State Consumer Privacy Law Update: New Privacy Laws in Texas, Oregon, and Montana Take Effect in 2024
(03/27/2024)
Beginning July 1, 2024, Texas and Oregon will join the growing list of states with active consumer privacy laws, with Montana joining them on October 1. The new laws are similar to existing state data privacy laws in that they grant protections for consumers and impose requirements on companies collecting consumer personal data. While companies whose privacy programs already comply with existing data privacy laws will not have to make significant changes, companies considering data privacy laws for the first time will need to update their privacy policies and develop and implement new processes before July 1 to comply.
Global Privacy: Year in Review and a Look Forward, 2023–2024
(February 2024)
In 2023, global privacy developments kept pace with recent years, with a rash of continued activity surrounding data protection, cybersecurity, artificial intelligence (AI), and consumer privacy issues. Here we highlight key privacy milestones around the world and preview what may be next.
California Enacts the Delete Act, Tech & Sourcing @ Morgan Lewis
(11/20/2023)
In October, California enacted its newest privacy legislation, commonly referred to as the “Delete Act” (California Senate Bill No. 362). The Delete Act will allow consumers to request that any data broker that maintains any personal information related to that consumer delete such personal information.
Navigating the Global Data Privacy Landscape: What Multinational Corporations Should Consider When Doing Business
(08/25/2023)
The ever-evolving data privacy landscape continues to become more complex as new developments play out on the global stage. In the United States, a number of individual state laws have come into force, with more following in close step, and a new focus is emerging in health data protection. Across the pond, the EU-US Data Privacy Framework became effective and the UK government introduced a new draft of the UK Data Protection and Digital Information Bill. China and the Middle East’s approach to privacy continues to focus on cross-border data transfers and adaptations to new technologies, with the Gulf Cooperation Council region attaching significant penalties and enforcement actions in response to violations of the law.
US Data Privacy Legislation: Could a Federal Law Be on the Horizon?
(07/31/2023)
Despite the business community’s interest in an all-encompassing federal data privacy law, such a development remains elusive. US legislators have periodically introduced bills that would establish a federal data privacy law, but none have been put into action. The American Data Privacy Protection Act, introduced in May 2022, is the latest attempt to establish a federal privacy law while providing for limited preemption of state privacy laws. The measure has enough bipartisan support to make it out of committee, but chances for passage are unclear, as it appears to lack key support to move further. Nonetheless, 2023 promises to continue the trend of increased attention on data privacy and security by the US Congress and federal agencies.
How to Comply with the New EU-US Data Privacy Framework
(07/24/2023)
The EU-US Data Privacy Framework (DPF) became effective on July 10, and on the same day, the European Commission adopted an Adequacy Decision relating to the DPF. As a successor of the EU-US Privacy Shield, the EU-US DPF facilitates the transfer of EU personal data to participating organizations in the United States.
The Evolving Privacy Landscape: Biometric Data and Wiretapping Trends and Takeaways
(07/14/2023)
As technology continues to open doors for industry, adopters need to be mindful of pitfalls and opportunities. Here we discuss allegations against organizations implementing technology related to the processing of biometric data and information gathering on websites that may put them at risk and best practices for compliance.
The Broad Reach of Washington State’s My Health My Data Act
(07/07/2023)
The My Health My Data Act, signed by the governor of Washington State, is expected to have an impact on the privacy practices of a wide range of digital health businesses—potentially reaching beyond the state’s borders. While the Act takes effect on March 31, 2024 for regulated entities and on June 30, 2024 for small businesses, the Act's geofencing provision will become effective on July 23, 2023.
What Businesses Should Know About State Consumer Privacy Laws
(05/16/2023)
With the lack of comprehensive federal consumer privacy legislation, states are charting an evolving course for businesses to follow when handling data and information about their customers. Led by California, several other states have created laws to move regulations closer to the European Union’s General Data Protection Regulation. Virginia, Colorado, Utah, Connecticut, and Iowa have created their own consumer privacy protections, with Indiana, Montana, and Tennessee potentially following suit. Meanwhile, nearly a dozen other states are currently debating privacy laws.
Global Privacy Year in Review
(March 2023)
The need for privacy and cybersecurity compliance measures has become a paramount consideration as businesses become more digitally driven, data breaches become more publicized, and regulation continues to increase. Morgan Lewis privacy and cybersecurity lawyers advise clients operating in the United States, Europe, South America, and Asia on compliance with privacy and cybersecurity regulations. This global privacy year in review takes an in depth look at privacy and cybersecurity updates around the globe.
