Header graphic for print
HL Chronicle of Data Protection Privacy & Information Security News & Trends

Bret Cohen

Posts by Bret Cohen
Posted in Consumer Privacy

California Privacy Rights Act to Appear on November 2020 Ballot

It’s official. The California Privacy Rights Act has received enough valid signatures to appear on the November 2020 ballot. And if polling from late last year remains accurate, California voters are likely to approve it. If voters approve the initiative, the CPRA would significantly expand the CCPA, establish the California Privacy Protection Agency, remove the CCPA’s cure period, and impose a number of GDPR-styled obligations on businesses, among other requirements. The substantive provisions of the CPRA would take effect January 1, 2023.

Posted in Consumer Privacy

California AG Submits CCPA Regulations for Approval – Requests Expedited Review Ahead of July 1 Enforcement Deadline

On June 1, The California Attorney General submitted the final text of the CCPA regulations to the California Office of Administrative Law for approval. Though regulations submitted to the OAL in June ordinarily would not become effective—if approved—until October 1, the CA AG has requested an expedited review. According to the CA AG, the expedited review would allow the regulations to become effective by July 1, which still is the date his office plans to begin enforcing the CCPA according to a public statement.

Posted in Consumer Privacy

California Privacy Compliance Obligations May Soon Change Under CPRA Ballot Initiative

The California Privacy Rights Act is progressing through California’s elections process for inclusion on the November 2020 ballot. Businesses may want to begin considering how their data privacy obligations in California may change if voters enact CPRA. The CPRA would significantly amend the CCPA. Included in this blog post is a summary of key additions and modifications to the CCPA’s existing obligations.

Posted in Consumer Privacy, News & Events

Second Modified CCPA Draft Regulations Released—Comments Due March 27

On March 11, The California Attorney General released a second set of modifications to the proposed regulations implementing the California Consumer Privacy Act. These modifications update the initial draft regulations published on October 11, 2019 as well as the first set of modified draft regulations published on February 10, 2020. The second set of modifications contain a small number of impactful changes, which we summarize in this post.

Posted in Consumer Privacy

Modified CCPA Regulations Released—Comments Due February 25 (Updated)

On Friday, February 7, 2020, the California Attorney General released notice of changes to the California Consumer Privacy Act draft regulations. Initial draft regulations were published for public comment on October 11, 2019. Public comments on these modified draft CCPA regulations will be accepted by the CA AG until Monday, February 24, 2020, at 5 pm PST.

Posted in Consumer Privacy

California’s Data Broker Registration Deadline Looming

Alongside its flurry of CCPA amendments last term, the California legislature passed Assembly Bill 1202, the nation’s second “data broker” registration law. AB 1202 requires “data brokers” to register with and pay an annual fee to the California Attorney General. AB 1202 uses the CCPA’s definitions for key terms, so even businesses that are not traditional data brokers may need to register.

Posted in Consumer Privacy

Washington State to Try Again for a Comprehensive Privacy Law

Washington State is already shaping up as a center of state privacy legislation for 2020. Last year, SB 5376 gained significant traction in the legislature, passing the state Senate almost unanimously but ultimately failing in the House due to discussions around facial recognition and compliance challenges. State Senator Reuven Carlyle, chair of the state’s Senate Energy, Climate & Technology Committee, has now released a revised draft of the WPA for 2020. If enacted as drafted, this new version of the WPA would come into effect on July 31, 2021.

Posted in Consumer Privacy

IAB Soliciting Comments on Draft Compliance Framework for Programmatic Advertising under the CCPA

On October 22, the Interactive Advertising Bureau, a media and marketing industry trade group, released for public comment the California Consumer Privacy Act Compliance Framework for Publishers and Technology Companies and accompanying technical specifications to implement the Framework. The draft Framework is designed to help Framework participants (including publishers and intermediaries) comply with the California Consumer Privacy Act by: (1) establishing a digital signal that Framework participants can use to communicate consumer requests to opt out of “sales” of personal information associated with digital advertising; and (2) supporting that signal with a standard contract designed to create service provider relationships between publishers and advertising companies after a consumer registers an opt out. The IAB is requesting comments, which can be sent to privacy@iab.com, by November 5, 2019.

