Companies that sell data during the course of their business do not always realize that they are considered a “data broker” under some U.S. state laws, and that their data broker activities may require registration with some states. With increased attention being paid to individual privacy rights and the recent enactment of new state privacy laws in the U.S., it is an opportune time for companies to determine whether they are data brokers so that they can focus their compliance efforts on the various requirements, if applicable.

Just as the ink had dried on what we thought was the CA Attorney General’s final set of regulations for the California Consumer Privacy Act (CCPA), a new, fourth draft set was submitted earlier this month, building upon the third draft set issued in October. Both sets of regs have yet to be finalized.

If you are a private-sector company with employees in California, please take note of the following new laws which go into effect as of January 1, 2021 (or earlier, as indicated below). Businesses impacted by these changes should review and update existing policies and procedures, including employee handbooks and records retention policies, independent contractor agreements, and arbitration agreements.

Since our original post, the State of California has released a revised version of the COVID-19 employer playbook, which is now called the “COVID-19 Employer Playbook: Supporting a Safer Environment for Workers and Customers.” According to this updated guidance:

The California Department of Public Health recently released detailed guidance for employers who are trying to understand their obligations during the coronavirus pandemic. The COVID-19 Employer Playbook for a Safe Reopening is intended to help businesses plan and prepare to reopen safely and mitigate the risks for workers and customers.

The novel coronavirus has upended business operations on a global scale, and mitigation efforts continue to be implemented to help organizations stay afloat during this unprecedented pandemic. On March 19th, the European Data Protection Board (EDPB), an informal working group comprised of representatives of each of the national data protection authorities in the EU, issued a statement regarding data processing activities during this public health crisis, emphasizing that while data protection rules should not hinder the fight against COVID-19, it is still imperative that certain prescribed steps be taken to ensure the protection of personal data.

In her latest ACC Docket article, Outside GC's Lakshmi Sarma Ramani discusses the use of prize promotions, such as sweepstakes and contests, by nonprofit organizations, highlighting their obligation to comply with federal and state prize promotion laws despite being exempt from other tax laws.