Tag: Internet

How Many Websites Now Have Cookie Banners?

A “cookie banner” refers to a pop-up notice on a website that discusses the site’s use of cookies. There is little standardization concerning how cookie banners are deployed. For example, websites can position them in different places on the screen (e.g., across the top of the screen, across the bottom of the screen, in a corner of the screen, or centered on the screen). Cookie banners also utilize different language to describe what cookies are and use different terms to describe options consumers may have in relation to the deployment of cookies. Some cookie banners require that a consumer interact with the banner (e.g., accept, cancel, or click out of) before the consumer can visit a website; other cookie banners are designed to disappear from view after several seconds.

As of October 2022, 45% of Fortune 500 websites were utilizing a cookie banner.[1] That represents an 11-point increase since 2021.[2]

[1] Greenberg Traurig LLP reviewed the publicly available privacy notices and practices of 555 companies (the Survey Population). The Survey Population comprises companies that had been ranked within the Fortune 500 at some point in the past five years as well as additional companies selected from industries that are underrepresented in the Fortune 500. While the Survey Population does not fully match the current Fortune 500 as a result of industry consolidation and shifts in company capitalization, we believe that the aggregate statistics rendered from the Survey Population are representative of mature companies. Greenberg Traurig’s latest survey was conducted between September and October 2022.

[2] Greenberg Traurig LLP conducted a survey in December 2020 which showed that 34.2% of websites had cookie banners.

Article By David A. Zetoony of Greenberg Traurig, LLP

For more communications, media, and internet legal news, click here to visit the National Law Review.

©2022 Greenberg Traurig, LLP. All rights reserved.

ANOTHER TRILLION DOLLAR CASE:? TikTok Hit in MASSIVE CIPA Suit Over Its Business Model of Profiting from Advertising by Collecting and Monetizing User Data

Data privacy lawsuits are EXPLODING and one of our country’s most popular mobile app — TikTok’s privacy issues keep piling up.

Following its recent $92 million class-action data privacy settlement for its alleged violation of Illinois Biometric Information Privacy Act (BIPA), TikTok is now facing a CIPA and Federal Wire Tap class action for collecting users’ data via its in-app browser without Plaintiff and class member’s consent.

The complaint alleges “[n]owhere in [Tik Tok’s] Terms of Service or the privacy policies is it disclosed that Defendants compel their users to use an in-app browser that installs JavaScipt code into the external websites that users visit from the TikTok app which then provides TikTok with a complete record of every keystroke, every tap on any button, link, image or other component on any website, and details about the elements the users clicked. “

Despite being a free app, TikTok makes billions in revenue by collecting users’ data without their consent.

The world’s most valuable resource is no longer oil, but data.”

While we’ve discussed before, many companies do collect data for legitimate purposes with consent. However this new complaint alleges a very specific type of data collection practice without the TikTok user’s OR the third party website operator’s consent.

TikTok allegedly relies on selling digital advertising spots for income and the algorithm used to determine what advertisements to display on a user’s home page, utilizes tracking software to understand a users’ interest and habits. In order to drive this business, TikTok presents users with links to third-party websites in TikTok’s in-app browser without a user  (or the third party website operator) knowing this is occurring via TikTok’s in-app browser. The user’s keystrokes is simultaneously being intercepted and recorded.

Specifically, when a user attempts to access a website, by clicking a link while using the TikTok app, the website does not open via the default browser.  Instead, unbeknownst to the user, the link is opened inside the TikTok app, in [Tik Tok’s] in-app browser.  Thus, the user views the third-party website without leaving the TikTok app. “

The Tik-Tok in-app browser does not just track purchase information, it allegedly tracks detailed private and sensitive information – including information about  a person’s physical and mental health.

For example, health providers and pharmacies, such as Planned Parenthood, have a digital presence on TikTok, with videos that appear on users’ feeds.

Once a user clicks on this link, they are directed to Planned Parenthood’s main webpage via TikTok’s in-app browser. While the user is assured that his or her information is “privacy and anonymous,” TikTok is allegedly intercepting it and monetizing it to send targeted advertisements to the user – without the user’s or Planned Parenthood’s consent.

