Data Management Strategy

The CCPA grants consumers the right to request deletion of any personal information which a business has collected from the consumer. Cal. Civ. Code § 1798.105. It also requires a business to fulfill deletion requests, and to direct service providers to do the same, within 45 days of receiving a “verified” or “verifiable” request from the consumer. Cal. Civ. Code § 1798.140(y).


Is your business ready for the California Consumer Privacy Act?

The California Consumer Privacy Act (“CCPA”) is a sweeping new law that introduces a host of privacy rights for California consumers, as well as creates a series of robust obligations for certain businesses that collect personal information about those consumers.

Join us for CCPA Week: A series of webinars hosted by Perkins Coie’s Privacy & Data Security practice focused on getting your business ready to comply with this enigmatic statutory scheme. Attendees will receive an overview of the current state of legislative amendments, insight into the high burden of persuasion industries may face, and guidance on leveraging existing compliance and governance programs to build a global privacy program that incorporates responsible data usage and proactive privacy practices.

It is no secret that artificial intelligence (“AI”) is set to become the next wave in technological innovation. AI is expected to create as many as 133 million new jobs by 2022 and boost the global economy by $13 trillion by 2030. However, successful machine learning depends on large and broad data sets, including personal information, and the extraordinary pace of development is forcing nations to reevaluate their laws in order to compete within the industry.

When creating a privacy program, it is important to look ahead and think strategically about who your audience might be. For businesses that might find themselves under the scrutiny of regulators and judges because of a lawsuit, unwanted publicity, or data breach, it is critical to be able to demonstrate substantial compliance for the program they’ve implemented. This can be accomplished by developing privacy programs that follow guidance promulgated by their audience—regulators and courts. This guidance includes the CNIL’s (the French Data Protection Authority’s) Six Steps for GDPR Compliance, along with Federal Trade Commission orders such as the Vizio 2017 order, which provide a roadmap for a comprehensive privacy program that can be distilled down to six main phases.

After conducting a data inventory (see Part 2 of our CCPA series), a business should assess its risks by benchmarking its policies and practices against applicable privacy laws and regulations. Conducting a gap analysis is a critical tool for identifying compliance gaps and developing a plan to bridge those gaps. See, e.g., Stipulated Order for Permanent Injunction and Monetary Judgment, Federal Trade Commission & Others v. Vizio, Inc., No. 2:17-cv-00758 (D.N.J. Feb. 6, 2017), Document 1-3 at 5 (privacy program includes addressing privacy risks related to the development and management of new and existing products and services), and CNIL (the French Data Protection Authority) Guidance on Six Steps for GDPR Compliance (step three: identify actions to comply with current and future obligations and prioritize such actions based on risk).

For any company handling personal information (PI), an incident involving unauthorized access to the PI may be a question of when and not if. The question then becomes: what does the company need to do? Having an incident response plan that outlines the roles and responsibilities of company stakeholders, the steps the company will take in response to an incident, and the issues it must consider is essential to re-securing the network, meeting the legal obligations arising out of the incident, and minimizing the monetary and reputational harm to the company. All 50 states have breach notification laws that require businesses to take certain actions in the event of a data breach. While notification laws vary from state to state, most states require notification without unreasonable delay and are starting to impose deadlines as short as 30 days. Meanwhile, the GDPR requires a controller to notify the supervisory authority of a data breach “without undue delay” and within 72 hours, and if the breach is likely to pose a “high risk to the rights and freedoms” of individuals, it must also notify the affected individuals.

You might have heard of data brokers—entities that collect personal information and analyze, append, and repackage it for sale to third parties—from reports such as the FTC’s 2014 study or a 2017 proposed congressional bill that would have imposed breach notification obligations on brokers following the Equifax breach. But you may have never thought that your company’s practices could land you in this category.

Beginning on January 1, 2019, Vermont will be the first state in the nation to regulate data brokers that process personal information regarding its residents. This new law incorporates a very broad definition of “data broker” and requires businesses defined as such to register annually and report on security breaches to the Secretary of State. 

Does your company use mobile apps, Internet of Things, AI, health tech or other technologies to develop consumer profiles, create products or deliver targeted advertising? If so, you should be aware that the technologies used to perform these tasks are highly regulated and the subject of multiple privacy and data security laws. Specifically, it is worth asking your digital marketing department whether it is using persistent unique identifiers (or IDs) to track users. Persistent IDs are the tools that marketers use behind the scenes to connect consumers with their devices. The information gathered is used for marketing, product development and analytics.