State Privacy Updates - 9/20

Welcome to The Patchwork Dispatch, a sometimes fortnightly newsletter that brings you the top 5 recent developments in consumer privacy legislation, regulation, and enforcement across the U.S. states (though in the summer months, mostly just California). Here's everything you need to know since our last issue:

1. California Age-Appropriate Design Code Enjoined

Since the very first edition of the Patchwork Dispatch, we have brought you updates from the NetChoice litigation against the California Age-Appropriate Design Code Act (AB 2273), a far-reaching children and teens online privacy, content, and design regulatory framework modeled on a similar code of conduct from the United Kingdom. This week, Northern District of California Judge Beth Labson Freeman issued a preliminary injunction of the entire law, finding that NetChoice is likely to succeed on its claim that the AADC violates the First Amendment.

It has been obvious to most legal observers that the AADC would have a difficult time passing Constitutional muster, especially its provisions requiring "age estimation" and granting the state Attorney General power to second-guess whether organizations' content moderation decisions conform with their posted policies. However, what is most striking about this holding is that across 45 pages the Judge systematically determines that essentially every affirmative obligation of the AADC is unlikely to survive commercial speech scrutiny: Data Protection Impact Assessments (DPIAs); Age Assurance; High Default Privacy Settings; Age-Appropriate Policy Language; Internal Policy Enforcement; Knowingly Harmful Use of Children's Data; Restriction on Profiling Children By Default; Restriction on Collecting, Selling, Sharing, and Retaining Children's Data; Unauthorized Use of Children's Personal Information; and provisions on Dark Patterns.

Due to the sweeping analysis under this holding, many observers are already calling the injunction a "monumental moment" for the state privacy landscape. While the AADC diverges from typical state privacy requirements in a litany of respects (particularly in its DPIA requirements, which the AADC directly uses as a means to regulate "potentially harmful content"), at a high level, many of the provisions reviewed by the Court, including DPIA requirements, data minimization, and restrictions on so-called "dark patterns," are common elements of both online safety and privacy laws across the U.S. The Court was also "troubled" that the AADC only targeted certain speakers (a segment of for-profit companies) while omitting governmental and non-profit entities, a characteristic of essentially every state privacy law (though Colorado, Oregon, and Delaware's laws do apply to some non-profits). As a result, expect this holding to feature heavily in debates about AADC copycat and inspired bills, social media age verification laws, and broad-based commercial privacy laws of general applicability.

Of small comfort to advocates for the AADC - the Court's "initial view" is that NetChoice's preemption claims involving the Children's Online Privacy Protection Act and Section 230 of the Communications Decency Act do not support the request for preliminary injunction. Also of note, the Ninth Circuit did recently overturn a privacy-related case from Judge Freeman that interpreted COPPA-preemption broadly. An Attorney General appeal of the present holding also seems likely and the Dispatch will continue to bring you all the latest.

2. California Regulators Discuss Forthcoming Rules

On September 8th the California Privacy Protection Agency board held a 6+ hour meeting that included a discussion of the New Rules Subcommittee's draft regulations for risk assessments and cybersecurity audits. The substance of these draft regulations was already covered in the last issue of the Dispatch, so we will just highlight the Board's key discussion themes here:

  • Rulemaking Process: As expected, the Board did not launch formal rulemaking procedures on the draft regulations, but expressed optimism that it will be able to do so by its next meeting in November. It is also possible that draft regulations governing access and opt-out rights with respect to Automated Decisionmaking Technology will be ready by then.
  • Cybersecurity Audits: The bulk of the discussion involved the question of what applicability thresholds should trigger a requirement to conduct an audit (number of customers, revenue, number of employees, processing activities, or some combination(s) thereof). Chairperson Urban stressed that for audit thresholds the "lodestar must be risk," and Board Member Mactaggart was interested in mechanisms that, over time, could expand the number of entities subject to cybersecurity audit requirements.
  • Artificial Intelligence: The draft regulations on risk assessments include a broad definition of "Automated Decisionmaking Technology," covering any "process" that uses personal information and computation to so much as "facilitate" human decisionmaking. Board Member Mactaggart raised concerns that this definition would sweep in basic technology like a carburetor or thermostat. Board Member Le responded that there will be 'other limitations that contain the breadth of this definition.'
  • Risk Assessments: Similar to cybersecurity audits, the Board's major consideration for risk assessments was determining which processing activities should trigger an assessment requirement. Board Member Le shared that the thresholds and triggers for risk assessments were strongly influenced by other jurisdictions such as Colorado and the EU, with some California-specific additions such as the law's applicability to employee data. The Board was also open to removing the processing of personal information of consumers under the age of 16 from the list of risk assessment triggers given the Age Appropriate Design Code's DPIA requirements (though this obligation has subsequently been enjoined, see above).

