Search results for: CCPA

On February 7, 2020, the California Attorney General (AG) published a set of Modified Regulations under the California Consumer Privacy Act (CCPA).  The Modified Regulations take into account some of the comments received from the public late last year and make key changes to multiple definitions and provisions, in at least some cases providing more clarity and specificity than the original version.  The regulatory process is not yet done—the AG is accepting written public comments on the Modified Regulations until February 24, 2020—but it is unlikely there will be many more substantial revisions from this point forward.  It also now seems possible that we will see final Regulations in advance of the July 1, 2020 deadline.  The last step in the process is the AG’s submission of the final rulemaking record for approval by the CA Office of Administrative Law (OAL), which has 30 working days to approve the record before filing of the final Regulations with the Secretary of State.

Continue Reading California Attorney General’s Modified CCPA Regulations: Top Ten Changes

In less than one month, the California Consumer Privacy Act of 2018 (CCPA) will go into effect and begin a new era of data breach litigation. While the California Attorney General is charged with generally enforcing the state’s landmark privacy law, consumers’ ability to rely on a violation of the CCPA as a basis for violations of other state law statutes will be a concern.

For background, Section 1798.150(a)(1) of the CCPA gives consumers a limited private right of action. The provision allows consumers to sue businesses that fail to maintain reasonable security procedures and practices to protect “nonencrypted or nonredacted personal information” of a consumer and further fail to cure the breach within 30 days. A violation of this data security provision allows recovery of statutory damages of $100 to $750 per consumer per incident or actual damages, whichever is greater, as well as injunctive relief. To determine the appropriate amount of statutory damages, courts must analyze the circumstances of the case, including the number of violations, the nature, seriousness, willfulness, pattern, and length of the misconduct, and the defendant’s assets, liabilities, and net worth.

Continue Reading CCPA Review: The CCPA May Prohibit Some, But Not All, State Consumer Protection Law Claims

This week, the California Attorney General held public hearings on the draft California Consumer Privacy Act (CCPA) regulations it issued in October.  We attended the hearings in both Los Angeles and San Francisco.  One clear message resounded — unintended consequences of the proposed regulations if left as drafted.

Both hearings were well-attended, with dozens of comments from businesspeople, attorneys, and a handful of concerned citizens.  In addition to these two hearings, the Attorney General also held public hearings in Sacramento and Fresno, and is accepting written comments through Friday, December 6, 2019.  If the Los Angeles and San Francisco hearings are any indication, there are many areas in which the Attorney General could provide further clarity should it choose to revise the current draft regulations.

Continue Reading California Attorney General’s Public Hearings on CCPA Regulations in Los Angeles and San Francisco—An Overview

Late last week heralded two significant and highly anticipated updates to the California Consumer Privacy Act (CCPA).

On October 10, 2019, the Office of the California Attorney General issued a long-anticipated Notice of Proposed Rulemaking Action regarding the CCPA.  The full text of the proposed regulations can be found here.  The next day, Governor Gavin Newsom signed all seven amendments to the CCPA that came out of the California State Assembly.

This post will address the statutory amendments first since they modify the CCPA itself, then turn to the draft regulations (officially, the “California Consumer Privacy Act Regulations”). Continue Reading CCPA Update: AG Issues Draft Regulations and Governor Signs Amendments

As discussed here, the California Consumer Privacy Act of 2018 (CCPA), in its current state, likely applies to businesses that collect the personal information of their employees.  AB 25, which passed in the California Assembly on May 29, 2019, sought to address this issue by removing employees and job applicants from the CCPA’s definition of “consumer.”  This amendment was slated to exclude businesses from having to comply with the CCPA if their only connection to the “big data” world is collecting the personal information of employees and job applicants.

Recently, however, AB-25 underwent significant revisions when it made its way to the Senate Judiciary Committee for hearing on July 9, 2019.  The bill’s author, Assembly Member Ed Chau, agreed to amend AB-25 before it unanimously passed.  The amended version now states that businesses collecting personal information from job applicants, employees, owners, directors, officers, medical staff members or contractors of the business are exempt from the CCPA only until January 1, 2021.  Moreover, businesses are not completely off the hook under the one-year exemption.  They must still comply with the disclosure obligations under Sections 1798.100, and remain subject to a private right of action under the CCPA if there is a data breach based on a business’s failure to implement and maintain reasonable security procedures and practices.

