Data privacy is a top concern for many in-house legal professionals – and for good reason – data privacy and cybersecurity legal requirements are complex and continually evolving. Data Privacy Day is a great day to start addressing your organization’s data privacy and cybersecurity needs.

On Data Privacy Day 2021, here is what is top of mind for some of our Data Privacy & Security Team members:

  • Andrew Konia – A Federal Privacy Law: “Calls (pleas?) for federal privacy legislation are nothing new, and last year we came close, with both parties presenting draft bills for consideration (surprise, neither passed!).  But now, with the White House and both chambers of Congress under Democratic control, there appears to be renewed (and more serious) interest in a federal privacy law. We have seen (admittedly narrow) hints of the federal government taking a stronger stance on cybersecurity standards with the IoT Cybersecurity Improvement Act of 2020, which applies to federal agency purchases. But you take the recent and intense backlash on “Big Tech’s” use/sharing of data and perceived lack of data transparency, and mix in the Biden Administration’s prioritization of consumer protection generally, and you have the recipe – and a strong political appetite – for a comprehensive federal privacy law.”
  • Bethany Lukitsch – California: “CPRA will be here before we know it, and most companies are going to have a lot to do to get ready. Updating privacy policies and adding ‘do-not-share’ links are one thing, but as with CCPA, it’s the behind-the-scenes work that is really going to take some time.  It’s certainly not too early to get started.”


Continue Reading Data Privacy Day 2021: Privacy and Cybersecurity Are On Our Minds, Too

In Part II of this series, California-based Ali Baiardo, and London-based Alice O’Donovan, continue their comparison of the GDPR and California privacy law. To view Part I in the series, click here.

NEW DATA PROTECTION PRINCIPLES AND OBLIGATIONS ON BUSINESSES

a. Key data protection principles

The GDPR revolves around seven key data protection principles:

  1. Lawfulness, fairness and transparency;
  2. Purpose limitation;
  3. Data minimisation;
  4. Accuracy;
  5. Storage limitation;
  6. Integrity and confidentiality (security); and
  7. Accountability


Continue Reading California Privacy Rights Act: A Move Closer to GDPR? Part II

The recently-passed California Privacy Rights Act (CPRA) augments and supplements California’s existing privacy law, the California Consumer Privacy Act (CCPA).  We are sure many practitioners are wondering how it stacks up with the European Union’s General Data Protection Regulation (GDPR). See below for Part I of our two part series comparing the CPRA and the GDPR (and see Part II here).

HOW DOES THE CPRA CHANGE THE CCPA?

The CPRA makes several significant changes to the CCPA:

  • It introduces the concept of “sensitive personal data”;
  • It introduces new obligations on businesses, and GDPR-style “principles”;
  • It introduces new rights for consumers; and
  • It creates a new supervisory authority for data protection and privacy in California — the California Privacy Protection Agency.

These changes are very significant – but do they represent a move closer to GDPR, or a move away?


Continue Reading California Privacy Rights Act: A Move Closer to GDPR? Part I

The November 2020 election left a lot of questions.  Among them, companies doing business in California are now asking about compliance with yet another California data privacy law, this time the California Privacy Rights and Enforcement Act of 2020 (the “CPRA”).  This article gives an overview addressing the what, when, and how of the CPRA.  (We won’t hazard a guess as to the why—we leave that to the backers of the new law.)

What is the CPRA?

The CPRA builds on the California Consumer Privacy Act of 2018 (the “CCPA”) in a number of key ways.  It includes: new consumer rights, new requirements for businesses, and a number of other miscellaneous changes.  Some parts of the CCPA will remain in effect, and others are rephrased or clarified.  We provide below a high-level overview of topics we believe businesses should be thinking about now as they look ahead to building-out their CPRA compliance programs.


Continue Reading You’re CCPA Compliant. So Now What? Top Tips for Companies Looking Ahead to the Recently-Passed CPRA

On October 12, 2020, the California Attorney General provided public notice of a new Proposed Third Set of Modifications to the Regulations under the California Consumer Privacy Act (the “CCPA”).  You will be forgiven if you assumed that “final approval” of the existing Regulations back in August meant the Regulations were final—or at least we hope so because we made the same assumption.

Since August, however, it appears the AG was working behind the scenes to resurrect previously withdrawn Sections 999.306(b)(2) (covering offline notice of opt-out if a business substantially interacts with consumers offline); 999.315(c) (minimum standards for opt-out requests); and 999.326(c) (specific requirements for authorized agents).  The AG describes the newly proposed rules as follows:


Continue Reading Spooky: Presumed-Dead CCPA Regulations Come Back to Life

On August 14, 2020, the California Attorney General announced final approval of the California Consumer Privacy Act Regulations by the Office of Administrative Law.  The Regulations take effect immediately.

