Many digital advertising arrangements that companies commonly use may qualify as “selling” or “sharing for cross context behavioral advertising” personal information under the California Consumer Privacy Act in California and laws in a few other US states (Nevada, Virginia, Colorado, Connecticut, Utah). Businesses state in their online privacy disclosures whether they sold or shared personal information in the last 12 months and whether they will sell or share personal information. Businesses that “sell” or “share” personal information, or use or disclose consumers’ sensitive personal information for non-exempt purposes have to treat user-enabled global privacy controls as a valid opt-out request.

Companies around the world have to comply with the Virginia Consumer Data Protection Act (VCDPA) with respect to personal data of consumers in Virginia. With the VCDPA, Virginia follows the California Consumer Privacy Act of 2018, as amended by the California Consumer Rights Act of 2020, but excludes employee and business representative data from its scope.

On 1 January 2023, the California Consumer Privacy Act as revised by the California Privacy Rights Act will take effect fully in the job applicant and employment context.
And with respect to job applicants and personnel, businesses subject to the California Consumer Privacy Act will be required to (i) issue further revised privacy notices, (ii) be ready to respond to data subject requests, (iii) have determined if they sell or share for cross context behavioral advertising personal information about them, and (iv) have determined if they use or disclose sensitive personal information about them outside of specific purposes. If employers sell, share for cross-context behavioral advertising, or use or disclose sensitive personal information outside of limited purposes, numerous additional compliance obligations apply.

Businesses that have implemented measures to comply with the California Consumer Privacy Act of 2018, as amended by the California Consumer Rights Act of 2020 (CCPA) can leverage some of their existing vendor contract terms, website disclosures and data subject rights response processes to satisfy requirements under the Colorado Privacy Act (CPA). However, the CPA, and the recently published proposed CPA Rules, contain certain unique and prescriptive requirements that may warrant taking a CPA-specific approach to compliance. How the finalized CCPA regulations and CPA Rules look will largely dictate whether companies will need to expand or change the scope of their privacy compliance measures to meet the obligations set forth under both California’s and Colorado’s privacy regimes.

Businesses that have implemented compliance measures to comply with the California Consumer Privacy Act of 2018, as amended by the California Consumer Rights Act of 2020 (CCPA) can leverage existing compliance mechanisms designed to comply with the CCPA to satisfy requirements under the Utah Consumer Privacy Act, which will become operative on 31 December 2023.

Businesses that have implemented compliance measures to comply with the California Consumer Privacy Act of 2018, as amended by the California Consumer Rights Act of 2020 (CCPA) can leverage existing vendor contract terms, website disclosures and data subject right processes to satisfy requirements under Nevada’s Revised Statutes Chapter 603A. Most companies will not need to expand the scope of CCPA-focused privacy notices because the Nevada laws are much more narrowly framed. But, companies may find it operationally efficient to broaden the scope of opt-out rights if they engage in data sharing practices that qualify as “selling” of personal information, for example, in the context of digital advertising.

Through The Employer Report blog, our lawyers provide legal updates and practical insights to help clients understand, prepare for and respond to the latest domestic and cross-border Labor and Employment issues affecting US and multinational employers.

The California Privacy Rights Act of 2020 (CPRA) amended the California Consumer Privacy Act of 2018 (CCPA) with most changes taking effect on 1 January 2023 with a twelve-month look-back. Limited exceptions concerning the personal data of employees and business contacts will expire. The new California Privacy Protection Agency (CPPA) has published draft regulations that will, once finalized, expand on the rules in the statute and existing regulations from the California Attorney General.

Through The Employer Report blog, our lawyers provide legal updates and practical insights to help clients understand, prepare for and respond to the latest domestic and cross-border Labor and Employment issues affecting US and multinational employers.

On “Privacy Day” – California Attorney General Rob Bonta announced an investigative sweep targeted at the data collection practices of businesses running consumer loyalty programs in California and issued notices of non-compliance to a number of “major corporations” in the retail, home improvement, travel, and food services industries. Such loyalty programs offered financial incentives to consumers (e.g., discounts, free items, and other rewards) in exchange for their personal information.