Attorney General Rob Bonta announced a $93 million settlement with Google, LLC (“Google”) resolving alleged violations of California’s false advertising law and unfair competition law.

On September 14, 2023, the California legislature passed S.B. 362 (“Act”), a bill that would impose new requirements on data brokers and grant residents new rights designed to facilitate control over their personal data. S.B. 362 is now awaiting signature by California Governor Gavin Newsom. The Act aims to close a loophole in the California Consumer Privacy Act (“CCPA”) that allows consumers to request that data brokers delete personal information obtained directly from the consumer, but does not require data brokers to delete personal information obtained from other sources. 

On September 18, 2023, Judge Beth Labson Freeman of the U.S. District Court for the Northern District of California granted NetChoice’s request for preliminary injunction in NetChoice v. Bonta, finding that NetChoice is likely to succeed on its claim that the California Age-Appropriate Design Code (“CA AADC”) violates the First Amendment. Specifically, the Court found that, as a speech restriction, the CA AADC would likely fail both strict scrutiny and a lesser standard of scrutiny. The preliminary injunction blocks the CA AADC from going into effect until the case is ...

On August 31, 2023, NetChoice, a national trade association of large online businesses, filed supplemental briefing in its challenge to the California Age-Appropriate Design Code (“CA AADC”). The success or failure of NetChoice’s lawsuit will determine whether companies need to be CA AADC-compliant on July 1, 2024 when the law is anticipated to take effect.

On August 29, 2023, the California Privacy Protection Agency (“CPPA”) Board issued draft regulations on Risk Assessment and Cybersecurity Audit (the “Draft Regulations”). The CPPA Board will discuss the Draft Regulations during a public meeting on September 8, 2023.

On July 10, 2023, California Governor Newsom signed into law A.B. 127, which places the working group for the California Age-Appropriate Design Code Act (the “Act”) under the California Office of the Attorney General. The Act creates a working group, formally named the California Children’s Data Protection Working Group, to produce a report on recommendations for best practices concerning children’s access to online services. Under A.B. 127, the deadline for the first report from the working group will be pushed back from January 1, 2024, to July 1, 2024, and the working group will be required to consist of only nine members, instead of the original 10-member requirement.

On July 14, 2023, California Attorney General Rob Bonta (“California AG”) announced a new enforcement sweep aimed at ensuring that companies comply with the California Consumer Privacy Act of 2018 (“CCPA”) with respect to the personal information of employees and job applicants. The exemption for HR-related data under the CCPA expired on January 1, 2023, when the amendments to the CCPA made by the California Privacy Rights Act of 2020 became operative.

On June 29, 2023, the Superior Court of California for the County of Sacramento issued a Tentative Ruling providing for a postponement of enforcement of final CPRA regulations for 12 months after the regulations were finalized (i.e., March 29, 2024). Tentative Rulings are posted by a court the day before a writ or motion is noticed for a hearing and state how the court intends to rule on the motion based on the papers filed by the parties. The ruling may change based on oral argument.  The hearing on the Petition for Writ of Mandate for the CPRA regulations was noticed for June 30, 2023 at ...

On May 24, 2023 Google LLC (“Google”) announced its recently updated privacy terms providing that, for many of Google’s advertising services, it will no longer act as a service provider for the purposes of the California Privacy Rights Act of 2020 (“CPRA”). The change may affect businesses’ prior determinations of whether they “sell” personal information under the California Consumer Privacy Act of 2018 (“CCPA”). The updated terms take effect on July 1, 2023, the day CPRA enforcement begins.

On May 22, 2023, the Federal Trade Commission filed an amicus brief in support of a ruling by the United States Court of Appeals for the Ninth Circuit that COPPA does not preempt state laws claims that are consistent with COPPA.

On May 4, 2023, the California Privacy Protection Agency (“CPPA”) Board announced that it will hold a public meeting on May 15, 2023 to discuss California Privacy Rights Act of 2020 (“CPRA”) regulations proposals and priorities, and other CPPA activities.

