State Consumer Privacy Law Update: New Privacy Laws in Texas, Oregon, and Montana Take Effect in 2024
(03/27/2024)
Beginning July 1, 2024, Texas and Oregon will join the growing list of states with active consumer privacy laws, with Montana joining them on October 1. The new laws are similar to existing state data privacy laws in that they grant protections for consumers and impose requirements on companies collecting consumer personal data. While companies whose privacy programs already comply with existing data privacy laws will not have to make significant changes, companies considering data privacy laws for the first time will need to update their privacy policies and develop and implement new processes before July 1 to comply.
Global Privacy: Year in Review and a Look Forward, 2023–2024
(February 2024)
In 2023, global privacy developments kept pace with recent years, with a rash of continued activity surrounding data protection, cybersecurity, artificial intelligence (AI), and consumer privacy issues. Here we highlight key privacy milestones around the world and preview what may be next.
California Enacts the Delete Act, Tech & Sourcing @ Morgan Lewis
(11/20/2023)
In October, California enacted its newest privacy legislation, commonly referred to as the “Delete Act” (California Senate Bill No. 362). The Delete Act will allow consumers to request that any data broker that maintains any personal information related to that consumer delete such personal information.
Navigating the Global Data Privacy Landscape: What Multinational Corporations Should Consider When Doing Business
(08/25/2023)
The ever-evolving data privacy landscape continues to become more complex as new developments play out on the global stage. In the United States, a number of individual state laws have come into force, with more following in close step, and a new focus is emerging in health data protection. Across the pond, the EU-US Data Privacy Framework became effective and the UK government introduced a new draft of the UK Data Protection and Digital Information Bill. China and the Middle East’s approach to privacy continues to focus on cross-border data transfers and adaptations to new technologies, with the Gulf Cooperation Council region attaching significant penalties and enforcement actions in response to violations of the law.
US Data Privacy Legislation: Could a Federal Law Be on the Horizon?
(07/31/2023)
Despite the business community’s interest in an all-encompassing federal data privacy law, such a development remains elusive. US legislators have periodically introduced bills that would establish a federal data privacy law, but none have been put into action. The American Data Privacy Protection Act, introduced in May 2022, is the latest attempt to establish a federal privacy law while providing for limited preemption of state privacy laws. The measure has enough bipartisan support to make it out of committee, but chances for passage are unclear, as it appears to lack key support to move further. Nonetheless, 2023 promises to continue the trend of increased attention on data privacy and security by the US Congress and federal agencies.
How to Comply with the New EU-US Data Privacy Framework
(07/24/2023)
The EU-US Data Privacy Framework (DPF) became effective on July 10, and on the same day, the European Commission adopted an Adequacy Decision relating to the DPF. As a successor of the EU-US Privacy Shield, the EU-US DPF facilitates the transfer of EU personal data to participating organizations in the United States.
The Evolving Privacy Landscape: Biometric Data and Wiretapping Trends and Takeaways
(07/14/2023)
As technology continues to open doors for industry, adopters need to be mindful of pitfalls and opportunities. Here we discuss allegations against organizations implementing technology related to the processing of biometric data and information gathering on websites that may put them at risk and best practices for compliance.
The Broad Reach of Washington State’s My Health My Data Act
(07/07/2023)
The My Health My Data Act, signed by the governor of Washington State, is expected to have an impact on the privacy practices of a wide range of digital health businesses—potentially reaching beyond the state’s borders. While the Act takes effect on March 31, 2024 for regulated entities and on June 30, 2024 for small businesses, the Act's geofencing provision will become effective on July 23, 2023.
What Businesses Should Know About State Consumer Privacy Laws
(05/16/2023)
With the lack of comprehensive federal consumer privacy legislation, states are charting an evolving course for businesses to follow when handling data and information about their customers. Led by California, several other states have created laws to move regulations closer to the European Union’s General Data Protection Regulation. Virginia, Colorado, Utah, Connecticut, and Iowa have created their own consumer privacy protections, with Indiana, Montana, and Tennessee potentially following suit. Meanwhile, nearly a dozen other states are currently debating privacy laws.
Global Privacy Year in Review
(March 2023)
The need for privacy and cybersecurity compliance measures has become a paramount consideration as businesses become more digitally driven, data breaches become more publicized, and regulation continues to increase. Morgan Lewis privacy and cybersecurity lawyers advise clients operating in the United States, Europe, South America, and Asia on compliance with privacy and cybersecurity regulations. This global privacy year in review takes an in depth look at privacy and cybersecurity updates around the globe.
California Enforces Consumer Privacy Law With ‘Investigative Sweep’
(02/10/2023)
In a nod to Data Privacy Day, California Attorney General Rob Bonta recently announced an “investigative sweep” directed primarily at ensuring that businesses can accept and timely process consumer opt-out requests. Although not limited in scope, the attorney general noted an emphasis on retail, travel, and food services businesses in this wave of enforcement.
