The attorney general’s office has posted a set of FAQs and corresponding responses on its California Consumer Privacy Act (CCPA) site. While aimed at providing guidance to consumers about the CCPA, the FAQs can also serve as a quick reference for businesses regarding their CCPA compliance obligations. Below are the highlights.

  • Right to Opt Out of Sale: California residents have the right to request that businesses stop selling their personal information (PI), which is an “opt-out request” that can be submitted via the “Do Not Sell My Personal Information” link that businesses must conspicuously provide on their websites and privacy policies. Businesses cannot require residents to create an account to submit opt-out requests, and if businesses ask for PI to complete these requests, they can only use such information to verify the consumers’ identities. Upon receipt of an opt-out request, a business must stop all sales of the consumer’s PI and wait 12 months before prompting the consumer to opt back in. Common exceptions to this opt-out right include sales that are necessary to comply with legal obligations and certain exempted medical or credit report information. Opt-out requests should be submitted to the businesses themselves and not their service providers, as service providers are not responsible for responding to such requests. Businesses can only sell PI of a child under the age of 16 if they have received affirmative “opt-in” consent. If the child is under the age of 13, that consent must come from the child’s guardian.

The Schrems II decision issued on July 16, 2020, is seismic.

In invalidating the Privacy Shield program, it immediately jeopardizes the portion of the $7.1 trillion in commerce between the European Union and United States that is in part underpinned by the Privacy Shield program.

But it does not have to be seismic for your company.

Standard contractual clauses are still valid under the decision.

If your company relies on Privacy Shield to transfer data from the European Union to the United States, you should immediately identify the programs at issue and update your data protection addenda to add standard contractual clauses. The European Court of Justice placed a greater onus on data exporters in the European Union to assess the adequacy of privacy protections for the data importer (e.g., a U.S. company). Therefore, U.S. companies should anticipate more questions from customers and E.U. employees regarding the adequacy of the controls. In addition, we suggest the following steps for in-house teams:

  • First Step: Leverage your Article 30 inventory to identify data flows impacted by the decision
  • Second Step: Collaborate with your procurement and IT teams to assess impact
  • Third Step: Discuss with your senior leadership to align on risk tolerance
  • Fourth Step: Document the basis for the decision
  • Fifth Step: Develop your long-term action plan (e.g., regionalized data centers, development of a cross-functional team)

Please see our July 20 update for full analysis of the decision.

CCPA Enforcement: Enter the AG

Dominique Shelton Leipzig (Perkins Coie) moderated the IAPP Keynote, “CCPA Enforcement: Enter the AG,” on July 9, 2020. The discussion featured Supervising Deputy Attorney General Stacey Schesser and Travis LeBlanc (Cooley) who shared their personal insights and views on the California Consumer Privacy Act (CCPA) and its enforcement.

Key takeaways include:

  • The CCPA regulations will not be enforceable or effective until they are approved by the Office of Administrative Law and published by the Secretary of State.
  • Beginning on July 1, 2020, the California Attorney General’s office (AG) started its enforcement of the CCPA, but the enforcement is currently limited to the “four corners” of the statute.
  • The AG has sent out notices of violation and corresponding 30-day opportunity to cure (NOVs) to businesses that are not complying with the CCPA.
  • The AG has not focused on a particular industry or sector, but has looked at consumer complaints submitted to the AG, along with publicly available information such as complaints on social media (Twitter).
  • The NOVs were sent to online businesses and involved issues relating to CCPA disclosures and mechanisms.
    • An important CCPA right is the right to opt out of sale. If a business is selling personal information, it must have the Do Not Sell link on the home page.
    • The CCPA expressly seeks to protect minors by requiring, among other things, a much clearer authorization (i.e., opt in).
    • Protecting health data has been and continues to be a priority. Companies should keep this in mind in connection with COVID-19 data collection.
  • Companies are advised to take a comprehensive approach to privacy and data security (e.g., comply with California Online Privacy Protection Act, implement reasonable data security measures, etc.).
  • AG’s past enforcement actions may provide insights into the types of issues that are of the greatest concern to the AG (e.g., Equifax).
  • If a business receives an NOV, it should communicate and engage with the AG right away.
  • The exclusive enforcement of the CCPA resides with the AG, except for the limited private right of action for a data breach.
  • The CCPA is not an easily understood law. It is lengthy, nuanced, and complex. Businesses need to thoroughly understand both the statute and the regulations.
  • Our key takeaway from this discussion: Companies wishing to avoid receiving NOVs should consider updating their websites to include Do Not Sell links if they have third-party cookies that can track users across multiple sites.

