Hashed & Salted | A Privacy and Data Security Update
As we head toward the end of the year, the Jan. 1, 2023, enforcement date for the California Privacy Rights Act (CPRA) looms large. Will the implementing regulations be finalized in time?
It doesn’t look like it.
The California Privacy Protection Agency (CPPA) is still working to issue the first round of modifications to its proposed regulations, and it is clear that we won’t have final regulations until January 2023 (at the earliest). Despite the timing issues, between the proposed modifications and the public discussion held in October, we have a good sense of where we are headed. At this point, there is no reason to wait for final regulations to begin implementing the unchanged requirements. The CPPA has indicated that it will consider the delayed timing in its enforcement efforts, but it also expects companies to make a good-faith effort to comply.
At the same time, Colorado is taking comments on its draft regulations and will hold its hearings in February 2023. A common theme in both sets of regulations is the focus on purpose limitations and GDPR-like requirements for consent to “secondary uses,” which may prompt significant changes to the way companies communicate with consumers. While these regulations may require more consent and more communications, they also impose restrictions on the use of dark patterns that businesses will need to navigate when designing the consumer experience. Lawyers, marketers and user experience/design teams will need to be in conversations about these new requirements as they work to update the consumer journey.
Coming out of the first round of CPPA meetings on the draft regulations, it is also clear that the rulemaking process is one with no clear ending. The CPPA indicated its intent to monitor the marketplace and update the regulations as needed to address changes in technology and business practices. These updates are in addition to the regulations that we expect to see on the assessments needed for automated processing and additional guidance on employee and business-to-business data.
Privacy is a journey, and it is clear that the landscape and requirements will continue to develop.
In this issue’s deeper dives, associate Dani Spencer looks at dark patterns and how regulators around the United States and the EU are ramping up efforts to discourage and prosecute these consumer interface practices. As the midterm elections approach, senior counsel Robyn Mohr explores the almost entirely state-driven regulatory environment for political advertising. And in our Team Member Spotlight, associate Ryan Gallagher talks about how he moved from working on data breach response and investigations to privacy, why he believes non-fungible tokens (NFTs) are primed to revolutionize the internet—well beyond their use as digital art—and how his real-life career before becoming a lawyer could be “as seen on TV.”
- If You Don’t Read This Article About Dark Patterns, You’re Missing the Opportunity of a Lifetime
- Upcoming Midterm Elections Highlight Regulatory Risks of Online Political Advertising
- Team Member Spotlight: Ryan Gallagher
- Event Spotlight
- In Case You Missed It: California Children’s Privacy and Online Safety Bill Becomes Law: What Does It Mean for Businesses?
With the midterm elections fast approaching, political advertising spend is on the rise. The advertising stakes couldn't be higher, with millions of dollars on the line. Unfortunately for advertisers and online platforms, the regulations governing online political advertising aren’t always clear.
How many times has this happened to you? You get a pop-up that guilts you into providing an email address to sign up and save (“No, I like paying full price.”). Or the highlighted button to move forward in a selection actually sends you back to the previous screen. Or a box is prechecked to opt you in to marketing. Or you notice that a warranty extension has been added to your cart without your request. These are examples of dark patterns—user interfaces designed to manipulate consumers to keep them from opting out of their intended choice.
- How did you develop your area of focus?
I began my career as an attorney in data breach response and investigations during some of the industry’s most chaotic years, diving into practice right as ransomware and data exfiltration attacks seemed to be at their highest levels. Having experienced the turbulent side of data security, I was ready to move away from the transient nature of breach work into a practice area that would allow me to develop longer-lasting relationships with my clients and, as a result, better understand the businesses with which I work every day. At Loeb, I work on a wide range of evolving data privacy and security issues, including policy and program development, regulatory compliance, and various matters involving emerging technologies like blockchain and Web3 platforms.
- What’s exciting you/grabbing your attention right now?
Despite the current state of the market for digital items, I strongly believe non-fungible tokens (NFTs) are primed to revolutionize the internet as we know it. The potential in this sector is far broader than the obvious case for ownership of digital art. As the infrastructure for NFT economies matures, businesses will realize significant value in database and records management platforms, gaming, finance, and an endless number of products that immutable digital identity will bring to market.
- What’s one thing most people would be surprised to know about you?
Before starting my career as an attorney, I worked in law enforcement. I left college and enlisted in the U.S. Navy shortly after the ’08 recession and found myself working out of a Naval Criminal Investigative Service (NCIS) office in the Washington, D.C. area. About half of my time was dedicated to criminal investigations, but our office was also tasked with protecting high-profile people in government, business and media during their visits to the region. While the experience cemented that I did not want to pursue a long-term career in the government sector, it was the catalyst for attending law school and left me with a few stories to tell.
Loeb & Loeb LLP is proud to sponsor the Privacy + Security Forum: Fall, taking place Nov. 2–4, 2022. Privacy, Security & Data Innovations Chair Jessica Lee and of Counsel Eyvonne Mallett will be speaking on the panel “Fintech and Financial Privacy: U.S. Regulatory Developments and Considerations” on Nov. 3.
In Case You Missed It: California Children’s Privacy and Online Safety Bill Becomes Law: What Does It Mean for Businesses?
AB 2273, also known as the California Age-Appropriate Design Code Act (ADCA), was signed into law on Sept. 15 and will become effective on July 1, 2024. The ADCA, which is modeled after the U.K.’s Age Appropriate Design Code that came into force in September 2020, will impose new requirements for and prohibitions on a broad range of businesses beyond those that are included in the Children’s Online Privacy and Protection Act.