The complaint not only details out the global privacy concerns regarding TikTok’s privacy practices (including FTC investigations, outright ban preventing U.S. military from using it, TikTok’s BIPA lawsuit, and an uptick in privacy advocate concerns) it also specifically calls out the concerns around collecting reproductive health information after the demise of Roe v. Wade this year:

TikTok’s acquisition of this sensitive information is especially concerning given the Supreme Court’s recent reversal of Roe v. Wade and the subsequent criminalization of abortion in several states.  Almost immediately after the precedent-overturning decision was issued, anxieties arose regarding data privacy in the context of commonly used period and ovulation tracking apps.  The potential of governments to acquire digital data to support prosecution cases for abortions was quickly flagged as a well-founded concern.”

Esh. The allegations are alarming and the 76 page complaint can be read here: TikTok.

In any event, the class is alleged as:

“Nationwide Class: All natural persons in the United State whose used the TikTok app to visit websites external to the app, via the in-app browser.

California Subclass: All natural persons residing in California whose used the TikTok app to visit websites external to the app, via the in-app browser.”

The complaint alleges California law applies to all class members – like the Meta CIPA complaint we will have to wait and see how a nationwide class can be brought related to a CA statute.

On the CIPA claim, the Plaintiff – Austin Recht – seeks an unspecific amount of damages for the class but the demand is $5,000 per violation or 3x the amount of damages sustained by Plaintiff and the class in an amount to be proven at trial.

We’ll obviously continue to keep an eye out on this.

Article By Puja J. Amin of Troutman Firm

For more communications and media legal news, click here to visit the National Law Review.

© 2022 Troutman Firm

ADA Compliance for Law Firm Websites in 2022

Legal reasoning involves applying the law to the facts to determine the rights and duties of those involved in a situation. Lawyers frequently take the position that the application of rules should settle disputes and that policies will be considered, if at all, only when there is a high degree of uncertainty surrounding the applicability of the rule. The lawyer might take the position that it is always preferable to seek the result that would further the underlying policies, even if that result would be contrary to the clear language of the rules.

But what if no explicit rules currently exist?

That is the issue with website compliance under the Americans with Disabilities Act (ADA). The Act does not offer specific guidelines to follow; however, websites are expected to be easily accessible to everyone, including those who are disabled. The failure to create an ADA-compliant website could expose an organization to discrimination lawsuits, financial liabilities, and severe damage to its reputation.

What is the ADA?

The ADA compels certain businesses, including banks, hotels, restaurants, public transit, law firms, and others to make accommodations for people with disabilities. According to the National Law Review, the Act is divided into three parts:

  • Title I prohibits employers from discriminating against employees based on disability and requires them to provide reasonable accommodation to certain employees under specific circumstances.
  • Title II covers state and local governments.
  • Title III covers “places of public accommodation,” which the ADA does not define, but are generally private businesses or organizations that provide goods, services, facilities, privileges, or accommodations to the public. These places commonly include schools, restaurants, health care providers, social service agencies, law firms, and more.

The ADA is commonly associated with physical locations and the accommodations that certain businesses must make for people with disabilities, which include wheelchair accessibility, reserved parking, and service animals. Companies that fall under ADA Title I and operate 20 or more weeks per year with at least 15 full-time employees, or Title III – those that fall under the category of public accommodation – must be ADA-compliant.

Although physical “brick-and-mortar” locations are nearly always considered places of public accommodation, the debate is ongoing as to whether a business’s website is a place of accommodation. If so, the digital content must be accessible to all users.

A law firm website must be designed so that those who are disabled can access it easily to comply with ADA requirements. While there are no well-defined regulations that describe precisely what an ADA-compliant website should include, businesses that fall under ADA Title I or ADA Title III are required to develop a website that offers “reasonable accessibility” to people with disabilities.

Compliance Tools & Plugins

Because the ADA doesn’t offer specific guidelines for website compliance, many organizations follow the Web Content Accessibility Guidelines 2.0 (WCAG), updated to 2.1 in 2018. While WCAG isn’t a legal requirement, its requirements have been followed in the European Union and other nations since 1999 and still serves as a reference for businesses that want to improve accessibility to their website.

