Dec. 11, 2024

Deciphering the New CPPA Proposed Regulations for Data Brokers

The California Privacy Protection Agency (CPPA) Board is closely watching data brokers. In the past month, it voted to adopt proposed regulations (Proposed Regs) that expand upon and clarify key provisions of the Delete Act, broadening the definition of data broker, and reached settlements with two data broker companies about a week after it had announced that it was beginning a public investigative compliance sweep. This article, with insights from experts at Frankfurt Kurnit, Troutman Pepper and WilmerHale, examines how the Proposed Regs expand upon some of the Delete Act’s central requirements and offers practical measures for data brokers on how to meet their compliance obligations. See “Outgoing CPPA Board Member Discusses Rulemaking and Looming Privacy Issues” (Sep. 25, 2024).

Preparing for U.S. State Law Privacy Compliance in 2025

The new year will see eight new state consumer data privacy laws taking effect – some as soon as January 1. Since 2023, the number of such laws has grown significantly, and nearly a dozen more are expected in the next two years, said Jodi Daniels, founder of data privacy consulting firm Red Clover Advisors, during a year-end presentation with Husch Blackwell partner David Stauss. To help companies navigate this ever-growing landscape and prepare for the parade of new laws and regulations, this article distills insights shared by Daniels and Stauss on the laws soon taking effect, other relevant state law amendments and rulemaking to consider, and how companies can prepare to comply with them. See “Measures for Complying With 19 (and Counting) State Privacy Laws” (Jun. 26, 2024).

DOJ’s 2024 Edits to the ECCP: Speaking Up, Compliance Resources and Lessons Learned

The edits to the DOJ’s Evaluation of Corporate Compliance Programs (ECCP) that were announced in September 2024 (2024 Edits) were broad, touching on many aspects of compliance programs. The first article of this three-part series about the 2024 Edits discussed the changes related to AI, and the second examined the many edits related to data analytics. This last installment covers changes regarding bread-and-butter elements of a compliance program that are less sexy to discuss but equally important. See “What to Know (and Do) About DOJ’s Efforts to Identify and Prosecute Cybersecurity Fraud Under the False Claims Act” (Oct. 30, 2024).