California Enforces Consumer Privacy Law With ‘Investigative Sweep’
(02/10/2023)
In a nod to Data Privacy Day, California Attorney General Rob Bonta recently announced an “investigative sweep” directed primarily at ensuring that businesses can accept and timely process consumer opt-out requests. Although not limited in scope, the attorney general noted an emphasis on retail, travel, and food services businesses in this wave of enforcement.
California Consumer Privacy Act: Employee and B2B Exemptions Expire January 1, 2023
(10/14/2022)
The California Consumer Privacy Act (CCPA) exemptions for employee and business-to-business (B2B) personal information have not been extended, further complicating the privacy regulatory landscape for businesses in California. California employers must prepare to provide an array of new privacy rights to employees as of January 1, 2023, which is the effective date of the California Privacy Rights Act (CPRA) amending the CCPA.
Virginia Enacts Broad Data Privacy Law, Second in US After California: What It Means for Businesses
(February 18, 2021 (Updated March 15, 2021))
Virginia has become the second state in the United States to pass a comprehensive data privacy law after the Virginia Consumer Data Protection Act (CDPA) passed both houses of Virginia’s state legislature in February with overwhelming bipartisan support and was promptly signed into law by Virginia Governor Ralph Northam. The CDPA has a number of key similarities to the California Consumer Privacy Act (CCPA), the California Privacy Rights Act (CPRA), which comes into effect in 2023, and the European Union’s General Data Protection Regulation (GDPR), and it follows a similar framework with proposed data privacy bills pending in other statehouses.
California Approves Even Tougher Privacy Laws
(11/10/2020)
A majority of California voters approved the California Privacy Rights Act of 2020 (CPRA) on November 3. The CPRA expands provisions of the California Consumer Privacy Act (CCPA), creates new consumer privacy rights, establishes the California Privacy Protection Agency as California’s privacy regulator, and removes the ability of businesses to fix violations before being penalized for violations. The CPRA becomes effective on January 1, 2023, with enforcement commencing on July 1, 2023. This article summarizes a few notable aspects of the CPRA and highlights practical steps that businesses should take to ensure compliance.
New CCPA Amendment Extends Exemptions for Employment-Related and B2B Data
(10/01/2020)
California Governor Gavin Newsom on September 29 signed into law Assembly Bill 1281, which ensures that the California Consumer Privacy Act (CCPA) limited exemptions for employment-related and business-to-business (B2B) data will be extended until at least January 1, 2022. The enactment of AB 1281 is a welcome development for businesses and employers that have been relying on these two important exemptions, which were set to sunset on January 1, 2021.
Complying with Newly Finalized CCPA Regulations
(09/10/2020)
The landmark California Consumer Privacy Act (CCPA) requires certain companies doing business in California to implement new consumer privacy rights and provide new privacy policies to consumers. Even though the California attorney general’s right to enforce the law began July 1, 2020, the CCPA regulations did not become final and effective until August 14, 2020.
Practical Advice on Privacy: COVID-19 Pandemic Will Not Delay July 1 CCPA Enforcement Date
(06/25/2020)
Despite the coronavirus (COVID-19) pandemic, the California attorney general intends to enforce the California Consumer Privacy Act (CCPA) beginning July 1, 2020, pending the anticipated approval from the California Office of Administrative Law (OAL) on the final text of the proposed CCPA regulations. This article discusses the scope of the new regulations and identifies practical steps that companies can take to ensure compliance before July 1.
Practical Steps to Take Before CCPA Enforcement Begins, Tech & Sourcing @ Morgan Lewis
(06/23/2020)
The July 1 enforcement of the California Consumer Privacy Act (CCPA) is one week away. Despite calls by the business community and trade associations to push back the enforcement date to January 2021 due to the coronavirus (COVID-19) pandemic and related disruptions to compliance efforts, the California state attorney general issued a press release on June 2 stating, “Businesses have had since January 1 to comply with the law, and we are committed to enforcing it starting July 1.”
Practical Advice on Privacy: CCPA: What Companies Need to Do Ahead of July 1 Enforcement
(06/04/2020)
With the July 1 enforcement of the California Consumer Privacy Act (CCPA) less than a month away, the state attorney general has finally submitted the final text of the proposed CCPA regulations to the California Office of Administrative Law. This article discusses the current landscape and provides practical steps that companies can take before enforcement begins.
Amidst COVID-19, CA Attorney General Issues Second Modified CCPA Regulations
(03/25/2020)
The California attorney general on March 12 released additional modified regulations (Second Set of Modifications) proposing further refinements to the California Consumer Privacy Act. This latest set are mostly minor adjustments, introducing fewer significant new concepts than the previous iterations on October 11, 2019 and February 7 and 10, 2020. Against this backdrop, businesses responding to the coronavirus (COVID-19) outbreak seek enforcement delays as the regulations approach final form.