Under WCAG 2.1, website accessibility concerns generally fall into four groups. These include issues that are:

  • Perceivable – issues that affect users’ ability to locate and process the information on a website, e.g., many visually-impaired individuals use screen readers to distinguish between the text and the background to help them navigate online content.
  • Operable – challenges that impair users’ ability to navigate a site, e.g., functions and navigations such as online forms should be accessible via keyboard-only commands, and users who need additional time to complete them should be allowed to do so.
  • Understandable – users should be able to comprehend the information on the site, e.g., error messages that provide an explanation and directions for correcting an error should be offered.
  • Robust – can be interpreted by various devices and platforms according to the varying needs and abilities of users, e.g., the alt text that should pop up to let users know what it is when read by assistive technology when they hover over an image.

Here are more suggestions regarding what to include to help ensure ADA website compliance:

  • “Alt” tags for every media file and map
  • Descriptive HTML tags for online forms
  • Hyperlinks with descriptive anchor text
  • “Skip navigation” links on all website pages
  • Heading tags to organize text
  • Accessible PDF files
  • Subtitles, transcripts, and audio descriptions for videos
  • Accessible fonts for all applications
  • HTML tables with column headers, row IDs, and cell information
  • Captions written in English for audio files
  • Call-to-action buttons with easily accessible names and ARIA labels
  • A website accessibility policy
  • Easy to find contact information

Meeting these guidelines will make a firm’s website more accessible to those with vision or hearing impairments, as well as cognitive, language, or learning disabilities.

Court Rulings Regarding Website ADA Compliance

According to the American Bar Association (ABA), the number of accessibility-related lawsuits filed against websites has increased dramatically in recent years. Plaintiffs are basing these lawsuits on two legal theories:

  1. Title IIIs “equal access and general nondiscrimination mandate
  2. A requirement that places of public accommodation must provide auxiliary aids and services as necessary (for no extra charge)

Although neither Title III nor its regulations mention websites and mobile applications, the phase “auxiliary aids and services” includes “accessible electronic and information technology,” which covers websites and mobile apps.

ADA Title III Lawsuits Filed Each Year Graph
Image by Seyfarth via adatitleiii.com

A recent ABA analysis of court filings related to ADA website compliance found:

  • Federal courts across the country were inundated with more than 8,000 website accessibility lawsuits between 2017 and 2020.
  • In 2020, three states – New York, Florida, and California – brought more than 85 percent of all the ADA website compliance lawsuits.
  • Since 2018, website and mobile app accessibility disputes have accounted for approximately 20 percent of all ADA Title III cases initiated in federal courts, which now regularly exceed 10,000 suits each year.

These statistics do not consider a significant number of website and mobile app cases pursued in state courts, cases settled before filing in court, and DOJ enforcement proceedings that are resolved prior to court filing.

Here are some examples of court rulings related to ADA compliance and websites:

Gil v. Winn-Dixie Stores Inc.

In June 2107, a Florida court ruled in favor of a blind plaintiff who brought an ADA violation lawsuit against Winn-Dixie. The man claimed that aspects of the supermarket chain’s site weren’t compatible with screen readers, leaving him unable to order his medications online or download rewards cards. The trial court agreed that the website was inaccessible to those with impaired vision and ordered that it be brought into compliance with the WCAG 2.0 Level AA.

Although Winn-Dixie complied with the court order, in April 2021, the Eleventh Circuit Court of Appeals overturned the trial court’s decision, finding that Winn-Dixie was not in violation of the ADA because it did not need accessibility aids to conduct business. After that, however, Winn-Dixie posted an accessibility statement on its website that commits to adhere to WCAG 2.0 AA by using testers from the disability community to check the accessibility of their website periodically.

Robles v. Domino’s Pizza

Domino’s Pizza lost a website accessibility lawsuit in 2019 after years of exhaustive litigation when a federal district court in California granted the plaintiff’s motion for summary judgment after it determined that the website was indeed not fully accessible. The court ordered Domino’s to make its website compliant with the WCAG 2.0 to connect customers to the goods and services of Domino’s physical restaurants.

The court held that the ADA applied to Domino’s website and app because the Act requires places of public accommodation, like Domino’s, to offer auxiliary aids and services to make visual materials available to blind individuals. Although customers primarily access the Domino’s website and app outside its physical restaurants, the court found that the Act pertains to the services of public accommodation, not services in a place of public accommodation.

