
The Do’s and Don’ts of DSARs: A Practical Guide for Responding to Data Subject Access Requests

Handling data subject access requests (DSARs) isn’t as easy as ticking a compliance checkbox. It can be a test of an entity’s data organization, internal communication, and understanding of legal requirements. Between navigating jurisdictional nuances and meeting strict deadlines, the DSAR response process can quickly unravel without a clear plan. In this guide, we suggest best practices for handling and responding to DSARs, along with tips and common pitfalls to avoid when planning effective responses.

1.    Understand the Individual’s Ask

Under international data privacy laws, including those in the US and EU, individuals may have rights over the personal data collected about them by covered entities. Individuals generally exercise those rights through DSARs submitted to the relevant entities. These rights can include, but are not limited to:
  • Accessing Data: Individuals may request access to all or specific categories of their personal data.
  • Ceasing Data Processing: Individuals may request the entity stop processing their personal data.
  • Data Correction or Deletion: Individuals may request rectification of inaccurate or outdated personal data or even request the deletion of their personal data.
  • Processing Information: Individuals may request what their personal data is used for and why.
  • Portability: Individuals may request to receive a copy of their personal data in a portable format.
When an individual makes a request to exercise one of these rights, the entity must then respond to the request within a set time frame determined by the applicable law. These time frames differ between applicable laws, so the first step is ensuring you know the appropriate time frame to apply.

Who can submit a DSAR?

DSARs may be submitted by individuals whose data is processed by entities under the scope of laws like the GDPR and US state privacy laws. Depending on the jurisdiction, DSARs may also be submitted by employees of the covered entity or by agents appointed by the individual and authorized to submit DSARs on the individual’s behalf.

Why are DSARs important?

DSARs allow individuals to determine what information a covered entity holds about them, how it’s being used, and why it is being processed. In short, they empower individuals to understand and exert some control over their personal data. Additionally, DSARs serve as a tool to confirm that covered entities are upholding their promises: by using these requests, individuals can check whether entities are adhering to both privacy laws and customer privacy notices. This allows individuals to better hold entities accountable for lawful data processing.

2.    Build A Response Team

Given the complexity of modern data systems, internal collaboration is essential when handling DSARs. Clear communication helps ensure DSARs are handled effectively—especially for more comprehensive requests, like deleting or accessing an individual’s data. To build your response team, start by identifying key players. Privacy officers can help oversee legal and regulatory compliance, data experts can help retrieve and process data securely, and communication teams can help draft clear responses to requests and questions. While the specific structure of each team will vary based on the covered entity’s size and complexity, every member of the team should understand the DSAR requirements and their specific responsibilities, and should get proper training based on their role.

Do: Train Your Team

Training is critical to help every member of the team understand the importance of DSARs and their role in maintaining compliance. This isn’t about knowing the legal jargon—each team member should be able to recognize these requests (even if worded in a vague or informal way) and know how to execute the steps required to meet deadlines. Since each DSAR is unique, teams should also have a clear point of contact for guidance and next steps if there is any confusion.

Don’t: Delay Decisions

Effective responses generally take effective planning. Because of the tight DSAR response deadlines imposed by applicable laws, covered entities should plan for these requests before they arrive. By defining clear rules, covered entities can avoid last-minute confusion and chaos when responding to DSARs.

3.    Prepare A Playbook

The regulatory landscape governing DSARs is far from uniform. Because each law may have its own requirements and response timeline, it is essential to understand jurisdiction-specific obligations. A playbook is a simple way to address these obligations in one place and guide the response team through a step-by-step process. To create a playbook, consider:
  • Legal scope: Identify applicable laws based on where the entity operates and whose personal data they process.
  • Verification requirements: Confirm the verification requirements, if any, under each law to determine what steps are needed to confirm the identity of the individual submitting the DSAR.
  • Data retrieval methods: Determine what tools and workflows are needed to locate and compile data efficiently, and how this information may be transmitted to the individual, if necessary.
  • Template responses: Draft standardized responses for anticipated outcomes, like fulfillment or denial of requests, or requests for additional information.
  • Escalation plans: Provide guidance for handling complex requests.
Playbooks should be regularly reviewed to reflect changes in regulations or operational processes.

Do: Note the Nuances of Each Law

Laws that provide individuals with rights over their personal data commonly include exemptions, such as for data that is covered by other laws. Double-check and note these requirements for each jurisdiction and ensure that the playbook is marked in a way that users can easily understand.

