To comply with the CCPA, you need to know your data. You need to know what personal information you collect, where it is collected and stored, and whether, to whom, and for what purpose, it is shared or sold. And to know your data, you need to conduct a thorough data inventory.

The process of creating and maintaining a data inventory differs from company to company; however, several key steps are common across industries. First, you need to identify all personal information your company is collecting and where, or from whom, such information is obtained. You also need to identify where the personal information is stored and whether it is shared or sold to others. If personal information is shared with or sold to others, you need to know to whom and for what purpose. In addition, the inventory should have a mechanism to track the 12-month “lookback” period for responding to consumer data requests. If you had prepared a data inventory for GDPR, that would be helpful, but it would not be the end-all for CCPA compliance, as GDPR inventories (or Article 30 reports) are typically limited to personal information flowing from the European Union and to the data elements contained within GDPR’s definition of “personal data.”

On February 20, 2019, the Privacy & Consumer Protection Committee of the California State Assembly held an informational hearing where panelists representing different interests spoke on changes and clarifications to the California Consumer Privacy Act (CCPA). Panelists included Alastair Mactaggart, the founder of the ballot initiative of the bill, Stacey Schesser of the California Attorney General’s Office (AGO), Sarah Boot from the California Chamber of Commerce, as well as other interested parties including industry representatives, attorneys, consumer privacy advocates and professors.

Assembly member Ed Chau opened the hearing by noting that even with the passage of SB 1121, which amended the CCPA, there is more work to be done and more “cleanup” bills expected. Assembly member Chau emphasized that the law should be refined so that it is true to its legislative intent and workable for both consumers and businesses.

The California Office of the Attorney General (OAG) will be promulgating regulations to further the purposes of, and provide guidance regarding, the California Consumer Privacy Act (CCPA). You can participate in the rulemaking process.

The OAG is holding public forums where all members of the public are invited to speak (RSVP) or simply attend. We reported on the first two forums in San Francisco and San Diego here.

The California Office of the Attorney General (OAG or Office) held the first two of its six public forums on January 8, 2019 in San Francisco and on January 14, 2019 in San Diego to solicit public comments and feedback in preparation for its rulemaking efforts under the California Consumer Privacy Act (CCPA). The OAG specifically welcomed comments across seven rulemaking categories that are included in the responsibility of the OAG:

  1. Categories of “personal information”
  2. Definition of “unique identifier”
  3. Exceptions to the CCPA
  4. Submitting and complying with requests
  5. The uniform opt-out logo or button
  6. What notices and information should businesses be required to provide to consumers
  7. Verification of consumers’ requests

In San Francisco, 14 speakers from businesses, nonprofit organizations, trade associations, universities, Perkins Coie and individual consumers sought clarifications to definitions in, and scope of, the statute and provided specific suggestions. In San Diego, a total of five speakers, including representatives from a trade association and a cybersecurity consulting firm, shared their input.

Since the passing of the European General Data Protection Regulation (“GDPR”), several states have introduced or passed privacy and data protection legislation. In addition to the California Consumer Privacy Act of 2018 (“CCPA”), the following state laws should be on your radar in 2019.

New Laws

  • Colorado’s H.B. 18-1128 “concerning strengthening protections for consumer data privacy,” which became effective on September 1, 2018, imposes strict obligations on businesses that maintain, own, or license personal information. Such businesses must have written policies governing the disposal of paper and electronic records containing personal information, take reasonable steps to protect such information, and provide detailed notice of a data breach to consumers and, in certain circumstances, the Attorney General.
  • Vermont’s data broker privacy law (H.B. 764), effective January 1, 2019, is the first of its kind in the United States. It regulates businesses that buy and sell personal information about consumers with whom the business does not have a relationship. The law requires data brokers to disclose what data they collect and allow customers to opt out. It also imposes registration, reporting, and security obligations on data brokers and provides for a right of action for consumers.



Businesses, governmental agencies, and consumers are closely watching the direction the California Office of the Attorney General (“OAG” or “Office”) will take in promulgating regulations clarifying and implementing the California Consumer Privacy Act (“CCPA”). Eleanor Blume, the Special Assistant to the OAG, spoke last week with Perkins Coie and many of its clients to provide insights into the OAG’s approach. Here are some key takeaways:

Start Now. While the CCPA does not go into effect until January 1, 2020 and the deadline for the OAG to issue the regulations is not until July 1, 2020, the Office strongly urges companies to start planning for compliance now. Ms. Blume stressed that the OAG’s task is to clarify the law, not to add or eliminate any provisions, and therefore encouraged companies to familiarize themselves with the statute and begin the process of developing policies, procedures, and structures to comply with its requirements.

While the California Consumer Protection Act (CCPA) bears a resemblance to the General Data Protection Regulation (GDPR), there are several notable differences, and companies should not assume that GDPR compliance means CCPA compliance whatsoever. Among the differences between the CCPA and the GDPR are the following:

Does your company handle data analytics to target California consumers? If so, it is imperative that you pay close attention to the California Consumer Privacy Act (CCPA) that goes into effect on January 1, 2020. The CCPA goes well beyond the General Data Protection Regulation (GDPR); however, if you’ve achieved compliance with the GDPR, you are well on your way to achieving CCPA compliance.

Once in effect, the CCPA will require businesses processing the personal information (PI) of 50,000 or more California consumers (defined as California residents) to comply with new regulations governing the processing of their PI. Businesses will have to respond to eight (8) specific consumer rights, observe restrictions on data monetization business models, and update their privacy notices to provide detailed disclosures about their data collection, sales and business disclosures.

The California Consumer Privacy Act (CCPA) defines personal information (PI) to include any information that identifies “households,” not just individuals, and to include businesses’ proprietary “inferences” drawn from other information to develop consumer profiles. California consumers may assert eight rights related to handling of their PI under the CCPA (see last week’s Privacy Tip). In responding to these consumer rights requests, businesses should determine:

  • Whether the request is verifiable; and
  • Whether a defense applies, e.g., California law is exempted by a federal law, transaction is not a sale. (Depending on the applicable defense, a business could be exempted from having to fulfill the request or from complying with the CCPA altogether.)

