Navigating multiple state privacy laws?

With our Privacy Docs module, you get coast-to-coast privacy coverage with a single set of customized compliance documents. Create the privacy notices, data handling polices, and data protection agreements you need to comply and stay up-to-date as laws change.

Latest news on US state data privacy

We are continually updating and expanding the SixFifty Privacy Docs platform to reflect the latest state-specific requirements and emerging best practices. See a snippet of our latest updates below.

August 2023

For more information on these updates login to your SixFifty account or request a demo of our Privacy Docs module.

CPPA Issues Draft Regulations on Audits and Risk Assessments

On August 29, 2023, the California Privacy Protection Agency (CPPA) released preliminary discussion drafts of the next two topics it will issue regulations about: risk assessments and cybersecurity audits.

The risk assessments required in California are generally similar to what other states call Data Protection Assessments, though California’s versions will likely have a broader scope and require even more detail. For example, the need to complete a risk assessment in California will be triggered by (1) monitoring of employees; (2) processing certain personal information in public places; or (3) using personal information to train artificial intelligence—all of these would be unique to California. Companies would need to annually submit an abridged form of their risk assessments along with a certification of completion to the CPPA every year.

The draft regulations would also require annual independent cybersecurity audits for companies that meet certain thresholds, which could include the proportion of revenue derived from selling or sharing personal information; total revenue; number of consumers’ personal information or sensitive personal information processed; and/or number of employees. The audits would have to assess the company’s cybersecurity program and identify any gaps or weaknesses. Companies would have to submit a certification that they completed the audit (or an explanation of why it did not fully comply) every year, beginning two years after the regulations go into effect.

You can read more about the details on Wilson Sonsini’s Privacy and Data Protection blog, and the CPPA Board will discuss the draft regulations during its meeting on September 8, 2023.

Keep in mind that these discussion drafts are very preliminary, not even part of the official rulemaking process. The CPPA will eventually publish official draft regulations on these topics, which will kick off the notice-and-comment process which will eventually lead to the final regulations. But if the CPPA’s prior rulemaking is any guide, these initial regulations should give a good preview of the finished product. Many specifics will change, but the concepts and goals will likely remain largely the same.

Digital Services Act Goes Into Effect in the EU

On August 25, 2023, the Digital Services Act (DSA) in the EU went into effect. It applies to the 19 “Very Large Online Platforms or Search Engines” the European Commission has identified, ranging from household names in the US—Google, Facebook, Twitter (now known as X), Wikipedia, and TikTok—to a few entities less known by Americans, such as foreign online retailers Zalando and Alibaba. The law requires the large companies it covers to provide greater transparency around moderation, algorithms, and advertising, as well as to conduct extensive risk assessments. Companies not on the list of 19 will not be directly affected, though there could be downstream effects for vendors and other companies.