Don’t: Forget to Customize

Using the same strategy for every DSAR risks a misstep in responses. Privacy laws are often unique, and failing to adapt to these nuances can lead to delays, incomplete responses, or even regulatory penalties. By making your playbook specific to both your entity’s needs and the requirements of each jurisdiction, you are better preparing your team to handle DSARs.

4.    Respond Effectively

Most data privacy laws require a response within a certain time frame from when the request was received. In other words, once a DSAR is received, a clock usually starts ticking. We suggest the following steps as a starting place for a well-executed response, but your steps should be tailored to the applicable legal requirements:
  1. Acknowledge the Request: Confirm the request and provide a clear timeline for how the request will be handled.
  2. Verify the Identity (as needed): Ensure the individual’s identity is confirmed, if required by the relevant laws.
  3. Locate and Collect Data: Collaborate across departments as needed to gather the relevant information.
  4. Review Data for Exceptions: Identify data that may be exempt from disclosures or require redaction, like data that pertains to another individual.
  5. Respond Clearly: Deliver the response in a clear, accessible format with an explanation of how that response was arrived at.
  6. Record and Learn: Maintain detailed records for accountability and review the process regularly.

Do: Build a Feedback Loop

The best way to learn is by doing. After developing your playbook, perform a trial exercise to ensure your communication is streamlined and a test request is handled as expected. Then, talk to your team to review what went well and what improvements are needed. By treating this process as iterative, with modifications and refinements made along the way, the DSAR response team can grow and shift with the volume of requests or any regulatory changes.

Don’t: Overlook Redaction and Exemptions

Redaction and exemptions can easily be overlooked, but neglecting these steps can lead to non-compliance, or even a breach. Always double-check any information before it is disclosed and verify that all information is accounted for and handled appropriately.

While typically seen as a compliance obligation, DSARs can also present an opportunity for entities to demonstrate data privacy and transparency. Each DSAR is a chance to refine operations, and with a capable response team and a detailed playbook, entities can approach the process with a better understanding of compliance.

CCPA Board Meeting: Key Takeaways from November 8, 2024

In a vote of 4-1, the California Privacy Protection Agency (CPPA) has decided to move forward with rulemaking of its draft regulations concerning AI, cyber audits, profiling and risk assessments, despite complaints of regulatory overreach.

On Friday, November 8, the CPPA held a public meeting to discuss proposed updates to the California Consumer Privacy Act (CCPA) regulations. The hybrid meeting included public comments from a broad range of stakeholders – nearly 45 public comments were heard from business representatives, privacy advocates, and industry experts. While the passing vote would typically have triggered a 45-day public comment period on the draft regulations, Chairperson Urban requested flexibility, considering the upcoming holidays.

Legal Challenges

During the meeting, the CPPA stated that it was sued for failing to promulgate regulations, specifically on opt-out rights of information processed by automated decisionmaking tools (ADMTs). At the same time, commentators argued that the breadth of the proposed rules overstepped the intent of the CCPA.

Board Member Alastair Mactaggart–who helped draft the CCPA–voiced concerns about the regulations, arguing that the current proposed regulation is excessively broad to the point of being unworkable. He pointed out that these regulations, as written, apply to nearly all businesses that use any kind of software to generate any type of output–whether it’s AI-powered or not. For example, a simple tool like a spreadsheet or a school admission application could fall under these rules, forcing a large swath of low-risk businesses to conduct risk assessments. Mactaggart referred to this as statutory overreach and claimed that regulations should be focused on issues that genuinely impact privacy or security.

Economic Forecasts

The CPPA also issued a Standardized Regulatory Impact Assessment (SRIA) which was discussed during the meeting. In this assessment, the CPPA estimates the total cost of this regulatory initiative to be around $3.5 billion for the first year of implementation, with an average of $1 billion each subsequent year for the first ten years. The CPPA justifies this cost, asserting that the direct benefits to California businesses will be $1.5 billion in 2027, and $66.3 billion in 2036.

However, the California Chamber of Commerce states that “[b]usinesses, consumers and governments in California will suffer net losses from the proposed rules pending before the [CPPA] this week.” This statement stems from a report prepared for the Chamber of Commerce by Capitol Matrix Consulting, which concludes that the regulations are likely to “result in a substantial net losses to businesses, consumers, and governments in this state, both in the near and long term.”