While the revisions made to the Final Regulations mostly consist of “non-substantive changes” to correct grammatical errors or clarify the wording of various provisions, business should be aware of the “global modifications” made in a few key areas.  These are summarized below along with our take on what they may mean for businesses:


Continue Reading Finally Final: CCPA Regulations Take Effect

Update: On the evening of June 24, 2020—the same date we published the post below and the day before the original deadline for verification of signatures—the Secretary of State announced that the CPRA reached the signature verification threshold and qualified for the fall 2020 ballot.  While the Mactaggart lawsuit will now be a mere footnote in the history of the CPRA, any way you look at it, this was a successful week for Californians for Consumer Privacy.

On June 19, 2020, the Superior Court for Sacramento County, California issued a ruling providing relief to the promoters of the California Privacy Rights Act ballot initiative (the “CPRA”).  We wrote here about the potential problem with the timing of the signature verification process required for the CPRA to qualify for the Fall 2020 ballot, but that issue now appears to be resolved.

The specifics are to be ironed out in a further order to be jointly proposed by the parties, but suffice it to say that the procedural issue with the timing of signature verification will not prevent the CPRA from appearing on the Fall 2020 ballot.  For now, the Court ordered as follows:


Continue Reading CPRA Back on Track Following Court Order

On May 14, California Secretary of State Alex Padilla announced that the California Privacy Rights Act of 2020 (the “CPRA”) had obtained sufficient raw signatures to qualify for the November 3, 2020 ballot.  Those signatures are currently being verified by the counties in which they were obtained.  However, based on a complaint filed June 8 by Alastair Mactaggart and other members of Californians for Consumer Privacy—the proponents of the CPRA—it appears that the verification process may not be completed in time for the CPRA to appear on the ballot this Fall.

The lawsuit, Alastair Mactaggart, et al. v. Padilla, filed in Sacramento County Superior Court, alleges that Secretary of State Padilla failed to adhere to a provision of the California Elections Code requiring his office to “immediately” notify county officials to begin the verification process upon receipt of a sufficient number of raw signatures.  Here is a brief timeline of the events alleged in the Complaint:


Continue Reading A Day Late, but Will it Fall Short? CPRA Ballot Initiative May Not Appear on Fall Ballot

On June 1, 2020, the California Attorney General submitted the final text of the CCPA Regulations to the California Office of Administrative Law (the “OAL”).  This was the last step the AG needed to take before the Regulations become enforceable.  But whether enforcement will still start on July 1, 2020 as set forth in the CCPA remains uncertain.

What does this mean for the timing of CCPA enforcement?

Some have questioned whether the AG’s delay in submitting the Regulations following the end of the last comment period in March signaled an intent by the AG to delay enforcement of the CCPA.  So far, however, there is no indication of any intended delay in either the AG’s press announcement regarding submission of the Final Regulations or his prior comments reiterating his intention to keep enforcement on track despite COVID-19.  Indeed, the AG requested expedited review of the Regulations by OAL in order to meet the July 1 deadline.


Continue Reading AG Submits Final CCPA Regulations—Is Enforcement Still on Track for July 1, 2020?

There are many laws at the state and federal level that regulate the processing of genetic information.  There may soon be one more.

Earlier this month, the California Senate took up consideration of SB 980, the Genetic Information Privacy Act (“GIPA”), which “would prohibit a direct-to-consumer genetic testing services company from disclosing a person’s genetic information to a third party without obtaining the person’s prior written consent.”  As the bill itself acknowledges, the California Consumer Privacy Act of 2018 (the “CCPA”) already regulates the processing of biometric information, including DNA.  Other laws such as the federal Genetic Information Nondiscrimination Act of 2008 (“GINA”) and its California counterpart (“CalGINA”) prohibit genetic discrimination.  However, there are four key differences in how the GIPA would treat genetic information as compared to the CCPA: (1) the GIPA would create a requirement to obtain written opt-in consent for any disclosure of genetic information to a third party; (2) limit the use of genetic information to the purpose specifically authorized by the individual to whom it pertains; (3) require destruction of the information as soon as this purpose is achieved; and (4) depending on the circumstances, impose criminal as well as civil liability for violations.


Continue Reading The California Genetic Information Privacy Act: How This Proposed Legislation Fits in the California Privacy Regulation Framework