On March 30, 2023, the California Privacy Protection Agency (“CPPA”) announced that California’s Office of Administrative Law (“OAL”) approved the CPPA’s substantive rulemaking package to implement the California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act of 2020 (“CPRA”).

On Monday, March 27, 2023, the Centre for Information Policy Leadership (CIPL) at Hunton Andrews Kurth submitted a response to the California Privacy Protection Agency (CPPA)’s Invitation for Preliminary Comments on Proposed Rulemaking for cybersecurity audits, risk assessments and automated decisionmaking.

On March 15, 2023, the Colorado Attorney General’s Office finalized rules implementing the Colorado Privacy Act (“CPA”). The finalized rules were released with an official redline that reflects prior revisions of the rules dated December 21, 2022, January 27, 2023, and February 23, 2023. The rules will be published in the Colorado Register later this month and will go into effect on July 1, 2023, when the CPA takes effect.

On March 3, 2023, the California Privacy Protection Agency (“CPPA”) Board held a public meeting regarding the Agency’s priorities, budget, the status of the California Privacy Rights Act of 2020 (“CPRA”) rulemaking process and the activities of the CPPA subcommittees. The meeting focused on the following topics:

On February 24, 2023, Representative Patrick T. McHenry of North Carolina introduced a bill proposing the creation of the Data Privacy Act of 2023. The bill proposes to amend the Gramm-Leach-Bliley Act (“GLBA”) by making the following changes:

On February 21, 2023, the California Privacy Protection Agency (“CPPA”) Board announced that it will hold a public meeting on March 3, 2023 regarding the status of the California Privacy Rights Act of 2020 (“CPRA”) rulemaking process and the activities of CPPA subcommittees.

On February 14, 2023, the California Privacy Protection Agency (“CPPA”) announced that it had filed its first substantive rulemaking package for the proposed final draft California Privacy Act of 2020 (“CPRA”) regulations with California’s Office of Administrative Law (“OAL”), beginning a 30-day review period.

On February 10, 2023, the California Privacy Protection Agency (“CPPA”) issued an Invitation for Preliminary Comments on Proposed Rulemaking on cybersecurity audits, risk assessments and automated decisionmaking, topics that have not yet been addressed by the existing final draft CPRA Regulations.

On February 3, 2023, the California Privacy Protection Agency (“CPPA”) Board unanimously approved for submission to California’s Office of Administrative Law (“OAL”) proposed final California Privacy Rights Act (“CPRA”) regulations released on January 31, 2023 which update the draft CPRA regulations released on November 3, 2022.

On January 27, 2023, California Attorney General Rob Bonta announced a new enforcement sweep aimed at businesses with mobile apps and other businesses that fail to comply with the California Consumer Privacy Act (“CCPA”).

On January 23, 2023, the California Privacy Protection Agency (“CPPA”) Board announced that it will hold a public meeting on February 3, 2023 regarding the status of the California Privacy Rights Act of 2020 (“CPRA”) rulemaking process, particularly with respect to the issuance of new draft rules on risk assessments, cybersecurity audits and automated decisionmaking.

On December 16, 2022, the California Privacy Protection Agency (“CPPA”) Board held a public meeting regarding the status of the California Privacy Rights Act of 2020 (“CPRA”) rulemaking process and other topics, such as the CPPA’s advocacy regarding proposed federal and state privacy legislation.

On December 6, 2022, the California Privacy Protection Agency (“CPPA”) announced that it will hold a virtual public meeting to discuss the status of the California Privacy Rights Act of 2020 (“CPRA”) rulemaking process and other topics. Anticipated topics for discussion include:

As reported in the the Retail Industry Law Resource blog:

Plaintiff’s firms continue to file variations of state law wiretapping lawsuits over “session replay” software and “live chat” or “chatbot” applications in various jurisdictions. These filings typically allege that companies use such software tools to record users’ interactions with a website without first obtaining users’ consent, thereby violating the wiretapping, eavesdropping, or interception provisions of various state laws. Session replay software allows companies to record and play back user’s interactions on its websites. The “live chat” or “chatbot” feature allows a website user to engage in text conversations with an assistant, to which chat the company has access. These wiretapping claims threaten substantial penalties. Companies that use these web-tracking tools, however, can take steps to protect themselves from these lawsuits by a careful examination of the software being used and by evaluating what disclosures or consent may be warranted.