Industry groups including TechNet, the Civil Justice Association of California, and the Interactive Advertising Bureau voiced concern about the heavy compliance burden that the regulations place on businesses–especially small businesses that may not have the resources to implement the required risk assessments or redesign their services to accommodate opt-out provisions.

Behavioral Advertising & Opt-Out Provisions

Another key point of contention during the meeting was the opt-out provision for consumers related to decisions made by AI systems.

The draft regulations govern a large range of AI. Under the draft, AI is defined as a “machine-based system that infers, from the input it receives, how to generate outputs that can influence physical or virtual environments.” Additionally, the draft defines ADMTs as “any technology that processes personal information and uses computation to execute a decision, replace human decisionmaking, or substantially facilitate human decisionmaking.”

Together, these definitions are more expansive than the definition of the high-risk automated processing addressed in Article 22 of the EU’s GDPR, the source of the original opt-out language. Under Article 22, a consumer has the right to opt out of decisions made by solely automated systems. The intent of this provision is to give consumers the ability to opt out of decisions that may be made on solely automated processes, such as targeted advertising.

However, critics argue that including the opt-out language in the draft in combination with an expansive definition of AI and ADMTs could have unintended consequences, especially for small businesses. Mactaggart, for instance, is concerned that applying this opt-out rule too broadly could lead to a breakdown of essential services. For example, online booking services for airlines and automated reservation software for hotels may rely on software that would be categorized as “AI” under this definition. Allowing users to opt out of using AI when asking for these services may be untenable, which could cause friction in these industries and ultimately could cause harm to consumers by limiting access to these services or increasing costs.

Risk Assessments

A central component of the draft regulation is for businesses who use AI, as defined above, to conduct risk assessments. While the goal of this requirement is to ensure that businesses are aware of and mitigate any potential privacy risks that arise from these technologies, critics believe the regulations go too far by applying the requirement to low risk, everyday activities.

For example, a representative from the California Grocery Association expressed concerns about how the opt-out provision would impact a chain of small rural grocery stores with whom she conducts business. While these AI tools could be used to help consumers save money, the cost of compliance to integrate these tools might not be within reach, especially given the thin profit margins within the grocery industry.

Again, Mactaggart questioned the scope of the draft. He and other advocates called for a narrower focus for risk assessments that centers on significant decisions–such as those that deny individuals access to essential goods and services. This could include the denial of a loan application, exclusion from an online platform, or an adverse employment decision. One commenter stated that there have been no public comments against regulating high-risk systems, and by focusing on these issues, the CPPA could better mitigate potential harms. At the same time, this would free low-risk systems from potential overregulation.

Additionally, a commenter suggested that risk assessments should be streamlined and aligned with other state standards to reduce compliance costs. Mactaggart noted that accepting risk standards from other US jurisdictions could help businesses avoid duplicative efforts, cut compliance costs, and reduce the overall regulatory burden.

AI Training

The ability to opt out of the use of personal data for training AI datasets was of lesser concern but was still addressed by a number of commenters. For example, a representative from the Software and Data Industry Association argued that requiring a consumer opt-out from AI dataset training could create a substantial burden on small businesses that already have trouble accumulating representative training data. Other commenters shared concerns that these opt-outs could compromise the quality and effectiveness of AI systems.

Ultimately, California faces a delicate balance in regulating AI and ADMT. On one hand, the state must work toward protecting consumers from privacy risks, potential discrimination, and other adverse impacts of AI. At the same time, the CPPA must ensure that rulemaking does not stifle innovation, create excessive compliance costs, or diminish competition between businesses that rely on AI.

As formal rulemaking moves forward, it will be crucial for the CPPA to consider feedback from the public comment period and to refine the regulations to ensure that they strike a balance between privacy concerns and costs to consumers and businesses alike.


California Wraps Its 2024 Legislative Session with Data Privacy & AI Bills

California’s legislative session closed on August 31, 2024 with a series of data privacy and AI bills. Over the course of September, Governor Newsom signed 17 bills covering AI technologies. This wave of legislation comes a year after Governor Newsom signed an Executive Order to help ensure California is ready for the next wave of AI technologies.

Below is an overview of new and noteworthy AI and data privacy bills, beginning with six amendments to the California Consumer Privacy Act (CCPA) followed by a range of signed and vetoed AI-related bills.

