Monday, California Attorney General Xavier Becerra submitted of the Final Regulations under the California Consumer Privacy Act (CCPA) to the California Office of Administrative Law (OAL).  Under the California Administrative Procedure Act (APA), the OAL has 30 business days plus 60 calendar days (due to a COVID-related executive order) to determine whether the regulations meet the requirements of the APA.  This final submission comes after various public forums, hearings, commentary, and revisions to the regulations. Continue Reading The CCPA Regulations Are Finally Here

At the beginning of 2020, a Federal privacy law, similar to that of GDPR or PIPEDA, was a faint and distant reality. However, in light of some mobile device and other monitoring being considered because of the COVID-19 pandemic, US Senators Roger Wicker (R-Miss.), chairman of the Senate Committee on Commerce, Science, and Transportation; John Thune (R-S.D.), chairman of the Subcommittee on Communications, Technology, Innovation, and the Internet; Jerry Moran (R-Kan.), chairman of the Subcommittee on Consumer Protection, Product Safety, Insurance and Data Security; and Marsha Blackburn (R-Tenn.) announced on Friday, May 1, a bill proposing the enactment of the “COVID-19 Consumer Data Protection Act,” which would apply to American health, geolocation, and proximity information.

This comes as various tech giants rush to develop an opt-in functionality or application that would allow users to trace their whereabouts to determine potential exposure to the deadly virus. The proposed Act aims to heighten protection for Americans’ data by imposing requirements on businesses similar to those seen in the CCPA and GDPR, such as providing notice to consumers at the point of collection regarding how data will be handled, how long it will be maintained, and to whom it may be transferred. Businesses would also need to allow consumers to opt out of the collection, processing, or transfer of applicable data under the Act. Further, businesses regulated by the FTC would be required to obtain affirmative consent from individuals to collect, process, or transfer their personal health, geolocation, or proximity information for purposes of tracking the spread of COVID-19. We also see the concepts of data de-identification, data minimization, data security requirements, which all similarly sound very familiar.

While this proposed legislation applies only to health, proximity, and geolocation data, the burning question becomes whether, if enacted, this Act will pave the path toward Federal US Privacy Legislation.

While a lot of ink has been spilled on the California Consumer Privacy Act (“CCPA”) over the last 18 months, one of the things which has become quite apparent to those of us who view privacy through a lens which considers both EU and US perspectives is that the CCPA is actually not an EU-style law. Except for the right to delete data, all the consumer rights in the CCPA actually existed (albeit in a much less aggressive form) for many categories of information under prior California law. When one considers the number of carve-outs to the deletion right, the CCPA actually looks a lot like what is the more traditional approach to privacy that is prevalent under US jurisprudence. Continue Reading Europe’s Privacy Law is Coming – Just Not Via California

While the United States largely hit the brakes as of March in the wake of the COVID-19 crisis, California Attorney General Xavier Becerra made clear his intentions to begin enforcement of the Act on July 1, 2020, as originally planned.  This announcement came despite many organizations’ pleas to defer enforcement in order to relieve the additional stress imposed on organizations as they respond to the COVID-19 crisis, and continue to work towards ensuring their compliance with the CCPA.  While Becerra has not yet published his final regulations on the Act, there are aspects of the regulations that we expect to be largely intact in their current form once the final regulations are out as a result of reviewing the three drafts General Becerra has already produced. Continue Reading What We Can Expect from the CCPA Regulations

In this unprecedented time, businesses are, more than ever, implementing and rapidly rolling out programs for remote or at-home work by employees. The quick changes in local and state governmental “shelter in place” instructions and Public Heath directives have placed significant strains on remote networks and caused local shortages of laptop computers at office supply and electronic stores across the country.

With this unexpected increase in remote workers, many companies are pushing the limits of their existing remote access technology, or deploying ad hoc technology and access solutions as quickly as possible. Some of those companies are not taking the time to consider potential information security, privacy, and other compliance ramifications for those same remote workers.

It is entirely appropriate and necessary for companies to adapt their technology and work networks are utilized to the greatest degree possible to remain in operation and serve business and customer needs. But as always, data security and privacy should always be part of the equation.

Below are some essential things to know about the security risks posed by remote or at-home worker, and a Technical Checklist for Remote employees to make sure your corporate data is safe, and you do not risk compliance challenges with data privacy law and requirements. Continue Reading Cybersecurity, Data Privacy, and Compliance Issues Related to Remote Workers

The rush for California to get all of the “rules of the road” ready for next year has seemed to cause a bit of confusion with California’s privacy law. Draft regulations were published the same day the Governor signed into law a series of amendments to the underlying law. It is all a bit confusing, However, now that the Governor has signed the last raft of amendments, and the dust has somewhat settled, the question on everyone’s mind is: What changed in the California Consumer Protection Act (“CCPA”)? How does this effect the draft regulations that the Attorney General published?

Fortunately, there are a number of significant changes which help clarify the CCPA, as well as materially change the scope of the CCPA – even if the AG didn’t include some of these changes into the initial draft regulations announced earlier this month. The most impactful changes across industries are as follows:

Business employees

To start off, the issue of employee coverage under the CCPA has been a fractious one. On one hand, business has rightly claimed that the relationship with an employee is not the same as the relationship with a customer. On the other hand, privacy advocates have claimed that employees shouldn’t give up privacy rights just because they are employees. Continue Reading CCPA Amendments – What did California Actually Do?

