The California Privacy Rights Act (CPRA), a proposed initiative to codify far-reaching amendments to the California Consumer Privacy Act (CCPA) and sometimes referred to as “CCPA 2.0”, is back in play and heading to the November 2020 ballot. A series of dramatic procedural twists and turns culminated with initiative backers successfully obtaining a writ of mandate directing the Secretary of State to direct counties to verify signatures for the ballot proposal by the June 25th Constitutional deadline. This verification involved each county conducting a random sample of the more than 800,000 signatures that proponents had submitted to place the initiative on the ballot.
Before the California court’s ruling, observers were skeptical that signatures could be verified before the deadline. Initiative proponents were almost two weeks behind the recommended schedule when they delivered signatures to be verified by California’s 58 counties. This meant counties had until June 26th to verify signatures — a day after the June 25th Constitutional deadline. Experience with other initiatives this year had shown that several large counties were waiting until the deadline to complete verifications, so proponents petitioned the court to push the deadline up by a day in order to meet the Constitutional deadline. The court agreed to do so, finding good cause existed to force counties to complete verifications a day early. And, as it happened, the extra time was not needed, as counties finished the count two days ahead of their initial deadline.
*Article first appeared in The Hill on June 13, 2020.
Concerns over the use of location tracking and contact tracing of infected individuals to help mitigate the spread of COVID-19 have once again placed “privacy” at the forefront of public attention. And even though Congress declared privacy to be a fundamental right in 1974, it established no cabinet office or institutional framework to focus on the role of data protection and digital technology in our society. Consequently, during these days of COVID-19, there is no senior government official responsible for taking account of and balancing the trade-offs between privacy and public health.
On June 1, 2020, California’s Office of the Attorney General (“AG”) moved one step closer to finalizing the California Consumer Privacy Act (“CCPA”) regulations when the AG submitted proposed final regulations for review and approval by California’s Office of Administrative Law (“OAL”). This submission signals the end of the AG’s CCPA regulation drafting process that began in early 2019. If the OAL approves the proposed final regulations, they will be finalized and enforceable by the AG, subject to any legal challenges.
While the world seems to have ground to a halt in so many ways, time still marches on, and along with it, the California Consumer Privacy Act (“CCPA”) enforcement date (July 1, 2020) inches ever closer. On March 11, 2020, the California Attorney General (“AG”) released the third turn of proposed California Consumer Privacy Act (“CCPA”) regulations. The AG’s revisions make only moderate changes to the last round of regulations issued in February 2020. Businesses will not need to dramatically change compliance plans as the proposed revised regulations seek to refine requirements in prior drafts rather than introduce any wholesale changes to the regulatory framework. (more…)
The COVID-19 crisis has created significant cybersecurity risks for organizations across the world, particularly arising from remote working, scams and phishing attacks, and weakened information governance controls. These risks warrant attention by legal counsel and information security officers in light of potentially significant adverse legal, financial and reputational consequences that could arise – all while the organization is dealing with effects of a global pandemic.
In addition to identifying the cybersecurity risks, we also consider key measures that organizations can consider adopting to reduce such risks, including measures recommended by the UK’s National Cybersecurity Centre (NCSC), EU’s Agency for Cybersecurity (ENISA) and the US Federal Bureau of Investigation. The speed at which the COVID-19 crisis has evolved has meant that many organizations have not been able to deploy effective risk-reducing measures in a timely manner.
This post seeks to help parties navigate issues arising from COVID-19 risks from an employment and privacy law perspective in both the United States and Europe.
Novel coronavirus (COVID-19) presents significant issues for employers to navigate and significant consequences for employees across industries as COVID-19 reduces consumer spending, disrupts supply chains and presents challenges for managing workforces globally. Employers should be aware of their responsibilities and proactively put in place action plans to address this growing problem. Designing these plans, and addressing requested or mandated leaves and other restrictions on employee work, presents myriad employment law issues that may vary by jurisdiction. Employers are also likely to confront privacy questions as they seek information on employees’ and others’ health and travel across jurisdictions. In developing a plan, employers will want to consider these issues in a holistic and coordinated manner.