On November 14, 2022, Judge Edward J. Davila of the Northern District of California approved a $90 million privacy settlement against Meta Platforms, Inc. (formerly Facebook, Inc.) for unlawfully tracking user information when users were logged out of the site. Under the order granting plaintiffs’ motion for final approval of the class action settlement and attorney fees, Facebook must pay $90 million dollars in settlements, of which $26.1 million will be for attorney fees, and delete certain “wrongfully collected” data. Despite numerous objections that the settlement ...

On November 3, 2022, the California Privacy Protection Agency (“CPPA”) released new modified proposed California Privacy Rights Act (“CPRA”) regulations, which make updates to the draft CPRA regulations released on October 17, 2022. The CPPA also released an updated list of documents and other information relied upon for this most recent rulemaking.

On October 28-29, 2022, the California Privacy Protection Agency (“CPPA”) held a Board Meeting to discuss the modified proposed regulations promulgated for compliance with the California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act of 2020 (“CCPA/CPRA”), as well as the remainder of the rulemaking process. The CPPA previously released the modified proposed regulations on October 17, 2022.  

On October 17, 2022, the California Privacy Protection Agency (“CPPA”) released modified proposed regulations for compliance with the California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act of 2020 (“CCPA/CPRA”), along with an explanation of the modifications as materials for an upcoming CPPA Board Meeting. The Board Meeting scheduled for October 28-29, 2022, will discuss and take possible action, including adoption or modification, regarding the proposed regulations.

On September 27, 2022, California Governor Gavin Newsom signed into law a pair of bills designed to prevent medical information and other data held by California entities from being used in out-of-state abortion prosecutions. 

On October 13, 2022, the Interactive Advertising Bureau (“IAB”) released for public comment an updated version of its contractual framework and new U.S. State Signals (“Signals”) specifications to help the digital advertising industry comply with the comprehensive state privacy laws of California, Virginia, Colorado, Utah and Connecticut.

On October 21 and October 22, 2022, the California Privacy Protection Agency (“CPPA”) Board will hold public meetings to discuss and take possible action, including adoption or modification of proposed regulations, to “implement, interpret, and make specific” the California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act of 2020 .

On September 15, 2022, California Governor Gavin Newsom signed into law the California Age-Appropriate Design Code Act (the “Act”). The Act, which takes effect July 1, 2024, places new legal obligations on companies with respect to online products and services that are “likely to be accessed by children” under the age of 18.

On September 6, 2022, the California legislature presented Assembly Bill 2392 to Governor Gavin Newsom. AB-2392, which has not yet been signed by Governor Newsom, would allow Internet-connected device manufacturers to satisfy existing device labeling requirements by complying with National Institute of Standards and Technology (“NIST”) standards for consumer Internet of Things (“IoT”) products.

On August 24, 2022, the California Office of the Attorney General (“OAG”) announced a new wave of enforcement efforts targeted at business’ recognition of the Global Privacy Control (“GPC”), and issued an updated summary of recent CCPA enforcement efforts.

Editor’s Note: The California legislature failed to enact the proposed CCPA exemption amendments to Assembly Bill 1102.

On August 16, 2022, California Assembly Member Cooley introduced amendments to Assembly Bill 1102 that would extend the California Consumer Privacy Act’s (“CCPA’s”) temporary exemptions for HR and B2B data for an additional two years – until January 1, 2025. Under the CCPA, these exemptions are set to expire on January 1, 2023, when the amendments to the CCPA made by the California Privacy Rights Act (“CPRA”) become operative.

On August 24, 2022, California Attorney General Rob Bonta announced the Office of the Attorney General’s (“OAG’s”) first settlement of a California Consumer Privacy Act (“CCPA”) enforcement action, against Sephora, Inc.

