On February 2, 2021, a California magistrate judge dismissed claims against a defendant tech company based on alleged violations of the California Consumer Privacy Act (CCPA) because the plaintiff admittedly failed to allege a security breach. Continue Reading California Judge Dismisses CCPA Claim in Absence of Alleged Security Breach

With the introduction of the final regulations under the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA), consumers have more rights to limit the sale and sharing of their personal data than ever before. In particular, the CCPA gives consumers or their authorized agents the right to opt out of the sale of their personal information.[1] Adding on to the CCPA, the CPRA also gives consumers the right to limit the use and disclosure of sensitive personal information and to opt out of the sharing of personal information for cross-context behavioral advertising.[2]

Under the CCPA, businesses have an obligation to give consumers notice of their right to opt out and provide one or more designated methods for consumers to exercise that right, including an interactive webform accessible via a clear and conspicuous homepage link titled “Do Not Sell My Personal Information.”[3] Businesses must honor opt-out requests within 15 days of receipt.[4] The CCPA Regulations also indicate that businesses must treat user-enabled global privacy controls that communicate or signal the consumer’s choice to opt out of the sale of their personal information—controls such as a browser plug-in or privacy setting, device setting, or other mechanism—as valid requests to opt out for that browser, device, or (if known) consumer.[5] Similarly, the CPRA also addresses the implications of opt-out preference signals, giving businesses the option of honoring such signals in lieu of providing an opt-out link.[6] Continue Reading The Push for Global Privacy Controls

The Brazilian General Data Protection Law (LGPD) has been effective for almost six months.  Since then, there have been movements to form the National Data Protection Authority responsible for enforcing the law (ANDP), guidance on best practices for data security has been published and private enforcement of the LGPD is underway.  This quick tip will shed some light on how Brazil’s landmark privacy legislation has made way despite the continuing COVID-19 pandemic. Continue Reading LGPD Updates: Six Months Out

Yesterday, California Attorney General Xavier Becerra announced a $17.5 million multi-state settlement with The Home Depot, Inc. regarding a data breach affecting point-of-sale systems at the retailer’s facilities. The breach affected the payment card information of approximately 40 million consumers and 53 million email addresses. The settlement includes both monetary and injunctive relief, pursuant to which the retailer will implement increased security policies and procedures.

In announcing the settlement, Attorney General Becerra stated that the retailer had, among other things, failed to “stay apprised of evolving security standards.” The settlement is an important reminder of the need for companies to keep abreast of developments in consumer privacy and cybersecurity.

Attorney General Becerra joined more than 40 other state attorneys general in securing the settlement. The California case is California v. Home Depot U.S.A., Inc. et al., No. 20-CIV-05220 in the Superior Court of California for San Mateo County. The settlement, which is pending final approval, is available here.

The Fundamentals of Preparing for and Responding to a Cyber Event Are More Important Than Ever

To say 2020 has been a year of change would be quite an understatement. The COVID-19 pandemic has fundamentally transformed how we live, work, and interact with one another.

This is most definitely true for the world of cybersecurity. Bill Conner, the chairman and CEO of SonicWall, probably captured it best: “We’re in the midst of one of the most turbulent times in cybersecurity history. Over the past six months … we’ve seen shifts we thought would take decades happen virtually overnight.” Continue Reading 2020: The Year COVID-19, Corporate Reputation & Cybersecurity Collided

Update: The Governor signed the law on Friday, September 25, 2020.

