The rush for California to get all of the “rules of the road” ready for next year has seemed to cause a bit of confusion with California’s privacy law. Draft regulations were published the same day the Governor signed into law a series of amendments to the underlying law. It is all a bit confusing. However, now that the Governor has signed the last raft of amendments, and the dust has somewhat settled, the question on everyone’s mind is: What changed in the California Consumer Protection Act (“CCPA”)? How does this affect the draft regulations that the Attorney General published?

Fortunately, there are a number of significant changes which help clarify the CCPA, as well as materially change the scope of the CCPA – even if the AG didn’t include some of these changes into the initial draft regulations announced earlier this month. The most impactful changes across industries are as follows:

Business employees

To start off, the issue of employee coverage under the CCPA has been a fractious one. On one hand, business has rightly claimed that the relationship with an employee is not the same as the relationship with a customer. On the other hand, privacy advocates have claimed that employees shouldn’t give up privacy rights just because they are employees. Continue Reading CCPA Amendments – What did California Actually Do?

Attorney General Becerra’s office posted the long-awaited draft CCPA regulations a little before 2:00 pm (PST) October 10th. It was a bit of a curve ball, to be perfectly honest (considering the final swath of amendments to the CCPA are not even final until Governor Newsom signs them, or on October 13th). Tellingly, the California Administrative Procedure Act requires the California Department of Finance to approve “major regulations” (and they have 30 days to do that) prior to publication. Based on this, it would seem that these regulations were drafted prior to the amendments to the CCPA going through the legislature. This does not seem like an effective way to draft regulations, but hey, no one should tell the AG he shouldn’t jump the gun! They are now out there, so one reviews them anyway.

Topping out at a modest 24 pages (the CCPA itself is 19 pages), the regulations are organized into seven articles. We’re directing our comments to the issues that pop out to us initially, and as always, we’ll post further observations as things progress. Continue Reading And the Wait for CCPA Rules is Over …. Kind Of

Those interested in keeping up with the latest news impacting the California Consumer Privacy Act have been heavily focused on AB 25, and its potential to exclude employees from the scope of the CCPA. In a marathon late-night session, the California Senate Judiciary Committee weighed in July 11 on various bills – including AB 25. And while AB 25 was part of the Committee debate, that amendment may actually make the bill less useful than first intended. Additionally, another bill made it out of committee which has the potential of a far greater impact than anyone seems to be noticing. Continue Reading CCPA Amendments – Employees and the Loyalty Program Change Nobody is Talking About

On Thursday, July 11, 2019, a diverse group of trade associations spanning numerous industries, including retail, telecom, manufacturing, and food and beverage, urged Congress to enact a consumer privacy law.  In a letter to the Senate and House commerce committees, the coalition of 27 industry groups asked Congress “to act quickly to adopt a robust and meaningful national consumer privacy bill to provide uniform privacy protections for all Americans.”  The coalition said that a “comprehensive federal privacy law that establishes a single technology and industry-neutral framework for our economy” is necessary because “consumers’ privacy protections should not vary state by state.”  The coalition noted that “a uniform federal framework” would “provide certainty for businesses and consumers alike.”

The coalition’s letter was likely spurred by congressional hearings on data privacy and the growing number of states considering data privacy legislation following the European Union’s implementation of the GDPR.  California, Maine, Nevada, and Vermont recently enacted laws governing collection, use, or sharing of consumer data, and similar legislation is pending in Hawaii, Illinois, Massachusetts, Minnesota, New Jersey, New York, Pennsylvania, Rhode Island, Texas, and Washington.  Privacy bills introduced in Louisiana, Maryland, Mississippi, Montana, New Mexico, and North Dakota failed to pass but could be reintroduced in upcoming legislative sessions.

To keep abreast of developments and for compliance webinars, sign up at the links below.

Consumer Class Defense Blog

The Global Privacy Watch

In just a few short months, on January 1, 2020, the California Consumer Privacy Act (CCPA) is set to go into effect, establishing new consumer privacy rights for California residents and imposing significant new duties and obligations on commercial businesses conducting business in the state of California. Consumer rights include the right to know what personal information a business is collecting, selling, and disclosing about them; the right to deletion; the right to opt-out of the sale of personal information; and the right not to be discriminated against (written as a business duty). These rights are intended to provide consumers with a level of control of their personal information and to establish transparency on the part of the businesses to comply with consumers’ exercise of their privacy rights. In addition, businesses are required to provide employee training; website notice of consumer rights and categories of personal information collected, sold, and disclosed; and to implement and maintain adequate security measures. The penalties of non-compliance can be severe, with avenues for both regulatory enforcement and private cause of action. Learn what the attorney general’s forthcoming regulations likely have in store for businesses and what your organization should be doing now to proactively prepare for the CCPA to ensure compliance.