On July 28, 2022, the California Privacy Protection Agency (“CPPA”) Board held a special public meeting to discuss agency staff’s recommendations that the Board formally oppose the draft federal American Data Privacy and Protection Act (“ADPPA”). The latest version of the ADPPA recently was voted out of the U.S. House Energy and Commerce Committee, and is set to advance to the House Floor.

On July 28, 2022, the California Privacy Protection Agency (“CPPA”) Board will hold a remote, special public meeting at 9AM PDT to discuss possible action on proposed federal privacy legislation, including the American Data Privacy and Protection Act (“ADPPA”), according to the Board’s publicly released agenda.

On July 20, 2022, the U.S. House of Representatives Committee on Energy and Commerce (the “Committee”) passed H.R. 8152, the American Data Privacy and Protection Act (“ADPPA”) (as amended), by a vote of 53-2. The ADPPA next will be put before the full House for a vote.

On July 1, 2022, the California Privacy Protection Agency (“CPPA”) sent U.S. House of Representatives Speaker Nancy Pelosi a memo outlining how H.R. 8152, the bipartisan American Data Privacy and Protection Act (“ADPPA” or the “Act”), would lessen privacy protections for Californians, and California Democrats have joined the cause.

The CPPA’s memo asserts that the ADPPA, by preempting the California Privacy Rights Act (“CPRA”) and other state privacy laws, proposes to eliminate:

On July 8, 2022, the California Privacy Protection Agency Board (“CPPA Board”) began the formal rulemaking process to establish regulations promulgating the amendments made to the California Consumer Privacy Act (“CCPA”) by the California Privacy Rights Act (“CPRA”) (collectively, the “CCPA/CPRA”). The CPPA Board issued a formal Notice of Proposed Rulemaking and Initial Statement of Reasons, and released the proposed regulations. The 45-day public comment period has now begun.

On May 26, 2022, California Attorney General Rob Bonta issued a press release reminding health app providers that California’s Confidentiality of Medical Information Act (“CMIA”) applies to mobile apps that are designed to store medical information, which includes health apps such as fertility trackers. The press release reminds health app providers that the CMIA requires businesses to preserve the confidentiality of medical information and prohibits the disclosure of medical information without proper authorization. It also urges mobile app providers to adopt robust security and privacy measures to protect reproductive health information. According to the press release, this should include, at a minimum, “assess[ing] the risks associated with collecting and maintaining abortion-related information that could be leveraged against persons seeking to exercise their healthcare rights.”

As reported in the Hunton Employment & Labor Perspectives Blog:

Assembly Bill 1651, or the Workplace Technology Accountability Act, a new bill proposed by California Assembly Member Ash Kalra, would regulate employers and their vendors regarding the use of employee data. Under the bill, data is defined as “any information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular worker, regardless of how the information is collected, inferred, or obtained.”  Examples of data include personal identity information; biometric information; health, medical, lifestyle, and wellness information; any data related to workplace activities; and online information. The bill confers certain data rights on employees, including the right to access and correct their data. 

On May 4-6, 2022, the California Privacy Protection Agency (“CPPA”) held via video conference several public pre-rulemaking stakeholder sessions regarding the California Privacy Rights Act (“CPRA”). During the sessions, stakeholders ranging from privacy and cybersecurity experts to trade associations and California small business owners provided verbal comments, insights and suggestions to the CPPA as it develops the forthcoming CPRA regulations. The sessions focused on a number of issues, including automated decision-making, data minimization and purpose limitation, dark patterns, consumers’ rights (e.g., opt-out rights, limitation on the use of sensitive personal information), and cybersecurity audits and risk assessments. Comments and positions taken amongst the stakeholders varied. Some of the positions taken by stakeholders are summarized below:

On May 10, 2022, Connecticut Governor Ned Lamont signed An Act Concerning Personal Data Privacy and Online Monitoring, after the law was previously passed by the Connecticut General Assembly in April. Connecticut is now the fifth state to enact a consumer privacy law.

