Data Dive

The California Consumer Privacy Protection Agency (CPPA) issued draft rulemaking on automated decision-making technologies as part of its implementing regulations under the California Consumer Privacy Act (as revised, CCPA).

In a key move to further expand consumer data rights, California Gov. Gavin Newson signed The Delete Act (S.B. 362) (the Act) into law on October 10, 2023. The Act amends California’s data broker registration law (Cal. Civ. Code 1798.99.80 et. seq) to include new registration requirements and a singular mechanism for consumers to request that data brokers delete their personal information. Below we have outlined key provisions of the Act that data brokers should be aware of.

On October 8, 2023, Gov. Gavin Newsom (D-CA) signed Assembly Bill 947 (AB 947) into law, adding citizenship and immigration status to the California Consumer Privacy Act’s (CCPA) definition of “sensitive personal information.” AB 947 was first introduced in February 2023 but amended in March 2023 to focus on amendments to expand the definition of “sensitive personal information.”

On July 31, 2023, the California Privacy Protection Agency (CPPA) announced an enforcement review of the data privacy practices of connected vehicle (CV) manufacturers and technologies. This marks the first time the state’s new privacy regulator has used its review power under the California Consumer Privacy Act (CCPA) since the implementing CCPA regulations began taking effect in March (see here for more details).

On August 7, 2023, the Commissioner of Data Protection of the Dubai International Financial Centre (the DIFC), a financial free-zone in the United Arab Emirates, issued the first adequacy decision regarding the California Consumer Privacy Act of 2018 (as amended by the California Privacy Rights Act of 2020, the CCPA), recognizing the essential equivalence of the CCPA with the DIFC Data Protection Law (DIFC Law No. 5 of 2020, as amended the DIFC DPL). Importantly, the issuance of the decision helps to facilitate the transfer of data between the DIFC and entities based in California in accordance with the DIFC DPL without requiring such entities to apply additional contractual measures. Furthermore, the Commissioner’s press release expressly notes that the issuance of the adequacy decision may serve as a precedent for the DIFC establishing a similar relationship with other U.S. states. California is now one of 49 countries, jurisdictions or organizations subject to an adequacy decision by the DIFC (the full list can be found here).

In this post, we discuss the Iowa Act Relating to Consumer Data Protection (ICDPA) taking effect on January 1, 2025. Companies should take the time now to understand the Iowa law’s requirements and incorporate them into their existing privacy compliance programs.

On March 15, 2023, the Colorado Attorney General (AG) finalized its set of regulations implementing the Colorado Privacy Act (CPA) – the Colorado Privacy Act Rules (“Colorado Rules”). The Colorado Rules clarify and expand upon the CPA’s requirements (see here for more information about the CPA), and will enter into effect alongside the CPA on July 1, 2023.

On March 30, 2023, the California Privacy Protection Agency (CPPA) announced that the California Office of Administrative Law (OAL) has approved the CPPA’s regulations and filed them with the Secretary of State, completing the rulemaking process.