The California attorney general recently released proposed regulations to implement certain provisions of the California Consumer Privacy Act (CCPA). The attorney general also released a notice of proposed rulemaking and an initial statement of reasons that provide drafting insights and outline considerations that will likely continue to guide the rulemaking process. The proposed regulations provide clarifications for businesses and consumers in five key CCPA areas, including privacy notice requirements.
The California legislature recently debated several amendments to the California Consumer Privacy Act, eventually passing five bills which now await the governor's signature. Collectively, these bills do not provide the sweeping changes sought by businesses. Instead, the amendments make minor tweaks and postpone for one year some of the more challenging requirements. The passed bills address a range of topics, including providing for a partial, temporary one-year exception for applicant and employee data.
Senate Bill 220 was recently signed into law, making Nevada the first state to join California in granting consumers the right to opt out of the sale of their personal information. However, the new privacy law is significantly narrower than the California Consumer Privacy Act (CCPA). For example, it applies only to online activities, defines 'consumer' and 'sale' more narrowly and includes broad exceptions for financial institutions subject to the Gramm-Leach-Bliley Act.
The Federal Trade Commission recently issued notices seeking public comment on proposed amendments to the regulations implementing the Gramm-Leach-Bliley Act, commonly known as the Safeguards Rule and the Privacy Rule. The proposed changes to the Safeguards Rule add a number of more detailed security requirements, whereas the proposed changes to the Privacy Rule focus on technical changes to align the rule with changes in law over the past decade.
The Federal Trade Commission (FTC) recently announced that it had settled with the operators of a video social networking app for a record civil penalty of $5.7 million under the Children's Online Privacy Protection Act. This action was notable not just for the penalty's size, but also because of the joint statement by two democratic commissioners that future FTC enforcement should seek to hold corporate officers and directors accountable for violations of consumer protection law.