As we approach the end of the year, here are the Top 10 Privacy posts on the Debevoise Data Blog in 2023 by page views. If you are not already a Blog subscriber, click here to sign up.
1. California Privacy Protection Agency Begins CCPA Rulemaking for Cybersecurity Audits (September 20, 2023)
In September 2023, staff at the California Privacy Protection Agency (the “Agency” or “CPPA”) put forward Draft Cybersecurity Audit Regulations (“the Draft”) for the CPPA Board’s consideration. While the Agency had not yet begun formal rulemaking at the time of this post, the Draft suggested an ambitious role for the Agency in setting cybersecurity norms for entities covered by the CCPA and echoed requirements found in other recent cybersecurity rulemaking from the FTC and NYDFS. In this post, we outline the primary measures contemplated by the Draft and offer thoughts on how it stacks up against recent rulemaking by the FTC and NYDFS. At the December 8, 2023 board meeting, the CPPA voted to advance the recently updated proposed cybersecurity audit regulations to formal rulemaking. The CPPA also published a summary of changes, as well as a redline to the prior version, of the cybersecurity audit regulations.
2. UK Online Safety Bill Passed – An FAQ (September 26, 2023)
After years of deliberation, the UK passed its long-awaited Online Safety Bill (the “OS Bill”). It imposes content moderation requirements on certain online platforms and service providers to address illegal and harmful content. The OS Bill reflects a recent trend to scrutinize online platforms’ and service providers’ operations, particularly their interaction with children. For example, the UK ICO has made children’s privacy a top enforcement priority and, in April 2023, issued a £127m penalty against TikTok Inc for, inter alia, failing to use children’s personal data lawfully. Similar trends exist in the EU. The Digital Services Act, for example, requires businesses to monitor and regulate illicit materials on their platforms, and regulators, including the Irish DPC, have issued numerous high-profile fines for misuse of children’s personal data.
3. Washington’s Novel Health Data Law: An In-Depth Look (August 2, 2023)
U.S. state privacy continues to be at the forefront of legislative and policymaking activity. Although states continue to pass comprehensive privacy laws in 2023, Washington’s My Health My Data Act (“MHMDA”) deserves closer attention due to its breadth as well as its novel—and potentially onerous—provisions. This post highlights key aspects of the MHMDA with a focus on net-new provisions that organizations should consider as they build out their privacy compliance programs. Entities covered by MHMDA must comply with the law’s obligations and prohibitions by March 31, 2024, and small businesses must comply by June 30, 2024.
4. European Data Protection Roundup
Throughout 2023, we published our European Data Protection Roundup that includes key takeaways on privacy protection laws. Below, we provide an overview of our 2023 data protection roundups that address privacy issues:
December 2022 and January: Cookies; Access rights
February: Enforcement trends; Data access requests
March: Data processing agreements
April: Children’s data protection
May: Third country data transfers; GDPR individuals’ rights
June & July: Data transfers to the U.S.; Web analytics; Privacy enforcement trends
August: Biometric data; Data scraping; Dark patterns
September: UK-US data bridge; Rights under UK GDPR
October: Consent for use of personal data; Employee monitoring
5. California Attorney General’s CCPA Sweep Indicates Focus on HR Data (July 21, 2023)
On July 14, 2023, California Attorney General Rob Bonta announced a California Consumer Privacy Act (“CCPA”) enforcement sweep focused on large California employers’ compliance with the CCPA’s requirements applicable to the personal information of employees and job applicants. This is a clear signal that the Attorney General will not wait to pursue enforcement of these provisions, even though the California Privacy Protection Agency (the “Agency”) has yet to address them in its rulemaking. In this post, we offer a roadmap for compliance for companies with California employees, independent contractors, and applicants to consider as they continue to enhance their existing programs or fully operationalize these changes.
6. The Arrival of 2023 U.S. State Privacy Laws – Part 1: California Update (January 17, 2023)
With the arrival of 2023 came a novel patchwork of privacy requirements arising out of comprehensive state privacy laws that have been adopted (or amended) by legislatures in California, Virginia, Colorado, Connecticut and Utah. Although privacy practitioners have been busy analyzing these laws and assisting clients with compliance efforts, rulemaking in California and Colorado has made this a moving target. In this post, we review the status of the California Privacy Protection Agency’s (“CPPA”) rulemaking for the California Privacy Rights Act (“CPRA”) following a public meeting on December 16. At the meeting, the CPPA revealed an updated timeline for its rulemaking process and when it expects the rules to take effect. On March 29, 2023, the California Office of Administrative Law approved the CPPA’s regulations and filed them with the Secretary of State. The final regulations became effective on March 29, 2023. The CPPA continues to publish announcements here.
7. National Association of Attorneys General’s 2023 Consumer Protection Spring Conference (June 12, 2023)
On May 10–12, 2023, the National Association of Attorneys General (the “NAAG”) held its Spring 2023 Consumer Protection Conference to discuss the intersection of consumer protection issues and technology. During the portion of the conference that was open to the public, panels featuring federal and state regulators, private legal practitioners, and industry experts discussed potential legal liabilities and consumer risks related to artificial intelligence (“AI”), online lending, and targeted advertising. In this Debevoise Update, we recap some of the panels and remarks, which emphasized regulators’ increased scrutiny of the intersection of consumer protection and emerging technologies, focusing on the leading themes from the conference: transparency, fairness, and privacy.
8. Privacy by Design: Insights from the UK ICO’s Product Design Forum (March 8, 2023)
On February 23, 2023, the UK ICO hosted its latest privacy forum in a series aimed at helping product designers and managers incorporate “privacy by design” or “data protection by design and by default” principles into their work. Presenters from a wide range of sectors, including from the ICO, offered practical guidance that may help companies better understand current market practice, the ICO’s expectations, and the direction of forthcoming regulatory guidance.
9. The Arrival of 2023 U.S. State Privacy Laws – Part 2: Colorado Update (February 6, 2023)
On February 1, 2023, the Colorado Attorney General (“COAG”) held a public hearing as part of its rulemaking process for the Colorado Privacy Act (“ColoPA”). Ahead of the hearing, the COAG released its third draft of proposed rules (“proposed rules”) for the ColoPA. Here in Part 2 of our 2023 U.S. State Privacy Laws series, we review key components of the proposed rules and takeaways from the public hearing. Part 1 of this Data Blog series discussed recent developments in the rulemaking for the California Privacy Rights Act. This post addresses the timeline for COAG rulemaking and the current proposed rules. In March 2023, the COAG filed the finalized ColoPA Rules with the Colorado Secretary of State’s Office. The COAG has established a site dedicated to ColoPA resources, including FAQs. Companies subject to ColoPA should review their practices to ensure compliance with ColoPA and its implementing rules, which became effective on July 1, 2023.
10. Debevoise Authors 2023 Edition of the PLI Privacy Law Answer Book (January 23, 2023)
The Data Strategy and Security team at Debevoise & Plimpton LLP has authored the Practising Law Institute’s 2023 edition of the Privacy Law Answer Book, a user-friendly guide to the laws and regulations that govern how companies collect, use, store and transfer the personal information of their consumers and employees. The book is styled as a Q&A so that practitioners can easily find answers to both common and uncommon questions. The book is the result of significant contributions from Debevoise partners, counsels, and associates, and is now available to legal and privacy practitioners.