California Data Privacy Roundup

Article

November 2022

By: Travis P. Brennan

1. The California Privacy Rights Act (CPRA) is nearly upon us, but that’s not all:

- 1/1/2023: California Consumer Privacy Act’s (CCPA) mandatory right to cure expires; CPRA takes effect; the Virginia Consumer Data Protection Act takes effect
- 7/1/2023: CPRA becomes enforceable; the Colorado Privacy Act takes effect; the Connecticut Data Privacy Act takes effect
- 12/31/2023: The Utah Consumer Privacy Act takes effect

2. The new California Privacy Protection Agency (CPPA) was supposed to publish implementing regulations last July. That didn’t happen, but we’re finally getting close to having a first round of regulations. The CPPA recently made changes to its draft regulations, and the CPPA board held meetings on October 28 and 29 to consider modifying and adopting them. The Board authorized Agency staff to prepare and provide notice of additional changes to the draft, and public comments on the latest version of the draft must be submitted by November 21, 2022.

3. The CCPA recently gained admission into the Global Privacy Assembly. In yet another sign that California sets the benchmark for U.S. consumer privacy protection, the CPPA joined the U.S. Federal Trade Commission (FTC) as the second voting member of the Assembly from the United States. The Assembly is a global forum of over 130 data protection and privacy authorities whose goal is to advance privacy by enabling cooperation among privacy authorities across the world. 

4. The FTC recently took action against Drizly and its CEO for security failures. The FTC alleged that Drizly failed to implement basic security measures (while publicly claiming that it had appropriate protections in place), exposing the data of 2.5 million consumers. Without admitting or denying the allegations, Drizly has agreed to a consent order that includes detailed requirements for implementing a comprehensive information security program. The order’s emphasis on the need for data minimization is notable.  

5. The Global Privacy Control is a new technical specification for transmitting universal opt-out signals at the browser level. California’s Attorney General insists that businesses must treat a GPC signal as a “Do Not Sell Or Share My Personal Information” request under the CCPA.