On Friday, January 28, the world celebrated its 16th Data Protection/Privacy Day. As the privacy community capped off a week of programming and gazed into the future of potential data privacy enforcement [1], the celebrations were quickly overshadowed by California Attorney General Rob Bonta, who announced that his office was targeting businesses operating loyalty programs for potential enforcement actions. According to Bonta, his office issued “notices to business[es] that operate loyalty programs and use personal information in violation of California’s data privacy law.” [2] Accordingly, it is expected that a plethora of businesses may soon receive notices of noncompliance. Once a business receives a notice of noncompliance, that business will have 30 days to cure or fix the alleged violation before an enforcement action is initiated. Enforcement actions may result in penalties of up to $7,500 per violation, which can quickly accrue to significant amounts.
Continue Reading Data Privacy Day Surprise Enforcement for Loyalty Programs

California’s proliferation of new privacy laws shows no sign of slowing. In September and October, California’s Governor Gavin Newsom signed multiple privacy bills into law, covering genetics, abortion rights, and updates to the California Privacy Rights Act (CPRA) in Assembly Bill 694 (AB 694), which among other things clarifies the timing of the California Privacy Protection Agency’s (CPPA) rulemaking responsibilities.
Continue Reading California’s Governor Newsom Signs New Privacy Law Clarifying Timeline for CPRA Regulations

There have been several notable developments this month at the California Attorney General’s office relating to the CCPA. First, California Attorney General (AG) Rob Bonta held a press conference and issued a press release regarding CCPA enforcement in the past year. AG Bonta signaled that under his leadership, as under prior California Attorneys General, such as now Vice President Kamala Harris and United States Department of Health and Human Services Secretary Xavier Becerra, the AG’s office will continue its focus on privacy. AG Bonta emphasized the importance of the CCPA at a time when so much of our lives has moved online due to the COVID-19 pandemic and that “there’s more work to be done.” He reported “great progress” in CCPA enforcement, noting that 75% of businesses that received a notice of violation came into compliance within the CCPA’s 30-day cure period, while the remaining 25% are within the cure period or currently under active investigation.
Continue Reading Recent Developments at the California Attorney General’s Office Concerning the CCPA and Enforcement

On June 25, 2021, the U.S. Supreme Court in TransUnion LLC v. Ramirez (No. 20-297, slip op.) clarified that for standing purposes in federal courts, an important difference exists between (i) a plaintiff’s statutory cause of action to sue over a violation of law, and (ii) a plaintiff suffering concrete harm because of the violation of law. The Court stated that “an injury in law is not an injury in fact” and held that only those plaintiffs who suffer a “concrete injury” apart from the violation of law alone have standing to sue. This case involved TransUnion’s alleged inaccurate reporting of class members as potential threats to America’s national security. Only a subset of the class, however, was the subject of these incorrect reports provided to third parties, and the Court acknowledged only these individuals as having standing to sue.
Continue Reading Recent Federal Court Decisions Creating Uncertainty Around CCPA Standing

Colorado Governor Jared Polis signed the Colorado Privacy Act (CPA) into law on July 7, 2021, making it the third comprehensive state privacy law enacted in the United States. California led with the California Consumer Privacy Act (CCPA), which was recently amended by the California Privacy Rights Act of 2020, and the Virginia Consumer Data

On March 19, 2021, Colorado State Senators Richard Rodriguez (D) and Paul Lundeen (R) introduced Senate Bill 21-190 as part of a bipartisan effort to make Colorado the latest state to implement comprehensive legislation establishing certain consumer data privacy rights. Dubbed “A Bill for an Act Concerning Additional Protection of Data Relating to Personal Privacy,” SB 21-190 largely follows in the footsteps of California’s CCPA, Virginia’s CDPA and the European Union’s GDPR with a stated intent to “empower consumers to protect their privacy and require companies to be responsible custodians of data as they continue to innovate.”
Continue Reading Colorado Joins Ranks of States Introducing Consumer Data Privacy Legislation

On March 15, 2021, the California Attorney General approved additional regulations for the California Consumer Privacy Act (CCPA), which focuses on the right to the right to opt-out of sale, authorized agents, and notices to consumers under 16 years of age.  Specifically, sections 999.306, 999.315, 999.326 and 999.332 were revised and/or added to the CCPA regulations in this final review.  This privacy quick tip highlights the changes that were made.
Continue Reading California Attorney General Approves New Regulations Governing the California Consumer Privacy Act

On March 17, 2021, California officials announced their appointees to the five-member inaugural board of the California Privacy Protection Agency (CPPA). Approved by voters in the November 2020 election cycle, the California Privacy Rights Act (CPRA) called for the creation of the CPPA, an administrative agency tasked with the enforcement of the CPRA and the 2018 California Consumer Privacy Act (CCPA). Below is an overview of the CPPA Board and the appointees who will be leading the agency.
Continue Reading California Officials Announce Board Member Appointees to the California Privacy Protection Agency

A federal court in California recently dismissed a lawsuit brought under the California Consumer Privacy Act (CCPA) against Walmart, concluding that the CCPA did not apply retroactively and that the plaintiff had failed to specify the date of the alleged violation giving rise to his claim. The case—Gardiner v. Walmart Inc.—represents a meaningful hurdle for potential CCPA plaintiffs whose claims are either undated or predate the CCPA’s effective date.
Continue Reading Court Rules that CCPA Does Not Apply Retroactively and Requires Specific Allegations Regarding Date of Violation

On March 2, 2021, Governor Ralph Northam signed into law Virginia’s Consumer Data Protection Act (VCDPA), a comprehensive data privacy law similar to the California Consumer Privacy Act (CCPA). Virginia is now the second state to adopt a comprehensive data privacy law, and many more states are expected to follow suit in the near future. The VCDPA will go into effect on January 1, 2023, the same day that California’s new data privacy law, the California Privacy Rights Act (CPRA), goes into effect. Below is an overview of the key provisions of the VCDPA.
Continue Reading Virginia Joins California in Adopting a Comprehensive Data Privacy Law