Passed CCPA Amendments

  1. SB 1223 and AB 1008: Neural Data, Personal Information and AI Systems

What Does the CCPA Require? Currently, the CCPA requires a business that collects personal information about a consumer to limit its use of the consumer’s sensitive personal information. “Sensitive personal information” includes biometric information for the purposes of identifying a consumer, but not neural data. Additionally, the CCPA does not specify whether personal information can exist in various formats.

What Changes? Under SB 1223, the CCPA’s definition of “sensitive personal information” would be expanded. It would include a consumer’s neural data, or “information that is generated by measuring the activity of the consumer’s central or peripheral nervous system, and that is not inferred from nonneural information.”

Under AB 1008, the CCPA would also specify that “personal information can exist in various formats,” including physical, digital or abstract information, which may be in the form of encrypted files, metadata, or AI systems capable of outputting personal information.

Governor Newsom signed SB 1223 and AB 1008 into law on September 28, 2024. Both laws will become applicable on January 1, 2025.
  2. AB 1824: Opt-Out Right, Mergers

What Does the CCPA Require? The CCPA states that consumers shall have the right to opt out of a business selling or sharing their personal information. However, the Act does not specify the requirements for honoring those requests upon a merger or acquisition.

What Changes? Under this bill, if a business transfers personal information to another business as part of a merger, acquisition, bankruptcy or other transaction, the receiving business must comply with the opt-out requests originally made to the transferring business.

Governor Newsom signed AB 1824 into law on September 29, 2024. This law takes effect on January 1, 2025.
  3. AB 3286: Monetary Thresholds, Grants

What Does the CCPA Require? The CCPA grants the Attorney General the authority to adjust monetary thresholds to reflect increases in the Consumer Price Index.

What Changes? This bill removes the responsibility for adjusting monetary thresholds from the Attorney General and places it on the California Privacy Protection Agency, among other minor changes.

Governor Newsom signed AB 3286 on July 15, 2024, and the law goes into effect on January 1, 2025.

Vetoed CCPA Amendments
  1. AB 1949: Collection of Personal Information of a Consumer Less than 18 Years of Age

What Does the CCPA Require? The CCPA provides a consumer with specific rights regarding their personal information. Currently, the CCPA prohibits a business from selling or sharing the personal information of a consumer if the business has actual knowledge that the consumer is less than 16 years old, unless the consumer or their parent or guardian has properly consented.

What Changes? This bill would raise that age from 16 to 18 years old, meaning that a business shall not sell or share the personal information of a consumer who is between 13 and 18 years old unless the consumer or their parent or guardian consents. A business shall not share or sell the information of a child younger than 13 years old unless their parent or guardian consents.

Additionally, this bill would require a business to treat a consumer as younger than 18 years old if the consumer transmits a signal indicating they are younger than 18. The bill retains the CCPA’s “actual knowledge or willful disregard” standard for violations.

Finally, the bill requires California’s Attorney General to adopt regulations that include technical specifications for an opt-out preference signal that allows the consumer to specify whether they are less than 13 years old, or between 13 and 18 years old.

Governor Newsom vetoed AB 1949 on September 28, 2024.
  2. AB 3048: Opt-Out Preference Signals

What Does the CCPA Require? The CCPA states that consumers shall have the right to opt out of a business selling or sharing their personal information. To send opt-out preference signals today, users have to download plugins for major browsers, which may vary by browser type.

Currently, the only opt-out preference signal recognized under the CCPA, per Attorney General Rob Bonta’s FAQ page and supporting resources from the California Privacy Protection Agency (CPPA), is the Global Privacy Control (GPC). However, under the CCPA, the GPC is intended only to communicate Do Not Sell requests as a global privacy control. Still, this is an enforced area of privacy law: in 2022, a Final Judgment and Permanent Injunction against Sephora ordered the company to pay $1.2 million to resolve claims that Sephora did not process opt-out requests sent through privacy controls.

What Changes? This bill is targeted at businesses that develop or maintain browsers, mandating that they include settings that enable consumers to send an opt-out preference signal to businesses they interact with through the browser. After rulemaking and agency adoption, the bill would also prohibit a business from developing or maintaining a mobile operating system that does not include opt-out preference signal settings. These provisions would go into effect beginning January 1, 2026.

Governor Newsom vetoed AB 3048 on September 20, 2024.

Passed AI Bills
  1. SB 2013: Generative Artificial Intelligence, Training Data Transparency

Who Does This Apply to? This bill applies to “generative artificial intelligence” systems or services, defined as AI that can “generate derived synthetic content…that emulates the structure and characteristics of the [AI’s] training data.” There is no consumer-use or monetary threshold, so this definition appears to be far-reaching.