California Consumer Privacy Act: Employee and B2B Exemptions Expire January 1, 2023
(10/14/2022)
The California Consumer Privacy Act (CCPA) exemptions for employee and business-to-business (B2B) personal information have not been extended, further complicating the privacy regulatory landscape for businesses in California. California employers must prepare to provide an array of new privacy rights to employees as of January 1, 2023, which is the effective date of the California Privacy Rights Act (CPRA) amending the CCPA.
Virginia Enacts Broad Data Privacy Law, Second in US After California: What It Means for Businesses
(February 18, 2021 (Updated March 15, 2021))
Virginia has become the second state in the United States to pass a comprehensive data privacy law after the Virginia Consumer Data Protection Act (CDPA) passed both houses of Virginia’s state legislature in February with overwhelming bipartisan support and was promptly signed into law by Virginia Governor Ralph Northam. The CDPA has a number of key similarities to the California Consumer Privacy Act (CCPA), the California Privacy Rights Act (CPRA), which comes into effect in 2023, and the European Union’s General Data Protection Regulation (GDPR), and it follows a similar framework with proposed data privacy bills pending in other statehouses.
California Approves Even Tougher Privacy Laws
(11/10/2020)
A majority of California voters approved the California Privacy Rights Act of 2020 (CPRA) on November 3. The CPRA expands provisions of the California Consumer Privacy Act (CCPA), creates new consumer privacy rights, establishes the California Privacy Protection Agency as California’s privacy regulator, and removes the ability of businesses to fix violations before being penalized for violations. The CPRA becomes effective on January 1, 2023, with enforcement commencing on July 1, 2023. This article summarizes a few notable aspects of the CPRA and highlights practical steps that businesses should take to ensure compliance.
New CCPA Amendment Extends Exemptions for Employment-Related and B2B Data
(10/01/2020)
California Governor Gavin Newsom on September 29 signed into law Assembly Bill 1281, which ensures that the California Consumer Privacy Act (CCPA) limited exemptions for employment-related and business-to-business (B2B) data will be extended until at least January 1, 2022. The enactment of AB 1281 is a welcome development for businesses and employers that have been relying on these two important exemptions, which were set to sunset on January 1, 2021.
Complying with Newly Finalized CCPA Regulations
(09/10/2020)
The landmark California Consumer Privacy Act (CCPA) requires certain companies doing business in California to implement new consumer privacy rights and provide new privacy policies to consumers. Even though the California attorney general’s right to enforce the law began July 1, 2020, the CCPA regulations did not become final and effective until August 14, 2020.
Practical Advice on Privacy: COVID-19 Pandemic Will Not Delay July 1 CCPA Enforcement Date
(06/25/2020)
Despite the coronavirus (COVID-19) pandemic, the California attorney general intends to enforce the California Consumer Privacy Act (CCPA) beginning July 1, 2020, pending the anticipated approval from the California Office of Administrative Law (OAL) on the final text of the proposed CCPA regulations. This article discusses the scope of the new regulations and identifies practical steps that companies can take to ensure compliance before July 1.
Practical Steps to Take Before CCPA Enforcement Begins, Tech & Sourcing @ Morgan Lewis
(06/23/2020)
The July 1 enforcement of the California Consumer Privacy Act (CCPA) is one week away. Despite calls by the business community and trade associations to push back the enforcement date to January 2021 due to the coronavirus (COVID-19) pandemic and related disruptions to compliance efforts, the California state attorney general issued a press release on June 2 stating, “Businesses have had since January 1 to comply with the law, and we are committed to enforcing it starting July 1.”
Practical Advice on Privacy: CCPA: What Companies Need to Do Ahead of July 1 Enforcement
(06/04/2020)
With the July 1 enforcement of the California Consumer Privacy Act (CCPA) less than a month away, the state attorney general has finally submitted the final text of the proposed CCPA regulations to the California Office of Administrative Law. This article discusses the current landscape and provides practical steps that companies can take before enforcement begins.
Amidst COVID-19, CA Attorney General Issues Second Modified CCPA Regulations
(03/25/2020)
The California attorney general on March 12 released additional modified regulations (Second Set of Modifications) proposing further refinements to the California Consumer Privacy Act. This latest set are mostly minor adjustments, introducing fewer significant new concepts than the previous iterations on October 11, 2019 and February 7 and 10, 2020. Against this backdrop, businesses responding to the coronavirus (COVID-19) outbreak seek enforcement delays as the regulations approach final form.
Data Privacy Bill Introduced in Washington State, Tech & Sourcing @ Morgan Lewis
(01/28/2020)
Washington may be the next state to enact its own data privacy law after a bill was introduced into the Washington State Senate earlier this month. Known as the Washington Privacy Act, the bill’s sponsor, Sen. Reuven Carlyle, stated at a press conference that lawmakers had reached “95 percent agreement in principle on the core elements of the bill.”
