If you’re like us, you’ve been anticipating an announcement from the California Attorney General about the types of companies it targeted in its initial enforcement of the California Consumer Privacy Act (the “CCPA”), the types of violations the AG is interested in, and the types of arguments it is making in enforcing the Act.  While official word from the AG is unlikely before the end of the 30-day cure period following its initial notice letters, a member of the AG’s office did confirm during a recent panel discussion that the AG sent out those letters on July 1, 2020.

The statement was part of a fascinating and informative panel put on by the International Association of Privacy Professionals (“IAPP”).  It featured Stacey Schesser, Supervising Deputy Attorney General for the State of California and part of a multi-member team of attorneys in the AG’s office charged with enforcing the CCPA.  A recording is available on the IAPP’s website, and we encourage you to check it out if you’re a member.  In terms of the details gleaned from Ms. Schesser’s comments, here is what we know about the AG’s enforcement of the CCPA to-date:

Continue Reading California Attorney General CCPA Enforcement—Make Sure You Pay Attention to What Customers Are Saying on Twitter

On June 1, 2020, the California Attorney General submitted the final text of the CCPA Regulations to the California Office of Administrative Law (the “OAL”).  This was the last step the AG needed to take before the Regulations become enforceable.  But whether enforcement will still start on July 1, 2020 as set forth in the CCPA remains uncertain.

What does this mean for the timing of CCPA enforcement?

Some have questioned whether the AG’s delay in submitting the Regulations following the end of the last comment period in March signaled an intent by the AG to delay enforcement of the CCPA.  So far, however, there is no indication of any intended delay in either the AG’s press announcement regarding submission of the Final Regulations or his prior comments reiterating his intention to keep enforcement on track despite COVID-19.  Indeed, the AG requested expedited review of the Regulations by OAL in order to meet the July 1 deadline.

Continue Reading AG Submits Final CCPA Regulations—Is Enforcement Still on Track for July 1, 2020?

COVID-19 is delaying just about everything these days—except the CCPA.

In letters submitted on March 17 and March 20, a coalition of nearly sixty business and organizations called on California Attorney General Xavier Becerra to temporarily defer CCPA enforcement by six months to January 2, 2021 due to COVID-19. The coalition, which spans a range of industries including tech, telecommunications, advertising, retail, insurance, transportation and real estate, argued that a deferral of enforcement would allow businesses to prioritize the needs of their workforce during the global pandemic. The coalition also pointed to the still-changing nature of the CCPA’s regulations as grounds for a temporary enforcement hiatus, contending that businesses need time to implement the final CCPA requirements.

Continue Reading California Attorney General: CCPA Enforcement on Schedule Despite COVID-19

Here we go again.  On March 11, 2020, the California Attorney General (AG) published a second set of modifications to its Regulations under the California Consumer Privacy Act.  Unlike the AG’s modifications from just last month, the substantive changes this time are not quite so numerous.  There are, however, a few provisions worth noting.

As a general matter, the most significant changes this time around consist of undoing some of the additions made in the first set of modifications.  There is also some new language in the Regulations that provides further guidance for businesses that do not directly collect personal information as well as businesses working to draft CCPA-compliant privacy policies.

Continue Reading California Attorney General’s Second Set of Modified CCPA Regulations: Undoing, Redoing, Clarifying

“[P]rivacy legislation should have some kind of safe harbor provision in it so that companies understand that if they take certain steps, what they are doing is consistent with the law.”  Karen Zacharia, Chief Privacy Officer at Verizon

The California Consumer Privacy Act (CCPA) provides unparalleled rights for California residents with regard to data privacy.  The CCPA contains an expansive definition of “personal information” and establishes completely new data privacy entitlements for California consumers, including rights to access, delete and opt-out of the sale of personal information.  In addition, the CCPA provides new statutory damages and consumer private rights of action in the event of a data breach.

Continue Reading Industry Insight: The CCPA’s Elusive “Reasonable Security” Safe Harbor

On February 7, 2020, the California Attorney General (AG) published a set of Modified Regulations under the California Consumer Privacy Act (CCPA).  The Modified Regulations take into account some of the comments received from the public late last year and make key changes to multiple definitions and provisions, in at least some cases providing more clarity and specificity than the original version.  The regulatory process is not yet done—the AG is accepting written public comments on the Modified Regulations until February 24, 2020—but it is unlikely there will be many more substantial revisions from this point forward.  It also now seems possible that we will see final Regulations in advance of the July 1, 2020 deadline.  The last step in the process is the AG’s submission of the final rulemaking record for approval by the CA Office of Administrative Law (OAL), which has 30 working days to approve the record before filing of the final Regulations with the Secretary of State.