3. California DELETE Act Clears Legislature

California Senate Bill 362 cleared the State Senate by a 31-9 vote on September 14th, sending the proposal to Governor Newsom's desk. At a high level, the proposal will transfer authority over California's data broker registry from the State AG to the California Privacy Protection Agency; require data brokers to make additional disclosures; and charge the CPPA with establishing a one-stop-shop mechanism through which an individual (or their agent) can request the deletion of their personal information from every registered data broker. Notably, the State AG's office did support the reallocation of its authority over the registry. Also, while early drafts of the proposal would have created a drastically different deletion standard than exists under California's consumer privacy law, these divergences have been largely resolved through the amendment process.

Easing the burdens of privacy self-management is one of the most pressing needs and intractable issues for modern privacy laws, and California must be commended for forging ahead on this issue once again (the current trend towards Universal Opt-Out Mechanisms is rooted in the California AG's original CCPA rulemaking). Nevertheless, significant policy and operational questions remain for how the new deletion mechanism will function in practice, including what information will be necessary to collect and share in order to enable a diverse range of businesses to verify requests and associate them with a particular consumer profile. The Act gives the Agency until January 1, 2026 to establish the deletion mechanism and permissive (though not mandatory) rulemaking authority to do so.

4. Litigation Involving the CCPA Effective Date Moves Forward

As frequent readers of the Dispatch know well, in June the Sacramento Superior Court delayed enforcement of the California Privacy Protection Agency's CCPA regulations, finding that the CCPA's provision that the "timeline for adopting final regulations required by the Act... shall be July 1, 2022" was intended to grant businesses a one-year runway to come into compliance with any new regulations.

In August, the CPPA and State AG's office petitioned California's Third District Court of Appeal to overturn the order. As of this week, the Court of Appeals has taken up the matter, setting a filing deadline for the regulators of October 2, and 15 days following the petitioners' submission for the respondent California Chamber of Commerce. Surely more to come here soon.

5. Delaware Makes A Dozen

On Monday September 11, Governor Carney signed HB 154, the Delaware Personal Data Privacy Act, into law, making the Diamond State the twelfth in the U.S. to enact broad-based consumer privacy legislation. (While some observers count Florida as a 'comprehensive' privacy law, the Dispatch has made an editorial decision to omit Florida's law as it only directly applies to very large entities engaged in particular lines of business.)

For a full review of the DPDPA see here (not to be confused with India's recently enacted national privacy law, the DPDPA). At a high level, Delaware's new law follows the Connecticut model with a handful of unique wrinkles. Of note:

  • Sensitive data: includes "status as transgender or nonbinary" and specifically identifies pregnancy as a health condition.
  • Adolescent Data: Opt-in requirements for targeted advertising and sale of teen data apply to individuals between the ages of 13-17, rather than 13-15.
  • Data Brokers: Delaware does not provide the common exception to deletion requests for data collected from third party sources (if the controller does not further use the data for non-exempt processing activities). The full significance of this modification will likely depend on interpretation and enforcement.

Our state privacy patchwork quilt has been updated accordingly:

As always, thanks for stopping by.


Keir Lamont is the Director for U.S. Legislation at the Future of Privacy Forum.

Absolutely loving the California vibes in this edition! As Steve Jobs once said - Stay hungry, stay foolish. May your curiosity and passion for #Privacy and #DataProtection inspire many! #Innovation #TechInspiration

Christin McMeley

Privacy and Data Strategy at Comcast

1 year

I love these - thank you!

One step forward in CA (DELETE) one step back (AADC). Sadly, commercial speech wins round one vs children's data protection. Thanks for the summary, as always, Keir Lamont
