Category

U.S. State Law

14 December 2020

All Buttoned Up: The California AG Proposes Additional CCPA Regulations

On December 10, 2020, the California Attorney General (“AG”) proposed additional edits to the CCPA Regulations. These changes both build upon the updates that were proposed on October 12, 2020, and add some new content. All of the newly proposed changes relate to the right to opt-out of the sale of personal information. For a summary of all changes proposed on October 12, 2020, please see our post here.

(more…)

EmailShare
09 December 2020

CPRA’s Impact on CCPA Enforcement and Compliance

*This article originally appeared the Daily Journal on November 20, 2020

The passage of Proposition 24, the California Privacy Rights Act (CPRA), amends 2018’s California Consumer Privacy Act (CCPA) by creating the nation’s first data privacy enforcement agency and expanding consumers’ rights with respect to their personal information. In this article, Sheri Porath Rockwell and Alexis Miller Buese highlight some of the significant features of the CPRA that are likely to impact consumers and businesses alike.

View Article

EmailShare
29 October 2020

CCPA Update: Comment Period Closes on Third Round of Proposed Modifications to CCPA Regulations; CCPA Litigation Gaining Steam; Consumer Groups and Major Newspapers Urge “No” Vote on California’s Privacy Initiative

New privacy developments continue to come from California, with a new proposed modifications to CCPA regulations, continuing CCPA litigation, and voting beginning on Proposition 24, an initiative to overhaul the CCPA.  We provide insight into each below.

Proposed Third Modified CCPA Regulations

In mid-October 2020, just a few months after the “finalization” of the regulations, the California Office of Attorney General proposed a handful of proposed modifications to regulations implementing the California Consumer Privacy Act.  The abbreviated comment period for the proposed modifications closed on October 28th, which means the Attorney General must now review the comments, draft a response, and either further modify the proposed regulations or submit them in their current form for approval by the California Office of Administrative Law (OAL).

(more…)

EmailShare
14 October 2020

California Amends Privacy Laws Again: CCPA Health Information Amendment and Employee/B2B Exemption Signed into Law; Vetoes for Genetic Privacy and Social Media Parental Consent Bills

California’s Governor Gavin Newsom recently signed into law two bills to amend the California Consumer Privacy Act (“CCPA”).  He also vetoed two other consumer privacy bills based on concerns about potential conflicts with existing state and federal law. Collectively, these four bills represented the most significant privacy legislation that came out of the California Legislature’s 2019-20 term, which came to a close on September 30th.

Only one of the two new CCPA amendments, AB713, includes substantive changes to the law.  It streamlines the CCPA’s health information exception and imposes new obligations on CCPA businesses and others that handle deidentified patient information.

The other CCPA amendment, AB1281, simply extends the CCPA’s employee and B2B exemptions to January 1, 2022 if voters fail to pass Proposition 24 (CPRA or CCPA 2.0) in November.  Those exemptions are currently set to expire on December 31st of this year.

Newsom also vetoed two consumer privacy bills despite expressing support for the goals of each.  SB980 would have expanded consumer rights with respect to genetic information collected by direct-to-consumer genetic testing companies.  Newsom’s veto was motivated by concerns that the law could have “unintended consequences” for the operation of the state’s communicable disease reporting requirements, including those applicable to COVID-19.  The other bill, AB1138, would have imposed additional parental consent requirements on social media network operators.  Newsom vetoed it to avoid potentially overlapping state and federal compliance obligations, citing parallels between the bill and federal regulations under the Children’s Online Privacy Protection Act (“COPPA”).

Here we outline the significant features of each of the new CCPA amendments.

(more…)

EmailShare
29 September 2020

An Early Recap of Privacy in 2020: A US Perspective

*This article was adapted from “Global Overview,” appearing in The Privacy, Data Protection and Cybersecurity Law Review (7th Ed. 2020)(Editor Alan Charles Raul), published by Law Business Research Ltd., and first published by the International Association of Privacy Professionals Privacy Perspectives series on September 28, 2020.

Privacy, like everything else in 2020, was dominated by the COVID-19 pandemic. Employers and governments have been required to consider privacy in adjusting workplace practices to account for who has a fever and other symptoms, who has traveled where, who has come into contact with whom, and what community members have tested positive or been exposed.

As a result of all this need for tracking and tracing, governments and citizens alike have recognized the inevitable trade-offs between exclusive focus on privacy versus exclusive focus on public health and safety.

(more…)

EmailShare
19 August 2020

Historic Charges: First Enforcement Action Filed by New York Department of Financial Services Under Cybersecurity Regulation

On July 21, 2020, the New York State Department of Financial Services (NYDFS or the Department) issued a statement of charges and notice of hearing (the Statement) against First American Title Insurance Company (First American) for violations of the Department’s Cybersecurity Requirements for Financial Services Companies, 23 N.Y.C.R.R. Part 500 (Cybersecurity Regulation or Regulation). The First American Statement of charges alleges six violations of the Cybersecurity Regulation and marks the Department’s first action pursuant to the Regulation, which is enforced by the recently created NYDFS Cybersecurity Division.1

NYDFS’s Statement seeks relief against First American, including civil monetary penalties and an order requiring First American to remediate any defined violations. Although the Statement does not include a calculation of the total penalty, the NYDFS explains that the civil monetary fines against First American are to be assessed pursuant to the Financial Services Law, which provides for a maximum civil monetary penalty of $1,000 per violation of the Regulation.2 Because First American’s violations included the exposure of millions of documents containing nonpublic information (NPI), the total penalty potentially could be substantial. The First American hearing is scheduled to occur on October 26, 2020, at the NYDFS.