Jason Priebe, John Tomaszewski, and Edward “Ted” Murphree, three of our experienced eDiscovery and Information Governance (eDIG) and Global Privacy and Security (GPS) practitioners, will present a series of three 1-hour CLE webinars. The presenters will provide high-level discussion on strategies for CCPA compliance.

CCPA Webinar Series Part 1: An Overview and What You Need to Know (Until It Changes)

Tuesday, July 9, 2019
1:00 p.m. to 2:00 p.m. Eastern
12:00 p.m. to 1:00 p.m. Central
11:00 a.m. to 12:00 p.m. Mountain
10:00 a.m. to 11:00 a.m. Pacific

CCPA Webinar Series Part 2: Business Obligations and Responsibilities (So Far As We Know Them–They Will Change)

Wednesday, July 17, 2019
1:00 p.m. to 2:00 p.m. Eastern
12:00 p.m. to 1:00 p.m. Central
11:00 a.m. to 12:00 p.m. Mountain
10:00 a.m. to 11:00 a.m. Pacific

CCPA Webinar Series Part 3: Enforcement and Compliance (Or What We Think Will Happen)

Thursday, August 1, 2019
1:00 p.m. to 2:00 p.m. Eastern
12:00 p.m. to 1:00 p.m. Central
11:00 a.m. to 12:00 p.m. Mountain
10:00 a.m. to 11:00 a.m. Pacific

Cross-Posted from Carpe Datum Law Blog

Senate Bill 561, which would have generated even greater compliance challenges and litigation risk for businesses, has been held in committee and placed on suspense. This development effectively prevents the bill from advancing for a vote and is a bit of CCPA good news for businesses. It also serves as a minor setback to consumer privacy interest groups and plaintiff-oriented trial lawyers, who were banking on even more lucrative individual consumer violation claims after January 1, 2020.

The original proposed amendment would have expanded the private cause of action to any violation of the CCPA, and eliminated the 30-day cure period for alleged violations. California Attorney General Xavier Becerra had earlier expressed his support of Senate Bill 561, reportedly in order to relieve the enforcement burden of the Attorney General’s office (and despite the fact that the CCPA sets up a fund to finance enforcement activity by the Attorney General). The original proposed bill and its potential impact were discussed in an earlier post on this site.

Businesses should celebrate this development as a more reasoned and balanced approach to individual rights under the CCPA with the goal of appropriate and fair governmental enforcement. Organizations and businesses dealing with California residents should be on the lookout for the California Attorney General’s enforcement rules announcement this Fall.

In prior posts, we’ve commented on the California Consumer Privacy Act (“CCPA”), likening it, and its Texas ‘flavored’ variant(s), to ‘elephants in the room’. Here, we’ve opted to expand our coverage and talk about what we’re seeing other states do (or, let’s expand the elephant metaphor to: elephants, elephants everywhere.)

It seems that all of a sudden, consumer privacy is THE hot topic and everyone’s jumping on the CCPA bandwagon! Consumers have woken up to what is happening with their personal information and are demanding government protective action! These are sensationalist statements, to be true, but are they accurate statements? Well, as is usually the case, it is a bit more nuanced, and it is important to set some things straight. Continue Reading 2019: Is This The Year of Consumer Privacy (or, Elephants, Elephants Everywhere)

In Part 1 of our ‘Texas Joins the Privacy Fray’ series, we focused on the Texas Consumer Privacy Act. Here, we shine the light on the Texas Privacy Protection Act (HB 4390).

The TXPPA is distinguishable from both the TXCPA and the CCPA because the applicability thresholds are different. For the TXPPA to apply, a business must 1) be doing business in Texas; 2) have more than 50 employees; 3) collect personally identifiable information (“PII”) of more than 5,000 individuals, households, or devices (or has it collected on the business’s behalf); and 4) meet one of the following two criteria – the business’ annual gross revenue exceeds $25 million; or the business derives 50% or more of its annual revenue from processing PII.

Further, subject to certain ‘pipeline’ exceptions (i.e. merely processing PII to transmit it across a network), it only applies to collection of PII over the Internet or any other digital network, or through a computing device that is associated with or reasonably linked to a specific end user. Under the TXPPA, no processing is authorized without explicit permission received from the individual to whom the information pertains (or the processing is required by law). Already, this last statement makes compliance pretty challenging. A literal interpretation is that to process PII, a business will need either explicit permission or legal basis.