Andrews v. Blick Art Materials

In 2017, Victor Andrews, who is blind, filed a lawsuit against Blick Art Materials for website inaccessibility. Andrews alleged that because Blick’s website was inaccessible, he could not navigate and purchase items on the defendant’s website independently. When Blick made a motion to dismiss the lawsuit, Judge Jack Weisenstein denied it and made this statement:

Today, internet technology enables individuals to participate actively in their community and engage in commerce from the comfort and convenience of their home. It would be a cruel irony to adopt the interpretation of the ADA espoused by Blick, which would render the legislation intended to emancipate the disabled from the bonds of isolation and segregation obsolete when its objective is increasingly within reach.

The ruling in this case and others illustrates that businesses need to consider their websites equivalent to a place of public accommodation, which puts them at risk of being sued, even without explicit web accessibility regulations.

Latest DOJ Guidelines

In 2010, the Department of Justice (DOJ) launched a rulemaking process to address ADA requirements for website accessibility, including technical standards for accessible websites. However, that effort stalled for seven years during the Obama administration (even though the administration continued to pursue investigations and enforcement actions against businesses with inaccessible websites).

The Trump administration abandoned the process to interpret the ADA entirely in 2017. In 2018, the DOJ revealed that it would not give official guidance regarding website accessibility under the Act, releasing this statement:

The Department is evaluating whether promulgating regulations about the accessibility of Web information and services is necessary and appropriate. Such an evaluation will be informed by additional review of data and further analysis. The Department will continue to assess whether specific technical standards are necessary and appropriate to assist covered entities with complying with the ADA.

Since the DOJ’s withdrawal, the number of lawsuits involving website accessibility increased dramatically, raising awareness regarding website accessibility among businesses but also causing confusion surrounding what features an ADA-compliant website should include. As a result, numerous website accessibility consulting companies emerged promising inexpensive solutions. However, some have been challenged in court.

In June 2018, some bipartisan members of the U.S. House of Representatives sent a letter to Attorney General Jeff Sessions encouraging the DOJ to release clear website accessibility regulations to diminish the unclear nature of current legislation. On September 25, 2018, the DOJ responded by stating that, at this time, the DOJ would not be issuing web accessibility regulations under the ADA: “The Department has consistently taken the position that the absence of a specific regulation does not serve as a basis for noncompliance with a statute’s requirements.”

In March 2022, the DOJ issued further web accessibility guidance under the ADA. The “new” guidance references both the WCAG – which are voluntary – and Section 508 standards, which set standards for federal websites, and indicates that the DOJ supports the notion that sites of public accommodation must be accessible, and in the absence of explicit regulations, websites can be flexible in how they choose to comply with the ADA’s requirements. However, the guidance does not clarify what such flexibility or choice entails and– not necessarily the direction regulation-seekers are looking for, since it provides no substantially new information regarding the vagueness of website accessibility requirements under the ADA.

Final Thoughts

As accessibility regulations for websites remain unclear, it can be easy for organizations to assume that they cannot be sued for noncompliance. However, with no specific standards to follow, law firms and other businesses must do their best to interpret the ADA, practice website accessibility as they see fit, and try to avoid website accessibility-related lawsuits.

One more thing to consider: ambiguity runs both ways, and even though an organization might think its website is accessible, a disabled person might think otherwise, providing the grounds for a lawsuit. Organizations aren’t granted immunity simply because of a lack of clarity in legislation. Instead, uncertainty allows for interpretation by anyone, including the courts.

This article was authored by Jan Hill of Lawmatics.

For more business of law legal news, click here to visit the National Law Review.

©2022 — Lawmatics

AUVSI and DOD’s Defense Innovation Unit Announce Collaboration for Cyber Standards for Drones

The Association for Uncrewed Vehicle Systems International (AUVSI), the world’s leading trade association for drones and other autonomous vehicles, announced a collaboration with the Department of Defense’s (DOD) Defense Innovation Unit (DIU) to further commercial cyber methodologies to design a shared standard. AUVSI’s effort is meant to expand the number of vetted drones that meet congressional and federal agency drone security requirements.

This pilot program would extend relevant cyber-credentialing across the U.S. industrial base and assist the DOD and other government entities in streamlining and accelerating drone capabilities across the board. Overall, this collaboration will help make the drone industry more secure. The program will work with numerous cybersecurity firms to conduct technical cyber assessments before the DIU, DOD, and other government entities conduct additional vetting as necessary.