Posted in Consumer Privacy

California AG Releases Proposed CCPA Regulations

On October 10, California Attorney General Xavier Becerra released proposed regulations to implement certain provisions of the California Consumer Privacy Act. The proposed regulations would create many new requirements. They provide clarifications to businesses and consumers in five key CCPA areas as summarized within this post.

Posted in International/EU Privacy

New Bill Imposing Increased Fines for Violations of Russian Data Protection Laws Under Consideration

On June 13, 2019, a new draft bill imposing multi-million ruble fines for infringing Russian data localization and information security laws—multiplying the maximum penalty under current law by a magnitude of 240—was submitted to the State Duma (the lower chamber of Russian Parliament). This would supplement existing fines, which we reported were previously increased in 2017.

Posted in Consumer Privacy

NIST Seeking Input on AI Technical Standards by May 31, 2019

On May 1, 2019, the National Institute of Standards and Technology (NIST) announced a Request for Information (RFI) in the Federal Register regarding ongoing efforts to develop technical standards for artificial intelligence (AI) technologies and the identification of priority areas for federal involvement in AI standards-related activities. Responses to the RFI are due by May 31, 2019.

Posted in Consumer Privacy

Beyond FERPA: The California Consumer Privacy Act’s New Rules for Privacy in the Education Sector

In June of 2018, California passed the California Consumer Privacy Act, which seeks to give consumers additional safeguards regarding their personal information. The CCPA will become effective January of 2020 and may impact companies in the education sector, including the larger education technology companies. While the CCPA does not apply to nonprofit educational institutions, it may apply to certain for-profit educational institutions, third-party service providers, and others in the education space. If an educational entity meets the threshold requirements below or it processes information on behalf of such an entity, it should prepare for CCPA implementation by January 2020.

Posted in International/EU Privacy

Action Required: Privacy Shield Participants Must Update Privacy Policies for Brexit

With the deadline for a no-deal Brexit looming—the UK’s exit date from the European Union is now slated for April 12—companies certified to the EU-U.S. Privacy Shield should update their Privacy Shield privacy policies if they have not done so already to ensure that they are able to lawfully receive personal data from the UK post-Brexit.

Posted in Consumer Privacy

California Consumer Privacy Act: The Challenge Ahead – The CCPA’s “Reasonable” Security Requirement

Much of the focus on the California Consumer Protection Act (“CCPA”) has been on the new rights that it affords California consumers, including the rights to access, delete, and opt out of the sale of their personal information. But arguably the greatest risk to covered businesses involves data security, as the CCPA creates for the first time a private right of action with substantial statutory penalties for breaches involving California consumers’ personal information. This installment of the Hogan Lovells’ CCPA series explains the CCPA’s security requirement and consequences for non-compliance, and describes security controls that most organizations can implement to mitigate this risk.

Posted in Consumer Privacy

California DoJ Sets March 8 Deadline for CCPA Pre-Rulemaking Comments

The California Department of Justice has announced a March 8, 2019 deadline for submitting written pre-rulemaking comments on the California Consumer Privacy Act (CCPA). The March 8 deadline is an extension from the previously set end-of-February deadline. Pursuant to section 1798.185(a) of the CCPA, the California Attorney General (AG) is obligated to solicit broad public participation and adopt regulations to further the purposes of the CCPA. The CCPA sets out seven specific areas for AG rulemaking.

Posted in Consumer Privacy

FTC Release Staff Recap of Informational Injury Workshop

The Federal Trade Commission (FTC) recently published a paper recapping its December 2017 Informational Injury Workshop.  Workshop participants, including academics, industry experts, consumer advocates, and government researchers, discussed what types of consumer harm might qualify as “substantial injury” under the FTC Act and what factors should be considered.  The paper noted that several important points emerged from the workshop.

