US Consumer Privacy Acts

In October, California enacted its newest privacy legislation, commonly referred to as the “Delete Act” (California Senate Bill No. 362). The Delete Act will allow consumers to request that any data broker that maintains any personal information related to that consumer delete such personal information.

The ever-evolving data privacy landscape continues to become more complex as new developments play out on the global stage. In the United States, a number of individual state laws have come into force, with more following in close step, and a new focus is emerging in health data protection. Across the pond, the EU-US Data Privacy Framework became effective and the UK government introduced a new draft of the UK Data Protection and Digital Information Bill. China and the Middle East’s approach to privacy continues to focus on cross-border data transfers and adaptations to new technologies, with the Gulf Cooperation Council region attaching significant penalties and enforcement actions in response to violations of the law.

The EU-US Data Privacy Framework (DPF) became effective on July 10, and on the same day, the European Commission adopted an Adequacy Decision relating to the DPF. As a successor of the EU-US Privacy Shield, the EU-US DPF facilitates the transfer of EU personal data to participating organizations in the United States.

The My Health My Data Act, signed by the governor of Washington State, is expected to have an impact on the privacy practices of a wide range of digital health businesses—potentially reaching beyond the state’s borders. While the Act takes effect on March 31, 2024 for regulated entities and on June 30, 2024 for small businesses, the Act's geofencing provision will become effective on July 23, 2023.

The need for privacy and cybersecurity compliance measures has become a paramount consideration as businesses become more digitally driven, data breaches become more publicized, and regulation continues to increase. Morgan Lewis privacy and cybersecurity lawyers advise clients operating in the United States, Europe, South America, and Asia on compliance with privacy and cybersecurity regulations. This global privacy year in review takes an in depth look at privacy and cybersecurity updates around the globe.

The California Privacy Rights Act (CPRA) and Virginia Consumer Data Protection Act (VCDPA) took effect on January 1, 2023, establishing some of the most comprehensive consumer privacy rights within the United States. In this post we highlight these changes in law and provide a checklist to help companies comply with these new legal challenges.

Welcome to the second post in our Spotlight series, where we talk with a leader in a particular field or emerging area of interest to technology and sourcing lawyers and professionals.

The California attorney general released a fourth set of proposed modifications to the California Consumer Privacy Act regulations; notable regulatory changes include a new opt-out button for websites and an offline notice of the right to opt out.

A majority of California voters approved the California Privacy Rights Act of 2020 (CPRA) on November 3. The CPRA expands provisions of the California Consumer Privacy Act (CCPA), creates new consumer privacy rights, establishes the California Privacy Protection Agency as California’s privacy regulator, and removes the ability of businesses to fix violations before being penalized for violations. The CPRA becomes effective on January 1, 2023, with enforcement commencing on July 1, 2023. This article summarizes a few notable aspects of the CPRA and highlights practical steps that businesses should take to ensure compliance.

California Governor Gavin Newsom on September 29 signed into law Assembly Bill 1281, which ensures that the California Consumer Privacy Act (CCPA) limited exemptions for employment-related and business-to-business (B2B) data will be extended until at least January 1, 2022. The enactment of AB 1281 is a welcome development for businesses and employers that have been relying on these two important exemptions, which were set to sunset on January 1, 2021.

California recently approved the final regulations to the California Consumer Privacy Act (CCPA), which took effect August 14, 2020. This article highlights some of the most notable changes to the final regulations and identifies broadened areas of enforcement by the California attorney general.

The July 1 enforcement of the California Consumer Privacy Act (CCPA) is one week away. Despite calls by the business community and trade associations to push back the enforcement date to January 2021 due to the coronavirus (COVID-19) pandemic and related disruptions to compliance efforts, the California state attorney general issued a press release on June 2 stating, “Businesses have had since January 1 to comply with the law, and we are committed to enforcing it starting July 1.”

This article summarizes what will or will not represent violation of the FIDIC golden principles and how certain potential deviations can be viewed from the employer’s perspective.

The California attorney general on March 12 released additional modified regulations (Second Set of Modifications) proposing further refinements to the California Consumer Privacy Act. This latest set are mostly minor adjustments, introducing fewer significant new concepts than the previous iterations on October 11, 2019 and February 7 and 10, 2020. Against this backdrop, businesses responding to the coronavirus (COVID-19) outbreak seek enforcement delays as the regulations approach final form.

Washington may be the next state to enact its own data privacy law after a bill was introduced into the Washington State Senate earlier this month. Known as the Washington Privacy Act, the bill’s sponsor, Sen. Reuven Carlyle, stated at a press conference that lawmakers had reached “95 percent agreement in principle on the core elements of the bill.”

