The California Superior Court in Sacramento decided to give businesses in California an early present for the 4th of July. The regulations promulgated by the California Privacy Protection Agency (“CPPA”) back in March will not be enforceable on July 1, 2023. The new enforcement date will be March 29, 2024.

This is a result of the Court finding that it was the intent of the voters to require a 12-month “grace period” for businesses to build out their CCPA compliance programs. As a bit of background, and as we mentioned in our article back in April, the California Chamber of Commerce (“the Chamber”) filed suit against the CPPA in March of this year seeking a delay in enforcement. The suit argued that the CCPA regulations passed by the CPPA should be enforceable only after 12 months from the final promulgation of all the required regulations set out in Proposition 24, and sought injunctive relief to delay the CPPA’s enforcement. The Chamber lawsuit was filed the day after the CPPA finalized its regulations across 12 of the 15 areas of the CCPA for which rulemaking is required under Proposition 24.

2023 has brought several states into the privacy limelight. On June 18, Governor Abbott signed the Texas Data Privacy and Security Act (“TDPSA”) into law, making the Lone Star state the eleventh in the U.S. to pass a comprehensive data privacy and security law. The Act provides Texas consumers the ability to submit requests to exercise privacy rights, and extends to parents the ability to exercise rights on behalf of their minor children.

The Texas Act provides the usual complement of data subject rights relating to access, corrections, data portability, and to opt out of data being processed for purposes of targeted advertising, the sale of personal information, and profiling where a consumer may be significantly or legally affected. It also requires that covered businesses provide a privacy notice and other disclosures relevant to how they use consumer data.

With the passage of Senate Bill 262, Florida has become the latest state that has woken up to the political capital that a state privacy law can provide. And while we see a lot of the “usual suspects” which populate other state privacy laws (e.g. notice, consumer rights, collection and use restrictions, etc.) – which we have posted on frequently – Florida didn’t just look to privacy with SB 262. It also addressed two other issues which seem to be on the mind of Governor DeSantis – government censorship of online social media platforms, and protection of a minor’s personal information.

On Tuesday, June 13 at 1:00 p.m. Eastern, Seyfarth attorneys Kristine Argentine, John Tomaszewski, and Paul Yovanic will present at the Association of National Advertisers webinar, “Emerging Issues Surrounding Privacy Class Actions and Compliance in 2023.”

The webinar will address the recent surge in consumer class actions, compliance considerations, and recent developments

Tennessee and Montana are now set to be the next two states with “omnibus” privacy legislation. “Omnibus” privacy legislation regulates personal information as a broad category, as opposed to data collected by a particular regulated business or collected for a specific purpose, like health information, financial or payment card information. As far as omnibus laws go, Tennessee and Montana are two additional data points informing the trend we are seeing at the state level regarding privacy and data protection. Fortunately (or unfortunately depending on your point of view) these two states have taken the model which was initiated by Virginia and Colorado instead of following the California model.

Is there Really Anything New?

While these two new laws may seem to be “more of the same”, the Tennessee law contains some new interesting approaches to the regulation of privacy and data protection. While we see the usual set of privacy obligations (notice requirements, rights of access and deletion, restrictions around targeted advertising and online behavioral advertising, et cetera) in both the Tennessee and Montana laws, Tennessee has taken the unusual step of building into its law specific guidance on how to actually develop and deploy a privacy program in the Tennessee Information Protection Act (“TIPA”).

Seyfarth Synopsis:  The Illinois Supreme Court issued its long-awaited decision in McDonald v. Symphony Bronzeville Park, LLC, et al., 2022 IL 126511 (Feb. 3, 2022), holding that claims for statutory damages against an employer under the Illinois Biometric Information Privacy Act (“BIPA”) are not preempted by the exclusivity provisions of the Illinois Workers’ Compensation

Introduction

On June 10, 2021, China officially passed China’s first Data Security Law, which will take effect on September 1, 2021. Following the introduction of the Data Security Law, together with the Cybersecurity Law, which has been implemented since June 1, 2017, and the Personal Information Protection Law, which is undergoing public comment

On April 29, 2021, the national legislator in China released the second draft of the Personal Information Protection Law (“PIPL”) to collect public comments until May 28, 2021. The updated draft substantially follows the framework of the first draft, which marks China’s comprehensive system for the protection of personal information, sets forth general rules for the processing and transferring of personal information across China’s borders, and echoes certain mechanisms under the EU’s General Data Protection Regulation (“GDPR”), including application of extraterritorial jurisdiction, with which China would use long-arm jurisdiction to regulate the concerned entities across borders. This approach reflects China’s position that privacy law is an important component of China’s long term strategy on the international stage. In fact, the PIPL expressly contemplates China’s engagement with other jurisdictions (at both the country and regional levels) to try to create “interoperability” with these other privacy systems. Below we summarize key terms of the updated draft PIPL.

In a long-awaited decision, the European Commission (“Commission”) adopted two new sets of standard contractual clauses (“SCCs”) to reflect the EU’s General Data Protection Regulation (“EU GDPR”) and ‘the realities faced by modern business’ (see the Commission’s press release). These replace the current SCCs that were adopted over 10 years ago under the now-repealed Data Protection Directive. The EU’s Commissioner for Justice, Didier Reynders, cited the SCCs as providing companies with ‘more safety and legal certainty’ and as being ‘user friendly tools’.

It is important to note that the new set of SCCs is significantly different than the previous set. For example, instead of focusing on the status of the parties as “controller” or “processor”, the new SCCs focus on the location of the parties, regardless of status. This is a significant departure from the prior form.

Seyfarth Synopsis: Both Portland and New York City have followed the example set by Illinois’ Biometric Information Privacy Act (“BIPA”), a statute that has spawned thousands of cookie-cutter class action suits regarding the alleged collection of biometric information. Like BIPA, these new ordinances create a private right of action for individuals that could subject local businesses to potentially millions of dollars in liability. Businesses in these cities should carefully review these new ordinances as well as any technology they may be using that has the potential to collect biometric information.