It remains to be seen if AB-25 will be signed into law in its current iteration.  The addition of the sunset clause suggests that this amendment may be a placeholder until proponents on both sides of this issue negotiate legislation that, on the one hand, alleviates the CCPA’s burden on employers who do not collect or sell typical consumer data, and on the other hand, adequately protects employee privacy and information.

Last week, the IAPP hosted its annual Global Privacy Summit in Washington, D.C.  This year’s summit was the IAPP’s largest event, with more than 4,000 attendees from around the world.  From day 1, it was clear that the summit was heavily focused on the California Consumer Privacy Act of 2018 (CCPA), with many of the conferences covering the CCPA’s nuances, and tech vendors, legal professionals, and consultants offering compliance solutions for this new law. Continue Reading Recap: 2019 IAPP Global Privacy Summit Highlights the CCPA and Growing Demand for Federal Privacy Law

On February 26, 2019, the Daily Journal hosted its annual Cyber Forum in Beverly Hills, California.  The event, entitled “A California Perspective from the Epicenter of Data Security and Privacy,” focused primarily on the California Consumer Privacy Act of 2018 (CCPA) and federal law enforcement’s approach to data breach investigations. Continue Reading 2019 Cyber Forum Highlights CCPA

The California Attorney General is currently on a California tour soliciting public comment on the CCPA.[i] To date, the Attorney General has held public forums in San Francisco (January 8th), San Diego (January 14th) and Riverside (January 24th) and will continue on to Los Angeles (January 25th), Sacramento (February 5th), and Fresno (February 13th). These hearings are being held pursuant to a CCPA requirement that the Attorney General “solicit broad public participation and adopt regulations to further the purposes” of the CCPA. Specifically, the Attorney General is directed to seek public feedback on the following areas: expanding the definition of “personal information,” establishing additional exceptions to compliance, establishing rules and procedures for facilitating consumer opt-out requests, just to name a few. Continue Reading Recent Developments on the California Consumer Privacy Act (CCPA)

Threats to cybersecurity and data privacy are constantly increasing both in volume and complexity.  This trend is expected to continue in 2022.  In a bid to protect cybersecurity and ensure data is properly safeguarded, countries around the world are introducing new laws focused on cybersecurity and data protection.  Armed with new legal frameworks, regulators and law enforcement are placing onerous obligations on organisations who fall victim to cybersecurity breaches.  There are shorter deadlines in which to notify the authorities of data breaches and ever increasing fines and penalties for businesses that fail to respond swiftly and appropriately to a cyberattack.

In this ever-changing area what is on the horizon for 2022?

Continue Reading Cybersecurity and Data Privacy – What to expect in 2022

On June 14, 2021, the Board of the newly-formed California Privacy Protection Agency (“CPPA”) held its first public meeting.  The Board had an extensive agenda, covering topics such as the laws affecting the Board and CPPA, initial hiring strategy for the CPPA, policies and practices on delegations of authority and conflicts of interest, establishment of subcommittees of the Board, notice to the Attorney General regarding the assumption of rulemaking under the California Privacy Rights Act (the “CPRA”), and setting future agenda items and a meeting schedule for the Board.  (As a refresher, when the CPRA passed as a ballot measure last Fall, it established the CPPA as a first-of-its-kind agency solely devoted to the regulation and enforcement of consumer privacy.  The CPPA is tasked with enforcing the CPRA and developing a set of regulations providing guidance for businesses on how to comply with that new law.  For more on the CPRA, please see our post here.)

While the CPPA Board’s June 14 full-day meeting covered a lot of ground, it is clear there is much work to be done for the CPPA to emerge as an independent, fully-functional agency, let alone promulgating regulations in time to meet the CPRA’s July 1, 2022 deadline for final regulations.  Overall, the Board members appeared to be committed to working through these challenges, but acknowledged that they are under a lot of time pressure.

Continue Reading Starting at the Beginning: California Privacy Protection Agency Board Meets for the First Time