On April 19, 2022, the California state legislature and an industry self-regulatory group each separately took steps to enhance online privacy protections for children who are not covered by the Children’s Online Privacy Protection Act (“COPPA”), which applies only to personal information collected online from children under the age of 13.

On March 29 and March 30, 2022, the California Privacy Protection Agency (“CPPA”) held via video conference two public pre-rulemaking informational sessions regarding the California Privacy Rights Act (“CPRA”). During the sessions, members of the California Attorney General’s Office and various privacy and cybersecurity experts led discussions on topics such as the sale and sharing of personal information, dark patterns, data privacy impact assessments, cybersecurity audits and automated decision-making. The CPPA Board has not at this time responded to the views expressed by the experts at the meetings.

On March 29 and March 30, 2022, the California Privacy Protection Agency (“CPPA”) will hold public pre-rulemaking informational sessions regarding the California Privacy Rights Act (“CPRA”) via video conference. As we previously reported, the CPPA, which has rulemaking authority under the CPRA and will be responsible for implementing and enforcing the CPRA, recently estimated that it will not publish final CPRA regulations until the third or fourth quarter of 2022.

On March 24, 2022, Utah became the fourth state in the U.S., following California, Virginia and Colorado, to enact a consumer data privacy law, the Utah Consumer Privacy Act (the “UCPA”). The UCPA resembles Virginia’s Consumer Data Protection Act (“VCDPA”) and Colorado’s Consumer Privacy Act (“CPA”), and, to a lesser extent, the California Consumer Privacy Act (as amended by the California Privacy Rights Act) (“CCPA/CPRA”). The UCPA will take effect on December 31, 2023.

On March 10, 2022, in its first formal written opinion interpreting the California Consumer Privacy Act’s (“CCPA’s”) compliance obligations, the California Attorney General (“AG”) confirmed that the CCPA grants a consumer the right to access inferences drawn from personal information collected about the consumer, even if such inferences are generated by the business (unless the business can demonstrate that a statutory exception to the CCPA applies). The opinion also makes clear that the CCPA does not require businesses to disclose trade secrets in response to access requests. The decision interprets the CCPA’s existing language, as opposed to creating new obligations with respect to access requests made pursuant to the CCPA.

On March 2, 2022, eight states announced a bipartisan, nationwide investigation into whether TikTok operates in a way that causes or exacerbates harm to the physical and mental health of children, teens and young adults. The probe will further consider whether the company violated state consumer protection laws and put the public at risk.

On February 18, 2022, California Assembly Member Evan Low (D) introduced a pair of bills – AB 2871 and AB 2891 – that would extend the duration of the current exemptions in the California Consumer Privacy Act (“CCPA”) (as amended by the California Privacy Rights Act (“CPRA”)) for certain HR data and business-to-business (“B2B”) customer representative personnel data from most of the law’s requirements. The existing temporary “HR” and “B2B” exemptions were first introduced through amendments to the CCPA, and were extended by the CPRA, under which the exemptions will sunset on the CPRA’s compliance deadline, January 1, 2023.

On February 17, 2022, the California Privacy Protection Agency (“CPPA”) announced at a board meeting that it will delay the publication of final regulations under the California Privacy Rights Act (“CPRA”). As drafted, the CPRA provides for regulations to be finalized by July 1, 2022, to allow for a six-month compliance window ahead of the law’s January 1, 2023 effective date. However, the CPPA estimated that it will not publish final regulations until the third or fourth quarter of 2022. The CPPA also indicated that it may not issue draft regulations until June 2022. The CPPA cited delays in hiring staff and beginning operations as reasons for the delayed rulemaking process.

On February 14, 2022 the FTC announced that, at the agency’s request, federal courts in California ordered two Voice over Internet Protocol (“VoIP”) service providers to produce information as part of ongoing investigations by the FTC into telemarketing calls and robocalls made in violation of the Telemarketing Sales Rule (“TSR”). Failure to comply with the court orders could result in the VoIP service providers being held in contempt of court.

