Illinois Supreme Court Clarifies Statute of Limitations for Illinois Biometric Privacy Act Claims: Five Years

Last week, the Illinois Supreme Court held that a five-year statute of limitations applies to all claims under the Illinois Biometric Privacy Act (BIPA), further expanding the already broad scope and application of the Illinois statute.1

(more…)

Regulatory Update: NAIC Summer 2022 National Meeting

The National Association of Insurance Commissioners (NAIC) held its Summer 2022 National Meeting (Summer Meeting) August 9–13, 2022. This post summarizes the highlights from this meeting in addition to interim meetings held in lieu of taking place during the Summer Meeting. Highlights include a proposal for a new consumer privacy protections model law, continued discussion of considerations related to private equity ownership of insurers, continued development of accounting principles and investment limitations related to certain types of bonds and structured securities, and initiatives to address climate risks in the insurance sector.

(more…)

Utah Joins the Comprehensive Privacy Law Club

Utah has become the fourth state, following California, Virginia and Colorado, to enact a comprehensive consumer data privacy law.  The Utah Consumer Privacy Act (“UCPA”), formerly known as Senate Bill 227, passed the Utah Senate and House with no opposition, and was signed by Governor Cox on March 24, 2022.

The UCPA shares many similarities with Virginia’s Consumer Data Protection Act (“VCDPA”) and the Colorado Privacy Act (“CPA”), and some similarities with the California Consumer Privacy Act (“CCPA”) and the California Privacy Rights Act (“CPRA”). That said, the UCPA is somewhat narrower and more business friendly than other state privacy law analogs. The UCPA will go into effect on December 31, 2023. (more…)

California AG’s First Formal CCPA Opinion Directs Businesses to Disclose Internally-Generated Inferences and Expresses Skepticism Around Trade Secret Claims

In its first formal opinion interpreting the California Consumer Privacy Act (the “Opinion”), the California Attorney General (OAG) has expansively interpreted CCPA to mean that inferences created internally by a business, including those based on data that is not included in the definition of personal information, constitute “specific pieces” of personal information “collected by a business” which must be produced to consumers upon request.  The Opinion, which was issued on March 10, 2022 in response to a request for clarification submitted by Assemblyman Kevin Kiley, also addressed arguments that such inferences could constitute trade secrets and signaled the OAG’s unwillingness to accept “blanket assertions” that inferences constitute trade secrets or proprietary information, requiring instead that businesses explain why an inference constitutes a trade secret with greater particularity.  We highlight below some of the more instructive elements of the opinion that provide insight into potential future enforcement. (more…)

California Privacy Agency: CPRA Regs Not Likely Until Late 2022

Final regulations implementing the California Privacy Rights Act (CPRA) may not be issued until Q3 or Q4 2022, as reported by Executive Director Soltani of the California Privacy Protection Agency (“CalPPA”) at its February 17th Board meeting.  This means that businesses subject to CPRA will not have regulatory guidance on how to implement the CPRA until just months, or possibly weeks, before the law goes into effect on January 1, 2023, assuming the regulations are finalized before the effective date.  This is a significant departure from the CPRA’s stated timeline of July 1, 2022 for the adoption of final regulations.  While enforcement under CPRA cannot begin until July 1, 2023, and at that time enforcement can only address violations alleged to have occurred on or after that date, businesses are not well-served by the prospect of implementing the significant regulations required by the CPRA in half the statutorily allotted time. (more…)

CPRA Law + Tech Series

WEBINAR

Sidley Senior Managing Associate Sheri Porath Rockwell (Chair, California Lawyers Association Privacy Law Section) and Stacey Gray, Director of Legislative Research & Analysis at the Future of Privacy Forum, will be leading a multi-session webinar series, CPRA Law + Tech, that focuses on the technologies and data practices at the heart of emerging state privacy legislation, including the California Privacy Rights Act (CPRA). (more…)

NAIC Insurance Data Security Law Annual Certifications: Is Yours Due By February 15?

Most cybersecurity professionals are aware of the New York Department of Financial Service’s requirement imposed on DFS-licensed entities to certify their cybersecurity program’s compliance on an annual basis (by April 15th of each year), but less well known is that numerous other states impose similar requirements on regulated insurance entities and that deadline for many states is coming up on February 15, 2021.

(more…)

California Privacy Law Overhaul – Proposition 24 Passes

The results are in, and California voters have approved the California Privacy Rights Act (CPRA) which was listed on the ballot as Proposition 24.  The law, most of which does not go into effect until January 1, 2023, will substantially overhaul and amend the California Consumer Privacy Act (CCPA) which went into effect just this year, on January 1, 2020, with final regulations issued just a few months ago, on August 14, 2020.  And indeed, CCPA obligations continue to evolve, with proposed amendments to the regulations proposed by the Attorney General’s Office mid-October 2020.

(more…)

CCPA Marches On: California Attorney General Proposes Further Revisions to CCPA Regulations, Industry Pleads for Enforcement Delay Amid COVID-19 Crisis

While the world seems to have ground to a halt in so many ways, time still marches on, and along with it, the California Consumer Privacy Act (“CCPA”) enforcement date (July 1, 2020) inches ever closer.   On March 11, 2020, the California Attorney General (“AG”) released the third turn of proposed California Consumer Privacy Act (“CCPA”) regulations.  The AG’s revisions make only moderate changes to the last round of regulations issued in February 2020.  Businesses will not need to dramatically change compliance plans as the proposed revised regulations seek to refine requirements in prior drafts rather than introduce any wholesale changes to the regulatory framework.  (more…)

CCPA In-Depth Series: Draft Attorney General Regulations on Verification, Children’s Privacy and Non-Discrimination

This post is the third in a three part series taking a deep dive into the five key articles of the Attorney General’s CCPA draft regulations: Article 2 on Notice to Consumers; Article 3 on Business Practices for Handling Consumer Requests; Article 4 on Verification of Requests; Article 5 on Special Rules Regarding Minors; and Article 6 on Non-Discrimination. Today we look at verification, children’s privacy and the non-discrimination provisions. Visit the CCPA Monitor for a collection of all our CCPA insights.

INTRO AND BACKGROUND. In the summer of 2018, the California Legislature drafted and passed the California Consumer Privacy Act (CCPA) in record time. Facing a procedural deadline for a ballot initiative, the Legislature acted with dispatch, as it did not want to add to the State Constitution, with its super-majority amendment requirements, many of the provisions that ultimately found their way into the CCPA. This abbreviated legislative process produced a bill with numerous gaps and anomalies, however. Businesses, consumer advocates, and privacy watchers have thus been eagerly waiting for over a year for the Attorney General to propose the regulations the CCPA requires him to promulgate.

On October 10, 2019, this wait finally ended. As laid out below, the nature and breadth of the Attorney General’s proposed regulations explain why they took so long to produce. Put simply, the proposed regulations are significant and will have substantial implications on businesses’ ongoing efforts to comply with the CCPA with less than three months left to go before the effective date. Indeed, even if they do not resolve all of the Law’s many ambiguities, they do provide helpful implementation guidance – along with surprising new requirements, some of which may questionably extend beyond the CCPA itself.

(more…)