California Privacy Law
The California Consumer Privacy Act went into effect in 2020 and was recently amended by the California Privacy Rights Act, which entered into force January 1. Additional targeted privacy legislation was passed by the state legislature in 2022, including the California Age-Appropriate Design Code Act. “California Privacy Law,” now in its newly updated fifth edition, provides businesses, attorneys, privacy officers and other professionals with practical guidance and in-depth information to navigate the state’s strict policies.
New in the Fifth Edition:
- A practical roadmap for compliance with the California Consumer Privacy Act (CCPA and CPRA) and regulations effective January 1, 2023
- Detailed interpretive guidance on new and existing federal and California laws, including California’s new Genetic Information Privacy Act and Age-Appropriate Design Code Act and myriad other statutes
- Insights from major federal and California cases, regulatory actions and settlements as of November 2022
- Updates on vendor contracting, privacy policy disclosures and risk mitigation measures
Comprehensive Privacy Laws Take Force in California, Virginia
The California Privacy Rights Act and the Virginia Consumer Data Protection Act took force January 1. The CPRA amends the existing California Consumer Privacy Act and hands enforcement powers to the California Privacy Protection Agency. Final CPRA regulations are pending final approval ahead of July 1 enforcement. Virginia’s law incorporates concepts from the CPRA, while other provisions carry their own nuances. The Virginia General Assembly used the 2022 legislative session to pass amendments to the law before it took effect.
Belarus Implements Cross-Border Transfer Rules
The director of Belarus’ National Center for Personal Data Protection signed an order implementing rules for the cross-border transfer of personal data. The order includes member states of the Eurasian Economic Union and defines allowable cases of cross-border data transfers, including transfers by state bodies and other organizations. The DPA said this will solve “issues related to the cross-border transfer by employers of personal data of their employees in cases necessary for the implementation of their labor functions.”
Attorney General Drops Revised Colorado Privacy Act Draft Rules
According to Husch Blackwell’s “Byte Back,” the Colorado attorney general’s office released revisions to the Colorado Privacy Act draft rules. The updated rules build off the first draft, published in September 2022, and reflect comments from three stakeholder sessions held in November 2022. Modifications include changes to provisions concerning privacy notices, consent, and data protection assessments. Tweaks were also made to language around universal opt-out mechanisms and dark patterns. The latest draft is under public comment through Feb. 1.
US State Privacy Developments
A summary from the IAPP covers recent state privacy developments:
- State Sen. Liz Brown reintroduced Senate Bill 5 to the Indiana Senate. Brown’s bill passed the Senate and two readings in the House during the 2022 legislative session. The bill is modeled after Virginia’s comprehensive privacy law. This year’s bill was assigned to the Senate Committee on Commerce and Technology.
- Maryland House Bill 33 concerning biometric privacy was reintroduced. The bill passed the Maryland House in 2022 before stalling in the Senate.
- State Sen. Angela Turner-Ford reintroduced Senate Bill 2080, the Mississippi Consumer Data Privacy Act. The bill was not acted upon after its 2022 introduction.
- Oregon’s comprehensive privacy bill, Senate Bill 619, was introduced and awaits committee referral from the Senate president. The Oregon attorney general’s office drafted the bill, which is the product of a working group established during fall of 2022.
- Oregon Senate Bill 196, the Oregon Age-Appropriate Design Code, was also introduced. The bill is modeled after the California Age-Appropriate Design Code Act passed in August 2022.
- The Virginia House and Senate each introduced companion amendments to the state’s Consumer Data Protection Act. House Bill 1688 and Senate Bill 1026 propose updates to children’s privacy provisions in the comprehensive statute, notably raising the coverage to children age 18 and under.
- Mississippi House Bill 467, the Biometric Identifiers Privacy Act, was introduced and referred to the Committee on the Judiciary A.
- New York Assembly Bill 1362, the Biometric Privacy Act, was introduced and referred to the Committee on Consumer Affairs and Protection.
- State Rep. Andrew Stoddard introduced an amendment to the Utah Consumer Privacy Act. House Bill 158 amends Utah’s law to include a carveout for law enforcement’s access to personal data with a warrant.
