California Consumer Privacy Act

The California Attorney General’s investigative sweep is a potential harbinger of increased focus on employers’ data privacy compliance with respect to employee data.

By Robert Blamires, Michael H. Rubin, Joseph C. Hansen, and Kathryn Parsons-Reponte

On July 14, 2023, the California Attorney General announced an investigative sweep targeting large California employers, focusing on employers’ compliance with the California Consumer Privacy Act’s (CCPA’s) recently expanded coverage of employees and job candidates. The announcement follows the expiration of a prior exemption for personnel and business to business (B2B) data under the CCPA (for more information, see this Latham blog post).

Florida’s law introduces novel provisions that depart from existing US state privacy laws, which businesses will need to carefully consider.

By Jennifer C. Archie, Clayton Northouse, Joseph C. Hansen, and Austin L. Anderson

Key Takeaways:

  • On June 7, 2023, Florida’s governor signed the Digital Bill of Rights into law, set to go into effect on July 1, 2024.
  • Unique to Florida, the law mainly targets very large enterprises, adopting a revenue threshold of at least $1 billion gross annual revenue for many of its requirements, and regulating companies engaged in specific enumerated digital lines of business.
  • The law also imposes obligations on all for-profit businesses (regardless of revenue threshold) that do business in the state and “sell” the sensitive personal data of Florida consumers.
  • Many of the law’s requirements are modeled off of Virginia’s privacy law, but covered businesses will need to pay special attention to unique requirements around consumer rights, privacy policy disclosures, and restrictions on data obtained from consumers under the age of 18.
  • The Florida Attorney General has exclusive enforcement authority, and penalties can reach up to $150,000 for certain violations, including failure to correct or delete a consumer’s personal data.
  • Favorably, the law provides a discretionary 45-day right to cure.

Iowa’s new data privacy law, which will come into force in 2025, adds to an increasingly complex patchwork of state laws.

By Robert Blamires, Clay Northouse, Michael Rubin, Robert Brown, Joseph Hansen, and Zac Alpert

On March 28, 2023, Iowa became the sixth US state to pass a comprehensive privacy law. The Iowa data privacy law (SF 262) (Iowa Privacy Law) was passed unanimously by the state House and Senate, and signed by Governor Kim Reynolds.

The Iowa Privacy Law imposes requirements similar to those already required by other state privacy laws—most notably, Utah. The key task for companies subject to the law will be to ensure that their existing measures cover personal data collected about Iowa residents, for example, by extending their privacy notices, contracts, and user rights mechanisms to include Iowa consumer personal data.

The Act represents an accelerating trend among US states to attempt to pass comprehensive privacy legislation in the wake of the CCPA.

By Jennifer C. Archie, Michael H. Rubin, Marissa R. Boynton, and Alexander L. Stout

On March 2, 2021, Virginia Governor Ralph Northam signed comprehensive state privacy legislation titled the Consumer Data Protection Act (CDPA). Previously, the Virginia Senate unanimously passed the bill on February 5, 2021, and the Virginia House of Delegates followed suit in a special legislative session on February 18, 2021. The law will take effect on January 1, 2023. This post addresses some key provisions.

While still in draft form, the modifications both clarify certain obligations and introduce new uncertainty for businesses covered by the CCPA.

By Jennifer C. Archie, Michael H. Rubin, Robert Blamires, Marissa R. Boynton, and Scott C. Jones

Earlier this month, the California Attorney General released modified draft regulations further clarifying, and in some cases complicating, compliance with the California Consumer Privacy Act. Key developments include narrowing the definition of “personal information,” changing the use limitations on