On January 24, 2022, a group of state attorneys general (Indiana, Texas, D.C. and Washington) (the “State AGs”) announced their commitment to ramp up enforcement work on “dark patterns” that are used to ascertain consumers’ location data. The State AGs created a plan to initiate lawsuits alleging that consumers of certain online services are falsely led to believe that they can prevent the collection of their location data by changing their account and device settings, when the online services do not, in fact, honor such settings. The State AGs have alleged that this practice constitutes a deceptive and unlawful trade practice under applicable state consumer protection law. The State AGs’ announcement highlights the underlying concern that consumers may be provided with a choice to opt out of location tracking but still have their location data made accessible to certain online service providers.

On January 28, 2022, California Attorney General Rob Bonta published a statement regarding recent investigations conducted by the California Office of Attorney General (“AG”) with respect to businesses operating loyalty programs and their compliance with the California Consumer Privacy Act’s (“CCPA’s”) financial incentive requirements. As a result of the investigations, the AG’s Office sent non-compliance notices to major corporations across multiple sectors, including retail, food services, travel and home improvement. The businesses have 30 days to cure the alleged CCPA violations and bring their loyalty programs into compliance with the CCPA. Otherwise, enforcement action can be initiated.

During the week of October 4, 2021, California Governor Gavin Newsom signed into law bills amending the California Privacy Rights Act of 2020 (“CPRA”), California’s data breach notification law and California’s data security law. Additional bills, amending the California Confidentiality of Medical Information Act (“CMIA”) and the California Insurance Code, also were also signed into law. The Governor also signed into law a bill protecting the privacy and security of genetic data processed by direct-to-consumer genetic testing companies and a bill designed to prevent the sale, purchase and use of data obtained by illegal means.

On October 4, 2021, the California Privacy Protection Agency (“CPPA”) appointed Ashkan Soltani as its first Executive Director. Soltani, a former chief technologist for the Federal Trade Commission and senior advisor to the White House, began his new role on Monday. He also is a distinguished fellow at the Georgetown Law Institute for Technology Law and Policy and the Georgetown Center on Privacy and Technology.

On September 22, 2021, the California Privacy Protection Agency (“CPPA” or “Agency”) issued an Invitation for Preliminary Comments on Proposed Rulemaking Under the California Privacy Rights Act of 2020 (“CPRA”). The CPPA was established by the CPRA, which vested the Agency with full administrative power, authority and jurisdiction to implement and enforce the CCPA. The Agency’s responsibilities include updating existing regulations and adopting new regulations.

The California Attorney General (“AG”) recently released a summary of enforcement actions the agency brought against companies in violation of the CCPA since enforcement of the Act began on July 1, 2020. The summary provides 27 illustrative examples of instances in which the AG sent notices of alleged noncompliance with the CCPA and how each company cured the alleged noncompliance.

The California Attorney General has updated its CCPA FAQs to state that the newly developed Global Privacy Control (“GPC”) “must be honored by covered businesses as a valid consumer request to stop the sale of personal information.”

July 1, 2021 marks the deadline for certain businesses to comply with the metrics reporting obligations under the California Consumer Privacy Act of 2018 (“CCPA”) regulations. Section 999.317(g) of the regulations applies to any business that is subject to the CCPA and that knows or reasonably should know that it, alone or in combination, buys, receives for the business’s commercial purposes, sells, or shares for commercial purposes the personal information of 10,000,000 or more California residents in a calendar year.

On March 18, 2021, Lisa Sotto, Chair of Hunton’s global Privacy and Cybersecurity practice, and Mike Swift, MLaw Chief Global Digital Risk Correspondent, led a webinar on Everything You Need to Know About the California Privacy Rights Act. The webinar, which was part of LexisNexis’ Emerging Issues Webinar Series, provides an immersive look at the California Privacy Rights Act (“CPRA”) and other recent privacy laws.

On April 1, 2021, California’s Supreme Court ruled unanimously that the state’s prohibition on recording calls without consent applies to parties on the call and not just third-party eavesdroppers. Writing for the Court, Chief Justice Tani G. Cantil-Sakauye wrote that California’s penal code “prohibits parties as well as nonparties from intentionally recording a communication transmitted between a cellular or cordless phone and another device without the consent of all parties to the communication.”

