Category

CCPA

12 November 2019

Comments Submitted on California Consumer Privacy Act of 2020—Initiative 19-0021

As submitted for the comment period on Initiatives – Active Measures for Initiative 19-0021 on November 8, 2019.

Dear Mr. Mactaggart,

As privacy practitioners, we share your passion and dedication to the development of information privacy and data protection law in the United States. We acknowledge your achievement in pushing for the enactment of the California Consumer Privacy Act (CCPA) and contributing to the ongoing national conversation to advance privacy rights. Your commitment to these issues is clear, and we commend the seriousness of your work in addressing privacy rights in accordance with your vision.

We write in the spirit of constructive development of privacy regulation, and offer the following comments in the hope of contributing to the goal we share with you: improving the quality and effectiveness of U.S. privacy and data protection law while ensuring the continued innovation and flexibility that so benefit our society. Although we often advise the regulated community on privacy and data protection matters, the views expressed here are our own.

At the outset, we note that there are important improvements in your proposed initiative relative to the enacted CCPA. Many of your new initiative’s provisions could serve to move privacy and data security law in a positive direction. In this vein, we note the following: (more…)

EmailShare
31 October 2019

The Final Countdown: What You Need to Know About the CCPA and its Draft Regulations Before January 1

Companies doing business in California or with Californians must be ready to comply with the California Consumer Privacy Act (CCPA) by January 1, 2020 – less than three months away. However, as businesses were putting the finishing touches on their compliance efforts, the California legislature amended the law and the Attorney General proposed a round of very significant regulatory requirements. Now businesses find themselves making last-minute adjustments as the deadline approaches.

Please join us for a discussion that highlights the key takeaways from the recent CCPA amendments and proposed regulations, identifies the steps companies should be taking to meet these new obligations, and provides benchmarks for how companies are addressing key issues surrounding the CCPA.

(more…)

EmailShare
24 October 2019

CCPA In-Depth Series: Draft Attorney General Regulations on Verification, Children’s Privacy and Non-Discrimination

This post is the third in a three part series taking a deep dive into the five key articles of the Attorney General’s CCPA draft regulations: Article 2 on Notice to Consumers; Article 3 on Business Practices for Handling Consumer Requests; Article 4 on Verification of Requests; Article 5 on Special Rules Regarding Minors; and Article 6 on Non-Discrimination. Today we look at verification, children’s privacy and the non-discrimination provisions. Visit the CCPA Monitor for a collection of all our CCPA insights.

INTRO AND BACKGROUND. In the summer of 2018, the California Legislature drafted and passed the California Consumer Privacy Act (CCPA) in record time. Facing a procedural deadline for a ballot initiative, the Legislature acted with dispatch, as it did not want to add to the State Constitution, with its super-majority amendment requirements, many of the provisions that ultimately found their way into the CCPA. This abbreviated legislative process produced a bill with numerous gaps and anomalies, however. Businesses, consumer advocates, and privacy watchers have thus been eagerly waiting for over a year for the Attorney General to propose the regulations the CCPA requires him to promulgate.

On October 10, 2019, this wait finally ended. As laid out below, the nature and breadth of the Attorney General’s proposed regulations explain why they took so long to produce. Put simply, the proposed regulations are significant and will have substantial implications on businesses’ ongoing efforts to comply with the CCPA with less than three months left to go before the effective date. Indeed, even if they do not resolve all of the Law’s many ambiguities, they do provide helpful implementation guidance – along with surprising new requirements, some of which may questionably extend beyond the CCPA itself.

(more…)

EmailShare
23 October 2019

CCPA In-Depth Series: Draft Attorney General Regulations on Consumer Requests

This post is the second in a three part series taking a deep dive into the five key articles of the Attorney General’s CCPA draft regulations:  Article 2 on Notice to Consumers; Article 3 on Business Practices for Handling Consumer Requests; Article 4 on Verification of Requests; Article 5 on Special Rules Regarding Minors; and Article 6 on Non-Discrimination.  Today we look at consumer requests.  Check back daily for the next installment, or visit the CCPA Monitor for a collection of all our CCPA insights.

Intro and Background.  In the summer of 2018, the California Legislature drafted and passed the California Consumer Privacy Act (CCPA) in record time.  Facing a procedural deadline for a ballot initiative, the Legislature acted with dispatch, as it did not want to add to the State Constitution, with its super-majority amendment requirements, many of the provisions that ultimately found their way into the CCPA.  This abbreviated legislative process produced a bill with numerous gaps and anomalies, however.  Businesses, consumer advocates, and privacy watchers have thus been eagerly waiting for over a year for the Attorney General to propose the regulations the CCPA requires him to promulgate.

On October 10, 2019, this wait finally ended.  As laid out below, the nature and breadth of the Attorney General’s proposed regulations explain why they took so long to produce.  Put simply, the proposed regulations are significant and will have substantial implications on businesses’ ongoing efforts to comply with the CCPA with less than three months left to go before the effective date.  Indeed, even if they do not resolve all of the Law’s many ambiguities, they do provide helpful implementation guidance – along with surprising new requirements, some of which may questionably extend beyond the CCPA itself.

