The Brazilian General Data Protection Law (LGPD) has been effective for almost six months.  Since then, there have been movements to form the National Data Protection Authority responsible for enforcing the law (ANDP), guidance on best practices for data security has been published and private enforcement of the LGPD is underway.  This quick tip will shed some light on how Brazil’s landmark privacy legislation has made way despite the continuing COVID-19 pandemic.
Continue Reading LGPD Updates: Six Months Out

Yesterday, California Attorney General Xavier Becerra announced a $17.5 million multi-state settlement with The Home Depot, Inc. regarding a data breach affecting point-of-sale systems at the retailer’s facilities. The breach affected the payment card information of approximately 40 million consumers and 53 million email addresses. The settlement includes both monetary and injunctive relief, pursuant to

In the latest chapter of the discussions about Brazil’s LGPD, on August 26, 2020, the Senate rejected the article in the Executive Order (‘Medida Provisória’ – MP) which provided for the extension of its implementation to May 3, 2021. Accordingly, the MP will lose effect in relation to that article, and the LGPD will go into force promptly, pending only the presidential sanction. The implementation of the LGPD articles covering the administrative penalties remains set for August 1, 2021, as per the amended Law enacted on June 10, 2020.
Continue Reading In a Surprise Move, the Brazilian Landmark Privacy Law, LGPD, Is About to Be in Effect

The Schrems II decision issued on July 16, 2020, is seismic.

In invalidating the Privacy Shield program, it immediately jeopardizes the portion of the $7.1 trillion in commerce between the European Union and United States that is in part underpinned by the Privacy Shield program.

But it does not have to be seismic for

On March 11, 2020, the California Attorney General published its second modification to the California Consumer Privacy Act (CCPA) proposed regulations (“Second Modified Proposed Regs”). The redline includes the Second Modification language in blue and green as well as the first modification edits that were issued on February 10, 2020 (“First Modified Proposed Regs”). Collectively, the First Modified Proposed Regs and the Second Modified Proposed Regs are referred to below as the “Modified Proposed Regs.” The redlined comparison between the originally proposed regulations and the Modified Proposed Regs can be found here. All citations below are to the Modified Proposed Regs posted on March 11, 2020.  In addition to changes to the regulations, the Attorney General added supporting documents and information, which can be found here.

Continue Reading Updated: Modifications to Proposed CCPA Regulations: 10 Take-Aways

The CCPA grants consumers the right to request deletion of any personal information which a business has collected from the consumer. Cal. Civ. Code § 1798.105. It also requires a business to fulfill deletion requests, and to direct service providers to do the same, within 45 days of receiving a “verified” or “verifiable” request from the consumer. Cal. Civ. Code § 1798.140(y).

Continue Reading CCPA 12-Month Compliance Series Part 6: Retaining and Deleting Data

Is your business ready for the California Consumer Privacy Act?

The California Consumer Privacy Act (“CCPA”) is a sweeping new law that introduces a host of privacy rights for California consumers, as well as creates a series of robust obligations for certain businesses that collect personal information about those consumers.

Join us for CCPA Week: A series of webinars hosted by Perkins Coie’s Privacy & Data Security practice focused on getting your business ready to comply with this enigmatic statutory scheme. Attendees will receive an overview of the current state of legislative amendments, insight into the high burden of persuasion industries may face, and guidance on leveraging existing compliance and governance programs to build a global privacy program that incorporates responsible data usage and proactive privacy practices.
Continue Reading Perkins Coie’s CCPA Week

Does your company use chatbots to interact with customers online? If so, California’s new Autobot Law, Cal. Bus. & Prof. Code § 17940, et seq. (SB 1001) goes into effect July 1, 2019 and may affect your business. As the nation’s first autobot regulation, SB 1001 makes it unlawful “to use a bot to communicate or interact with another person in California online, with the intent to mislead the other person about its artificial identity for the purpose of knowingly deceiving the person about the content of the communication in order to incentivize a purchase or sale of goods or services in a commercial transaction or to influence a vote in an election.”

Continue Reading I Am Robot: California’s New Law Requires Disclosure of Use of Bots

I wanted to take this opportunity to share the key takeaways from yesterday’s Senate Judiciary Committee hearing on The State of Data Privacy Protection: Exploring the California Consumer Protection Act and its European Counterpart (see video), where I presented my thoughts regarding a path forward for data management that involves transforming our view of data and reimagining data as a pre-tangible asset in this post-data world. Here are my takeaways from the hearing:
Continue Reading CCPA- Key Takeaways from the California State Senate Judiciary Informational Hearing on the State of Data Privacy Protection: Exploring the California Consumer Protection Act and its European Counterpart

To comply with the CCPA, you need to know your data. You need to know what personal information you collect, where it is collected and stored, and whether, to whom, and for what purpose, it is shared or sold. And to know your data, you need to conduct a thorough data inventory.

The process of creating and maintaining a data inventory differs from company to company; however, several key steps are common across industries. First, you need to identify all personal information your company is collecting and where, or from whom, such information is obtained. You also need to identify where the personal information is stored and whether it is shared or sold to others. If personal information is shared with or sold to others, you need to know to whom and for what purpose. In addition, the inventory should have a mechanism to track the 12-month “lookback” period for responding to consumer data requests. If you had prepared a data inventory for GDPR, that would be helpful, but it would not be the end-all for CCPA compliance, as GDPR inventories (or Article 30 reports) are typically limited to personal information flowing from the European Union and to the data elements contained within GDPR’s definition of “personal data.”
Continue Reading CCPA 12-Month Compliance Series Part 2: Know Your Data