Practical Advice on Privacy: Preparing for the CCPA Private Right of Action for Certain Security Incidents
(01/06/2020)
The landmark California Consumer Privacy Act (CCPA), which took effect on January 1, 2020, grants consumers a limited private right of action against the unauthorized access and exfiltration, theft, or disclosure of certain types of personal information, including the right to seek statutory damages. This new cause of action is among the many new statutory rights established by the CCPA, which represents a major turning point for privacy and cybersecurity standards and will significantly impact enforcement in California and beyond. This article highlights the key features of the private right of action and discusses how companies can prepare. Enforcement actions by the California attorney general are discussed in a subsequent article.
Practical Advice on Privacy: The CCPA Impacts Non-US Companies. Are You Prepared?
(12/05/2019)
California is the fifth largest economy in the world. Its new laws and regulations have an impact far beyond its borders. Many Non-US companies do business in California. The California Consumer Privacy Act (CCPA), which becomes effective on January 1, 2020, applies broadly, and includes companies that are based outside of the state. This article discusses how the CCPA impacts non-US companies and what those companies need to do to prepare for CCPA compliance.
Practical Advice on Privacy: Employee and Other Notices by January 1, 2020, and Related Issues for Employers
(12/02/2019)
The California Consumer Privacy Act (CCPA) gives California residents various new rights regarding the collection, use, and disclosure of their personal information, and imposes a number of obligations on businesses covered by the CCPA, including some that apply to personal information collected from employees, owners, officers, directors, job applicants, and contractors, effective January 1, 2020. This article discusses issues for employers under the CCPA, as amended by AB 25, and under related regulations proposed by the California attorney general, including compliance with a notice provision by January 1.
Practical Advice on Privacy: Responding to Requests to Opt Out
(11/22/2019)
The California Consumer Privacy Act (CCPA) gives consumers the right to request that a business (1) respond to the consumer with a list of the categories or specific pieces of personal information that the business has collected about that consumer (request to know); (2) delete any personal information that the business has collected from the consumer (request to delete); and (3) not sell the consumer’s personal information (request to opt out).
Practical Advice on Privacy: Responding to Requests to Delete
(11/20/2019)
The recently proposed regulations implementing the California Consumer Privacy Act (CCPA) “establish procedures to facilitate consumers’ new rights under the CCPA and provide guidance to businesses for how to comply.” This article focuses on the consumer’s right to request deletion of the consumer’s personal information collected by the business, and outlines the best practices for responding to such requests to delete under the CCPA, including some information on the exceptions to deletion request.
Practical Advice on Privacy: Responding to Requests to Know
(11/15/2019)
The California Consumer Privacy Act (CCPA) gives consumers the right to request that a business (1) respond to a consumer with a list of the categories or specific pieces of personal information that the business has collected about that consumer (a request to know); (2) delete any personal information that the business has collected from the consumer (a request to delete); and (3) not sell the consumer’s personal information (a request to opt out).
Practical Advice on Privacy: Privacy Policy Requirements
(11/13/2019)
All businesses subject to the California Consumer Privacy Act (CCPA) will need to have privacy policies that comply with the CCPA, regardless of whether they conduct business in person, online, or through mobile apps, and will need to update those policies at least every 12 months. The CCPA regulations proposed by the California attorney general on October 10, 2019, clarify and expand upon the requirements for privacy policies. This article explains those requirements and provides best practices for privacy policies.
Practical Advice on Privacy: Verifying Consumer Requests
(11/08/2019)
The second article in our Guide to the CCPA series focuses on verifying consumer requests received pursuant to the California Consumer Privacy Act (CCPA). The California attorney general’s recently proposed regulations implementing the CCPA establish rules and procedures for verifying the identity of consumers making requests to know and requests to delete. This article explains those rules and provides best practices for verifying consumer requests made under the CCPA.
Practical Advice on Privacy: Receiving Requests
(11/06/2019)
The California attorney general released the highly anticipated proposed regulations implementing the California Consumer Privacy Act (CCPA) on October 10, providing detailed guidance on CCPA compliance for affected businesses. This article, the first in our Practical Advice on Privacy: Guide to CCPA Requests series, focuses on best practices for receiving consumer requests made under the CCPA.
The Proposed CCPA Regulations Are Here: An Overview
(10/18/2019)
While the California attorney general’s proposed regulations do not address all provisions of the California Consumer Privacy Act, they do include new procedures and deadlines and cover compliance issues for businesses not covered by the statute. For example, there are new obligations concerning service providers, training and recordkeeping, and standards for certain businesses maintaining the personal information of 4 million or more consumers for commercial purposes, like data brokers.
CCPA Amendments to Watch as Effective Date Draws Closer, Bloomberg Law
(10/02/2019)
Morgan Lewis attorneys review amendments approved to the California Consumer Privacy Act (CCPA) and awaiting approval by California Governor Gavin Newsom. In the Bloomberg Law article, they say the amendments will create important exemptions for employee and business-to-business data.
California Legislature Proposes CCPA Amendments as Effective Date Draws Closer
(09/23/2019)
At the close of its legislative session on September 13, the California legislature passed five bills to amend and clarify the scope of the landmark California Consumer Privacy Act, which establishes new statutory privacy rights and business obligations for the collection and use of “personal information.”