As reported by Bloomberg Law, on March 17, 2021, the five board members of the California Privacy Protection Agency (“CPPA”) were announced. The CPPA was established by the California Privacy Rights Act (“CPRA”), which was approved by California voters during the November 2020 election.

On March 15, 2021, the California Attorney General (“AG”) approved additional CCPA Regulations that impact certain sections of the initial CCPA Regulations that went into effect on August 14, 2020. These amendments, which were the subject of the third and fourth sets of proposed modifications, went into effect on March 15, 2021.

On February 5, 2021, the state Senate of Virginia voted unanimously to approve Senate Bill 1392, titled the Consumer Data Protection Act, after the House of Delegates approved an identical House bill by an 89-9 vote. Each bill likely will be heard in committee next week by the opposite chamber, which provides additional opportunities to make amendments. Minor, clarifying amendments will likely be added in committee, but they are not expected to alter the main components of the bill. Virginia’s General Assembly will adjourn Sine Die on March 1, and legislators have until then to finalize the details of the legislation. Virginia’s Governor Ralph Northam would be in a position to sign the bill later in March. Notably, the Governor has line item veto authority, so the bill could also possibly be amended after it passes the General Assembly.

This is an extraordinary and unprecedented time for the retail industry. Hunton Andrews Kurth’s 2020 Retail Industry Year in Review provides an in-depth analysis of the issues and challenges that retailers faced in the past year, and a look ahead at what they can expect in 2021. The Year in Review includes several articles authored by our privacy and cybersecurity lawyers, including on topics such as the cashier-less technology revolution, the California Privacy Rights Act of 2020 and “buy now, pay later” plans.

Read the full publication.

On December 10, 2020, the California Attorney General (“AG”) issued a fourth set of proposed modifications to the regulations implementing the California Consumer Privacy Act of 2018 (“CCPA”). This set of modifications builds upon the third draft set previously issued on October 12, 2020, which had not been finalized. Specifically, the modifications would revise portions of the regulations relating to the notice of right to opt-out.

According to the AG’s website, the fourth set of modified draft regulations are subject to another public comment period. The ...

On November 19, 2020, Hunton Andrews Kurth will host a webinar examining the recently approved California Privacy Rights Act (“CPRA”) and how it revises the California Consumer Privacy Act of 2018 (“CCPA”).

On September 18, 2020, the U.S. Department of Commerce (“Commerce”) announced detailed sanctions relating to the mobile applications WeChat and TikTok. These prohibitions were issued in accordance with President Trump’s Executive Orders issued on August 6, 2020, imposing economic sanctions against the platforms under the International Emergency Economic Powers Act (50 U.S.C. § 1701 et seq.) and the National Emergencies Act (50 U.S.C. § 1601 et seq.). These orders, if they become fully effective, will (1) prohibit mobile app stores in the U.S. from permitting downloads or updates to the WeChat and TikTok mobile apps; (2) prohibit U.S. companies from providing Internet backbone services that enable the WeChat and TikTok mobile apps; and (3) prohibit U.S. companies from providing services through the WeChat mobile app for the purpose of transferring funds or processing payments to or from parties. The sanctions do not target individual or business use of the applications but are expected to degrade the ability of persons in the United States to use the apps for the purposes they were designed to serve.

UPDATE: On September 29, 2020, California Governor Gavin Newsom vetoed AB 1138.

On September 8, 2020, AB 1138, the Parent’s Accountability and Child Protection Act, was enrolled and presented to the California Governor for signature. If signed into law by the Governor, the bill would require a business that operates a social media website or application, beginning July 1, 2021, to obtain verifiable parental consent for California-based children that the business “actually knows” are under 13 years of age (hereafter, “Children”). The bill defines “social media” to mean an electronic service or account held open to the general public to post, on either a public or semi-public page dedicated to a particular user, electronic content or communication, including but not limited to videos, photos or messages intended to facilitate the sharing of information, ideas, personal messages or other content.

