California Consumer Privacy Act (CCPA)

The prevailing wisdom after last year’s enactment of the California Consumer Privacy Act (CCPA) was that it would result in other states enacting consumer privacy legislation. The perceived inevitability of a “50-state solution to privacy” motivated businesses previously opposed to federal privacy legislation to push for its enactment. With state legislatures now convening, we have identified what could be the first such proposed legislation in New York Senate Bill 224.

The proposed legislation is not nearly as extensive as the CCPA and is perhaps more analogous to California’s Shine the Light Law. The proposed legislation would require a “business that retains a customer’s personal information [to] make available to the customer free of charge access to, or copies of, all of the customer’s personal information retained by the business.” It also would require businesses that disclose customer personal information to third parties to disclose certain information to customers about the third parties and the personal information that is shared. Businesses would have to provide this information within 30 days of a customer request and for a twelve-month lookback period. The rights also would have to be disclosed in online privacy notices. Notably, the bill would create a private right of action for violations of its provisions.

We will continue to monitor this legislation and any other proposed legislation.

As we turn the page on 2018, let’s reflect on some of the key privacy and cybersecurity issues that will continue to occupy our hearts and minds in 2019.

Owning the Mega-Breach

2018 was the year in which data breaches in mergers and acquisitions became the iceberg in full view. This fuller realization of cyber risk in transactions, though, actually has its origin in September 2016 – when Yahoo and Marriott were in the midst of deals that would involve some of the largest data breaches on record. Continue Reading Some Thoughts on the Year in Privacy and Data Security Law

Just in case you needed a reminder that the California Consumer Privacy Act of 2018 (CCPA) will go into effect on January 1, 2020, the California Department of Justice announced that it will hold six statewide forums to collect feedback from stakeholders as part of its duty to promulgate regulations “that will establish procedures to facilitate consumers’ rights.” The meetings will be held between January 8, 2019 and February 15, 2019. Further information is available at https://www.oag.ca.gov/privacy/ccpa. The California Department of Justice also is accepting comments via email and mail. Members of Ballard Spahr’s privacy and data security practice group are already regularly assisting clients in complying with the CCPA and are available to consult on any written comments that entities may be considering.

For good reason, there has been much discussion about the new privacy rights created by the California Consumer Privacy Act of 2018 (CCPA), which becomes effective January 1, 2020. Perhaps one of the most significant provisions of the CCPA, though, will be one that has been somewhat overlooked: Section 1798.150, which provides for statutory damages of between $100 and $750 per consumer per incident for certain data breaches. Indeed, had California enacted Section 1798.150 alone, it would have garnered scores of articles on how its statutory damages remedy will likely lead to an explosion in “bet-the-company” private class action litigation over data breaches. The fact that it was enacted as just one provision in a first-in-the-nation privacy law has resulted in commentators spending less time analyzing its impact on businesses.

We will try to remedy this by taking a look at this provision and analyzing how it will apply to businesses covered by the CCPA. We begin by discussing existing California laws that are referenced in the CCPA’s private right of action. We then track the private right of action through its various forms, starting with the ballot measure and ending with its current version as reflected in Senate Bill 1121. Finally, we discuss how the private right of action likely will be used by private litigants and what steps businesses should take to avoid costly litigation. Continue Reading Analyzing the California Consumer Privacy Act’s Private Right of Action

Less than three months after California passed the California Consumer Privacy Act of 2018 (CCPA), Governor Jerry Brown signed SB 1121 this week, making a number of technical and substantive changes to the law.

Of particular note: SB 1121 modifies the financial institution carve-out language in CCPA section 1798.145(e). While the change is a welcome development for entities subject to regulation under the Gramm-Leach-Bliley Act (GLBA), it does not grant full exemption from the CCPA. Therefore, GLBA-regulated entities that collect information online will need to analyze the CCPA’s requirements and how they apply to a specific business. Continue Reading GLBA and the California Privacy Act: Analyzing SB 1121’s Change to the Financial Institution Carve-Out Provision

As discussed in our prior post, the California Consumer Privacy Act of 2018 (the “Act”) is expected to be modified by the California legislature prior to its January 1, 2020, enforcement deadline. In fact, while Governor Brown signed the legislation less than two months ago, one effort to amend the law already is underway through California Senate Bill 1121.

Continue Reading Update on California’s Consumer Privacy Act of 2018

Thank you to everyone who attended our webinar on the California Consumer Privacy Act of 2018.  For those who were unable to attend, you can listen to the recording here and obtain a copy of the slide deck here.  To access the recording, please fill in the requested information under “Register Now,” select “Yes, I will attend,” and click “Register.”

Just as many US businesses were scrambling to meet GDPR compliance, California quickly passed a broad new privacy act, giving businesses another privacy compliance headache. We’ve previously blogged on the dramatic history behind the eleventh-hour passage of the California Consumer Privacy Act (CCPA), so we won’t rehash that story here.  Instead, the focus of this post will be on the overlap between the CCPA and the GDPR.  Continue Reading Using the GDPR to Comply with the California Consumer Privacy Act

As we discussed in our prior alert, California voters had been poised to consider a citizen-initiated ballot measure that would have significantly expanded the privacy rights of California citizens and provided substantial penalties for noncompliant companies. In response to that ballot measure, the California legislature hastily pushed through privacy legislation despite the “grave, grave concerns” expressed by lawmakers.

Lawmakers were willing to enact the flawed legislation based on an assurance from the leader of the ballot measure that he would not submit the measure if the legislation was passed. However, because the deadline to submit ballot measures was June 28, 2018, lawmakers had to rush the legislation through both houses. And, since state law requires that legislation be in print for at least 72 hours before a vote, lawmakers had no opportunity to offer amendments.

Lawmakers were willing to engage in such a rushed course of action because, if the ballot measure had become law, both houses would have been required to approve any changes by a 70 percent vote instead of a simple majority. Also, because the legislation does not go into effect until January 1, 2020, lawmakers theoretically can fix any problems in the intervening time frame.

Despite its tumultuous legislative history, the legislation—titled the California Consumer Privacy Act of 2018—grants significant privacy rights to California residents. Any entity that does business in California and qualifies as a “business” under the Act will need to comply with the law or risk substantial financial penalty.

Continue Reading California Passes Legislation Significantly Changing Privacy Requirements for Entities Doing Business in the State