Posted in Consumer Privacy

FTC’s Privacy Shield Enforcement Actions Show Broader Enforcement Lens

On September 27, the Federal Trade Commission (FTC) announced proposed settlement agreements with four companies it alleges violated Section 5 of the FTC Act by misrepresenting their certification status and compliance with the EU-U.S. Privacy Shield. This latest set of enforcement actions brings the FTC’s Privacy Shield related enforcement to settlements with eight defendants since the framework was adopted in July 2016 and it also introduced a couple of new FTC models of Privacy Shield enforcement.

Posted in Cybersecurity & Data Breaches

New Obligations Under the NYDFS Cybersecurity Regulation Came Online in September

The New York State Department of Financial Services (NYDFS) Cybersecurity Regulation came into effect March 1, 2017. Various provisions under the regulations have been implemented on a staggered implementation timeline since that date. As of September 4, 2018, covered entities are required to be in compliance with additional requirements. As you finalize your organization’s preparations for compliance, we have highlighted key aspects of these obligations that came into effect in September.

Posted in Consumer Privacy

California Consumer Privacy Act: The Challenge Ahead – A Comparison of 10 Key Aspects of The GDPR and The CCPA

As the most comprehensive privacy law to be enacted in the United States thus far, the California Consumer Privacy Act (CCPA) has inevitably invited comparisons to the European Union’s General Data Protection Regulation (GDPR). At first glance, it is clear that the drafters of the CCPA (and the ballot measure that spurred its passage) drew inspiration from the GDPR. However, the CCPA is not a carbon copy of the GDPR, and a GDPR compliance program will not automatically meet the requirements of the CCPA. As businesses begin their CCPA compliance efforts, awareness of these laws’ similarities and differences will be key to creating efficient and effective compliance programs that capitalize on prior GDPR compliance work but also address the unique nuances of the CCPA.

Posted in Consumer Privacy

National Science Foundation Seeks Comments on Artificial Intelligence, Continuing Policy Makers’ Focus on AI

The National Science Foundation is seeking public comment on US policy for artificial intelligence, according to the Federal Register Notice of Request for Information (RFI) filed in September 26, 2018.  Specifically, the RFI requests input from the public as to whether the National Artificial Intelligence Research and Development Strategic Plan (AI Strategic Plan) should be updated or improved.  Comments to the RFI are due to the National Science Foundation by October 26, 2018.

Posted in Consumer Privacy

NTIA Seeks Comment on New, Outcome-Based Privacy Approach

The U.S. Department of Commerce’s National Telecommunications and Information Administration (NTIA) issued a Request for Comments (RFC) on a new consumer privacy approach that is designed to focus on outcomes instead of prescriptive mandates. The RFC presents an important opportunity for organizations to provide legal and policy input to the administration, and comments are due October 26.

Posted in Consumer Privacy

Now Available: California Consumer Privacy Act: What you need to know now webinar recording and slides

On July 24, members of the Hogan Lovells global privacy team presented a webinar on the new California Consumer Privacy Act, a ground-breaking new data privacy law that some are calling the United States’ answer to the European Union’s General Data Protection Regulation. In this post, we provide links to the recorded webinar and slide deck.

Posted in News & Events

Webinar Invitation — California Consumer Privacy Act: What You Need to Know Now

On June 28, 2018, California’s governor signed Assembly Bill 375, a ground-breaking new data privacy law that some are calling the United States’ answer to the European Union’s General Data Protection Regulation. Particularly in light of California’s status as the world’s 5th largest economy, many are wondering how the new California Consumer Privacy Act will affect them. Please join members of the Hogan Lovells global privacy team for a live webinar on July 24 to learn what you should be focusing on now.

Posted in International/EU Privacy

Russia Partially Releases 2018 Data Privacy Inspection Plans

Two weeks ago, certain territorial divisions of the Russian Data Protection Authority, Roskomnadzor, published their 2018 plans for conducting inspections of local companies’ compliance with Russian data privacy requirements, including with Russia’s data localization requirement. The inspection plans contain a number of prominent multi-national and Russian companies.