California Formally Adopts New Privacy Rules; Three New States in the U.S. Nearly Finalize Privacy Laws

Following a rulemaking process that began in mid-2022, the California Office of Administrative Law has formally approved the California Privacy Protection Agency’s regulations implementing portions of the California Privacy Rights Act of 2020 (CPRA). The new rules are effective immediately, but enforcement of various elements of the new rules will not begin until July 1, 2023.

The new regulations include restrictions driven by the CPRA on the collection and processing of personal information. A business’s collection, use, retention, and sharing of a consumer’s personal information must be reasonably necessary and proportionate and the purposes for which the personal information was collected or processed and must be consistent with the reasonable expectations of the consumer. Disclosures and communications to consumers must be easy to read and understandable to consumers, and they must be reasonably accessible to consumers with disabilities.

Businesses are also prohibited from using ‘dark patterns’ that are confusing to the consumer and can manipulate them into making choices that are less privacy-protective. The new rules also govern the new rights that the CPRA gives consumers to have their data corrected, new restrictions on the use and disclosure and sensitive personal information, restrictions on the use of consumers’ personal information for cross-context behavioral advertising, and adherence to global opt-out preference signals.

In addition, three new states in the U.S. are now a small step away from adopting comprehensive privacy laws. Lawmakers in Indiana, Montana, and Tennessee have passed laws that would make these states the seventh, eighth, and ninth states in the U.S. to enact comprehensive privacy laws, following California, Virginia, Colorado, Connecticut, Utah, and Iowa.

The laws in these states specify certain thresholds for their applicability to businesses, depending on the volume of the business’s processing of personal information, or the annual revenues of the business. Generally, the laws would only apply to businesses that have a significant consumer base in these states.

All three laws require that businesses provide privacy notices to data subjects with certain content, and data subject rights such as deleting and correcting personal information, opting out of targeted ads, and receiving a copy of the personal information that the business processes about the consumer. None of the three laws provide a private right of action to individuals whose rights have been violated. Enforcement of these laws vests exclusively with the attorney generals of the three states.

If signed into law by the governors, the laws will take effect on October 1, 2024 (Montana), July 1, 2025 (Tennessee), and January 1, 2026 (Indiana).

Click here to read the California Consumer Privacy Act Regulations.

Click here to read the Indiana Act on Consumer Data Protection.

Click here to read the Montana Consumer Data Privacy Act.

Click here to read the Tennessee Information Protection Act.