GDPR – Post Effective Date

Is your business ready for the California Consumer Privacy Act?

The California Consumer Privacy Act (“CCPA”) is a sweeping new law that introduces a host of privacy rights for California consumers, as well as creates a series of robust obligations for certain businesses that collect personal information about those consumers.

Join us for CCPA Week: a series of webinars hosted by Perkins Coie’s Privacy & Data Security practice focused on getting your business ready to comply with this complex statutory scheme. Attendees will receive an overview of the current state of legislative amendments, insight into the high burden of persuasion industries may face, and guidance on leveraging existing compliance and governance programs to build a global privacy program that incorporates responsible data usage and proactive privacy practices.

When creating a privacy program, it is important to look ahead and think strategically about who your audience might be. For businesses that might find themselves under the scrutiny of regulators and judges because of a lawsuit, unwanted publicity, or a data breach, it is critical to be able to demonstrate substantial compliance with the program they have implemented. This can be accomplished by developing privacy programs that follow guidance promulgated by that audience, i.e., regulators and courts. Such guidance includes the CNIL’s (the French Data Protection Authority’s) Six Steps for GDPR Compliance, along with Federal Trade Commission orders such as the 2017 Vizio order, which together provide a roadmap for a comprehensive privacy program that can be distilled down to six main phases.

The GDPR and the CCPA have made headlines for their wide scope and impact on privacy practices. On the issue of data security, they take somewhat different approaches, but the bottom line for companies is quite similar: data security measures tailored to the company’s risk profile and actual practices are essential for both legal compliance and the protection of the company and its customers.

The GDPR makes data security a general obligation for all companies processing personal data from the European Union (EU) by requiring controllers and processors to implement “appropriate technical and organizational measures to ensure a level of security appropriate to the risk” (Article 32). As stated in the GDPR, such measures include: pseudonymization and encryption; ability to ensure the ongoing confidentiality, integrity, availability, and resilience of systems and services; ability to timely restore availability and access to personal data in the event of a physical or technical incident; and processes for regularly testing, assessing, and evaluating the technical and organizational measures to ensure the security of processing. Comprehensive internal policies and procedures are thus crucial for all companies controlling or processing EU personal data. Recent enforcement brings home this point, as the Portuguese supervisory authority (CNPD) fined a hospital for using software that provided inadequate patient protections, even though the hospital asserted that it used the software provided by the Portuguese Health Ministry.

On February 20, 2019, the Privacy & Consumer Protection Committee of the California State Assembly held an informational hearing where panelists representing different interests spoke on changes and clarifications to the California Consumer Privacy Act (CCPA). Panelists included Alastair Mactaggart, the proponent of the ballot initiative that led to the bill, Stacey Schesser of the California Attorney General’s Office (AGO), and Sarah Boot from the California Chamber of Commerce, as well as other interested parties, including industry representatives, attorneys, consumer privacy advocates, and professors.

Assembly member Ed Chau opened the hearing by noting that even with the passage of SB 1121, which amended the CCPA, there is more work to be done and more “cleanup” bills expected. Assembly member Chau emphasized that the law should be refined so that it is true to its legislative intent and workable for both consumers and businesses.

Recent privacy laws and standards promote, and in some cases require, privacy by design. Simply put, companies are to incorporate privacy principles in and throughout all of their products and services. In Europe, Article 25 of the GDPR requires companies to implement “appropriate technical and organisational measures . . . which are designed to implement data-protection

Since the passage of the European General Data Protection Regulation (“GDPR”), several states have introduced or passed privacy and data protection legislation. In addition to the California Consumer Privacy Act of 2018 (“CCPA”), the following state laws should be on your radar in 2019.

New Laws

  • Colorado’s H.B. 18-1128 “concerning strengthening protections for consumer data privacy,” which became effective on September 1, 2018, imposes strict obligations on businesses that maintain, own, or license personal information. Such businesses must have written policies governing the disposal of paper and electronic records containing personal information, take reasonable steps to protect such information, and provide detailed notice of a data breach to consumers and, in certain circumstances, the Attorney General.
  • Vermont’s data broker privacy law (H.B. 764), effective January 1, 2019, is the first of its kind in the United States. It regulates businesses that buy and sell personal information about consumers with whom the business does not have a direct relationship. The law requires data brokers to disclose what data they collect and whether, and how, consumers may opt out. It also imposes registration, reporting, and security obligations on data brokers and provides for a right of action for consumers.

The second annual review of the EU-U.S. Privacy Shield framework is currently underway, with the European Commission planning to release a report detailing its findings regarding the effectiveness of the Privacy Shield by January 1, 2019. The Privacy Shield framework was created to act as a conduit between the respective privacy approaches of the European Union and the United States. In July, the European Parliament warned that it would suspend the EU-U.S. Privacy Shield agreement unless the United States took steps to demonstrate that it was meeting its obligations under the framework. Since then, the United States has been collaborating with the European Union to preserve the international data flows in place under the Privacy Shield, emphasizing its importance for both EU and U.S. consumers and businesses.

Are you collecting, using, or disclosing personal information (PI) of Canadian residents in the course of commercial activities? If so, you may be subject to Canada’s Breach of Security Safeguards Regulations (Regulations), issued under Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA). Under the Regulations, which went into effect on November 1, 2018, organizations that are subject to PIPEDA are required to report security breaches involving PI that “pose a real risk of significant harm,” notify affected individuals of the breach, and maintain records of every breach, reported or not, for at least two years. Businesses that fail to comply with the Regulations may be subject to fines of up to CA$100,000 per offense.

Under the GDPR, individuals have the following rights relating to their personal data:

  1. Right to access their personal data and information about how it is processed;
  2. Right to rectification, to ensure the accuracy of their personal data;
  3. Right to request erasure of their personal data;
  4. Right to restrict the processing of their personal data;
  5. Right to retrieve or transmit their personal data (i.e., data portability);
  6. Right to object to the processing of their personal data; and
  7. Right not to be subject to a decision based solely on automated processing.

While the California Consumer Privacy Act (CCPA) bears a resemblance to the General Data Protection Regulation (GDPR), there are several notable differences, and companies should not assume that GDPR compliance means CCPA compliance. Among the differences between the CCPA and the GDPR are the following: