At the end of May, 2022, the California Privacy Protection Agency (“Agency”) released a preliminary draft of proposed regulations for the California Privacy Rights Act (“CPRA”). The 66-page draft proposal only covers a few topics the Agency is seeking to cover. The issues covered in this draft of the regulations include data collection and processing

John Tomaszewski
John Tomaszewski specializes in emerging technology and its application to business. His primary focus has been developing trust models to enable new and disruptive technologies and businesses to thrive. In the "Information Age", management needs to have good advice and counsel on how to protect the capital asset which heretofore has been left to the IT specialists - its data.
John's expertise in the understanding of a company's data protection and management needs provides a specialized point of view which allows for holistic solutions. A good answer should always solve at least three problems.
John has been a co-author of several information security and privacy publications, including the PKI Assessment Guidelines and Privacy, Security and Information Management: An Overview; as well as publishing scholarly works of his own on the topic. He has also provided input to the drafting of various security and privacy laws around the world; including the APEC Cross-Border Privacy Rules system. He is a frequent speaker globally on the topics of cloud computing, Self Regulatory Organizations (“SROs”), cross-border privacy schemes, and secure e-commerce.
China’s New Data Security Law
Introduction
On June 10, 2021, China officially passed China’s first Data Security Law, which will take effect on September 1, 2021. Following the introduction of the Data Security Law, together with the Cybersecurity Law, which has been implemented since June 1, 2017, and the Personal Information Protection Law, which is undergoing public comment…
Out With the Old, In With the New: New GDPR Standard Contractual Clauses
This post was originally posted on The Global Privacy Watch blog.
In a long-awaited decision, the European Commission (“Commission”) adopted two new sets of standard contractual clauses (“SCCs”) to reflect the EU’s General Data Protection Regulation (“EU GDPR”) and ‘the realities faced by modern business’ (see the …
California Prop 24 – Is the New Privacy Law Really New (Or Is the Sky Falling)
California has once again decided it needed to pass privacy legislation to protect the residents of the great state from the nefarious actions of Big Tech. However, this time they did it with a ballot initiative and not via the thoughtful (mostly) mechanism of the legislative process. The proponents of the California Privacy Rights Act of 2020 (“CPRA”) touted this as an improvement over the CCPA – but is it really? To listen to the proponents of the CPRA, it aims to strengthen California consumer privacy rights, while for the most part, avoiding the imposition of overly-burdensome requirements on a business, particularly those businesses that are already CCPA compliant. So, what’s changed, really?
California Attorney General Becerra Publishes Final Text of Proposed CCPA Regulations
Yesterday, California Attorney General Xavier Becerra announced his submission of the Final Regulations under the California Consumer Privacy Act (CCPA) to the California Office of Administrative Law (OAL). Under the California Administrative Procedure Act (APA), the OAL has 30 business days plus 60 calendar days (due to a COVID-related executive order) to determine whether the regulations meet the requirements of the APA. This final submission comes after various public forums, hearings, commentary, and revisions to the regulations.
Back in April, we discussed our expectations for the Final Regulations, which remain largely unchanged from the March 11, 2020 draft. In that post, we assessed certain elements of the Regulations that seemed to be in flux, such as notice at collection and of financial incentives, consumer opt-out rights, and the handling of requests to know and delete.
An important note is that the AG has requested an expedited timeline for OAL review in order to make the July 1 date for enforcement applicable. Specifically, Attorney General Becerra points to his particularly early submission of his rulemaking package in advance of his October deadline. This is in support of his request for the OAL to expedite their review consistent with the standard 30 business day requirement, which would bring the Regulations’ effective date close to in line with the CCPA’s specified July 1, 2020 enforcement date. …
What We Can Expect from the CCPA Regulations
While the United States largely hit the brakes as of March in the wake of the COVID-19 crisis, California Attorney General Xavier Becerra made clear his intentions to begin enforcement of the Act on July 1, 2020, as originally planned. This announcement came despite many organizations’ pleas to defer enforcement in order to relieve the…
And the Wait for CCPA Rules is Over …. Kind Of
Cross-posted from The Global Privacy Watch blog.
Attorney General Becerra’s office posted the long-awaited draft CCPA regulations a little before 2:00 pm (PST) October 10th. It was a bit of a curve ball, to be perfectly honest (considering the final swath of amendments to the CCPA are not even final until Governor Newsom signs them, or on October 13th). Tellingly, the California Administrative Procedure Act requires the California Department of Finance to approve “major regulations” (and they have 30 days to do that) prior to publication. Based on this, it would seem that these regulations were drafted prior to the amendments to the CCPA going through the legislature. This does not seem like an effective way to draft regulations, but hey, no one should tell the AG he shouldn’t jump the gun! They are now out there so, one reviews anyway.
Topping out at a modest 24 pages (the CCPA itself is 19 pages), the regulations are organized into seven articles. We’re directing our comments to the issues that pop out to us initially, and as always, we’ll post further observations as things progress.
CCPA Amendments: Again Employees and the Loyalty Program Change Nobody is Talking About
Those interested in keeping up with the latest news impacting the California Consumer Privacy Act have been heavily focused on AB 25, and its potential to exclude employees from the scope of the CCPA. In a marathon late-night session, the California Senate Judiciary Committee weighed in July 11 on various bills—including AB 25. And while AB 25 was part of the Committee debate, that amendment may actually make the bill less useful than first intended. Additionally, another bill made it out of committee which has the potential of a far greater impact than anyone seems to be noticing.
Upcoming Webinar Series! California Consumer Privacy Act: Is your organization ready?
In just a few short months, on January 1, 2020, the California Consumer Privacy Act (CCPA) is set to go into effect, establishing new consumer privacy rights for California residents and imposing significant new duties and obligations on commercial businesses conducting business in the state of California. Consumer rights include the right to know what…
And Texas joins the Privacy Fray – Part 2 (or, Everything is Bigger in Texas…)
Cross-Posted from The Global Privacy Watch Blog
In Part 1 of our ‘Texas Joins the Privacy Fray’ series, we focused on the Texas Consumer Privacy Act. Here, we shine the light on the Texas Privacy Protection Act (HB 4390).
The TXPPA is distinguishable from both the TXCPA and the CCPA because the applicability thresholds are different. For the TXPPA to apply, a business must 1) be doing business in Texas; 2) have more than 50 employees; 3) collect personally identifiable information (“PII”) of more than 5,000 individuals, households, or devices (or has it collected on the business’s behalf); and 4) meet one of the following two criteria – the business’ annual gross revenue exceeds $25 million; or the business derives 50% or more of its annual revenue from processing PII.