Late December and early January tend to be a busy time for everyone, so you may have missed a privacy update or two during that time.  We have set out some updates in the form of questions, with some links where you can find more information. Answers are below.

1.         Colorado issued a revised draft of its privacy regulations, which added a list of what could be “substantial or material changes” to a privacy policy, which would require notice communicated to consumers in the manner by which the controller usually interacts with consumers.  Which one is NOT on the list?  Changes to: 

a.         the act of sharing of Personal Data with Third Parties;

b.         categories of Personal Data Processed;

c.         a Controller’s identity

d.         the country in which Processing occurs

e.         the identity of Affiliates, Processors, or Third-Parties Personal Data is shared with

f.          methods by which Consumers can exercise their Data Rights request; or

g.          Processing purposes.

2.         The Colorado revised draft regulations also would require disclosures in the privacy policy if a Controller Processes Personal Information for Profiling that results in the provision or denial of all of these EXCEPT:

a.         access to essential goods or services;

b.         credit;

c.         criminal justice;

d.         educational enrollment or opportunity;

e.         employment opportunities;

f.          financial or lending services;

g.         health-care services;

h.         housing; or

i.          insurance.

3.         Does an insurance policy that covers direct physical loss or damage to media cover the situation where ransomware renders downloaded software useless because it could not be decrypted?  (Keep in mind that the wording of the policy will control.)

            a.         Yes, because software is a “good”

            b.         Yes, because the server on which it was loaded had to be destroyed

            c.         No, because software has no physical existence

            d.         No, because there was no “media” that was damaged

4.         If your social media site sends unsolicited birthday text messages to registered users, with automated technology that dials the numbers provided by the users, is that an “automated telephone dialing system” that’s prohibited by the Telephone Consumer Protection Act (TCPA)?

            a.         Yes, because the automated technology does the dialing

            b.         Yes, because TCPA prohibits unsolicited text messages

            c.         No, because the automated technology dials but does not generate the number

            d.         No, because the site’s privacy policy disclosed that text messages would be sent

5.         We’ve started seeing an increase in wiretapping lawsuits against websites using technology that records user keystrokes and other commands.  Do the California wiretapping laws prevent a website from capturing and storing a user’s consent with respect to cookies?  (Choose all that apply.)

            a.         Yes, because the law is content-neutral

            b.         Yes, because the website hired the vendor to record the consents

            c.         No, because the law does not apply to a party’s own communications (here, the website)

            d.         No, because a third party did not intercept and use the data for itself

6.         In December, New York amended its “do not call” law, which will take effect on March 6, 2023, to add which disclosure requirement for telemarketers to tell the called person:

            a.         The identity of the goods or services for which a fee will be charged

            b.         The option to be automatically added to the seller’s entity-specific do-not-call list

            c.         The purpose of the call

            d.         The telemarketer’s name and the name of any third party on which behalf the solicitation is being made

            e.         Whether the call is being recorded

7.         If your organization is regulated by the New York Department of Financial Services (NYDFS), and a phishing scam unrelated to your organization resulted in your customers losing money, do you need to report that to NYDFS pursuant to the Cybersecurity Regulation?

            a.         Yes

            b.         No

8.       California’s amendments to CCPA went into effect on January 1, 2023, and included a new option for some users to request that the website not “share” their information with a third party for cross-context advertising purposes.  For websites that “share,” the new law gives websites a choice:  include a “Do Not Sell or Share” link or use a “single, clearly-labeled link on the business’s internet homepage(s), in lieu of” that link.   (Cal. Civ. § 1798.135(a).)  As of January 2, 2023, a review of the websites of the 2022 Fortune 50® found, with respect to the “Do Not Share” requirement:

            a.         2% used the “Do Not Sell or Share” link and 5% chose the single, clearly-labeled link

            b.         8% used the “Do Not Sell or Share” link and 12% chose the single, clearly-labeled link

            c.         20% used the “Do Not Sell or Share” link and 20% chose the single, clearly-labeled link

            d.         4% used the “Do Not Sell or Share” link and 50% chose the single, clearly-labeled link


1.         d. Colorado’s privacy law does not have any “data localization” or “international data transfer” requirements.  The list appears in proposed rule 6.04.A. 

2.         b.  Profiling is not prohibited for purposes of granting credit.  The list appears in proposed rule 9.03.A.

3.         c.  EMOI Servs., L.L.C. v. Owners Ins. Co., No. 2022-Ohio-4649 (Ohio Dec. 27, 2022).

4.         c.  Brickman v. United States, — F.4th — (9th Cir. Dec. 21, 2022) (2022 WL 17826875).

5.         c. and d.  Williams v. What If Holdings, LLC, No. C-22-03780 WHA (N.D. Cal. Dec. 22, 2022).

6.         b.  New York Senate Bill 8450-B added the requirement that the telemarketer must offer the called party the option to be automatically added to the seller’s do-not-call list.  The other four requirements were already present in New York’s General Business Law § 399-z.

7.         a (Yes).  In the Matter of Coinbase, Consent Order, ¶ 67 (Jan. 4, 2023). (“Coinbase was required by 23 NYCRR § 500.17 to report this event to the Department within 72 hours of its being discovered.”)

8.       b.   Four websites had “Do Not Sell or Share” links and six used alternate language such as “Privacy Choices” or “Privacy Center.”