Companies around the world should start preparing for the Iowa Consumer Data Protection Act with respect to personal data of consumers in Iowa. With the Iowa Act, Iowa follows the California Consumer Privacy Act of 2018, as amended by the California Consumer Rights Act of 2020, but excludes consumers acting in a commercial or employment context. Businesses that have implemented measures to comply with the CCPA and other US state privacy laws can leverage some of their existing vendor contract terms, website disclosures and data subject rights response processes to satisfy requirements under the Iowa Act. The Iowa Act becomes effective January 1, 2025 and does not include a look-back period for violations.

If you sell goods and services to consumers through automatically renewing payment plans, free or discounted trials that convert into full plans, or other “negative option features” that interpret a consumer’s silence as permission to keep charging them, you should monitor and consider submitting comments on the Federal Trade Commission’s proposed Negative Option Rule. The proposed rule would impose detailed transparency, consent, simple cancellation and annual reminder requirements on companies that use any medium to offer recurring subscriptions for products or services, and allow the FTC to seek civil penalties of over USD 50,000 per violation and consumer redress for violations.

US laws have traditionally given online services significant leeway to moderate user-generated content however they see fit. In particular, there is a long history of US courts relying on Section 230 of the Communications Decency Act (CDA 230) to reject a wide range of claims seeking to hold online services providers liable for hosting, displaying, removing or blocking third-party content, including under contract, defamation, tort and civil rights laws. CDA 230 does not protect online services providers from all claims related to third-party content. For example, there are statutory exceptions for IP infringements and criminal violations. But many commentators credit CDA 230 as one of the most important laws in the development of the internet by allowing online services providers to focus on growing their user base without having to discharge unduly burdensome duties to continuously review, assess and moderate user-generated content.

In brief Finalized regulations under the amended California Consumer Privacy Act (“CCPA”) are one step closer to becoming a reality. On February 3, 2023, the California Privacy Protection Agency (the “Agency”) voted to submit its proposed regulations to the Office of Administrative Law, which is one of the last steps before the…

Through The Employer Report blog, our lawyers provide legal updates and practical insights to help clients understand, prepare for and respond to the latest domestic and cross-border Labor and Employment issues affecting US and multinational employers.

Having to click through a gauntlet of screens to cancel recurring subscriptions. Being told you are foolish if you decline a service. Discovering you were charged extra fees that were not clearly brought to your attention earlier. Finding it hard or confusing to configure your privacy settings to high. These and similar experiences arise when you encounter “dark patterns”, a term that US authorities are increasingly using to refer to interface design strategies that manipulate users into making choices they likely wouldn’t have otherwise made and that may cause harm.

Companies around the world have to comply with the Virginia Consumer Data Protection Act (VCDPA) with respect to personal data of consumers in Virginia. With the VCDPA, Virginia follows the California Consumer Privacy Act of 2018, as amended by the California Consumer Rights Act of 2020, but excludes employee and business representative data from its scope.

On 1 January 2023, the California Consumer Privacy Act as revised by the California Privacy Rights Act will take effect fully in the job applicant and employment context.
And with respect to job applicants and personnel, businesses subject to the California Consumer Privacy Act will be required to (i) issue further revised privacy notices, (ii) be ready to respond to data subject requests, (iii) have determined if they sell or share for cross context behavioral advertising personal information about them, and (iv) have determined if they use or disclose sensitive personal information about them outside of specific purposes. If employers sell, share for cross-context behavioral advertising, or use or disclose sensitive personal information outside of limited purposes, numerous additional compliance obligations apply.

Businesses that have implemented measures to comply with the California Consumer Privacy Act of 2018, as amended by the California Consumer Rights Act of 2020 (CCPA) can leverage some of their existing vendor contract terms, website disclosures and data subject rights response processes to satisfy requirements under the Colorado Privacy Act (CPA). However, the CPA, and the recently published proposed CPA Rules, contain certain unique and prescriptive requirements that may warrant taking a CPA-specific approach to compliance. How the finalized CCPA regulations and CPA Rules look will largely dictate whether companies will need to expand or change the scope of their privacy compliance measures to meet the obligations set forth under both California’s and Colorado’s privacy regimes.

California recently enacted the California Age-Appropriate Design Code Act (“Act”) with the stated intention of requiring businesses to consider the best interests of minors under the age of 18 when designing, developing and providing online services. If your business currently offers online services that are likely to be accessed by minors in California, you should consider starting to prepare Data Protection Impact Assessments in accordance with the Act as soon as possible because the law will require covered businesses to undertake such assessments before offering these services to the public, and it will take time to address the risks identified by the assessments before the Act fully takes effect on 1 July 2024.