What Changes? This bill requires that the developers of all covered generative AI systems available to Californians post information on their website. This information must include the data used to train the AI system or service and a high-level summary of the datasets used in the system.

Bill SB 2013 was signed by Governor Newsom on September 28, 2024. This law will go into effect on January 1, 2026.
  2. AB 2885: Artificial Intelligence, Definition

Who Does This Apply to? According to the preamble of the bill, the definition applies to actions taken by the Department of Technology, local agencies, the California Online Community College, and social media companies, under requirements of existing laws.

What Changes? The term “artificial intelligence” for these purposes would be altered to include an “engineered or machine-based system that varies in its level of autonomy” and can generate output based on inferences made from its input.

Bill AB 2885 was signed by Governor Newsom on September 28, 2024. Provisions of this law will go into effect on January 1, 2025.
  3. SB 942: California AI Transparency Act

Who Does This Apply to? This bill applies to “covered providers,” which includes persons that create, code or otherwise produce generative AI systems with over 1 million monthly visitors and that operate within the state of California.

What Changes? Under this bill, covered providers would be required to make AI detection tools publicly accessible. They would also be required to provide the user with an option to include a disclosure, as well as to provide a latent disclosure in content created or altered by the generative AI system.

Governor Newsom signed SB 942 into law on September 19, 2024, along with other bills addressing concerns around AI:

  • SB 926 prohibits creating and distributing sexually explicit realistic images of a person when those images are intended to cause serious emotional distress to the person. This bill is targeted at AI-generated sexually explicit content. Similarly, AB 1831 expands the existing child pornography statutes to include content created or altered by generative AI.

  • SB 981 requires social media platforms to provide Californians with a mechanism to report digital identity theft on the platform. Following the aim of SB 926, this would include reporting AI-generated images of a person whose identity has been stolen appearing to be engaged in certain sexual acts.
  4. AB 3030: Health Care Services, Artificial Intelligence

Who Does This Apply to? This bill applies to health facilities, clinics, physician’s offices, or other health group practices that use generative AI for communications about patient clinical information. “Patient clinical information” is defined as information relating to the health status of a patient, and specifically excludes administrative matters, such as appointment scheduling, billing, or “other clerical or business matters.”

What Changes? Under this bill, generative AI communications that pertain to clinical information must include: 1) a disclaimer at the beginning of the interaction indicating that the communication was generated by AI, and 2) clear instructions on how the patient can contact the appropriate person.

Governor Newsom signed AB 3030 into law on September 28, 2024. The law goes into effect immediately.

Similarly, SB 1120 was passed on September 28, 2024 and provides specific restrictions for health care service plans or disability insurers that use AI in their decisionmaking. Under this law, health service plans must have specific policies and procedures in place, and must be overseen by a medical director with an unrestricted license to practice medicine in the state of California.
  5. AB 1836: Use of Likeness, Digital Replica

Who Does This Apply to? This bill is intended to protect intellectual property, and applies to those creating digital replicas of another’s likeness. A “digital replica” means a “computer-generated, highly realistic electronic representation” that one can readily identify as a likeness of the person being replicated.

What Changes? This bill makes a person who makes or distributes a digital replica of a deceased personality’s voice or likeness, without consent, liable for the greater of $10,000 or the actual damages suffered.

Governor Newsom signed AB 1836 into law on September 17, 2024. The law goes into effect immediately.

Similarly, Governor Newsom also signed AB 2602 into law on the same date. This law prohibits personal or professional service contracts that contain provisions for the use of a digital replica or likeness for a general purpose unless the individual is represented by legal counsel. Instead, the contract must contain a reasonably specific description of the intended uses of the digital replica.
  6. SB 2355: Political Advertisements, Artificial Intelligence

Who Does This Apply to? This bill applies to committees that create, publish or otherwise distribute political advertisements. Covered advertisements include all political ads that contain any image, audio, or video that is “generated or substantially altered” using AI.

What Changes? Under this bill, there are specific requirements for each format of ad. For example, a video advertisement must include disclosures at the beginning or end of the advertisement, displayed for five or ten seconds depending on the length of the ad.

Governor Newsom signed AB 2355 into law on September 17, 2024. The law goes into effect immediately.

Similarly, Governor Newsom also signed AB 2655 and AB 2839 into law on September 17, 2024.