Alastair Mactaggart on the CPRA

Key takeaways include:

  • The CPRA is popular.
  • Mactaggart’s goal is to treat privacy as a human right. He hopes to attain an adequacy determination from the European Union for California as a territory.
  • Mactaggart believes that “cross-contextual behavioral advertising” requires a Do Not Sell link.
  • The CPRA will add new rights including:
    • Right to correct data.
    • Right to limit use of sensitive data.
    • Right to opt out of sharing of PI.

The California Consumer Privacy Act of 2018 (CCPA) regulates a company’s offerings of financial incentives and price or service differences related to the collection, retention, or sale of personal information. Cal. Civ. Code Section 1798.125(a)(2); Final Text of CCPA Regulations, 999.301(j), 999.307, 999.336. Although the CCPA became effective on January 1, 2020, the regulations were not issued in final form until June 1, 2020. As a result, many companies are still in the process of developing their approach to complying with the CCPA’s requirements–particularly those that relate to financial incentives. If your company offers programs that may fall within the definition of “financial incentives” or “price or service differences,” you should be aware of the CCPA’s requirements related to those types of offerings, including the requirement to provide notice of the financial incentive and disclose a good faith estimate of the value of the consumer’s data that forms the basis of the offering. The California Attorney General is expected to begin enforcing the CCPA on July 1, 2020.

Commercial landlords and tenants are preparing to safeguard their employees and customers from COVID-19 risks. Thermal cameras to measure temperatures, facial recognition, Bluetooth, Wi-Fi, and GPS are all being leveraged to track and trace the contagion. We can help. The attached checklist provides information regarding privacy notice requirements as well as security controls necessary to avoid privacy pitfalls.

The California Consumer Privacy Act (CCPA) went into effect three months ago, on January 1, 2020. Although enforcement by the California attorney general cannot begin until July 1, private plaintiffs have been able to bring claims under the law’s limited private right of action since the beginning of the year.

The CCPA is already having an impact on litigation. Two high-profile cases filed after January 1 directly allege violations of the CCPA and have attracted attention. Other cases that either allege CCPA violations or otherwise cite to the statute have received less notice. Even if the cases do not result in decisions that are binding on future litigants, the arguments are worth a look because they may signal trends for which privacy litigators should be prepared. To that end, this privacy quick tip aims to paint a broader picture of how the CCPA has been referenced in litigation and identify a few potential trends to keep an eye on.

COVID-19 arrives just as the first omnibus privacy statute in the United States, the CCPA, became effective. Since its January 1 effective date, we continue to wait for finalization of the CCPA regulations and enforcement that was slated for July 1. In a pandemic environment, companies, employers, and public institutions are grappling, outside the HIPAA context, with unique privacy, data security, and cybersecurity implications of their responses to the coronavirus. From a compliance perspective, businesses are considering under what circumstances they can disclose consumer or employee health conditions or geolocation information in the service of greater public health. Other companies—and governmental institutions at every level—are confronting the very real, and often opportunistic, threats to data security posed by aggressive thieves who use crises as cover to commit an assortment of cybercrimes. Privacy and security requirements vary by jurisdiction, so businesses should be mindful of potentially divergent and overlapping approaches and responsibilities as the situation continues to evolve.

We offer a few updates and practical tips for best practices to promote compliance with privacy and data security requirements.

On March 11, 2020, the California Attorney General published its second modification to the California Consumer Privacy Act (CCPA) proposed regulations (“Second Modified Proposed Regs”). The redline includes the Second Modification language in blue and green as well as the first modification edits that were issued on February 10, 2020 (“First Modified Proposed Regs”). Collectively, the First Modified Proposed Regs and the Second Modified Proposed Regs are referred to below as the “Modified Proposed Regs.” The redlined comparison between the originally proposed regulations and the Modified Proposed Regs can be found here. All citations below are to the Modified Proposed Regs posted on March 11, 2020.  In addition to changes to the regulations, the Attorney General added supporting documents and information, which can be found here.

The California Consumer Privacy Act of 2018 (CCPA) is a sweeping new privacy statute that grants rights to consumers and imposes corresponding obligations on subject businesses. The CCPA defines consumers to mean California residents, and generally defines “business” as for-profit entities that meet certain threshold requirements. Cal. Civ. Code § 1798.140(g) (consumer), (c) (business). The CCPA went into effect on January 1, 2020.

The California Consumer Privacy Act (CCPA) officially went into effect on January 1, 2020. For a full discussion of how the CCPA and the Attorney General’s proposed regulations will impact businesses, see here. To comply with the law, businesses must implement technical solutions to the CCPA’s various notice, submission, verification, and opt-out of sale requirements. Here are a few technical updates to facilitate compliance with the CCPA.