UPDATE: The program, “The Proposed CPRA (California Privacy Rights Act) Regulations: What to look for, deciding whether to comment, and how to prepare,” originally scheduled to take place on Thursday, June 30 has been rescheduled as Chairperson Urban of the CPPA recently indicated that she will provide additional information regarding the timeline for public comment

The CCPA’s (California Consumer Privacy Act) exemption on human resources (HR) and business-to-business (B2B) personal information expires on January 1, 2023 when the CPRA takes effect. Unlike the other new state privacy laws effective in 2023, the CPRA will apply to personal information that a business collects from its employees, job applicants, independent contractors and

Many modern data privacy statutes rely heavily on regulatory enforcement. The amount of civil penalty that a regulator can see for violations differs between and among the states. It should also be noted, there may be ambiguity within certain states regarding how violations are “counted.” For example, a business might consider the inadvertent selling of

Most modern U.S. data privacy statutes require companies to allow data subjects to opt out of having their personal information used for targeted advertising. As the following chart indicates, the term “targeted advertising” is defined consistently between and among most state statutes with the noticeable exception of the California Consumer Privacy Act (CCPA) and its

Modern state privacy laws have attempted to carve out organizations that process de minimis amounts of personal information, or whose business activities do not monetize data. The specific thresholds used, however, differ between states. The following provides a comparison of the thresholds that each statute creates for organizations that are subject to regulatory compliance obligations:

All modern privacy statutes regulate when personal information can be shared with third parties, whether those third parties are service providers, vendors, contractors, or business partners. Most modern privacy statutes recognize, however, that privacy risks are reduced when the third party is related to the organization from which the data originates. As the following chart

The terms “pseudonymize” and “pseudonymization” are commonly referenced in the data privacy community, but their origins and meaning are not widely understood among American attorneys.  Most American dictionaries do not recognize either term.[1] While they derive from the root word “pseudonym” – which is defined as a “name that someone uses instead of his

Modern data privacy statutes create special rules for activities that involve “selling.” Among other things, most modern U.S. data privacy statutes require companies to allow data subjects to opt out of having their personal information sold. As the following chart indicates, the term “sale” is defined slightly different between and among state statutes, with some

What types of documents, policies, procedures, and protocols should service providers consider putting in place to comply with the CCPA?

The written policies and procedures that service providers put into place to assist in their compliance with the CCPA differ depending upon several factors including the size of the service provider, the quantity of personal