Continue Reading California Attorney General’s Modified CCPA Regulations: Top Ten Changes

In less than one month, the California Consumer Privacy Act of 2018 (CCPA) will go into effect and begin a new era of data breach litigation. While the California Attorney General is charged with generally enforcing the state’s landmark privacy law, consumers’ ability to rely on a violation of the CCPA as a basis for violations of other state law statutes will be a concern.

For background, Section 1798.150(a)(1) of the CCPA gives consumers a limited private right of action. The provision allows consumers to sue businesses that fail to maintain reasonable security procedures and practices to protect “nonencrypted or nonredacted personal information” of a consumer and further fail to cure the breach within 30 days. A violation of this data security provision allows recovery of statutory damages of $100 to $750 per consumer per incident or actual damages, whichever is greater, as well as injunctive relief. To determine the appropriate amount of statutory damages, courts must analyze the circumstances of the case, including the number of violations, the nature, seriousness, willfulness, pattern, and length of the misconduct, and the defendant’s assets, liabilities, and net worth.

Continue Reading CCPA Review: The CCPA May Prohibit Some, But Not All, State Consumer Protection Law Claims

This week, the California Attorney General held public hearings on the draft California Consumer Privacy Act (CCPA) regulations it issued in October.  We attended the hearings in both Los Angeles and San Francisco.  One clear message resounded — unintended consequences of the proposed regulations if left as drafted.

Both hearings were well-attended, with dozens of comments from businesspeople, attorneys, and a handful of concerned citizens.  In addition to these two hearings, the Attorney General also held public hearings in Sacramento and Fresno, and is accepting written comments through Friday, December 6, 2019.  If the Los Angeles and San Francisco hearings are any indication, there are many areas in which the Attorney General could provide further clarity should it choose to revise the current draft regulations.

Continue Reading California Attorney General’s Public Hearings on CCPA Regulations in Los Angeles and San Francisco—An Overview

Late last week heralded two significant and highly anticipated updates to the California Consumer Privacy Act (CCPA).

On October 10, 2019, the Office of the California Attorney General issued a long-anticipated Notice of Proposed Rulemaking Action regarding the CCPA.  The full text of the proposed regulations can be found here.  The next day, Governor Gavin Newsom signed all seven amendments to the CCPA that came out of the California State Assembly.

This post will address the statutory amendments first since they modify the CCPA itself, then turn to the draft regulations (officially, the “California Consumer Privacy Act Regulations”). Continue Reading CCPA Update: AG Issues Draft Regulations and Governor Signs Amendments

As discussed here, the California Consumer Privacy Act of 2018 (CCPA), in its current state, likely applies to businesses that collect the personal information of their employees.  AB 25, which passed in the California Assembly on May 29, 2019, sought to address this issue by removing employees and job applicants from the CCPA’s definition of “consumer.”  This amendment was slated to exclude businesses from having to comply with the CCPA if their only connection to the “big data” world is collecting the personal information of employees and job applicants.

Recently, however, AB-25 underwent significant revisions when it made its way to the Senate Judiciary Committee for hearing on July 9, 2019.  The bill’s author, Assembly Member Ed Chau, agreed to amend AB-25 before it unanimously passed.  The amended version now states that businesses collecting personal information from job applicants, employees, owners, directors, officers, medical staff members or contractors of the business are exempt from the CCPA only until January 1, 2021.  Moreover, businesses are not completely off the hook under the one-year exemption.  They must still comply with the disclosure obligations under Sections 1798.100, and remain subject to a private right of action under the CCPA if there is a data breach based on a business’s failure to implement and maintain reasonable security procedures and practices.

It remains to be seen if AB-25 will be signed into law in its current iteration.  The addition of the sunset clause suggests that this amendment may be a placeholder until proponents on both sides of this issue negotiate legislation that, on the one hand, alleviates the CCPA’s burden on employers who do not collect or sell typical consumer data, and on the other hand, adequately protects employee privacy and information.