Just as companies were starting to recover from their exertions to put in place California Consumer Privacy Act (“CCPA”) compliance programs before the law’s January 1, 2020 entry into force, the California Attorney General (“AG”) provided an early February surprise. CCPA watchers long expected that the AG would revise the CCPA regulations he initially proposed on October 10, 2019. But when the AG actually released his proposed regulations on February 7 – a proposal he subsequently modified slightly on February 10 – both the timing and breadth of the revisions were surprising. In short, the revisions were both sooner and more significant than expected.
With issues around the collection and handling of personal data becoming the focus of increased scrutiny among regulators, policymakers, and consumers, interest has continued to grow among organizations to better understand and address privacy risk. Seeking to support innovation in the market and to accommodate the increasingly global nature of data processing ecosystems, the National Institute of Standards and Technology (“NIST”) released Version 1.0 of the NIST Privacy Framework: A Tool for Improving Privacy through Enterprise Risk Management (“NIST Privacy Framework”) on January 16, 2020. The recent publication aims to outline an adaptable approach to privacy risk for organizations of all sizes by providing a “framework for privacy management, not just a checklist of tasks.”
The NIST Privacy Framework is a voluntary tool intended to assist organizations in managing privacy risks that may arise due to system, product, or service operations that involve personal data, or in connection to new regulatory regimes such as the California Consumer Privacy Act (“CCPA”) and the European Union’s General Data Protection Regulation (“GDPR”). As noted in the Executive Summary, the NIST Privacy Framework is intended to “enable better privacy engineering practices that support privacy by design concepts and help organizations protect individuals’ privacy.” Notably, the Federal Trade Commission (“FTC”), recognized by many as the U.S. government’s top privacy watchdog, had applauded the preliminary draft of the NIST Privacy Framework in Fall 2019 – indicating that the finalized publication could potentially serve as a credible benchmark for organizations seeking to address privacy risk across the data processing lifecycle.
As submitted for the comment period on Initiatives – Active Measures for Initiative 19-0021 on November 8, 2019.
Dear Mr. Mactaggart,
As privacy practitioners, we share your passion and dedication to the development of information privacy and data protection law in the United States. We acknowledge your achievement in pushing for the enactment of the California Consumer Privacy Act (CCPA) and contributing to the ongoing national conversation to advance privacy rights. Your commitment to these issues is clear, and we commend the seriousness of your work in addressing privacy rights in accordance with your vision.
We write in the spirit of constructive development of privacy regulation, and offer the following comments in the hope of contributing to the goal we share with you: improving the quality and effectiveness of U.S. privacy and data protection law while ensuring the continued innovation and flexibility that so benefit our society. Although we often advise the regulated community on privacy and data protection matters, the views expressed here are our own.
At the outset, we note that there are important improvements in your proposed initiative relative to the enacted CCPA. Many of your new initiative’s provisions could serve to move privacy and data security law in a positive direction. In this vein, we note the following: (more…)
UK ICO Commissioner Liz Denham, who serves as Conference Chair, welcomed attendees at the public session and provided a brief summary of what transpired at the Commissioners’ closed door sessions. She noted that “privacy” has gone “mainstream.” People around the world expect more information about how their data is used. She stressed the importance of future international collaboration and regulatory cooperation to develop shared strategies and tactics “to protect people from big companies.”
Commissioner Denham also highlighted the increased focus on the role of data protection as a relevant consideration in competition analysis by international regulators. She noted that the International Privacy Commissioners’ Conference, and the ongoing assembly of global regulators, resolved to be more transparent in the future with respect to the regulated community and other interested parties. Finally, she hinted that a new name for the group would be announced before the 2019 conference concludes.