Currently, the Blue UAS (Unmanned Aircraft Systems) Cleared List has 14 drones on it and 13 more drones are scheduled to be added. The Blue UAS Cleared List is routinely updated and contains a list of DOD-approved drones for government users. These drones are section 848 FY20 NDAA compliant, validated as cyber-secure and safe to fly, and are available for government purchase and operation. However, even with these additions, the demand for additional cleared drones with new capabilities and technology has outpaced the DIU’s ability to scale the program. This collaboration seeks to close that gap and offer cybersecurity certification in close cooperation with the DIU. With off-the-shelf drones serving as critical tools to help conduct diverse government operations, partnership with AUVSI and cybersecurity experts will make it easier for government users to use commercial technology and achieve effective operations in a secure manner.

Article By Kathryn M. Rattigan of Robinson & Cole LLP

For more cybersecurity and data privacy news, click here to visit the National Law Review.

Copyright © 2022 Robinson & Cole LLP. All rights reserved.

The Top 10 Do’s and Don’ts of Selling a Cell Lease

When you sell a cell lease, in addition to assigning the lease and rents to the purchaser, you also sell the purchaser the right to put communications antennas on your property for 50 years or more. Done properly, this can be very advantageous, but if done improperly, the right, coupled with its lengthy term, can be harmful, especially for valuable properties.

While the intricacies of such sales should be left to professionals (the sale documents are often 15-20 pages long to protect the property owner), here is a short list of items unique to cell lease sales which property owners should keep in mind. This list is based on years of experience helping clients sell over 100 leases.

  1. Sell the cell lease first if you will be selling the property with the lease. Recently, leases have sold for around 20 times annual revenues. Done properly, a lease sale will add dollar for dollar to the sales price of the property it’s on.
  2. Don’t use the documents from the purchaser without extensively revising them (we often toss them out and use our own documents). They are usually so overreaching that using them “as is” can reduce or destroy the value of the property with the lease.
  3. Include provisions protecting the future use, development and value of the property with the lease.
  4. Have a relocation provision so you can require the leased area to be moved to another location on the property if needed for the maintenance, repair or redevelopment of the property.

The following items are particularly important for areas where the leased space is on a building rather than for a tower on open land. Buildings are generally much more valuable than open land (so the potential harm from bad terms is greater), there often are two or more parcels being leased (equipment on the ground, antennas on the roof, cables in between) and property owners need to be specific on the rights being sold and retained.

  • Clearly describe, with engineering drawings if needed, the areas of the building the purchaser can use.
  • Spell out the types of communications uses the purchaser can conduct and the equipment it may place in these areas.
  • Also spell out the rights the building owner and tenants retain to use these same areas (as well as other parts of the building) for their antennas, HVAC, elevators, etc.
  • Describe the types of communications uses and radios that the building owner, residents and tenants have retained and do not violate the sale.
  • Attach engineering drawings showing the equipment currently on the building.
  • Require landlord approval of changes to the preceding and the reasons the approval can be withheld.

Article By John W. Pestle and Peter A. Schmidt of Varnum LLP

For more communications, media, and internet legal news, click here to visit the National Law Review.

© 2022 Varnum LLP

California Law Prohibits Cooperation with Out-of-State Entities Regarding Lawful Abortion

In response to Dobbs v. Jackson Women’s Health Organization, California Governor Gavin Newsom recently signed AB 1242 into law, which “prohibits law enforcement and California corporations from cooperating with out-of-state entities regarding a lawful abortion in California.”

In particular, AB 1242 prohibits California companies that provide electronic communication services from complying with out-of-state requests from law enforcement regarding an investigation into, or enforcement of, laws restricting abortion.

Sponsored by California Assembly member Rebecca Bauer-Kahan and California Attorney General Rob Bonta, AB 1242:

takes an innovative legal approach to protect user data. The bill prohibits California law enforcement agencies from assisting or cooperating with the investigation or enforcement of a violation related to abortion that is lawful in California. This law thereby blocks out-of-state law enforcement officers from executing search warrants on California corporations in furtherance of enforcing or investigating an anti-abortion crime. For example, if another state wants to track the movement of a woman traveling to California seeking reproductive health care, the state would be blocked from accessing cell phone site tower location data of the woman by serving a warrant to the tech company in California. In addition, if another state wants Google search history from a particular IP address, it could not serve an out-of-state search warrant at Google headquarters in CA without an attestation that the evidence is not related to investigation into abortion services. Although the first state to enact such a law, as California often is when it comes to privacy rights, we anticipate that other states will follow suit and that these laws will be hotly contested in litigation.