Life science and healthcare companies operating in California face unique challenges regarding California Consumer Privacy Act (CCPA) compliance because of existing inconsistencies between the CCPA and the Health Insurance Portability and Accountability Act (HIPAA). California Assembly Bill (AB) 713 addresses these inconsistencies by easing burdens imposed by the CCPA on medical research and by bringing certain provisions of the CCPA in line with HIPAA and other federal and state health data regulations. At the same time, the bill will impose additional requirements on the use of deidentified health data. AB 713 has passed the California legislature unanimously and will be signed or vetoed by Governor Newsom by September 30, 2020. If signed, the bill will immediately go into effect. Continue Reading The CCPA May Soon Be Amended to Strengthen CCPA Exemptions for Medical and Research Data

In the latest chapter of the discussions about Brazil’s LGPD, on August 26, 2020, the Senate rejected the article in the Executive Order (‘Medida Provisória’ – MP) which provided for the extension of its implementation to May 3, 2021. Accordingly, the MP will lose effect in relation to that article, and the LGPD will go into force promptly, pending only the presidential sanction. The implementation of the LGPD articles covering the administrative penalties remains set for August 1, 2021, as per the amended Law enacted on June 10, 2020. Continue Reading In a Surprise Move, the Brazilian Landmark Privacy Law, LGPD, Is About to Be in Effect

The final California Consumer Privacy Act Regulations (CCPA Regs) were adopted by the California secretary of state on August 14, 2020. In an addendum released by the California attorney general (Cal. AG), the office of administrative law (OAL) notes that their changes are “non-substantive changes for accuracy, consistency, and clarity.” There are indeed no wholesale changes from the version adopted by the California attorney general in June 2020 and the final CCPA Regs released on August 14, 2020. That said, the following changes, while not altogether transformative, could nonetheless cause businesses to update their CCPA compliance programs. Continue Reading The Final California Consumer Privacy Act Regulations Are in Effect

The attorney general’s office has posted a set of FAQs and corresponding responses on its California Consumer Privacy Act (CCPA) site. While aimed at providing guidance to consumers about the CCPA, the FAQs can also serve as a quick reference for businesses regarding their CCPA compliance obligations. Below are the highlights.

  • Right to Opt Out of Sale: California residents have the right to request that businesses stop selling their personal information (PI), which is an “opt-out request” that can be submitted via the “Do Not Sell My Personal Information” link that businesses must conspicuously provide on their websites and privacy policies. Businesses cannot require residents to create an account to submit opt-out requests, and if businesses ask for PI to complete these requests, they can only use such information to verify the consumers’ identities. Upon receipt of an opt-out request, a business must stop all sales of the consumer’s PI and wait 12 months before prompting the consumer to opt back in. Common exceptions to this opt-out right include sales that are necessary to comply with legal obligations and certain exempted medical or credit report information. Opt-out requests should be submitted to the businesses themselves and not their service providers, as service providers are not responsible for responding to such requests. Businesses can only sell PI of a child under the age of 16 if they have received affirmative “opt-in” consent. If the child is under the age of 13, that consent must come from the child’s guardian.

Continue Reading The AG Publishes Its FAQs on the CCPA

The Schrems II decision issued on July 16, 2020, is seismic.

In invalidating the Privacy Shield program, it immediately jeopardizes the portion of the $7.1 trillion in commerce between the European Union and United States that is in part underpinned by the Privacy Shield program.

But it does not have to be seismic for your company.

Standard contractual clauses are still valid under the decision.

If your company relies on Privacy Shield to transfer data from the European Union and United States,  you should, immediately identify the programs at issue and update your data protection addenda to add standard contractual clauses. The European Court of Justice placed a greater onus on data exporters in the European Union to assess the adequacy of privacy protections for the data importer [e.g., U.S. company].  Therefore U.S. companies should anticipate a greater degree of questions from customers and E.U. employees regarding the adequacy of the controls. In addition, we suggest the following additional steps for in-house teams:

  • First Step: Leverage your Article 30 inventory to identify data flows impacted by the decision
  • Second Step: Collaborate with your procurement and IT teams to assess impact
  • Third Step: Discuss with your senior leadership to align on risk tolerance
  • Fourth Step: Document the basis for the decision
  • Fifth Step: Develop your long term action plan (e.g., regionalized data centers, development of a cross-functional team)

Schedule a meeting to discuss your specific situation.

Please see our July 20 update for full analysis of the decision.