As we approach the end of the year, here are the Top 10 Privacy posts on the Debevoise Data Blog in 2023 by page views. If you are not already a Blog subscriber, click here to sign up.


1. California Privacy Protection Agency Begins CCPA Rulemaking for Cybersecurity Audits (September 20, 2023)

In September 2023, staff at the California Privacy Protection Agency (the “Agency” or “CPPA”) put forward Draft Cybersecurity Audit Regulations (“the Draft”) for the CPPA Board’s consideration. While the Agency had not yet begun formal rulemaking at the time of this post, the Draft suggested an ambitious role for the Agency in setting cybersecurity norms for entities covered by the CCPA and echoes requirements found elsewhere in other recent cybersecurity rulemaking from the FTC and NYDFS. In this post, we outline the primary measures contemplated by the Draft and offer thoughts on how it stacks up against recent rulemaking by the FTC and NYDFS. At the December 8, 2023 board meeting, the CPPA voted to advance the recently updated proposed cybersecurity audit regulations to formal rulemaking. The CPPA also published a summary of changes, as well as a redline to the prior version, of the cybersecurity audit regulations.


2. UK Online Safety Bill Passed – An FAQ (September 26, 2023)

After years of deliberation, the UK passed its long-awaited Online Safety Bill (the “OS Bill”). It imposes content moderation requirements on certain online platforms and service providers to address illegal and harmful content. The OS Bill reflects a recent trend to scrutinize online platforms’ and service providers’ operations, particularly their interaction with children. For example, the UK ICO has made children’s privacy a top enforcement priority and, in April 2023, issued a £127m penalty against TikTok Inc for inter alia failing to use children’s personal data lawfully. Similar trends exist in the EU. The Digital Services Act, for example, requires businesses to monitor and regulate illicit materials on their platforms, and regulators, including the Irish DPC, have issued numerous high profile fines for misuse of Children’s personal data.


3. Washington’s Novel Health Data Law: An In-Depth Look (August 2, 2023)

U.S. state privacy continues to be at the forefront of legislative and policymaking activity. Although states continue to pass comprehensive privacy laws in 2023, Washington’s My Health My Data Act (“MHMDA”) deserves closer attention due to its breadth as well as its novel—and potentially onerous—provisions. This post highlights key aspects of the MHMDA with a focus on net-new provisions that organizations should consider as they build out their privacy compliance programs. Entities covered by MHMDA must comply with the law’s obligations and prohibitions by March 31, 2024, and small businesses must comply by June 30, 2024.


4. European Data Protection Roundup

Throughout 2023, we published our European Data Protection Roundup that includes key takeaways on privacy protection laws. Below, we provide an overview of our 2023 data protection roundups that address privacy issues:

December 2022 and January: Cookies; Access rights

February: Enforcement trends; Data access requests

March: Data processing agreements

April: Children’s data protection

May: Third country data transfers; GDPR individuals’ rights

June & July: Data transfers to the U.S.; Web analytics; Privacy enforcement trends

August: Biometric data; Data scraping; Dark patterns

September: UK-US data bridge; Rights under UK GDPR

October: Consent for use of personal data; Employee monitoring


5. California Attorney General’s CCPA Sweep Indicates Focus on HR Data (July 21, 2023)

On July 14, 2023, California Attorney General Rob Bonta announced a California Consumer Privacy Act (“CCPA”) enforcement sweep focused on large California employers’ compliance with the CCPA’s requirements applicable to the personal information of employees and job applicants. This is a clear signal that the Attorney General will not wait to pursue enforcement of these provisions, even though the California Privacy Protection Agency (the “Agency”) has yet to address them in its rulemaking. In this post, we offer a roadmap for compliance for companies with California employees, independent contractors, and applicants to consider as they continue to enhance their existing programs or fully operationalize these changes.


6. The Arrival of 2023 U.S. State Privacy Laws – Part 1: California Update (January 17, 2023)

With the arrival of 2023 came a novel patchwork of privacy requirements arising out of comprehensive state privacy laws that have been adopted (or amended) by legislatures in California, Virginia, Colorado, Connecticut and Utah. Although privacy practitioners have been busy analyzing these laws and assisting clients with compliance efforts, rulemaking in California and Colorado has made this a moving target. In this post, we review the status of the California Privacy Protection Agency’s (“CPPA”) rulemaking for the California Privacy Rights Act (“CPRA”) following a public meeting on December 16. At the meeting, the CPPA revealed an updated timeline for its rulemaking process and when it expects the rules to take effect. On March 29, 2023, the California Office of Administrative Law approved the CPPA’s regulations and filed them with the Secretary of State. The final regulations became effective on March 29, 2023. The CPPA continues to publish announcements here.


7. National Association of Attorneys General’s 2023 Consumer Protection Spring Conference (June 12, 2023)

On May 10−12, 2023, the National Association of Attorneys General (the “NAAG”) held its Spring 2023 Consumer Protection Conference to discuss the intersection of consumer protection issues and technology. During the portion of the conference that was open to the public, panels featuring federal and state regulators, private legal practitioners, and industry experts discussed potential legal liabilities and consumer risks related to artificial intelligence (“AI”), online lending, and targeted advertising. In this Debevoise Update, we recap some of the panels and remarks, which emphasized regulators’ increased scrutiny of the intersection of consumer protection and emerging technologies, focusing on the leading themes from the conference: transparency, fairness, and privacy.