(more…)

EmailShare
22 October 2019

CCPA In-Depth Series: Draft Attorney General Regulations on Consumer Notice

This post is the first in a three part series taking a deep dive into the five key articles of the Attorney General’s CCPA draft regulations:  Article 2 on Notice to Consumers; Article 3 on Business Practices for Handling Consumer Requests; Article 4 on Verification of Requests; Article 5 on Special Rules Regarding Minors; and Article 6 on Non-Discrimination.  Today we look at consumer notice.  Check back daily for the next installment, or visit the CCPA Monitor for a collection of all our CCPA insights.

Intro and Background.  In the summer of 2018, the California Legislature drafted and passed the California Consumer Privacy Act (CCPA) in record time.  Facing a procedural deadline for a ballot initiative, the Legislature acted with dispatch, as it did not want to add to the State Constitution, with its super-majority amendment requirements, many of the provisions that ultimately found their way into the CCPA.  This abbreviated legislative process produced a bill with numerous gaps and anomalies, however.  Businesses, consumer advocates, and privacy watchers thus have been eagerly waiting for over a year for the Attorney General to propose the regulations the CCPA requires him to promulgate.

On October 10, 2019, this wait finally ended.  As laid out below, the nature and breadth of the Attorney General’s proposed regulations explain why they took so long to produce.  Put simply, the proposed regulations are significant and will have substantial implications on businesses’ ongoing efforts to comply with the CCPA with less than three months left to go before the effective date.  Indeed, even if they do not resolve all of the Law’s many ambiguities, they do provide helpful implementation guidance – along with surprising new requirements, some of which may questionably extend beyond the CCPA itself.

(more…)

EmailShare
10 October 2019

California Attorney General Releases Proposed CCPA Regulations

Earlier today, the California Attorney General ended months of anticipation by releasing the text of his proposed California Consumer Privacy Act (CCPA) regulations.  Comments on the proposed regulations are due by December 6, 2019, and the Attorney General’s office will hold public hearings on the regulations on December 2 (Sacramento), December 3 (Los Angeles), December 4 (San Francisco), and December 5 (Fresno).

(more…)

EmailShare
17 September 2019

Final California Consumer Privacy Act Amendments Bring Practical Changes (But Your Business May Now Be a California “Data Broker”)

After months of wrangling, the California legislature has finally passed a set of significant amendments to the California Consumer Privacy Act (CCPA), a sweeping data privacy and security law commonly referred to as “California’s GDPR” (Europe’s General Data Protection Regulation). Employee personal information and personal information obtained in business-to-business (B2B) interactions are now mostly out of scope. Personal information in credit reports and other data covered by the Fair Credit Reporting Act is also largely exempt. Only personal information that is “reasonably” capable of being associated with a consumer or household is subject to the act. And aggregate or deidentified information definitively does not qualify as CCPA personal information.

(more…)

EmailShare
12 September 2019

Where Does Privacy Go From Here: California, EU and Indian Data Privacy Laws and Global Compliance Programs

This article first appeared on Thomson Reuters Regulatory Intelligence.

The summer of 2018 may be regarded as a pivotal time in the history of data privacy laws. The European Union’s General Data Protection Regulation (GDPR) came into effect in May 2018, the California Consumer Privacy Act (CCPA) was signed into law in June 2018 (and comes into effect on January 1, 2020), and a draft of India’s Personal Data Protection Bill (India DP Bill) was released in July 2018 (and is now under review by India’s government).

These developments, and more generally, the recent proliferation of data privacy laws around the world (notably, in Australia, China, Brazil, Hong Kong, and Singapore) represent a compliance challenge for many multinational organizations.

Read More

EmailShare
21 August 2019

Navigating the CCPA’s ‘Notice and Cure’ Provision

*This article was first published by Bloomberg Law in August 2019

Companies doing business with California consumers are impacted by the California Consumer Privacy Act (effective Jan. 1, 2020). The CCPA’s private right of action provision gives California residents the right to sue companies when their personal information is subject to unauthorized access and exfiltration, theft, or disclosure due to a company’s failure “to implement and maintain reasonable security procedures and practices.”

Under this provision, consumers may seek actual damages, declaratory or injunctive relief, and statutory damages, which begin at $100 and continue up to $750 “per consumer per incident.” The potential aggregated exposure through consumer class actions could be significant, and companies are searching for ways to mitigate private lawsuits.

(more…)

EmailShare
05 August 2019

New York Enacts Stricter Data Cybersecurity Laws

The flurry of state legislative activity in the wake of the enactment of the California Consumer Protection Act (CCPA) continues with the New York legislature recently passing two bills to increase accountability for the processing of personal information.  On July 25, 2019, Governor Cuomo signed the two bills into law, one which amended the state’s data breach notification law, and another that created additional obligations for data breaches at credit reporting agencies.  Together, the new laws require the implementation of reasonable data security safeguards, expand breach reporting obligations for certain types of information, and require that a “consumer credit reporting agency” that suffers a data breach provide five years of identity theft prevention services for impacted residents.  Meanwhile, the more comprehensive New York Privacy Act, which many viewed as even more expansive than the CCPA, failed to gather the necessary support in the most recent legislative session.

(more…)

EmailShare
XSLT Plugin by BMI Calculator