- The Virginia Senate took up bills to amend the Virginia Consumer Data Protection Act. Senate Bill 1087 proposes provisions to protect genetic data privacy, while SB 1432 concerns protection of personal health records.
- State Del. Wayne Clark introduced House Bill 2460, an act concerning children’s privacy, to the West Virginia House. The bill, which would bring privacy protections for children under 18, was referred to the House Committee on the Judiciary.
- Two comprehensive privacy bills were introduced to the Hawaii Senate. Senate Bill 974 and SB 1110 passed their first readings on the Senate floor and await committee referrals.
- A subcommittee of the Iowa House Committee on Economic Growth and Technology passed Iowa House Study Bill 12, an act relating to consumer data protection, to the full committee on a 3-0 vote.
- The Massachusetts Legislature will consider two comprehensive privacy bills in addition to Senate Bill 745. Senate Bill 1971, the Massachusetts Information Privacy and Security Act, and House Bill 3245, Internet Bill of Rights, both take aspects from the EU General Data Protection Regulation.
EDPB Releases Binding Decisions on Meta’s Legal Basis for Personalized Ads
The European Data Protection Board released its binding decisions on the legal basis used by Meta’s Facebook and Instagram for processing data for personalized advertising. The decisions were adopted under the EU General Data Protection Regulation’s Article 65 following two dispute resolution procedures triggered by Ireland’s Data Protection Commission. EDPB Chair Andrea Jelinek said the decisions “clarify that Meta unlawfully processed personal data for behavioral advertising,” adding the decisions “may also have an important impact on other platforms that have behavioral ads at the center of their business model.”
Canada Could See Federal and Provincial Privacy Bills Advanced in 2023
Canada is poised to potentially pass several major private sector privacy law reforms on both the federal and provincial levels, Dentons Canada Privacy and Cybersecurity National Practice Leader Chantal Bernier writes. She said the provinces of British Columbia and Quebec could implement EU General Data Protection Regulation-level fines and improved privacy rights for individuals. Federally, the omnibus C-27, containing the Consumer Privacy Protection Act, the Personal Information and Data Protection Tribunal Act and the Artificial Intelligence and Data Act, will be brought before Parliament again after being introduced last year.
Czech Republic DPA Publishes Plan for 2023
The Czech Republic’s data protection authority published its action plan for 2023. The DPA said it will focus on the “processing of personal data in attendance systems, when using social networks, in large-scale camera systems and on large processors or bailiffs.” It will also inspect select police information systems and focus on the field of telemarketing with cooperation from the Czech Telecommunications Office.
NIST Explores Potential Updates to Cybersecurity Framework
The U.S. National Institute of Standards and Technology has begun considering revisions to its Cybersecurity Framework 2.0. The agency published a concept paper outlining the first proposed updates since 2018, including modernized cybersecurity best practices, sector-specific requirements, and cybersecurity governance. NIST said it is looking at “making more substantial changes than in the previous update” to reflect “the evolving cybersecurity landscape.” The concept paper is up for public comment through March 3.
NIST Launches AI Risk Management Framework
The U.S. National Institute of Standards and Technology published its Artificial Intelligence Risk Management Framework. NIST said the voluntary framework aims to help the private and public sectors “adapt to the AI landscape as technologies continue to develop and to be used by organizations in varying degrees and capacities.” U.S. Department of Commerce Deputy Secretary Don Graves said the framework “should accelerate AI innovation and growth while advancing rather than restricting or damaging civil rights, civil liberties and equity for all.”
European Council, Parliament Reach Agreement on Access to E-Evidence
The Council of the European Union and the European Parliament reached an agreement on the draft regulation and directive on cross-border access to electronic evidence. The regulation enables judicial authorities to obtain or preserve e-evidence regardless of the data’s location. “With this agreement, we respond to a key request by our judicial authorities. More and more crimes are planned or committed online and our authorities need the tools to prosecute them as they do for crimes offline,” the Swedish Minister of Justice said.