Arnall Golden Gregory LLP is pleased to provide you with the Compliance News Flash, which includes current news briefs relevant to background screening, immigration and data privacy, for the benefit and interest of our clients as well as employers and consumer reporting agencies generally.
- Virginia enacted the Virginia Consumer Data Protection Act (CDPA), making it the second state, after California, to pass comprehensive data privacy legislation. The CDPA will take effect January 1, 2023. The CDPA is similar in many respects to the California Consumer Privacy Act (CCPA), though it has some notable differences. The CDPA grants consumers the right to access, correction, deletion, data portability, and opt-out of targeted advertising, sale of personal data, and certain profiling activities. The CDPA imposes obligations on businesses, such as the obligation to provide a privacy notice that contains certain content; enter into data processing agreements with vendors; and obtain consumer consent before processing sensitive data. The CDPA will be enforced by the Virginia Attorney General, and it does not provide a private right of action. The CDPA contains an exemption for activities regulated and authorized under the Fair Credit Reporting Act (FCRA). To access the text of the CPDA, click here.
- California announced its appointments to the inaugural five-member board of the California Privacy Protection Agency (CPPA). The CPPA is established by the California Privacy Rights Act (CPRA), which amends and expands the California Consumer Privacy Act (CCPA). The CPPA is the first agency dedicated solely to data privacy protection in the United States. The CPPA is tasked with drafting implementing regulations supporting the CPRA and will share enforcement authority of the CPRA with the California Attorney General. The inaugural CPPA board appointees are Jennifer M. Urban, John Christopher Thompson, Angela Sierra, Lydia de la Torre, and Vinhcent Le. Click here to read more about the appointees.
- The California Office of Administrative Law approved the latest set of modifications to the CCPA regulations. The final CCPA regulations were approved and went into effect on August 14, 2020; this new set of modifications were approved and went into effect on March 15, 2021. These new modifications: (i) clarify that a business selling personal information collected from consumers in the course of interacting with them offline shall inform consumers by an offline method of their right to opt-out of the sale of their personal information; (ii) provide a uniform opt-out icon businesses may use in addition to, but not in lieu of, posting the notice of right to opt-out or a “Do Not Sell My Personal Information” link; (iii) prohibit the use of “dark patterns” to obscure the opt-out process by requiring businesses to make submitting requests to opt-out “easy for consumers to execute”; and (iv) clarify that a business may require an authorized agent to provide proof that the consumer gave the agent signed permission to submit a request. Click here to access the text of the new regulations.
- On May 14, 2021, U.S. Citizenship and Immigration Services (USCIS) will dispose of SAVE records that are more than ten years old, which are those dated on or before December 31, 2010. SAVE users have until May 10th to download case information from the Historic Records Report if they want to retain information about these SAVE cases. Click here to access the instructions for downloading the Historic Records Report.
- The European Commission published a draft adequacy decision in favor of personal data flows from the European Union (EU) to the United Kingdom (UK). The next steps are for the European Data Protection Board (EDPB) to issue an opinion on the draft decision and then for the EU Member State representatives to approve the decision. In the meantime, data flows between the EU and the UK continue based on an interim agreement called the EU-UK Trade and Cooperation Agreement, which is set to expire on June 30, 2021. Click here to access the draft adequacy decision. The European Commission also adopted a draft adequacy decision regarding the EU’s Law Enforcement Directive which pertains to the processing of personal data for law enforcement purposes.