August 2023 Update
As this publication was going to press, enforcement of the California Privacy Rights Act of 2020’s (CPRA’s) final regulations, which had been scheduled to commence on July 1, 2023, was stayed until March 29, 2024. See §10A.1.
Ten states have now enacted or passed data privacy legislation. In addition, the State of Washington enacted a health data privacy law, and Utah enacted social-media legislation aimed at protecting children. See §1.3.
California has enacted the California Age-Appropriate Design Code Act, requiring businesses that provide an online service, product, or feature likely to be accessed by children to comply with specified requirements, including default privacy settings, use of language suited to the age of children, and restrictions on the use of children’s personal information. See §§3.43D, 5.68A, 6.68.
New California laws address the sending of unsolicited obscene material by electronic means, and distribution of unauthorized obscene materials. See §4.12.
There have been significant developments in California Invasion of Privacy Act (CIPA) caselaw. See §§4.36, 4.39, 8.58, 8.64, 8.65, 8.69, 12.46.
The California Supreme Court responded to a certified question regarding an insurer’s duty to defend against a claimed violation of the Telephone Consumer Protection Act (TCPA). See §5.64.
A new discussion of minors’ privacy rights under federal and California law has been added to chap 6.
On February 1, 2023, the Federal Trade Commission (FTC) announced its first enforcement action against a digital health company that allegedly made unauthorized disclosures of health information to third parties and failed to notify consumers of the disclosures. See §7.15A.
The California Department of Health and Human Services (CalHHS) released the Data Exchange Framework in July 2022. See §7.41B.
California enacted privacy protections regarding reproductive rights. See §§7.74, 12.52A. For related federal privacy regulations under the Health Insurance Portability and Accountbility Act (HIPAA) Privacy Rule, see §7.89.
In a Notice of Proposed Rulemaking released November 28, 2022, the Office for Civil Rights (OCR) in coordination with the Substance Abuse and Mental Health Services Administration (SAMHSA) proposed revisions to 42 CFR pt 2 to better align the requirements for substance use disorder records with those in effect under HIPAA. See §7.97A.
There have been many significant developments in international personal data protection and cross-border data transfers. See discussions throughout chap 9.
With many provisions of the California Privacy Rights Act of 2020 (CPRA) taking effect January 1, 2023, there have been extensive updates and revisions to both the California Consumer Privacy Act of 2018 (CCPA) and, consequently, to chap 10A.