Attorney General Becerra’s office posted the long-awaited draft CCPA regulations a little before 2:00 pm (PST) October 10th. It was a bit of a curve ball, to be perfectly honest (considering the final swath of amendments to the CCPA are not even final until Governor Newsom signs them, or on October 13th). Tellingly, the California Administrative Procedure Act requires the California Department of Finance to approve “major regulations” (and they have 30 days to do that) prior to publication. Based on this, it would seem that these regulations were drafted prior to the amendments to the CCPA going through the legislature. This does not seem like an effective way to draft regulations, but hey, no one should tell the AG he shouldn’t jump the gun! They are now out there so, one reviews anyway.

Topping out at a modest 24 pages (the CCPA itself is 19 pages), the regulations are organized into seven articles. We’re directing our comments to the issues that pop out to us initially, and as always, we’ll post further observations as things progress. Continue Reading And the Wait for CCPA Rules is Over …. Kind Of

Those interested in keeping up with the latest news impacting the California Consumer Privacy Act have been heavily focused on AB 25, and its potential to exclude employees from the scope of the CCPA. In a marathon late-night session, the California Senate Judiciary Committee weighed in July 11 on various bills – including AB 25. An while AB 25 was part of the Committee debate, that amendment may actually make the bill less useful than first intended. Additionally, another bill made it out of committee which has the potential of a far greater impact than anyone seems to be noticing. Continue Reading CCPA Amendments – Employees and the Loyalty Program Change Nobody is Talking About

On Thursday, July 11, 2019, a diverse group of trade associations spanning numerous industries, including retail, telecom, manufacturing, and food and beverage, urged Congress to enact a consumer privacy law.  In a letter to the Senate and House commerce committees, the coalition of 27 industry groups asked Congress “to act quickly to adopt a robust and meaningful national consumer privacy bill to provide uniform privacy protections for all Americans.”  The coalition said that a “comprehensive federal privacy law that establishes a single technology and industry-neutral framework for our economy” is necessary because “consumers’ privacy protections should not vary state by state.”  The coalition noted that “a uniform federal framework” would “provide certainty for businesses and consumers alike.”

The coalition’s letter was likely spurred by congressional hearings on data privacy and the growing number of states considering data privacy legislation following the European Union’s implementation of the GDPR.  California Maine, Nevada, and Vermont recently enacted laws governing collection, use, or sharing of consumer data, and similar legislation is pending in Hawaii, Illinois, Massachusetts, Minnesota, New Jersey, New York, Pennsylvania, Rhode Island, Texas, and Washington.  Privacy bills introduced in Louisiana, Maryland, Mississippi, Montana, New Mexico, and North Dakota failed to pass but could be reintroduced in upcoming legislative sessions.

To keep abreast of developments and for compliance webinars, sign up at the links below.

Consumer Class Defense Blog

The Global Privacy Watch

In just a few short months, on January 1, 2020, the California Consumer Privacy Act (CCPA) is set to go into effect, establishing new consumer privacy rights for California residents and imposing significant new duties and obligations on commercial businesses conducting business in the state of California. Consumer rights include the right to know what personal information a business is collecting, selling, and disclosing about them; the right to deletion; the right to opt-out of the sale of personal information; and the right not to be discriminated against (written as a business duty). These rights are intended to provide consumers with a level of control of their personal information and to establish transparency on the part of the businesses to comply with consumers’ exercise of their privacy rights. In addition, businesses are required to provide employee training; website notice of consumer rights and categories of personal information collected, sold, and disclosed; and to implement and maintain adequate security measures. The penalties of non-compliance can be severe, with avenues for both regulatory enforcement and private cause of action. Learn what the attorney general’s forthcoming regulations likely have in store for businesses and what your organization should be doing now to proactively prepare for the CCPA to ensure compliance.

Jason Priebe, John Tomaszewski, and Edward “Ted” Murphree, three of our experienced eDiscovery and Information Governance (eDIG) and Global Privacy and Security (GPS) practitioners, will present a series of three 1-hour CLE webinars. The presenters will provide high-level discussion on strategies for CCPA compliance.

CCPA Webinar Series Part 1: An Overview and What You Need to Know (Until It Changes)

Tuesday, July 9, 2019
1:00 p.m. to 2:00 p.m. Eastern
12:00 p.m. to 1:00 p.m. Central
11:00 a.m. to 12:00 p.m. Mountain
10:00 a.m. to 11:00 a.m. Pacific

CCPA Webinar Series Part 2: Business Obligations and Responsibilities (So Far As We Know Them–They Will Change)

Wednesday, July 17, 2019
1:00 p.m. to 2:00 p.m. Eastern
12:00 p.m. to 1:00 p.m. Central
11:00 a.m. to 12:00 p.m. Mountain
10:00 a.m. to 11:00 a.m. Pacific

CCPA Webinar Series Part 3: Enforcement and Compliance (Or What We Think Will Happen)

Thursday, August 1, 2019
1:00 p.m. to 2:00 p.m. Eastern
12:00 p.m. to 1:00 p.m. Central
11:00 a.m. to 12:00 p.m. Mountain
10:00 a.m. to 11:00 a.m. Pacific