What a Week. Lots to Unpack.
Hello all, and thanks for reading today.
Updated: September 23, 2024
Published: February 15, 2024
Hello all, and happy Thursday!
On February 9th, the California Privacy Protection Agency (CPPA) made a(nother) surprise announcement. It won its appeal and CPRA enforcement is effective now—not as of March 29, 2024, but as of July 1, 2023.
For those of you who haven’t been following the shifting timeline of CPRA enforcement, here’s a quick (but admittedly complicated) overview.
Most of the CPRA came into force on January 1, 2023. However, only the statutory requirements of the CPRA and the regulatory requirements of the previous California Consumer Privacy Act (CCPA) were enforceable; that is, those requirements defined in the text of the law itself and the regulations developed around the earlier CCPA.
Some issues (like data privacy) are too expansive and complicated to effectively manage with just one fixed set of requirements defined in the text of a law. In these cases, another state or federal authority makes rules that comprise the law’s regulatory requirements. In regard to the CPRA, that authority is the CPPA. This agency has been making additional rules to ensure the CPRA comprehensively and effectively regulates data privacy in California.
Unfortunately, the CPPA was late finalizing its rules and only wrapped them up in March of 2023. The California Chamber of Commerce sued, arguing that enforceability was always meant to kick in a year after rulemaking was finalized, so California courts delayed enforcement to March 29th, 2024. The CPPA filed an appeal at the time.
Again, this refers to the regulatory enforcement of the CPRA, not the statutory enforcement of the CPRA or the regulatory enforcement of the CCPA. That’s why the Sephora enforcement action could take place, even though CPRA enforcement hadn’t fully kicked in. Enforcement of the additional requirements developed by the CPPA had been delayed until March 29th, 2024. Until recently, that is.
We were all geared up for the CPRA to finally be fully enforceable in all respects as of March 29th, but California's Third District Court of Appeal threw us for a loop and granted the CPPA’s appeal. As a result, not only is the CPRA enforceable as of today, but it has been enforceable as of July 1, 2023—the original date when enforcement was meant to kick in.
Okay. That’s a lot of nitty-gritty about the legislative process, lawmaking, and court systems (not to mention a lot of acronyms that start with the letter C).
The big picture is this: The CPRA is in full effect now! The best time to become compliant with California’s privacy law was yesterday; the second best time is today.
Best,
Arlo
P.S. It’s your last chance to register for Osano and KPMG’s webinar on data mapping! If you’ve seen this in time, the webinar is happening TODAY at 1 PM EST. Register on the IAPP’s website here.
California's Third District Court of Appeal has sided with the California Privacy Protection Agency (CPPA) and California Attorney General Rob Bonta in the case of the California Privacy Protection Agency v. Superior Court (California Chamber of Commerce). The court held that the CPPA’s authority to enforce its amended regulations should have been effective on July 1, 2023—rather than be delayed until March 29th, 2024. Today’s decision restores this authority and overturns a lower court decision.
The Federal Trade Commission (FTC) recently released an article warning against businesses surreptitiously changing the terms of their privacy policy so that they are no longer restricted in the ways they can use their customers’ data. In particular, the FTC calls out AI companies, who stand to benefit significantly by maximizing data collection and usage at the expense of user privacy.
A class-action lawsuit claims Temu is excessively collecting and using customer data through "deceptive" and "unscrupulous" practices. The complaint was filed in Illinois by the Hagens Berman law firm on behalf of seven named plaintiffs from Illinois, California, Massachusetts, and Virginia—as well as unnamed others similarly situated. Specifically, the plaintiffs' lawyers allege that expert reviews of the Temu app found the "app is purposefully and intentionally loaded with tools to execute virulent and dangerous malware and spyware activities on user devices."
Recently, the FCC declared that calls using AI-generated, cloned voices fall under the category of “artificial or prerecorded voice” within the Telephone Consumer Protection Act (TCPA). Thus, callers must obtain prior express consent from the recipient before making a call using an artificial or prerecorded voice.
Danish privacy regulator Datatilsynet has ruled that cities in Denmark need considerably more assurances about privacy to use Google services that may expose children’s data. The agency found that Google uses student data from Chromebooks and Google Workspace for Education “for its own purposes,” which isn’t allowed under European privacy law. Municipalities will need to explain by March 1st how they plan to comply with the order to stop transferring data to Google, and won’t be able to do so at all starting August 1st, which could mean phasing out Chromebooks entirely.
By now, many organizations are familiar with basic compliance activities, like managing consent and subject rights requests. But other activities, like regularly conducting privacy impact assessments, are not as well understood. What are PIAs, and how can you conduct one?
If you’re interested in working at Osano, check out our Careers page! Right now, we’re looking for a Lead Privacy Architect—check out the job description here to see if you’d be a good fit.
Arlo Gilbert is the CEO & co-founder of Osano. An Austin, Texas native, he has been building software companies for more than 25 years in categories including telecom, payments, procurement, and compliance. In 2005, Arlo invented voice commerce; he has testified before Congress on technology issues and is a frequent speaker on data privacy rights.