In California Privacy Protection Agency et al. v. The Superior Court of Sacramento County (case number C099130), the Third Appellate District of the California Court of Appeal returned authority to the California Privacy Protection Agency (CPPA) to enforce the regulations promulgated under California’s groundbreaking consumer data privacy law, the California Consumer Privacy Act (CCPA, as amended by the California Privacy Rights Act (CPRA)). 

The California Chamber of Commerce had challenged the CPPA’s timeline for enforcing its newly finalized regulations, arguing that the agency had missed statutory deadlines, which, in their view, should delay the enforcement start date a full year after their promulgation—to March 29, 2024. The regulations in question, which address aspects such as privacy notice requirements and the handling of browser signals for opt-out requests, are part of the broader framework established by the CCPA. The lower court agreed and temporarily stripped the CPPA of its enforcement capabilities.

The appellate court overturned that decision. The court found no explicit mandate in the law that would necessitate delaying enforcement until a year after the finalization of the regulations, as the Chamber had contended. Consequently, the CPPA can now immediately begin enforcing the regulations finalized last March without the previously imposed delay.

Continue Reading California Appeals Court Empowers Privacy Agency to Immediately Enforce CCPA Regulations

The California Privacy Protection Agency (CPPA) released its draft regulatory framework for automated decision-making technology (ADMT) on November 27. These regulations are a preview of what new requirements may look like for companies currently regulated by the California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act of 2020 (collectively, the “CCPA”).

The proposed regulations generally require comprehensive disclosures and opt-out provisions for California consumers and employees regarding the use of ADMT.

Continue Reading California Proposes New AI & Automated Decision-Making Technology Regulations

In today’s rapidly changing technological landscape, artificial intelligence (AI) is making headlines and being discussed constantly. To be sure, AI provides a powerful tool to nonprofits in creating content and exploiting it for countless cost-effective purposes. As nonprofit executives, you may wonder how AI intersects with intellectual property and data privacy law and how it could affect your organization. While the full extent of the implications will only be fully understood after some history with the use of AI, some of the issues are already predictable.

For more information:

  1. Read the article “Nonprofits’ Use of Artificial Intelligence Systems: Intellectual Property and Data Privacy Concerns” here.
  2. Listen to the EO Radio Show podcast “Nonprofit Data and Artificial Intelligence” here.

Shortly before the California Privacy Right Act (CPRA) modifications to the California Consumer Privacy Act (CCPA) were set to become enforceable on July 1, 2023, a Sacramento Superior Court judge issued a ruling on June 30, 2023 pushing enforcement of CPRA regulations from July 1, 2023 to March 29, 2024. Continue Reading Enforcement of CPRA Regulations Delayed

ChatGPT got the early press, and every day we learn of new generative artificial intelligence products that can create new and creative visual and text responses to human input. Following on ChatGPT’s fame, Google’s Bard and Microsoft’s Bing are now grabbing some of the spotlight, but these are merely a few of the hundreds if not thousands of generative artificial intelligence products currently available or in development—there is no question that generative AI is here to stay. Indeed, social media and other platform companies—TikTok (using AI to create or add effects to images), Instacart (to create shopping lists and answer food questions), and Shopify (to generate product descriptions), to name a few—are already integrating AI into their services.

Among all the questions begged by this innovative technology are some critical issues concerning privacy. While only time will tell the extent of the privacy issues, some of the concerns are already clear. Continue Reading I Always Feel Like AI Is Watching Me: Artificial Intelligence and Privacy

It was my pleasure to join Farella exempt organizations partner and host of the EO Radio Show podcast, Cynthia Rowland, for a discussion on privacy laws and how they affect information collection and online activities by nonprofits.

We begin our conversation with some basic background on when a nonprofit needs a privacy policy on its website and how to think about what should be posted on the website, and where.

The current privacy requirements in California do not currently apply to most nonprofit organizations. But there are a number of reasons a nonprofit might want to think about collecting and protecting the data as if it were subject to such privacy requirements. Continue Reading Privacy Policy Best Practices for Nonprofits

Shortly before Privacy Day, California Attorney General (Cal AG) Rob Bonta announced a California Consumer Privacy Act (CCPA) enforcement sweep that targeted mobile applications.

The sweep focused on popular apps in the retail, travel, and food service industries, which allegedly failed to comply with consumer opt-out requests. The sweep also included businesses that failed to comply with requests submitted by consumers’ authorized agents, including those sent by Permission Slip, a mobile app that allows consumers to send opt-out and deletion requests on the consumer’s behalf. Continue Reading California Attorney General Announces Enforcement Sweep of Mobile Applications

The FTC recently issued a proposed order that would settle an enforcement action against Drizly, LLC and its co-founder and CEO, James Rellas, arising from data breaches in 2018 and 2020 that affected over 2.5 million customers. The FTC’s proposed order is unusual in that applies to Rellas personally. The order requires Rellas to implement various data security practices at any company he owns or oversees in the next decade, even if Rellas moves to a company unrelated to Drizly.

Let’s take a look at the data security breaches that led to the FTC’s enforcement action and some of the key takeaways that result from the FTC’s unusual proposed order. Continue Reading Cybersecurity Regulation: Key Takeaways From an Unusual FTC Order That Will Follow CEO for a Decade

Governor Newsom recently signed into law AB 2273, the California Age-Appropriate Design Code Act (CA AADCA), making California the first state to pass broad privacy protections for children.

The CA AADCA is modeled after the UK’s Age-Appropriate Design Code (UK AADCA) which came into effect last year. While the two acts are not identical, businesses that conformed to the UK AADCA will see many similarities with the CA AADCA. Both laws seek to provide higher default privacy protections for children and set forth various requirements for covered businesses. Continue Reading California Passes Landmark Privacy Protections for Children With Big Implications for Online Providers

On October 5, 2022, after a monthlong jury trial, former Uber Chief Information Security Officer Joseph Sullivan was found guilty of obstructing proceedings of the Federal Trade Commission (FTC) and misprision of a felony related to failure to disclose two data breaches in 2014 and 2016. Sullivan remains on bond pending his sentencing, where he faces a maximum sentence of five years for the obstruction charge and three years for the misprision charge.

Sullivan was hired by Uber in 2015 and handled the company’s response to the FTC regarding the 2014 breach. Sullivan supervised Uber’s responses to the FTC, testified under oath to the committee regarding the company’s data protections, and supported a preliminary settlement entered into by Uber and the FTC in the summer of 2016.

However, shortly after Sullivan’s testimony in 2016, Uber fell victim to another cyber-attack. Continue Reading Uber’s Former Chief Security Officer Found Guilty of Obstruction for Coverup of Data Breaches