(more…)

EmailShare
26 June 2020

The Return of the Mac: CCPA 2.0 Qualifies for California’s November 2020 Ballot and Could Usher In Sweeping Changes to CCPA

The California Privacy Rights Act (CPRA), a proposed initiative to codify far-reaching amendments to the California Consumer Privacy Act (CCPA) and sometimes referred to as “CCPA 2.0”, is back in play and heading to the November 2020 ballot.  A series of dramatic procedural twists and turns culminated with initiative backers successfully obtaining a writ of mandate directing the Secretary of State to direct counties to verify signatures for the ballot proposal by the June 25th Constitutional deadline.  This verification involved each county conducting a random sample of the more than 800,000 signatures that proponents had submitted to place the initiative on the ballot.

Before the California court’s ruling, observers were skeptical that signatures could be verified before the deadline.  Initiative proponents were almost two weeks behind the recommended schedule when they delivered signatures to be verified by California’s 58 counties.  This meant counties had until June 26th to verify signatures — a day after the June 25th Constitutional deadline.  Experience with other initiatives this year had shown that several large counties were waiting until the deadline to complete verifications, so proponents petitioned the court to push the deadline up by a day in order to meet the Constitutional deadline.  The court agreed to do so, finding good cause existed to force counties to complete verifications a day early.  And, as it happened, the extra time was not needed, as counties finished the count two days ahead of their initial deadline.

(more…)

EmailShare
04 June 2020

CCPA Enforcement Date Rapidly Approaching: California Attorney General Proposes Regulations for Final Review With July 1, 2020 Less Than One Month Away

On June 1, 2020, California’s Office of the Attorney General (“AG”) moved one step closer to finalizing the California Consumer Privacy Act (“CCPA”) regulations when the AG submitted proposed final regulations for review and approval by California’s Office of Administrative Law (“OAL”).  This submission signals the end of the AG’s CCPA regulation drafting process that began in early 2019.  If the OAL approves the proposed final regulations, they will be finalized and enforceable by the AG, subject to any legal challenges.

(more…)

EmailShare
07 May 2020

In Midst of COVID-19 Pandemic, Senators Propose Privacy Bill Aimed At Businesses’ Use of Consumer Data

On April 30, 2020, four Republican Senators announced plans to introduce the COVID-19 Consumer Data Protection Act.  The four Senators, John Thune (R-S.D), Roger Wicker (R-Miss.), Jerry Moran (R-Kan.), and Marsha Blackburn (R-Tenn.), are all Members of the Commerce Committee, with Wicker the Committee’s chair.

According to the April 30 Senate press release regarding the COVID-19 Consumer Data Protection Act, the legislation would “provide all Americans with more transparency, choice, and control over the collection and use of their personal health, geolocation, and proximity data” for data processing related to fighting the COVID-19 pandemic.  The press release also states that the bill would “hold businesses accountable to consumers if they use personal data to fight the COVID-19 pandemic.” Under the bill, covered purposes include “(1) collecting, processing, or transferring the covered data of an individual to track the spread, signs, or symptoms of COVID-19; (2) collecting, processing, or transferring the covered data of an individual to measure compliance with social distancing guidelines or other requirements related to COVID-19 that are required by federal, state, or local government order; (3) collecting, processing, or transferring the covered data of an individual to conduct contact tracing for COVID-19 cases.” (more…)

EmailShare
04 May 2020

Stay At Home Orders May Have Killed California’s Ballot Initiative to Expand CCPA [**Update – But Californians for Consumer Privacy Say Maybe Not**]

UPDATE:  Soon after we published the post below, we learned that the sponsors of the California Privacy Rights Act (CPRA) – i.e., the ballot initiative that aimed to amend and significantly expand the California Consumer Privacy Act (CCPA) – intend to push forward with their attempt to get it on the ballot this year.  On May 4th, the initiative’s sponsors, the Californians for Consumer Privacy, announced on Twitter they were submitting to counties across the state.  Whether county election officials can verify the signatures in time to qualify for the November 2020 ballot remains to be seen.  While conventional wisdom is that the recommended April deadline is an important one to make, the approval process may be different this year due to the COVID-19 pandemic and how it might affect the availability of resources to approve initiatives.  We will continue to monitor this situation and provide updates on Data Matters as appropriate.    

The California Privacy Rights Act (CPRA), the ballot initiative that aimed to amend and significantly expand the California Consumer Privacy Act (CCPA), including by creating the California’s very own data protection authority, the nation’s first, appears to be dead–at least for this ballot season.

(more…)

EmailShare
1 2 3 10
XSLT Plugin by BMI Calculator