- Published Articles
- In the Press
- Press Releases
Sign Up for Alerts
Sign up to receive receive industry-specific emails from our legal team.
Sign Up for Alerts
We provide tailored, industry-specific legal updates to our clients and other friends of the firm.
Areas of Interest
December 6th, 2022
Privacy Considerations for 2023
2023 is around the corner. As a refresher, on January 1, 2023, two new comprehensive privacy laws – the California Privacy Rights Act (“CPRA”) and the Virginia Consumer Data Protection Act (“VCDPA”) – take effect. Although businesses should be well on their way to compliance, we have compiled some last minute tips in this alert for your consideration before the year’s end.
- Address Data Subject Requests. In connection with addressing new disclosure requirements, businesses should ensure they have tools to address new data subject rights. As mentioned above, California has added new rights to correct and opt-out of the sharing of personal information (the California Consumer Privacy Act (“CCPA”), which the CPRA replaces, already included the rights to know, access, delete, and opt-out of the sale of personal information). Virginia now grants its data subjects the rights to: (a) access, correct, and delete their personal data; and (b) opt-out of the processing of personal data for sales, targeted advertising, and certain types of profiling.
- Respond to Preference Signals. Businesses should implement measures to honor Do Not Sell or Share opt-out preference signals, particularly relating to Global Privacy Control (“GPC”). In August, the California AG brought the first public action under CCPA (which we blogged about) against a business for alleged failure to process Do Not Sell requests via GPC. Characterizing GPC as a “game changer,” Attorney General Bonta has left little doubt that GPC compliance is now a requirement under California law.
- Conduct Data Protection Impact Assessments. Business should have a form ready and begin conducting data protection impact assessments as required by Virginia. Taking a page from GDPR, starting in January, Virginia will require controllers to assess their data practices involving certain processing operations. For example, a controller must conduct a data protection impact assessment where personal data is processed for targeted advertising or an activity that creates a “heightened risk of harm” to data subjects.
- Revise Contracts. Businesses should review and update their contracts (including data processing addendums) to ensure they contain language required by CPRA and VCDPA. For purposes of Virginia, a data processing addendum that complies with GDPR may be sufficient, as long as it incorporates personal data subject to Virginia. However, CPRA requires very specific language that differs from both CCPA and Virginia, and likely involves more comprehensive revisions.
- Evaluate Sensitive Personal Information. Businesses should evaluate whether they process any sensitive personal information, which is a new category of data under California and Virginia law. Sensitive personal information includes Social Security Number, precise geolocation, health data, genetic data, and more. Both laws require specific disclosures around sensitive personal information. In addition, under Virginia, processing of sensitive personal data is opt-in, while under California, processing of sensitive personal information is opt-out under certain circumstances.
If you have questions about California or Virginia privacy law, including the CPRA Regs (which we have written about extensively), or any other comprehensive state privacy laws, such as for Colorado, Connecticut, or Utah, please contact Daniel Goldberg at (310) 579-9616 or firstname.lastname@example.org, Maria Nava at (310) 579-9628 or email@example.com, or any other member of the Frankfurt Kurnit Privacy & Data Security Group.
Other Privacy & Data Security Law Alerts
Six Steps to Help Your Team Comply with the New SEC Public Company Cybersecurity Rules
On July 26, 2023, the Securities Exchange Commission (“SEC”) approved final Rules entitled Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure (the “Rules”). The Rules require certain cybersecurity incident disclosures on Form 8-K, generally within 4 business days after the determination that a cybersecurity incident is material. Read more.
August 1 2023
Five Action Items to Help You Prepare for the Wave of Privacy Enforcement Starting July 2023
Mark your calendars - July 2023 is an important month for US privacy enforcement. Read more.
June 21 2023
Washington “My Health My Data” Act Dramatically Alters Health Data Compliance Landscape
Washington State’s My Health My Data Act (“the Act”) introduces a sweeping set of obligations for nearly all entities that do business in the state and that handle “consumer health data,” a broad new class of health-related data separate from that regulated by the federal Health Insurance Portability and Accountability Act (“HIPAA”). Read more.
April 24 2023