Article By Linn F. Freedman of Robinson & Cole LLP

For more data privacy and cybersecurity legal news, click here to visit the National Law Review.

Copyright © 2022 Robinson & Cole LLP. All rights reserved.

Speaker Pelosi Expresses Concerns With Federal Privacy Bill’s Preemption Provision

On Thursday, House Speaker Nancy Pelosi expressed concerns with certain features of the American Data Privacy and Protection Act (“ADPPA”) and its broad preemption provision, which as currently drafted would override the California Consumer Privacy Act (“CCPA”) and its subsequent voter- approved amendments.  The ADPPA was favorably reported by the House Committee on Energy and Commerce in July by a vote of 53-2.  The bill has not yet been scheduled for a vote on the House floor. Speaker Pelosi “commended” the Energy and Commerce Committee for its efforts, while also praising California Democrats for having “won the right for consumers for the first time to be able to seek damages in court for violations of their privacy rights.”  Speaker Pelosi noted that California leads the nation in protecting consumer privacy and it was “imperative that California continues offering and enforcing the nation’s strongest privacy rights.”

Speaker Pelosi stated that she and others would be working with Chairman Frank Pallone (D-NJ) to address concerns related to preserving  California privacy laws.  Although Speaker Pelosi’s comments cast doubt on the future of the ADPPA, we continue to believe that it will clear the House. We anticipate only modest tweaks to the preemption provision, which must be acceptable to the Republican leadership of the committee for the bill to move forward. As Speaker Pelosi noted, the bill contains a private right of action for consumers—the single most important provision to Republicans in return for strong preemption language. After more than a decade of effort, the Democratic leadership of the House will be hard pressed to let the perfect be the enemy of the really good.

Article By Kristin L. Bryan, Jeffrey L. Turner, and Kyle R. Fath of Squire Patton Boggs (US) LLP

For more privacy and cybersecurity legal news, click here to visit the National Law Review.

© Copyright 2022 Squire Patton Boggs (US) LLP

Acronis Reports Ransomware Damages Will Exceed $30B by 2023

In its Mid-Year Cyberthreat Report published on August 24, 2022, cybersecurity firm Acronis reports that ransomware continues to plague businesses and governmental agencies, primarily through phishing campaigns.

According to the report over 600 malicious email campaigns were launched in the first half of 2022, with the goal of stealing credentials to launch ransomware attacks. Other attack vectors included vulnerabilities to cloud-based networks, targeting unpatched or software vulnerabilities, and cryptocurrency and decentralized finance systems.

According to Acronis, “ransomware is worsening, even more so than we predicted.” It estimates that global damages related to ransomware attacks will top $30 billion by 2023.

Article By Linn F. Freedman of Robinson & Cole LLP

For more cybersecurity legal news, click here to visit the National Law Review.

Copyright © 2022 Robinson & Cole LLP. All rights reserved.

Judge Approves $92 Million TikTok Settlement

On July 28, 2022, a federal judge approved TikTok’s $92 million class action settlement of various privacy claims made under state and federal law. The agreement will resolve litigation that began in 2019 and involved claims that TikTok, owned by the Chinese company ByteDance, violated the Illinois Biometric Information Privacy Act (“BIPA”) and the federal Video Privacy Protection Act (“VPPA”) by improperly harvesting users’ personal data. U.S. District Court Judge John Lee of the Northern District of Illinois also awarded approximately $29 million in fees to class counsel.

The class action claimants alleged that TikTok violated BIPA by collecting users’ faceprints without their consent and violated the VPPA by disclosing personally identifiable information about the videos people watched. The settlement agreement also provides for several forms of injunctive relief, including:

  • Refraining from collecting and storing biometric information, collecting geolocation data and collecting information from users’ clipboards, unless this is expressly disclosed in TikTok’s privacy policy and done in accordance with all applicable laws;
  • Not transmitting or storing U.S. user data outside of the U.S., unless this is expressly disclosed in TikTok’s privacy policy and done in accordance with all applicable laws;
  • No longer pre-uploading U.S. user generated content, unless this is expressly disclosed in TikTok’s privacy policy and done in accordance with all applicable laws;
  • Deleting all pre-uploaded user generated content from users who did not save or post the content; and
  • Training all employees and contractors on compliance with data privacy laws and company procedures.