Data Privacy Bill Introduced in Washington State, Tech & Sourcing @ Morgan Lewis
(01/28/2020)
Washington may be the next state to enact its own data privacy law after a bill was introduced into the Washington State Senate earlier this month. Known as the Washington Privacy Act, the bill’s sponsor, Sen. Reuven Carlyle, stated at a press conference that lawmakers had reached “95 percent agreement in principle on the core elements of the bill.”
Practical Advice on Privacy: Preparing for the CCPA Private Right of Action for Certain Security Incidents
(01/06/2020)
The landmark California Consumer Privacy Act (CCPA), which took effect on January 1, 2020, grants consumers a limited private right of action against the unauthorized access and exfiltration, theft, or disclosure of certain types of personal information, including the right to seek statutory damages. This new cause of action is among the many new statutory rights established by the CCPA, which represents a major turning point for privacy and cybersecurity standards and will significantly impact enforcement in California and beyond. This article highlights the key features of the private right of action and discusses how companies can prepare. Enforcement actions by the California attorney general are discussed in a subsequent article.
Practical Advice on Privacy: The CCPA Impacts Non-US Companies. Are You Prepared?
(12/05/2019)
California is the fifth largest economy in the world. Its new laws and regulations have an impact far beyond its borders. Many Non-US companies do business in California. The California Consumer Privacy Act (CCPA), which becomes effective on January 1, 2020, applies broadly, and includes companies that are based outside of the state. This article discusses how the CCPA impacts non-US companies and what those companies need to do to prepare for CCPA compliance.
Practical Advice on Privacy: Employee and Other Notices by January 1, 2020, and Related Issues for Employers
(12/02/2019)
The California Consumer Privacy Act (CCPA) gives California residents various new rights regarding the collection, use, and disclosure of their personal information, and imposes a number of obligations on businesses covered by the CCPA, including some that apply to personal information collected from employees, owners, officers, directors, job applicants, and contractors, effective January 1, 2020. This article discusses issues for employers under the CCPA, as amended by AB 25, and under related regulations proposed by the California attorney general, including compliance with a notice provision by January 1.
Practical Advice on Privacy: Responding to Requests to Opt Out
(11/22/2019)
The California Consumer Privacy Act (CCPA) gives consumers the right to request that a business (1) respond to the consumer with a list of the categories or specific pieces of personal information that the business has collected about that consumer (request to know); (2) delete any personal information that the business has collected from the consumer (request to delete); and (3) not sell the consumer’s personal information (request to opt out).
Practical Advice on Privacy: Responding to Requests to Delete
(11/20/2019)
The recently proposed regulations implementing the California Consumer Privacy Act (CCPA) “establish procedures to facilitate consumers’ new rights under the CCPA and provide guidance to businesses for how to comply.” This article focuses on the consumer’s right to request deletion of the consumer’s personal information collected by the business, and outlines the best practices for responding to such requests to delete under the CCPA, including some information on the exceptions to deletion request.
Practical Advice on Privacy: Responding to Requests to Know
(11/15/2019)
The California Consumer Privacy Act (CCPA) gives consumers the right to request that a business (1) respond to a consumer with a list of the categories or specific pieces of personal information that the business has collected about that consumer (a request to know); (2) delete any personal information that the business has collected from the consumer (a request to delete); and (3) not sell the consumer’s personal information (a request to opt out).
Practical Advice on Privacy: Privacy Policy Requirements
(11/13/2019)
All businesses subject to the California Consumer Privacy Act (CCPA) will need to have privacy policies that comply with the CCPA, regardless of whether they conduct business in person, online, or through mobile apps, and will need to update those policies at least every 12 months. The CCPA regulations proposed by the California attorney general on October 10, 2019, clarify and expand upon the requirements for privacy policies. This article explains those requirements and provides best practices for privacy policies.
Practical Advice on Privacy: Verifying Consumer Requests
(11/08/2019)
The second article in our Guide to the CCPA series focuses on verifying consumer requests received pursuant to the California Consumer Privacy Act (CCPA). The California attorney general’s recently proposed regulations implementing the CCPA establish rules and procedures for verifying the identity of consumers making requests to know and requests to delete. This article explains those rules and provides best practices for verifying consumer requests made under the CCPA.
