California Becomes Second State to Protect Brain Wave Data
California followed Colorado’s lead last month when it amended the CCPA to add protections for “neural data,” which the law defines as “information that is generated by measuring the activity of a consumer’s central or peripheral nervous system.” The amendment adds neural data to the definition of “sensitive personal information” under the CCPA, so businesses that collect it will have to disclose that fact to consumers in their privacy notice and comply with the CCPA’s other requirements around “sensitive personal information.”
Notably, the amendment is effective immediately, so businesses that collect neural data should amend their privacy documentation as soon as possible. SixFifty has already updated our US and California Privacy products to account for this change, so you can get new, compliant documentation up in no time.
California Delays Vote on New CCPA Regulations
The California Privacy Protection Agency (“CPPA”) recently rescheduled an October 4 board meeting where it had planned to discuss advancing the next set of CCPA regulations through the rulemaking process. The regulations, which we have discussed in a previous monthly update, would place limits on how businesses use “automated-decision-making technology” (e.g., algorithms) and flesh out the CCPA’s requirement for businesses to conduct periodic cybersecurity audits and risk assessments.
The CPPA will now meet to vote on advancing the regulations on November 8, a little over three months after it voted to delay the rulemaking process in July over board member concerns that the regulations were not yet polished enough to become law. The CPPA hasn’t publicly released an updated draft of the regulations, so it’s unclear whether there have been enough changes to satisfy the board’s stated concerns. Regardless of what happens, SixFifty will be keeping an eye on the issue, and we’ll update you in future monthly updates.
EU Announces Fourth GDPR Coordinated Enforcement Action
On October 10, the European Data Protection Board (“EDPB”) announced that it will be focusing its 4th Coordinated Enforcement Action (“CEA”) on businesses that don’t properly recognize and process consumer requests to delete their data (the right of erasure under Article 17 of the GDPR). For those unfamiliar, a Coordinated Enforcement Action is essentially a directive from the EDPB that European privacy enforcers (known as “Data Protection Authorities” or “DPAs”) should focus their enforcement efforts for the upcoming year on a particular topic. DPAs are still free to enforce all aspects of the GDPR, but they will pay more attention to violations around that topic. The CEA does not begin until January 2025, so this is a good opportunity for businesses to review their internal processes for receiving and handling requests from individuals in the EU (the GDPR applies based on where the person is located, not on citizenship) to ensure they are compliant when coordinated enforcement begins.
European Commission Issues Positive Report on E.U.-U.S. Data Privacy Framework
The E.U.-U.S. Data Privacy Framework (an agreement between the U.S. and E.U. that allows businesses to more easily transfer personal data from Europe to the U.S.) celebrated its first birthday this fall. As part of the festivities, the European Commission conducted a review of the DPF’s efficacy over its first year, focused on how well the framework was functioning and whether it has provided adequate protection for European data.
The Commission concluded that, by and large, the DPF has been effective, as “U.S. authorities have put in place the necessary structures and procedures to ensure that the Data Privacy Framework functions effectively.” This is good news for U.S. businesses that have relied on the DPF to transfer data to the U.S., as it indicates the framework will remain in place for the foreseeable future. If your business regularly transfers European data to the U.S. but you haven’t yet signed up for the DPF, you can find more information on how to participate in SixFifty’s in-depth guide that walks you through everything you need to do.
E.U. Issues Draft Guidance on Legitimate Interest Processing
On October 8, the European Data Protection Board (“EDPB”) issued a draft set of guidance for businesses explaining when and how they can process personal data in furtherance of a “legitimate interest” as permitted by Article 6(1)(f) of the GDPR. The guidance was issued shortly after a European Court of Justice decision holding that a purely commercial interest can qualify as a legitimate interest, rejecting the narrower interpretation of Article 6(1)(f) that some regulators had applied to prevent businesses from relying on commercial interests as a basis for processing data.
The new guidance, if it is ultimately adopted, would allow businesses to rely on any type of interest as long as it is lawful, clearly and precisely articulated, and real and present rather than speculative. The draft guidance also goes into detail on how businesses should determine when a certain type of processing is necessary to serve a legitimate interest, and how to weigh the processing’s impact on the rights and freedoms of the individuals concerned against that interest.
The EDPB is currently accepting public comment on the draft through November 20. Once the comment period closes, the EDPB will make any necessary revisions and release a final version, likely sometime in mid-2025.