Data Management Strategy

On March 11, 2020, the California Attorney General published its second modification to the California Consumer Privacy Act (CCPA) proposed regulations (“Second Modified Proposed Regs”). The redline includes the Second Modification language in blue and green as well as the first modification edits that were issued on February 10, 2020 (“First Modified Proposed Regs”). Collectively, the First Modified Proposed Regs and the Second Modified Proposed Regs are referred to below as the “Modified Proposed Regs.” The redlined comparison between the originally proposed regulations and the Modified Proposed Regs can be found here. All citations below are to the Modified Proposed Regs posted on March 11, 2020.  In addition to changes to the regulations, the Attorney General added supporting documents and information, which can be found here.

Continue Reading Updated: Modifications to Proposed CCPA Regulations: 10 Take-Aways

The CCPA grants consumers the right to request deletion of any personal information which a business has collected from the consumer. Cal. Civ. Code § 1798.105. It also requires a business to fulfill deletion requests, and to direct service providers to do the same, within 45 days of receiving a “verified” or “verifiable” request from the consumer. Cal. Civ. Code § 1798.140(y).

Continue Reading CCPA 12-Month Compliance Series Part 6: Retaining and Deleting Data

Is your business ready for the California Consumer Privacy Act?

The California Consumer Privacy Act (“CCPA”) is a sweeping new law that introduces a host of privacy rights for California consumers, as well as creates a series of robust obligations for certain businesses that collect personal information about those consumers.

Join us for CCPA Week: A series of webinars hosted by Perkins Coie’s Privacy & Data Security practice focused on getting your business ready to comply with this enigmatic statutory scheme. Attendees will receive an overview of the current state of legislative amendments, insight into the high burden of persuasion industries may face, and guidance on leveraging existing compliance and governance programs to build a global privacy program that incorporates responsible data usage and proactive privacy practices.
Continue Reading Perkins Coie’s CCPA Week

It is no secret that artificial intelligence (“AI”) is set to become the next wave in technological innovation. AI is expected to create as many as 133 million new jobs by 2022 and boost the global economy by $13 trillion by 2030. However, successful machine learning depends on large and broad data sets, including personal information, and the extraordinary pace of development is forcing nations to reevaluate their laws in order to compete within the industry.
Continue Reading Promoting and Regulating Artificial Intelligence

When creating a privacy program, it is important to look ahead and think strategically about who your audience might be. For businesses that might find themselves under the scrutiny of regulators and judges because of a lawsuit, unwanted publicity, or data breach, it is critical to be able to demonstrate substantial compliance for the program they’ve implemented. This can be accomplished by developing privacy programs that follow guidance promulgated by their audience—regulators and courts. This guidance includes the CNIL’s (the French Data Protection Authority’s) Six Steps for GDPR Compliance, along with Federal Trade Commission orders such as the Vizio 2017 order, which provide a roadmap for a comprehensive privacy program that can be distilled down to six main phases
Continue Reading Six Phases of Compliance for a Comprehensive Privacy Program

After conducting a data inventory (see Part 2 of our CCPA series), a business should assess its risks by benchmarking its policies and practices with applicable privacy laws and regulations. Conducting a gap analysis is a critical tool in identifying compliance gaps and developing a plan to bridge those gaps. See e.g.Stipulated Order for Permanent Injunction and Monetary Judgment, Federal Trade Commission & Others v. Vizio, Inc., No. 2:17-cv-00758 (D.N.J. Feb. 6, 2017), Document 1-3 at 5 (privacy program includes addressing privacy risks related to the development and management of new and existing products and services) and CNIL (the French Data Protection Authority) Guidance on Six Steps for GDPR Compliance (step three to identify actions to comply with current/future obligations and to prioritize such actions based on risks).
Continue Reading CCPA 12-Month Compliance Series Part 3: Conduct a Gap Analysis

For any company handling personal information (PI), an incident involving unauthorized access of the PI may be a question of when and not if. The question then becomes: what does the company need to do? Having an incident response plan that outlines the roles and responsibilities of company stakeholders, the steps the company will take in response to an incident, and the issues it must consider is essential to re-securing the network, meeting the legal obligations arising out of the incident, and minimizing the monetary and reputational harm to the company. All 50 states have breach notification laws that require businesses to take certain actions in the event of a data breach. While notification laws vary from state to state, most states require notification without unreasonable delay and are starting to impose deadlines as short as 30 days. Meanwhile, the GDPR requires a controller to notify “without undue delay” a data breach to the supervisory authority within 72 hours, and if the breach is likely to pose a “high risk to the rights and freedoms” of individuals, it must also notify the affected individuals.
Continue Reading Incident Response: Have a Plan

You might have heard of data brokers—entities that collect personal information and analyze, append, and repackage it for sale to third parties—from reports such as the FTC’s 2014 study or a 2017 proposed congressional bill that would have imposed breach notification obligations on brokers following the Equifax breach. But you may have never thought that your company’s practices could land you in this category.

Beginning on January 1, 2019, Vermont will be the first state in the nation to regulate data brokers that process personal information regarding its residents. This new law incorporates a very broad definition of “data broker” and requires businesses defined as such to register annually and report on security breaches to the Secretary of State. 
Continue Reading Vermont Data Broker Law – Could You Be a Data Broker?

Does your company use mobile apps, Internet of Things, AI, health tech or other technologies to develop consumer profiles, create products or deliver targeted advertising? If so, you should be aware that the technologies used to perform these tasks are highly regulated and the subject of multiple privacy and data security laws. Specifically, it is worth asking your digital marketing department whether it is using persistent unique identifiers (or IDs) to track users. Persistent IDs are the tools that marketers use behind the scenes to connect consumers with their devices. The information gathered is used for marketing, product development and analytics.
Continue Reading Persistent Identifiers Used in Digital Marketing Are Personal Information and Governed by Multiple Privacy Laws