The California Consumer Privacy Act (CCPA) imposes new transparency and disclosure obligations on businesses’ use, sale, and disclosure of consumer information. Businesses will need to honor requests from consumers to access their personal information, delete their personal information, and opt out of the sale of their personal information. “Personal information” is more broadly described in the CCPA than in any prior statute: that is, “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.”

Continue Reading

At the core of complying with the CCPA is knowing how to deal with consumer’s requests with respect to any of the eight rights regarding their personal information (PI), which are:

  1. An abbreviated right to disclosure regarding PI collected (§1798.100)
  2. An expanded right to disclosure regarding PI collected (§1798.110(a))
  3. Right to disclosure regarding PI sold or disclosed for a business purpose (§1798.115)
  4. Right to opt-out of sale of PI (§1798.120)
  5. Right to opt-in for sale of minor’s PI (§1798.120(c))
  6. Right to deletion of PI collected (§1798.105)
  7. Right to access PI (§1798.100(d))
  8. Right to not be discriminated against (§1798.125)


Continue Reading

Does your company use chatbots to interact with customers online? If so, California’s new Autobot Law, Cal. Bus. & Prof. Code § 17940, et seq. (SB 1001) goes into effect July 1, 2019 and may affect your business. As the nation’s first autobot regulation, SB 1001 makes it unlawful “to use a bot to communicate or interact with another person in California online, with the intent to mislead the other person about its artificial identity for the purpose of knowingly deceiving the person about the content of the communication in order to incentivize a purchase or sale of goods or services in a commercial transaction or to influence a vote in an election.”

Continue Reading

A business that is subject to the CCPA will need to update its consumer-facing online privacy policy. At a bare minimum, a privacy policy (and any California-specific privacy disclosure) must disclose:

  • A description of a consumer’s right to disclosure regarding the personal information (“PI”) that the business has collected about the consumer, a consumer’s right to disclosure regarding the business’s sale of her or his PI, and a consumer’s right not to be discriminated against for exercising any rights under the CCPA [Cal. Civ. Code §1798.130(a)(5)(A)];
  • Categories of PI collected, sold, or disclosed in the preceding 12 months [Cal. Civ. Code §1798.130(a)(5)(B)&(C)]; and
  • Two or more designated methods for submitting consumer requests, including a toll-free number and a website address [Cal. Civ. Code §1798.130(a)(1)].


Continue Reading

On April 9, 2019, the California Senate Judiciary committee voted to advance SB 561, which would expand the private right of action to any violation of the CCPA (not just for negligent breaches) and would eliminate a business’s 30-day right to cure. (Video available here.) During the hearing, several senators expressed serious concerns with the bill as currently drafted and made clear they expect to see changes to the bill or will not vote to move the bill forward. The bill will next be heard by the appropriations committee, followed by a Senate floor vote, before it moves on to the House.
Continue Reading

The GDPR and the CCPA have made headlines for their wide scope and impact on privacy practices. On the issue of data security, they take somewhat different approaches, but the bottom line for companies is quite similar: data security measures tailored to the company’s risk profile and actual practices are essential for both legal compliance and the protection of the company and its customers.

The GDPR makes data security a general obligation for all companies processing personal data from the European Union (EU) by requiring controllers and processors to implement “appropriate technical and organizational measures to ensure a level of security appropriate to the risk” (Article 32). As stated in the GDPR, such measures include: pseudonymization and encryption; ability to ensure the ongoing confidentiality, integrity, availability, and resilience of systems and services; ability to timely restore availability and access to personal data in the event of a physical or technical incident; and processes for regularly testing, assessing, and evaluating the technical and organizational measures to ensure the security of processing. Comprehensive internal policies and procedures are thus crucial for all companies controlling or processing EU personal data. Recent enforcement brings home this point, as the Portuguese supervisory authority (CNPD) fined a hospital for using software that provided inadequate patient protections, even though the hospital asserted that it used the software provided by the Portuguese Health Ministry.
Continue Reading

I wanted to take this opportunity to share the key takeaways from yesterday’s Senate Judiciary Committee hearing on The State of Data Privacy Protection: Exploring the California Consumer Protection Act and its European Counterpart (see video), where I presented my thoughts regarding a path forward for data management that involves transforming our view of data and reimagining data as a pre-tangible asset in this post-data world. Here are my takeaways from the hearing:
Continue Reading

To comply with the CCPA, you need to know your data. You need to know what personal information you collect, where it is collected and stored, and whether, to whom, and for what purpose, it is shared or sold. And to know your data, you need to conduct a thorough data inventory.

The process of creating and maintaining a data inventory differs from company to company; however, several key steps are common across industries. First, you need to identify all personal information your company is collecting and where, or from whom, such information is obtained. You also need to identify where the personal information is stored and whether it is shared or sold to others. If personal information is shared with or sold to others, you need to know to whom and for what purpose. In addition, the inventory should have a mechanism to track the 12-month “lookback” period for responding to consumer data requests. If you had prepared a data inventory for GDPR, that would be helpful, but it would not be the end-all for CCPA compliance, as GDPR inventories (or Article 30 reports) are typically limited to personal information flowing from the European Union and to the data elements contained within GDPR’s definition of “personal data.”
Continue Reading

On February 20, 2019, the Privacy & Consumer Protection Committee of the California State Assembly held an informational hearing where panelists representing different interests spoke on changes and clarifications to the California Consumer Privacy Act (CCPA). Panelists included Alastair Mactaggart, the founder of the ballot initiative of the bill, Stacey Schesser of the California Attorney General’s Office (AGO), Sarah Boot from the California Chamber of Commerce, as well as other interested parties including industry representatives, attorneys, consumer privacy advocates and professors.

Assembly member Ed Chau opened the hearing by noting that even with the passage of SB 1121, which amended the CCPA, there is more work to be done and more “cleanup” bills expected. Assembly member Chau emphasized that the law should be refined so that it is true to its legislative intent and workable for both consumers and businesses.
Continue Reading

The California Office of the Attorney General (OAG) will be promulgating regulations to further and provide guidance regarding the California Consumer Privacy Act (CCPA). You can participate in the rulemaking process.

The OAG is holding public forums where all members of the public are invited to speak (RSVP) or simply attend. We reported on the first two forums in San Francisco and San Diego here.
Continue Reading