California Consumer Privacy Act (CCPA)

On our fourth episode of our Inside Privacy Audiocast, we are aiming our looking glass at the California Privacy Rights Act, and are joined by guest speaker Jacob Snow, Technology and Civil Liberties Attorney with the American Civil Liberties Union of Northern California.

In September 2019, Alastair Mactaggart, Board Chair and Founder of Californians for

The California legislature has approved a contingency plan to ensure that certain California Consumer Privacy Act (“CCPA”) exemptions will be extended beyond December 2020.  Regardless of what happens with the November ballot initiative, businesses will have at least another year before they must comply with all of the CCPA’s provisions when collecting or using certain

Two developments in the past week will likely have a significant impact on businesses subject to the California Consumer Privacy Act (“CCPA”): the long-awaited CCPA regulations have been finalized and put into immediate effect with modifications, while at the same time it seems increasingly likely that the exemptions for employees’ and business-to-business contacts’ data will be extended beyond January 2021.
Continue Reading Final CCPA Regulations Take Effect With Modification; Extension of Employee and Business-to-Business Exemptions Advances

Today, the California Senate Judiciary Committee will consider AB 1281, which would extend the California Consumer Privacy Act’s (CCPA) business-to-business and employment exemptions until January 1, 2022, in the event that the pending ballot initiative—which also would extend the exemptions—does not pass this November.

In addition, the Committee will consider two contact tracing measures, AB 660 (Levin) and AB 1782 (Chau).  Both bills could impact private employer and business contact tracing efforts:

  • AB 660 would prohibit use or disclosure of data collected for purposes of contact tracing for any other purposes. It generally would require deletion of such data within 60 days.
  • AB 1782 would require businesses that offer “technology-assisted contact tracing” to satisfy certain requirements, including providing individuals with the opportunity to revoke consent to collection of their personal information and rights to access, correct, and delete personal information. It also requires covered businesses to provide consumers certain disclosures, except where research or other exceptions apply, to delete personal information within 60 days from the time of collection, to maintain security safeguards, and to make available public reporting of the number of individuals whose information has been collected, amongst other content.

Finally, we also are watching SB 980, which passed out of the Senate on June 25, 2020 and is now under consideration by the Assembly.  SB 980 was scheduled for hearing before the Assembly’s Privacy and Consumer Protection Committee on July 28, although that hearing was postponed.  If enacted, the bill would impose certain additional privacy obligations on direct-to-consumer genetic testing companies that go beyond the CCPA, including requiring:
Continue Reading California Legislature Advances Privacy Legislation

The California Attorney General (“AG”) has submitted his proposed final CCPA regulations to the California Office of Administrative Law (“OAL”).

The proposed final rules substantively are the same as the draft rules released for public notice on March 11, which we summarized previously here.   However, the AG’s responses to comments and Final Statements of Reasons accompanying the final rulemaking package provide guidance on the AG’s position on key ambiguities under the CCPA.   For example, in declining to clarify whether the use of website cookies shared with third parties is a “sale,” the AG emphasized that, “[w]hether the particular situations raised in the comments constitutes a “sale” raises specific legal questions that would require a fact-specific determination, including whether or not there was monetary or other valuable consideration involved, the consumer directed the business to intentionally disclose the personal information, and whether the parties involved were service providers.”  The response thus is consistent with a determination that there is no “sale” of personal information based on specific facts and circumstances.  Other commentary provides guidance on such topics as the AG’s understanding of financial incentive provisions, obligations to respond to access and deletion requests, and when the law is applicable.
Continue Reading CCPA Update: Final Rulemaking Package Submitted to OAL

 On May 4th, 2020, Californians for Consumer Privacy confirmed that they had submitted hundreds of thousands more signatures than required to qualify for a ballot initiative. It is still yet unknown whether the Attorney General will qualify the ballot for the November 2020 election, let alone whether it would pass. If the initiative passes, it will be noteworthy for a number of reasons.
Continue Reading CCPA 2.0 And Where We Go From Here

In the latest development in the CCPA saga, the California Attorney General has further modified the draft regulations implementing the California Consumer Privacy Act (“CCPA”). His office’s website posted clean and redlined versions of the new regulations (the “March draft regulations”). Below, please find a summary of some of the most notable changes:
Continue Reading California AG Releases Draft CCPA Regulations: Round 3

The California Attorney General has released both clean and redlined versions of proposed modifications to the draft implementing regulations for the California Consumer Privacy Act (“CCPA”). Below is a high-level overview of some key changes:

  1. Service Providers. The modified draft restricts a service provider from processing the personal information it receives from a business except

In a complaint filed on Monday involving an alleged data breach, Barnes v. Hanna Andersson, the California Consumer Privacy Act (CCPA)—the State’s comprehensive privacy law that went into effect on January 1, 2020—was cited for what appears to be the first time in a lawsuit.  Importantly, however, the plaintiff in this case has not

While all eyes are on California following the implementation of the California Consumer Privacy Act (“CCPA”) earlier this month and the start of enforcement later this year, other states are off to the privacy races already.  On Monday, Washington State became the latest entrant with the introduction of a revised Washington Privacy Act.

From the proposals introduced so far this year in Washington, Virginia, New Hampshire, Illinois, and Nebraska, it is clear that states will continue to follow last year’s trend of varied approaches to state privacy legislation. While there are variations in state proposals, many of the bills seem to fall into three molds.

CCPA Copycats

The first category of proposals closely track the CCPA.  Some of these bills, like last year’s Mississippi Consumer Privacy Act, are essentially identical to the CCPA or have minor changes.  These bills may lack changes made by the September amendments to the CCPA.  For example, the CCPA originally regulated as personal information all information  “capable” of being associated with a consumer or household, whereas California’s definition is now tied to information “reasonably capable” of being associated with a consumer or household.  The September amendments also eliminated limitations on the scope of publicly available information and added exceptions for employment or business-to-business related data.  These differences were notable in the New Hampshire legislation recently introduced, which was otherwise in line with the CCPA.
Continue Reading State Privacy Trends to Watch in 2020