Issue 6: California forbids privacy pros from sleeping

Oh hey! Welcome to The Privacy Beat Newsletter!

Here’s the gist: Come here for insights on the hottest topics in privacy according to our peers’ tweets so you can walk into any happy hour or team meeting and sound like the absolute baller you are. No current topic gets by you. Did you post a hot take you want included? Tag it #PrivacyBeatNews and see if it makes it into the next edition!

Personally, I’m exhausted. Aren’t you? Like I know we make a joke about #hotprivacysummer but it’s actually just #hot all the time now. I CAN’T KEEP UP WITH IT! And I really want to keep up with it so I can keep you up with it, you know?

Here’s the problem: California won’t slow down. I don’t have children, in part, because I’m not interested in never sleeping. Regardless, now I’m not sleeping because California is so busy protecting the children! I’m still upset with it for passing the CCPA when I was in Shenandoah National Park that July. And now this.

California passes kids’ privacy law, mandates privacy by design

It covers for-profit entities captured under CCPA and CPRA that attract users under the age of 18 to their products and services. The bill responds to widespread criticism over how social media companies impact children’s mental health and personal safety. Industry is losing its collective mind over the bill, officially called the Age-Appropriate Design Code, which would become effective July 1, 2024. It now needs only California Gov. Gavin Newsom’s signature to become law.

California passed what many call the “Kids’ Code” earlier this week. The bill will require websites, platforms, apps and others with content that may attract children to set the strongest privacy settings by default.

And it’s no joke, either. The penalties for violation are steep: the California Attorney General is authorized to fine companies $2,500 per child affected if they’re negligent about it. If you intentionally violate the law, you’re paying $7,500 for each child affected.

For more details on the code and what it looks like, see my recent chat on this here. Hint: the DPIAs are gonna be brutal.

Exemptions for employee and B2B data = dead

For those anxiously awaiting Jan. 1, 2023, optimists hoped California would extend the exemption period on employee and B2B data beyond the start of next year.

Though 2020’s CCPA mandated companies offer employees the same rights as consumers, many enjoyed the breathing room the law granted: You don’t have to operationalize that until 2023.

As Lisa Sotto said in Bloomberg once, “To the extent you work in a company, your footprints as an employee are everywhere – in online systems, in hard copy documents, in many different departments. For a company to try and fulfill an access request for one person alone is difficult.”

Buckle up!

The ADPPA = officially dead (mostly)

As we collectively closed the coffin door on the American Data Privacy And Protection Act, it did that thing where its chest heaved and we all jumped: stunned and confused. At least that’s how I saw it happen, but I always like to interpret news like movie scenes.

House Speaker Nancy Pelosi, who was supposed to talk to her California cohorts about their disdain for the ADPPA’s pre-emption provisions, said she wasn’t going to do it. And she was the last hope.

Optimists on Twitter are reading a lot into the final sentence of her public statement on ADPPA. “In the days ahead, we will continue to work with Chairman Pallone to address California’s concerns.”

Does that mean ADPPA lives to see another day? Who knows. It’s up to Frank Pallone, sounds like.

Here we go, Frank!

Thanks for reading, and we'll see you next week!