Practical Advice on Privacy: Receiving Requests
(11/06/2019)
The California attorney general released the highly anticipated proposed regulations implementing the California Consumer Privacy Act (CCPA) on October 10, providing detailed guidance on CCPA compliance for affected businesses. This article, the first in our Practical Advice on Privacy: Guide to CCPA Requests series, focuses on best practices for receiving consumer requests made under the CCPA.
The Proposed CCPA Regulations Are Here: An Overview
(10/18/2019)
While the California attorney general’s proposed regulations do not address all provisions of the California Consumer Privacy Act, they do include new procedures and deadlines and cover compliance issues for businesses not covered by the statute. For example, there are new obligations concerning service providers, training and recordkeeping, and standards for certain businesses maintaining the personal information of 4 million or more consumers for commercial purposes, like data brokers.
CCPA Amendments to Watch as Effective Date Draws Closer, Bloomberg Law
(10/02/2019)
Morgan Lewis attorneys review amendments approved to the California Consumer Privacy Act (CCPA) and awaiting approval by California Governor Gavin Newsom. In the Bloomberg Law article, they say the amendments will create important exemptions for employee and business-to-business data.
California Legislature Proposes CCPA Amendments as Effective Date Draws Closer
(09/23/2019)
At the close of its legislative session on September 13, the California legislature passed five bills to amend and clarify the scope of the landmark California Consumer Privacy Act, which establishes new statutory privacy rights and business obligations for the collection and use of “personal information.”
The CCPA’s ‘Verifiable Consumer Request’ Requirement and Data Breach Risks, Tech & Sourcing @ Morgan Lewis
(09/05/2019)
The January 1, 2020, deadline to comply with the California Consumer Privacy Act (CCPA) is fast approaching. Signed into law in the summer of 2018, the CCPA creates a variety of new consumer privacy rights and will require many companies to implement policies and procedures to manage and comply with new consumer-facing responsibilities. Catch up on the details of the CCPA in our previous post, this LawFlash, and the Morgan Lewis CCPA resource center.
Consumer Opt-Out Requirements Under New Nevada Privacy Law Take Effect October 1
(08/15/2019)
Nevada Senate Bill (SB) 220 will go into effect on October 1, 2019. SB 220 amends Nevada’s data privacy law to require that website operators honor a consumer’s request not to sell the consumer’s personal information. Exempt from the new law are certain financial and health institutions, and individuals involved in the manufacture and service of motor vehicles.
California: New IoT Law Signed
(October 2018)
By January 2020, manufacturers of Internet-enabled (IoT) devices that are sold or offered for sale in California (connected devices) must comply with the new legislation. For cyber security regulations in California. This includes the requirement to equip their devices with adequate security features to protect the device and the information contained therein.
USA: New California Data Protection Act CCPA as a Trendsetter
(July 2018)
The article analyzes the CCPA, which has been described as a landmark privacy bill that aims to give California consumers increased transparency and control over how companies use and share their personal information by January 2020. Companies with business in California should start with their compliance work as soon as possible.
California Enacts Sweeping GDPR-Like Privacy Law
(07/10/2018)
In order to cause the withdrawal of a privacy measure slated to appear on the November ballot, the California Senate and Assembly approved the California Consumer Privacy Act (CCPA) on June 27, and it was signed into law by Governor Jerry Brown the same day. The CCPA, as enacted, modified some of the provisions in the ballot measure that were considered most onerous by business interests. But, like the ballot measure, the CCPA creates an array of new consumer privacy rights—similar in some respects to the European Union’s General Data Protection Regulation (GDPR)—that will cause many companies doing business in California to reassess their collection and use of personal information and modify their business processes to accommodate the new rights. Organizations subject to the CCPA must comply by January 1, 2020.
New Colorado Data Privacy Law Requires Businesses to Improve Protection of Personal Information
(06/26/2018)
Colorado Governor John Hickenlooper recently signed into law House Bill 1128, which will take effect on September 1, 2018. The new law requires businesses owning, maintaining, or licensing personal information of Colorado residents to maintain a written policy for disposing documents containing personal identifying information; implement appropriate security procedures to protect personal information; and comply with breach notification requirements, including an accelerated 30-day timeframe for notification to Colorado residents impacted by a data breach.
California Consumer Privacy Act Could Spell a Sea Change in US Privacy Law
(06/06/2018)
The California Consumer Privacy Act, which could be on the ballot in November, aims to introduce a groundbreaking approach to consumer privacy that not only is likely to resonate with the state’s voters, but is also expected to have national implications – thanks to California’s reputation as a trendsetter in consumer privacy. If passed, the act will come with significant compliance challenges and costs that companies should prepare for ahead of time.