The New State Privacy Laws Group

The webinar recording is now available!

The webinar's unanswered questions will be posted in the coming week.

Please utilize this group to network and discuss anything Privacy-related.

Any major enforcement actions recently?

Answer – Particularly interesting recent privacy actions – not all of them under the new state laws (most of which have not yet become enforceable by regulators) are:

California v. Sephora – California Attorney General action alleging failure of web retailer to institute sufficient “do not sell” or targeted advertising “opt out” methods;

FTC v. HomeAdvisor – FTC action alleging mischaracterization of business lead-generation data (and imposing $7.2 million fine);

FTC v. Kochava – FTC action alleging that sale of geolocation data without filtering out “sensitive” locations dismissed by federal court (with leave to replead claims).

How do we know the person making a request is really that person and not someone else who may or may not have authorization from the actual person we are being given?

Answer – This was answered in greater detail in the webinar – likely after this question was posed in the chat. The short answer is that you generally should require (and in California must require) verification of identity before releasing personal data, i.e., responding to a data “access” request. You don’t have to do this for a mere opt-out request, and for practical reasons most (but not all) companies don’t require a verification for an opt-out request – but you should always impose a “captcha”-type requirement in order to prevent bot traffic from mischievously generating false opt-outs.

Can we comply with the most restrictive state (CA?) and automatically be in compliance with all state regulations?

Answer – No, not quite. That would get you more than halfway there. But California’s disclosures are in some ways stricter than other states, and in other ways more lenient (and in still other ways simply idiosyncratic). For instance, California does not impose consent requirements on “sensitive” data. The CCPA’s disclosures are also labeled somewhat different that Colorado’s (though there are ways to reconcile the two), and its definition of “cross-contextual” advertising is in some ways slightly narrower than the definitions of targeted advertising elsewhere.

Can you provide an example of sites that "freely share data" so we can look at them?

Answer – I’m not exactly sure what this question or the quoted terms refer to. That said, websites that sell site data to multiple third parties or that permit site data to be used for cross-contextual (targeted) advertising need (at a minimum) to comply with the various state law disclosures we discussed during the webinar. In California (and possibly other states, depending on the outcome of currently pending lawsuits) additional disclosure banners may be recommended or required, for certain use cases – for instance, those that are not reasonably expected or implicitly consented to by consumers. (But this is an area of the law that is evolving, and there are a range of ways that websites are addressing these potential risks.)