The landmark California Consumer Privacy Act (CCPA), which took effect on January 1, 2020, grants consumers a limited private right of action against the unauthorized access and exfiltration, theft, or disclosure of certain types of personal information, including the right to seek statutory damages. This new cause of action is among the many new statutory rights established by the CCPA, which represents a major turning point for privacy and cybersecurity standards and will significantly impact enforcement in California and beyond. This article highlights the key features of the private right of action and discusses how companies can prepare. Enforcement actions by the California attorney general are discussed in a subsequent article.

The California Consumer Privacy Act (CCPA) gives California residents various new rights regarding the collection, use, and disclosure of their personal information, and imposes a number of obligations on businesses covered by the CCPA, including some that apply to personal information collected from employees, owners, officers, directors, job applicants, and contractors, effective January 1, 2020. This article discusses issues for employers under the CCPA, as amended by AB 25, and under related regulations proposed by the California attorney general, including compliance with a notice provision by January 1.

The recently proposed regulations implementing the California Consumer Privacy Act (CCPA) “establish procedures to facilitate consumers’ new rights under the CCPA and provide guidance to businesses for how to comply.” This article focuses on the consumer’s right to request deletion of the consumer’s personal information collected by the business, and outlines the best practices for responding to such requests to delete under the CCPA, including some information on the exceptions to deletion request.

All businesses subject to the California Consumer Privacy Act (CCPA) will need to have privacy policies that comply with the CCPA, regardless of whether they conduct business in person, online, or through mobile apps, and will need to update those policies at least every 12 months. The CCPA regulations proposed by the California attorney general on October 10, 2019, clarify and expand upon the requirements for privacy policies. This article explains those requirements and provides best practices for privacy policies.

The California attorney general released the highly anticipated proposed regulations implementing the California Consumer Privacy Act (CCPA) on October 10, providing detailed guidance on CCPA compliance for affected businesses. This article, the first in our Practical Advice on Privacy: Guide to CCPA Requests series, focuses on best practices for receiving consumer requests made under the CCPA.

Morgan Lewis partner Mark Krotoski and associate Kevin Benedicto authored an article for Law360 about California AB 1130, which was recently enacted and amends the state’s data breach notification law.

Morgan Lewis attorneys review amendments approved to the California Consumer Privacy Act (CCPA) and awaiting approval by California Governor Gavin Newsom. In the Bloomberg Law article, they say the amendments will create important exemptions for employee and business-to-business data.

Will typical cyber-related liability insurance policies respond to actions initiated under the CCPA? In their current form, many likely will not. This post suggests enhancements to existing cyberliability policies to maximize their potential responsiveness to CCPA actions.

The January 1, 2020, deadline to comply with the California Consumer Privacy Act (CCPA) is fast approaching. Signed into law in the summer of 2018, the CCPA creates a variety of new consumer privacy rights and will require many companies to implement policies and procedures to manage and comply with new consumer-facing responsibilities. Catch up on the details of the CCPA in our previous post, this LawFlash, and the Morgan Lewis CCPA resource center.

New York has increased its effort to enforce cybersecurity by creating a new unit designed to combat cybercrime and protect individuals’ sensitive data from attacks.

By January 2020, manufacturers of Internet-enabled (IoT) devices that are sold or offered for sale in California (connected devices) must comply with the new legislation. For cyber security regulations in California. This includes the requirement to equip their devices with adequate security features to protect the device and the information contained therein.

The article analyzes the CCPA, which has been described as a landmark privacy bill that aims to give California consumers increased transparency and control over how companies use and share their personal information by January 2020. Companies with business in California should start with their compliance work as soon as possible.

In order to cause the withdrawal of a privacy measure slated to appear on the November ballot, the California Senate and Assembly approved the California Consumer Privacy Act (CCPA) on June 27, and it was signed into law by Governor Jerry Brown the same day. The CCPA, as enacted, modified some of the provisions in the ballot measure that were considered most onerous by business interests. But, like the ballot measure, the CCPA creates an array of new consumer privacy rights—similar in some respects to the European Union’s General Data Protection Regulation (GDPR)—that will cause many companies doing business in California to reassess their collection and use of personal information and modify their business processes to accommodate the new rights. Organizations subject to the CCPA must comply by January 1, 2020.

The California Consumer Privacy Act will appear on the November ballot in California. It establishes new, groundbreaking consumer privacy rights similar to some of the new privacy (GDPR) rules in Europe. Among other things, it empowers consumers to find out what information businesses are collecting about them and gives them the choice to tell businesses to stop selling their personal information.