UPDATE: On September 25, 2020, California Governor Gavin Newsom vetoed SB-980.

On August 31, 2020, the California Senate joined the Assembly in passing SB-980, as amended, a bill to establish the Genetic Information Privacy Act (the “Act”), which would require direct-to-consumer genetic testing companies to comply with certain privacy and data security provisions, including providing consumers with prescribed notice; obtaining consumers’ express consent regarding the collection, use and disclosure of genetic data; and enabling consumers to access and delete their genetic data. The bill is pending California Governor Gavin Newsom’s signature.

Earlier this year, The Retail Equation, a loss prevention service provider, and Sephora were hit with a class action lawsuit in which the plaintiff claimed Sephora improperly shared consumer data with The Retail Equation without consumers’ knowledge or consent. The plaintiff claimed The Retail Equation did so to generate risk scores that allegedly were “used as a pretext to advise Sephora that attempted product returns and exchanges are fraudulent and abusive.”

On July 1, 2020, the Dubai International Financial Centre (“DIFC”) Data Protection Law No. 5 of 2020 came into effect (“New DP Law”). Due to the current pandemic, a three-month grace period, running until October 1, 2020, has been provided for companies to comply. The New DP Law replaces DIFC Law No. 1 of 2007. The release of the New DP Law is, in part, an effort to ensure that the DIFC, a financial hub for the Middle East, Africa and South Asia, meets the standard of data protection required to receive an “adequacy” finding from the European Commission and the United Kingdom, meaning that companies may transfer EU/UK personal data to the DIFC without putting in place a transfer mechanism (such as Standard Contractual Clauses).

On July 1, 2020, the California Consumer Privacy Act of 2018 (“CCPA”) became enforceable by the California Attorney General. Under the statute, businesses are granted 30 days to cure any alleged violations of the law after being notified of alleged noncompliance. If a business fails to cure the alleged violation, it may be subject to an injunction and liable for a civil penalty of up to $2,500 for each violation or $7,500 for each intentional violation.

On June 11, 2020, the California Senate amended AB-713 to the California Consumer Privacy Act of 2018 (“CCPA”). The Senate’s recent amendments impose new contractual obligations on the use or sale of de-identified information and modify the exemption from the CCPA for information used for public health purposes. The California Assembly had originally passed AB-713 in 2019 to (1) explicitly carve out from coverage by the CCPA information de-identified pursuant to the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) Privacy Rule, and (2) expand the CCPA exemption for information used for research purposes. AB-713 is intended to “preserv[e] access to information needed to conduct important health-related research that will benefit Californians.” The revised version of AB-713 containing the Senate’s recent amendments has not yet passed either house of the California legislature.

The Federal Trade Commission (“FTC”) announced its latest Children’s Online Privacy Protection Act (“COPPA”) settlement with California-based app developer HyperBeard and its individual principals. According to the FTC, since at least 2016, HyperBeard has offered a number of child-directed mobile apps, with names like BunnyBuns, KleptoCats and NomNoms that featured brightly colored, animated characters, such as cats, dogs, bunnies, chicks, monkeys and other cartoon characters, and that are described in child-friendly terms like “super cute” and “silly.” These apps are free to download and play, but they generate revenue through in-app advertising and purchases. The FTC alleges that the defendants were aware that children were using their apps, and that they promoted them to child audiences on a kids’ entertainment website, through children’s books and through the merchandizing of officially licensed plush stuffed animals and toys. Defendants allowed third-party ad networks to collect persistent identifiers from children in order to serve them with interest-based ads without parental notice or consent, in violation of COPPA.

On June 1, 2020, the Office of the California Attorney General submitted the final California Consumer Privacy Act (“CCPA”) proposed regulations to the California Office of Administrative Law (“OAL”). Notably, the final proposed regulations are the same as the draft issued in March. The OAL must review the rulemaking package for procedural compliance with California’s Administrative Procedure Act. The OAL’s typical 30-day review period has been extended by 60 calendar days under an executive order related to the COVID-19 pandemic. Assuming OAL approves the regulations, the final text will be filed with the Secretary of State.