8. Privacy by Design: Insights from the UK ICO’s Product Design Forum (March 8, 2023)

On February 23, 2023, the UK ICO hosted its latest privacy forum in a series aimed at helping product designers and managers incorporate “privacy by design” or “data protection by design and by default” principles into their work. Presenters from a wide range of sectors, including from the ICO, offered practical guidance that may help companies better understand current market practice, the ICO’s expectations, and the direction of forthcoming regulatory guidance.


9. The Arrival of 2023 U.S. State Privacy Laws – Part 2: Colorado Update (February 6, 2023)

On February 1, 2023, the Colorado Attorney General (“COAG”) held a public hearing as part of its rulemaking process for the Colorado Privacy Act (“ColoPA”). Ahead of the hearing, the COAG released its third draft of proposed rules (“proposed rules”) for the ColoPA. Here in Part 2 of our 2023 U.S. State Privacy Laws series, we review key components of the proposed rules and takeaways from the public hearing. Part 1 of this Data Blog series discussed recent developments in the rulemaking for the California Privacy Rights Act. This post addresses the timeline for COAG rulemaking and the current proposed rules. In March 2023, the COAG filed the finalized ColoPA Rules with the Colorado Secretary of State’s Office. The COAG has established a site dedicated to ColoPA resources, including FAQs. Companies subject to ColoPA should review their practices to ensure compliance with ColoPA and its implementing rules, which became effective on July 1, 2023.


10. Debevoise Authors 2023 Edition of the PLI Privacy Law Answer Book (January 23, 2023)

The Data Strategy and Security team at Debevoise & Plimpton LLP has authored the Practising Law Institute’s 2023 edition of the Privacy Law Answer Book, a user-friendly guide to the laws and regulations that govern how companies collect, use, store and transfer the personal information of their consumers and employees. The book is styled as a Q&A so that practitioners can easily find answers to both common and uncommon questions. The book is the result of significant contributions from Debevoise partners, counsels, and associates, and is now available to legal and privacy practitioners.

***

To subscribe to the Data Blog, please click here.

Author

Avi Gesser is Co-Chair of the Debevoise Data Strategy & Security Group. His practice focuses on advising major companies on a wide range of cybersecurity, privacy and artificial intelligence matters. He can be reached at agesser@debevoise.com.

Author

Kim T. Le is a corporate counsel and a member of the Debevoise Healthcare & Life Sciences Group. She is also active in the firm’s Data Strategy & Security practice. She can be reached at kle@debevoise.com.

Author

Robert Maddox is International Counsel and a member of Debevoise & Plimpton LLP’s Data Strategy & Security practice and White Collar & Regulatory Defense Group in London. His work focuses on cybersecurity incident preparation and response, data protection and strategy, internal investigations, compliance reviews, and regulatory defense. In 2021, Robert was named to Global Data Review’s “40 Under 40”. He is described as “a rising star” in cyber law by The Legal 500 US (2022). He can be reached at rmaddox@debevoise.com.

Author

Dr. Friedrich Popp is an international counsel in the Frankfurt office and a member of the firm’s Litigation Department. His practice focuses on arbitration, litigation, internal investigations, corporate law, data protection and anti-money laundering. In addition, he is experienced in Mergers & Acquisitions, private equity, banking and capital markets and has published various articles on banking law.

Author

Johanna Skrzypczyk (pronounced “Scrip-zik”) is a counsel in the Data Strategy and Security practice of Debevoise & Plimpton LLP. Her practice focuses on advising AI matters and privacy-oriented work, particularly related to the California Consumer Privacy Act. She can be reached at jnskrzypczyk@debevoise.com.

Author

H Jacqueline Brehmer is a Debevoise litigation associate and a member of the Data Strategy & Security Practice Group. She can be reached at hjbrehmer@debevoise.com.

Author

Aisling Cowell is an associate in the Litigation Department based in the London office. She is a member of the firm’s White Collar & Regulatory Defense Group. She can be reached at acowell@debevoise.com

Author

Fanny Gauthier is an associate in Debevoise's Litigation Department, based in the Paris office. Ms. Gauthier is a member of the firm’s International Dispute Resolution Group, as well as the firm’s Data Strategy & Security practice. Her practice focuses on complex commercial litigation, international arbitration and data protection. She can be reached at fgauthier@debevoise.com.

Author

Martha Hirst is an associate in Debevoise's Litigation Department based in the London office. She is a member of the firm’s White Collar & Regulatory Defense Group, and the Data Strategy & Security practice. She can be reached at mhirst@debevoise.com.

Author

Michael R. Roberts is a senior associate in Debevoise & Plimpton’s global Data Strategy and Security Group and a member of the firm’s Litigation Department. His practice focuses on privacy, cybersecurity, data protection and emerging technology matters. He can be reached at mrroberts@debevoise.com.