Article By the Privacy and Cybersecurity Practice Group at Hunton Andrews Kurth

For more privacy and cybersecurity legal news, click here to visit the National Law Review.

Copyright © 2022, Hunton Andrews Kurth LLP. All Rights Reserved.

Are You Ready for 2023? New Privacy Laws To Take Effect Next Year

Five new state omnibus privacy laws have been passed and will go into effect in 2023. Organizations should review their privacy practices and prepare for compliance with these new privacy laws.

What’s Happening?

While the US currently does not have a federal omnibus privacy law, states are beginning to pass privacy laws to address the processing of personal data. While California is the first state with an omnibus privacy law, it has now updated its law, and four additional states have joined in passing privacy legislation: Colorado, Connecticut, Utah, and Virginia. Read below to find out if the respective new laws will apply to your organization.

Which Organizations Must Comply?

The respective privacy laws will apply to organizations that meet particular thresholds. Notably, while most of the laws apply to for-profit businesses, we note that the Colorado Privacy Act also applies to non-profits. There are additional scope and exemptions to consider, but we provide a list of the applicable thresholds below.

The California Privacy Rights Act (CPRA) – Effective January 1, 2023

The CPRA applies to for-profit businesses that do business in California and meet any of the following:

  1. Have a gross annual revenue of over $25 million;
  2. Buy, receive, or sell the personal data of 100,000 or more California residents or households; or
  3. Derive 50% or more of their annual revenue from selling or sharing California residents’ personal data.

Virginia Consumer Data Protection Act (CDPA) – Effective January 1, 2023

The CDPA applies to businesses in Virginia, or businesses that produce products or services that are targeted to residents of Virginia, and that:

  1. During a calendar year, control or process the personal data of at least 100,000 Virginia residents, or
  2. Control or process personal data of at least 25,000 Virginia residents and derive over 50% of gross revenue from the sale of personal data.

Colorado Privacy Act (CPA) – Effective July 1, 2023

The CPA applies to organizations that conduct business in Colorado or produce or deliver commercial products or services targeted to residents of Colorado and satisfy one of the following thresholds:

  1. Control or process the personal data of 100,000 Colorado residents or more during a calendar year, or
  2. Derive revenue or receive a discount on the price of goods or services from the sale of personal data, and process or control the personal data of 25,000 Colorado residents or more.

Connecticut Act Concerning Personal Data Privacy and Online Monitoring (CTPDA) – Effective July 1, 2023

The CTPDA applies to any business that conducts business in the state, or produces a product or service targeted to residents of the state, and meets one of the following thresholds:

  1. During a calendar year, controls or processes personal data of 100,000 or more Connecticut residents, or
  2. Derives over 25% of gross revenue from the sale of personal data and controls or processes personal data of 25,000 or more Connecticut residents.

Utah Consumer Privacy Act (UCPA) – Effective December 31, 2023

The UCPA applies to any business that conducts business in the state, or produces a product or service targeted to residents of the state, has annual revenue of $25,000,000 or more, and meets one of the following thresholds:

  1. During a calendar year, controls or processes personal data of 100,000 or more Utah residents, or
  2. Derives over 50% of the gross revenue from the sale of personal data and controls or processes personal data of 25,000 or more Utah residents.

The Takeaway 

Organizations that fall under the scope of these respective new privacy laws should review and prepare their privacy programs. The list of updates may involve:

  • Making updates to privacy policies,
  • Implementing data subject request procedures,
  • How your business is handling AdTech, marketing, and cookies,
  • Reviewing and updating data processing agreements,
  • Reviewing data security standards, and
  • Providing training for employees.

Article By Eva J. Pulliam, Christine Chong, and Destiny Planter of ArentFox Schiff LLP

For more privacy and cybersecurity legal news, click here to visit the National Law Review. 

© 2022 ArentFox Schiff LLP