June 21st, 2023
Five Action Items to Help You Prepare for the Wave of Privacy Enforcement Starting July 2023
Mark your calendars - July 2023 is an important month for US privacy enforcement. On July 1, California’s new privacy law, the California Privacy Rights Act (CPRA), becomes enforceable. That same day, Colorado and Connecticut’s new privacy laws, the Colorado Privacy Act (CPA) and the Connecticut Data Privacy Act (CTDPA), take effect and become enforceable. And, on July 5, New York City’s new automated decision-making law, New York City Local Law 144 (AI Law), becomes enforceable. We’ve identified five key action items to help you prepare for enforcement under these various laws. This list is not comprehensive, and you should speak with a lawyer about your obligations under the law.
1. Review Your CPRA Compliance.
Although we’ve been talking about CPRA compliance for what seems like forever, July 1 is the first day that the California Attorney General and the California Privacy Protection Agency (CPPA) can enforce violations of CPRA. All actions brought to date – whether public, as in this case, or the many that have been prosecuted behind closed doors – have been based on alleged violations of CCPA, the precursor to CPRA. With CPRA enforcement starting, California regulators are no longer required by law to give businesses 30 days to cure alleged violations. That means we can expect public enforcement of CPRA this year. Now is the time to review your CPRA compliance. (For a list of additional CPRA action items, see our prior posts here and here.)
2. Harmonize Colorado and Connecticut Compliance with Prior Virginia Compliance.
Let’s start with some good news. You probably don’t need to start from the bottom with your CPA and CTDPA compliance. These laws share much in common with Virginia’s privacy law, the Virginia Consumer Data Protection Act (VCDPA), which took effect and became enforceable in January. For example, all three laws set out similar disclosures, consumer rights, obligations around sensitive personal data, contractual obligations for controllers and processors, and more. If you already worked toward VCDPA compliance last year or earlier this year, you should be able to build upon that compliance to help address these laws. (If you haven’t worked toward VCDPA compliance, it’s not too late to begin.) We expect harmonization to become increasingly important for businesses as various comprehensive state privacy laws take effect over the next several years, including laws from Indiana, Iowa, Montana, Tennessee, Texas, and Utah.
3. Consider the New Obligations under Colorado and Connecticut.
Now some bad news. Although CPA and CTDPA share much in common with VCDPA, they aren’t the same. For example, CPA and CTDPA both add a requirement that businesses must honor opt-out preference signals. Businesses do have some additional time to address certain requirements – CPA and CTDPA both include a delayed enforcement date for preference signals (until 2024/2025). And there is a 60-day right to cure (through the end of 2024). Nevertheless, we’ve heard that both the Colorado AG and Connecticut AG intend to aggressively enforce their laws, so businesses should aim for compliance by July.
4. Address the Colorado Regulations.
5. Review the Tools You Use to Make Hiring Decisions.
New York City’s AI Law is one of the first laws in the US to regulate AI and automated decision-making. Under the AI Law, any business that uses “automated employment decision tools” in screening candidates for hiring or promotion within New York City must provide notice to the candidates and conduct a bias audit prior to using those tools. Audit requirements are set out in the law and the published regulations. The law establishes civil penalties of at least $500 and no more than $1500 per violation, enforceable by New York City’s corporation counsel, the New York City Division of Human Rights, or through a private right of action. Businesses should carefully review the tools they use, and associated contracts and data flows, for compliance with the AI Law. Given the recent buzz around AI and automated decision-making, we expect many AI and automated decision-making laws to follow in the coming months. For example, California regulators have already indicated that the next set of CPRA regulations will include obligations around automated decision-making.
If you have questions about privacy law, harmonizing your data practices, or automated decision-making, please contact Daniel M. Goldberg at (310) 579-9616 or email@example.com, Rick Borden at (212) 705-4884 or firstname.lastname@example.org, or any other member of the Frankfurt Kurnit Privacy & Data Security Group.