Photo of Peter Hegel

Peter Hegel counsels clients on protection of personally identifiable information (PII) and infrastructure.

The Board of the California Privacy Protection Agency (CPPA) approved a rulemaking package covering Sections 7000–7304 of their draft regulations on February 3, 2023. The board also initiated preliminary rulemaking activities for risk assessments, cybersecurity audits, and automated decision-making. In approving the rulemaking package, the CPPA did not make substantive changes to the version of its draft regulations published in October 2022, indicating that any changes following from the more than 400 pages of public comment analysis could be advanced in future rulemaking activities.Continue Reading Almost There and Starting Again: CPPA Votes To Finalize Regulations and Launches Round Two

Introduction

While candy sales skyrocketed and trick-or-treaters donned costumes this past Halloween weekend, the California Privacy Protection Agency (Agency) Board was busy holding its first public meeting since September. Over the course of the two-day meeting on Friday and Saturday, October 28 and 29, the Agency welcomed new board member Alastair Mactaggart and discussed and debated numerous provisions of the Modified Draft Proposed California Consumer Privacy Act Regulations (Draft CCPA Regulations). Most importantly, it unanimously passed a motion directing the Agency staff to take all steps necessary to prepare and notice modifications to the text of the proposed regulatory amendments for an additional 15-day comment period.Continue Reading This is Not a Drill: CPPA Gets Closer to Finalizing Certain Privacy Regulations

The Colorado attorney general’s office sent shockwaves throughout the privacy world on September 30, 2022, when it published its proposed Colorado Privacy Act (CPA) draft rules (Draft Rules). The Draft Rules are complex and comprehensive; at 38 pages of single-spaced text, they are longer than the CPA itself. The Draft Rules are accompanied by a

Overview

2022 has been relatively quiet as it relates to state updates to breach notification laws, but Maryland made significant alterations to its general data breach notification law. Additionally, several other states made more minor changes, and the federal government issued or proposed several new data security and breach reporting requirements for certain types of

Last week, the Consumer Privacy Protection Agency (Agency) Board rounded out the first half of 2022 by releasing draft California Privacy Rights Act (CPRA) regulations. This first set of CPRA regulations focus on updating existing California Consumer Privacy Act (CCPA) regulations to account for the new provisions of the CPRA and addressing specific areas such

On Friday, January 28, the world celebrated its 16th Data Protection/Privacy Day. As the privacy community capped off a week of programming and gazed into the future of potential data privacy enforcement [1], the celebrations were quickly overshadowed by California Attorney General Rob Bonta, who announced that his office was targeting businesses operating loyalty programs for potential enforcement actions. According to Bonta, his office issued “notices to business[es] that operate loyalty programs and use personal information in violation of California’s data privacy law.” [2] Accordingly, it is expected that a plethora of businesses may soon receive notices of noncompliance. Once a business receives a notice of noncompliance, that business will have 30 days to cure or fix the alleged violation before an enforcement action is initiated. Enforcement actions may result in penalties of up to $7,500 per violation, which can quickly accrue to significant amounts.
Continue Reading Data Privacy Day Surprise Enforcement for Loyalty Programs

Last week while Americans were preoccupied with carving turkey and baking pies, the privacy world was aflutter with a string of developments in Europe that may drastically affect the future of worldwide website usage and global advertising technology as we currently know it. In short, due to some of the recent positions taken by regulators, “tracking” techniques and cookies as we know them may quickly be saddled with extra compliance requirements.
Continue Reading Requiem for a Cookie: The Beginning of the End for Current AdTech Models

On October 21, 2021, the FTC released a report making it quite clear: internet service providers (ISPs) are next in line for heightened FTC scrutiny. After analyzing the data collection, sharing, and usage practices of the six largest ISPs and three of their affiliated advertising entities, the FTC concluded that the ISPs “amass large pools of sensitive data, and that their uses of such data could lead to significant harms.” [1]

This report traces its lineage back to August 2019, when the FTC used its powers under Section 6(b) of the FTC Act to issue Orders to File Special Reports to the six largest ISPs that comprised approximately 98.8% of the mobile internet market.
Continue Reading ISPs, the FTC Has You In Their Crosshairs