Federal vs. State Authority

Question 1

Define:

California Consumer Privacy Act (CPPA)

Answer 1

• first state comprehensive privacy law enacted in 2018 with effective date of January 1, 2020
• amended by California Privacy Rights Act (CPRA) in 2023
• created California Privacy Protection Agency (CPPA) dedicated to regulation of privacy protections (akin to EU’s data protection authority under GDPR)

Question 2

Define:

preemption

Answer 2

federal statutes overrides an inconsistent state statute

Question 3

How do states provide privacy protections?

Answer 3

• all states have UDAP statutes which are roughly similar to Section 5 of FTC Act
• express right to privacy in state constitutions
• state common law
• privacy torts right of action
• contract theory
• other specialized statutes protecting privacy

Question 4

Define:

Illinois Biometric Information Privacy Act (BIPA) (2008)

Answer 4

requires companies, including employers, to notify individuals of their biometric practices and to obtain informed consent prior to using individuals’ biometric data as part of these practices

• private right of action

Question 5

Define:

California Age-Appropriate Design Code Act (2022)

Answer 5

legal obligations on businesses that provide online services or products that are likely to be accessed by children under age of 18

• requires covered businesses to make design choices with their services and products that protect children
• mandates restrictions on use of children’s data by covered businesses and extends these requirements to situations that would negatively impact the child’s physical or mental well-being

Question 6

What do state AGs do?

Answer 6

• traditionally enforced privacy protections at the state level
• certain federal statutes allow state AGs to bring enforcement actions along with relevant agency, including HIPAA, GLBA and CAN-SPAM