The Office of the Attorney General of Washington (the “AG”) has updated the Frequently Asked Questions (the “FAQs”) for the Washington My Health My Data Act (the “Act” or “Washington Act”) to provide guidance on the AG’s position concerning whether businesses must publish standalone consumer health data privacy policies under the Act. The update, first […]
California Privacy Protection Agency Releases Draft Regulations on Risk Assessments
On August 28, 2023, the California Privacy Protection Agency (the “Agency”) released two sets of draft regulations under the California Consumer Privacy Act (the “CCPA”), one for risk assessments and another for cybersecurity audits, as part of the Agency’s informal rulemaking process. We discuss the draft cybersecurity audits in California Proposes Annual Audits to Assess […]
Oregon Enacts Comprehensive State Privacy Law
On July 18, 2023, Oregon Governor Tina Kotek signed the Oregon Consumer Privacy Act (SB 619)(“OCPA”) into law, making Oregon the eleventh state to enact a comprehensive state privacy law. OCPA will take effect on July 1, 2024, however the effective date for covered non-profits is delayed until July 1, 2025. While OCPA aligns with […]
NIST Cybersecurity Framework 2.0 Released for Public Comment
On August 8, 2023, the National Institute of Standards and Technology (NIST) released the initial draft of its Cybersecurity Framework 2.0 and draft Implementation Examples for public comment. This marks the first significant update to the NIST Cybersecurity Framework (“Framework”) since its initial release in 2014, which is intended to address current and future cybersecurity […]
California Attorney General Launches CCPA Investigative Sweep for Employers
On July 14, 2023, California Attorney General Rob Bonta launched investigations into large California employers regarding their compliance with the California Consumer Privacy Act (the “CCPA”) as it relates to their processing of employee and job applicant personal information. Attorney General Bonta’s investigative sweep is the first CCPA enforcement activity related to employee data. The […]