Hello all, and happy Thursday!
On February 9th, the California Privacy Protection Agency (CPPA) made a(nother) surprise announcement. It won its appeal and CPRA enforcement is effective now—not as of March 29, 2024, but as of July 1, 2023.
For those of you who haven’t been following the shifting timeline of CPRA enforcement, here’s a quick (but admittedly complicated) overview.
Most of the CPRA came into force on January 1, 2023. However, only the statutory requirements of the CPRA and the regulatory requirements of the previous California Consumer Privacy Act (CCPA) were enforceable; that is, those requirements defined in the text of the law itself and the regulations developed around the earlier CCPA.
Some issues (like data privacy) are too expansive and complicated to effectively manage with just one fixed set of requirements defined in the text of a law. In these cases, another state or federal authority makes rules that comprise the law’s regulatory requirements. In regard to the CPRA, that authority is the CPPA. This agency has been making additional rules to ensure the CPRA comprehensively and effectively regulates data privacy in California.
Unfortunately, the CPPA was late finalizing its rules and only wrapped them up in March of 2023. The California Chamber of Commerce sued, arguing that enforceability was always meant to kick in a year after rulemaking was finalized, so California courts delayed enforcement to March 29th, 2024. The CPPA filed an appeal at the time.
Again, this refers to the regulatory enforcement of the CPRA, not the statutory enforcement of the CPRA or the regulatory enforcement of the CCPA. That’s why the Sephora enforcement action could take place, even though CPRA enforcement hadn’t fully kicked in. Enforcement of the additional requirements developed by the CPPA had been delayed until March 29th, 2024. Until recently, that is.
We were all geared up for the CPRA to finally be fully enforceable in all respects as of March 29th, but California's Third District Court of Appeal threw us for a loop and granted the CPPA’s appeal. As a result, not only is the CPRA enforceable as of today, but it has been enforceable as of July 1, 2023—the original date when enforcement was meant to kick in.
Okay. That’s a lot of nitty-gritty about the legislative process, lawmaking, and court systems (not to mention a lot of acronyms that start with the letter C).
The big picture is this: The CPRA is in full effect now! The best time to become compliant with California’s privacy law was yesterday; the second best time is today.
Best,
Arlo
P.S. It’s your last chance to register for Osano and KPMG’s webinar on data mapping! If you’ve seen this in time, the webinar is happening TODAY at 1 PM EST. Register on the IAPP’s website here.
California's Third District Court of Appeal has sided with the California Privacy Protection Agency (CPPA) and California Attorney General Rob Bonta in the case of the California Privacy Protection Agency v. Superior Court (California Chamber of Commerce). The court held that the CPPA’s authority to enforce its amended regulations should have been effective on July 1, 2023—rather than be delayed until March 29th, 2024. Today’s decision restores this authority and overturns a lower court decision.
The Federal Trade Commission (FTC) recently released an article warning against businesses surreptitiously changing the terms of their privacy policy so that they are no longer restricted in the ways they can use their customers’ data. In particular, the FTC calls out AI companies, who stand to benefit significantly by maximizing data collection and usage at the expense of user privacy.
A class-action lawsuit claims Temu is excessively collecting and using customer data through "deceptive" and "unscrupulous" practices. The complaint was filed in Illinois by the Hagens Berman law firm on behalf of seven named plaintiffs from Illinois, California, Massachusetts, and Virginia—as well as unnamed others similarly situated. Specifically, the plaintiffs’ lawyers allege that expert reviews of the Temu app found the "app is purposefully and intentionally loaded with tools to execute virulent and dangerous malware and spyware activities on user devices."
Recently, the FCC declared that calls using AI-generated, cloned voices fall under the category of “artificial or prerecorded voice” within the Telephone Consumer Protection Act (TCPA). Thus, callers must obtain prior express consent from the recipient before making a call using an artificial or prerecorded voice.
Danish privacy regulator Datatilsynet has ruled that cities in Denmark need considerably more assurances about privacy to use Google services that may expose children’s data. The agency found that Google uses student data from Chromebooks and Google Workspace for Education “for its own purposes,” which isn’t allowed under European privacy law. Municipalities will need to explain by March 1st how they plan to comply with the order to stop transferring data to Google, and won’t be able to do so at all starting August 1st, which could mean phasing out Chromebooks entirely.
By now, many organizations are familiar with basic compliance activities, like managing consent and subject rights requests. But other activities, like regularly conducting privacy impact assessments, are not as well understood. What are PIAs, and how can you conduct one?
If you’re interested in working at Osano, check out our Careers page! Right now, we’re looking for a Lead Privacy Architect—check out the job description here to see if you’d be a good fit.