The article summarizes the impact of The US COULD Act on businesses in Germany, in particular new risks for storing personal data in the Cloud. Some of the provisions in the US CLOUD Act my collide with the provisions of the General Data Protection Regulation (GDPR) for international data transfers.

Join us for the July edition of Fast Break, where partner Amy Magnano will answer these questions through the lens of Washington state’s new My Health My Data (MHMD) legislation. Passed this April, the law is intended to protect the privacy of consumer data not covered by HIPAA.

Please join us as we discuss the latest developments in state consumer privacy legislation, including the California Privacy Rights Act, Virginia Consumer Data Protection Act, Colorado Privacy Act, and Utah Consumer Privacy Act. We will consider how businesses can meet the challenges of a US privacy regulatory landscape that is growing increasingly complex.

Join Mark Krotoski and Taylor Day for our next installment on cybersecurity issues for global public companies.

Please join us as we discuss the latest developments in state consumer privacy legislation, including the upcoming California Privacy Rights Act and the Virginia Consumer Data Protection Act.

Morgan Lewis lawyers Nancy Yamaguchi and Akiko Araki are presenting "The New GDPR in California – Are You Ready for CCPA Compliance?" at this event sponsored by Pasona.

Our next installment of the Global Public Company Academy will focus on cybersecurity issues for global public companies. Topics will include a review of the cyberthreat environment including under the coronavirus (COVID-19) pandemic; the significant costs and consequences of cyberattacks and incidents; a recent case study; operating in a heightened regulatory enforcement, including under the California Consumer Privacy Act; and how you can be prepared.

Morgan Lewis presents a course that will provide a global update regarding key amendments and regulations of the California Consumer Privacy Act (CCPA) of 2018 and the GDPR.

The January 1 effective date of the landmark California Consumer Privacy Act (CCPA) is fast approaching, but the law’s requirements remain a moving target. In this webinar we will provide an overview of the latest amendments to the CCPA, the state of the law and related regulations, and practical perspectives on CCPA compliance.

California has long been a laboratory for innovative privacy legislation, and there were many new experiments in 2018 and 2019.

On June 27, California enacted the nation’s most comprehensive consumer privacy law, the California Consumer Privacy Act of 2018 (CCPA). This webinar will provide an overview of the landmark privacy measure.

Partner Reece Hirsch was quoted in a Law360 round-up of key privacy policy developments in the first half of 2022.

In this article for ZD Akutell, Axel Spies addressed the Utah Consumer Privacy Act (UCPA) which became the fourth comprehensive US state privacy law with some provisions that depart from comprehensive privacy laws in California, Colorado, and Virginia.

Partner Reece Hirsch spoke to Law360 about customer loyalty programs and California’s Consumer Privacy Act (CCPA), which mandates that businesses explain how the financial incentive or price or service difference is reasonably related to the value of the consumer's data, including a good faith estimate of the value of the consumer's data and a description of the method the business used to calculate that value.

Partner Ezra Church spoke with Law360 about cybersecurity and privacy trends to watch out for in 2022, including how some companies will be preparing to handle recently enacted privacy legislation in states like Virginia and Colorado—which will give consumers more access and control of their personal data—when they take effect in 2023.

Morgan Lewis partners Greg Parks and Kristin Hadgis and associates Drew Jordan and Taylor Day authored an article for Law360 about the Virginia Consumer Data Protection Act, a comprehensive privacy law expected to be signed into law soon.

Partner Reece Hirsch spoke with Law360 about California’s Proposition 24, a ballot measure that, if adopted, would build on the California Consumer Privacy Act (CCPA).

Partner Reece Hirsch spoke with Bloomberg Law about a recent bill in California which extends exemptions related to the California Consumer Privacy Act to 2022.

Morgan Lewis partner Reece Hirsch was featured in a Reuters Q&A about the California Consumer Privacy Act, which went into effect on July 1.

Morgan Lewis partner Reece Hirsch spoke with Bloomberg Law about the effect of the pandemic on enforcing the California Consumer Privacy Act.

Morgan Lewis partner Reece Hirsch spoke with the Recorder about final proposed regulations regarding the enforcement of the California Consumer Privacy Act (CCPA). In the article, he discussed ambiguities related to the lack of an opt-out button.

Morgan Lewis partner and co-head of the firm’s privacy and cybersecurity practice Reece Hirsch was interviewed by Law360 for an article about significant legislative and regulatory developments expected in the cybersecurity and privacy space in 2020, including the California Consumer Privacy Act (CCPA).

Morgan Lewis partner Gregory Parks, co-leader of the firm’s privacy and cybersecurity practice, was interviewed for a Law360 article about a new law in Nevada that allows residents to opt out of the sale of their data.

Law360  Quoted: Reece Hirsch