Additionally, a business may only process PII if it is relevant to accomplish the purposes for which it is to be processed; the purposes are specifically disclosed by the business in the notice, made prior to the collection, and processing is only to the extent necessary to achieve a purpose. Finally, processing is only authorized if it does not violate state or federal law, doesn’t infringe on another’s rights or privileges under the US Constitution, and the business follows the procedures should automated processing be used.

Contrary to the TXCPA (and more in line with the CCPA), the TXPPA requires an impacted business to establish and maintain a “comprehensive data security program that contains… safeguards for personal identifying information.” The TXPPA is light on specifics and does not provide for a private cause of action or class action for the breach of the duty to safeguard personal information.

While all of this seems to present a bit of a challenge to businesses, the TXPPA does establish a safe haven of sorts quite similar to the TXCPA. Unfortunately, it does not apply to violations made by a service provider. The safe harbor is limited to a third party (not service providers – they are different) violation of their processing authority, provided the business has no actual knowledge or reasonable belief that the third party intends to violate the TXPPA. It doesn’t cover a violation of the initial business’ processing authority. So, if a business has a service provider that makes a mistake, the business would still be on the hook for the service provider’s actions.

Finally, the TXPPA provides that the Texas Attorney General may bring an action against a business or third party for violations and recover civil penalties in an amount not more than $10,000 per violation, not to exceed a total of $1 million.

The Texas Attorney General, just like his California counterpart, is delegated enforcement authority under this Texas bill and must adopt rules necessary to implement, administer, and enforce it.  Unlike the CCPA, the TXPPA does not mandate public stakeholder input in drafting those rules. What does that mean? It’s vital to not only watch and participate (if possible) in the Texas regulatory drafting process in the appropriate timeframe, but also monitor and review the CCPA rules the California Attorney General drafts, due in several months. This, along with the reasonable expectation that the Texas Attorney General will follow basic privacy principles present in every other privacy system out there, provide the strongest indicators as to what Texas rules may look like.

It should be noted that both Texas bills have the usual carve-outs to attempt to avoid a Federal preemption claim. Processing that is subject to HIPAA, GLB, FCRA, or FERPA is exempted from the scope of the TXPPA. However, those are fairly narrow exceptions.

Like we asked in Part 1 – is writing about the Texas Privacy Protection Act premature? In a word, no. As of this writing, there have been privacy impacting bills introduced in 31 state legislatures and this doesn’t include attention at the federal level. Most of these state bills are influenced by the CCPA, distinguished importantly by the degree of that influence. Given the attention garnered by security and privacy issues the last two years and more importantly, legislative responses to those issues, one thing is virtually certain: there will be privacy regulation for Texas businesses to comply with and it will very likely share elements found in the CCPA. Monitoring developments on the front end is imperative given the nature of the subject matter, but equally important is to begin thinking strategically about how business compliance can be balanced with business operations – something which can benefit from sound legal counsel.

Last month, Texas saw the introduction of not one, but TWO privacy bills in the Texas state legislature: The Texas Consumer Privacy Act (TXCPA) and the Texas Privacy Protection Act (TXPPA). With news of this likely meeting with a collective groan and shoulder shrug, we do have some good news for you.

Both bills’ foundations are set with familiar CA Consumer Privacy Act (“CCPA”) language. Unfortunately, this is also bad news because they both suffer from the same problems found in the CCPA – we’ll explain below. It’s also still early in the game, with the bills having just been filed in the state legislature. Given that there is time in the legislative session for amendments to be made and especially considering the ‘ring-side’ view Texas lawmakers have to the CA legislative and Attorney General rule/procedure process currently unfolding, it would be unreasonable not to expect changes. Finally, the bills are reactive responses to the national (or international) focus on privacy issues of late and may allow impacted businesses a grace period, as we’ve seen in the CCPA. In this blog, we shine the light on the first of these bills: The Texas Consumer Privacy Act. Continue Reading And Texas Joins the Privacy Fray – Part 1 (or, the Elephant in the room just got a LOT bigger…)

Seyfarth has released the results of its fourth annual Real Estate Market Sentiment Survey, which polled commercial real estate executives around the country from all sectors. Of interest to our readers, this year’s survey revealed that 69% of respondents are concerned about a cyberattack hitting their business in 2019, a significant increase compared to last year (46%).

View the full survey results

Cybersecurity isn’t just for technology companies anymore. More and more, we are seeing other critical infrastructure participants becoming targets of cybersecurity attacks. Transportation, construction, and other real property-heavy industries are starting to catch the eye of sophisticated hacking teams – both criminal as well as nation-state sponsored groups.

There are two different threat models in the real estate market: the builder and the manager. Continue Reading Cyberattacks a Growing Concern for Commercial Real Estate Executives