AB 2655, known as the Defending Democracy from Deepfake Deception Act of 2024, requires large online platforms (those with at least 1 million California users) to: 1) remove deceptive and digitally modified election content from their platforms, or 2) label that content before and after the election if the content has been reported to the platform.

AB 2839 prohibits the knowing distribution of advertisements or other election communications that contain materially deceptive content within 120 days of an election in California and, in some cases, 60 days after an election.

Vetoed AI Bills
  1. SB 1047: Safe and Secure Innovation for Frontier Artificial Intelligence Models Act

Who Does This Apply to? This bill is directed toward high-complexity AI models, such as those whose floating operations exceed $100,000,000. Other than requirements in state data privacy laws and the Colorado AI Act, there are no AI laws of this scale enacted in the U.S.

What Changes? For these covered models, the bill imposes various requirements, including a written safety and security protocol, submission of that protocol to the Attorney General, and implementing the ability to promptly enact a shutdown.

Under this bill, the Attorney General may bring a civil action for a violation that causes death or harm to people or property, or that constitutes an imminent risk to public safety. Notably, this penalty is calculated by computing power. For the first violation, the penalty will be no more than 10% of the cost of the quantity of computing power used to train the covered model, and subsequent violations may not exceed 30% of that value.

Governor Newsom vetoed SB 1047 on September 29, 2024. In his decision, Governor Newsom considered that “California is home to 32 of the world’s 50 leading AI companies.” He noted that the bill applies only to these extensive and large-scale models, while “[s]maller, specialized models may emerge as equally or even more dangerous than the models targeted by SB 1047 – at the potential expense of curtailing the very innovation that fuels advancement in the favor of public good” by these large-scale models.

THE CALIFORNIA AGE-APPROPRIATE DESIGN CODE

Image Credit: Markus Spiske from Unsplash

***Update: On September 15, 2022, Governor Newsom signed AB 2273, establishing the California Age-Appropriate Design Code Act.

Who It Covers, What It Requires & How It Compares to the UK

Effective July 1, 2024, the California Age-Appropriate Design Code imposes obligations on businesses[1] that provide an “online service, product, or feature” that is “likely to be accessed by children.”[2] Children are defined as California residents[3] “who are under 18 years of age.”[4] The law provides factors for whether an online service, product, or feature (S/P/F) is “likely to be accessed” by California residents under the age of 18:[5]

  • It is directed to children as defined by COPPA.[6]
  • It is determined, based on competent and reliable evidence regarding audience composition, to be routinely accessed by a significant number of children, or it is substantially similar to an online S/P/F that meets this factor.
  • It displays advertisements marketed to children.
  • It has design elements known to be of interest to children, including games, cartoons, music, and celebrities who appeal to children.
  • Based on internal research, a significant amount of the audience is children.

An online S/P/F is defined by what it is not, and the definition notably exempts the “delivery or use of a physical product.”[7] This exemption diverges from the UK version of the law, which covers “connected toys and devices.”[8]

Compared to the UK’s Common-Sense Approach

The US version of the law provides no guidance on what it means for a “significant number of children” to “routinely access[]” the online S/P/F. However, the law makes clear in its legislative findings that covered businesses may look to guidance and innovation in response to the UK version when developing US-covered online S/P/F.[9]

The UK Information Commissioner’s Office (ICO) states that the term “likely to be accessed by” is purposefully broad, covering “services that children [are] using in reality,” not just those services specifically targeting children.[10] However, the ICO recognizes that the term is not so broad as to “cover all services that children could possibly access.”[11] The key difference is whether it is “more probable than not” that an online S/P/F will be accessed by children, and businesses should take a “common sense approach to this question.”[12]

To illustrate this point:


And Then There Were Five…

Image Credit: Free-Photos from Pixabay.

Just last summer, in July of 2021, Colorado joined California and Virginia, and became the third U.S. state with a comprehensive consumer privacy law. The Colorado Privacy Act is set to take effect in July 2023.

Hot on its heels, and within just two months of each other, first Utah in March of 2022, now Connecticut in May of 2022, passed privacy bills which will become effective in 2023.

So far, California remains the only state which allows for a private right of action in connection with its privacy bill. For more information, please see our comparison of the current U.S. state consumer privacy laws below.

For our unofficial redline of the CPRA, click here.

Follow these links for the official text of the CPRA, CPA, CTDPA, UCPA, and VCDPA.

