Data Privacy

Subscribe to Data Privacy

Yesterday, California Attorney General Xavier Becerra announced his submission of the Final Regulations under the California Consumer Privacy Act (CCPA) to the California Office of Administrative Law (OAL).  Under the California Administrative Procedure Act (APA), the OAL has 30 business days plus 60 calendar days (due to a COVID-related executive order) to determine whether the regulations meet the requirements of the APA.  This final submission comes after various public forums, hearings, commentary, and revisions to the regulations.

Back in April, we discussed our expectations for the Final Regulations, which remain largely unchanged from the March 11, 2020 draft.  In that post, we assessed certain elements of the Regulations that seemed to be in flux, such as notice at collection, and of financial incentives, consumer opt-out rights, and the handling of requests to know and delete.

An important note is that the AG has requested an expedited timeline for OAL review in order to make the July 1 date for enforcement applicable.  Specifically, Attorney General Becerra points to his particularly early submission of his rulemaking package in advance of his October deadline. This is in support of his request for the OAL to expedite their review consistent with the standard 30 business day requirement, which would bring the Regulations’ effective date close to in line with the CCPA’s specified July 1, 2020 enforcement date.
Continue Reading California Attorney General Becerra Publishes Final Text of Proposed CCPA Regulations

At the beginning of 2020, a Federal privacy law, similar to that of GDPR or PIPEDA, was a faint and distant reality. However, in light of some mobile device and other monitoring being considered because of the COVID-19 pandemic, US Senators Roger Wicker (R-Miss.), chairman of the Senate Committee on Commerce, Science, and Transportation; John

While the United States largely hit the brakes as of March in the wake of the COVID-19 crisis, California Attorney General Xavier Becerra made clear his intentions to begin enforcement of the Act on July 1, 2020, as originally planned. This announcement came despite many organizations’ pleas to defer enforcement in order to relieve the

In this unprecedented time, businesses are, more than ever, implementing and rapidly rolling out programs for remote or at-home work by employees. The quick changes in local and state governmental “shelter in place” instructions and Public Heath directives have placed significant strains on remote networks and caused local shortages of laptop computers at office supply and electronic stores across the country.

With this unexpected increase in remote workers, many companies are pushing the limits of their existing remote access technology, or deploying ad hoc technology and access solutions as quickly as possible. Some of those companies are not taking the time to consider potential information security, privacy, and other compliance ramifications for those same remote workers.

It is entirely appropriate and necessary for companies to adapt their technology and work networks are utilized to the greatest degree possible to remain in operation and serve business and customer needs. But as always, data security and privacy should always be part of the equation.

Below are some essential things to know about the security risks posed by remote or at-home worker, and a Technical Checklist for Remote employees to make sure your corporate data is safe, and you do not risk compliance challenges with data privacy law and requirements.
Continue Reading Cybersecurity, Data Privacy, and Compliance Issues Related to Remote Workers

Cross-posted from The Global Privacy Watch blog.

Attorney General Becerra’s office posted the long-awaited draft CCPA regulations a little before 2:00 pm (PST) October 10th. It was a bit of a curve ball, to be perfectly honest (considering the final swath of amendments to the CCPA are not even final until Governor Newsom signs them, or on October 13th). Tellingly, the California Administrative Procedure Act requires the California Department of Finance to approve “major regulations” (and they have 30 days to do that) prior to publication. Based on this, it would seem that these regulations were drafted prior to the amendments to the CCPA going through the legislature. This does not seem like an effective way to draft regulations, but hey, no one should tell the AG he shouldn’t jump the gun! They are now out there so, one reviews anyway.

Topping out at a modest 24 pages (the CCPA itself is 19 pages), the regulations are organized into seven articles. We’re directing our comments to the issues that pop out to us initially, and as always, we’ll post further observations as things progress.
Continue Reading And the Wait for CCPA Rules is Over …. Kind Of

In our May blog post, we took issue with the broadcast statement that ‘consumer privacy law was sweeping the country and that other states were jumping on the California Consumer Privacy Law (CCPA) bandwagon to enact their own state law.’ The problem as we saw it, was that the truth behind these sensationalistic statements was a bit more nuanced than people were led to believe. Most states, we found, that introduced consumer privacy legislation simply did not follow through, either by outright killing the legislation (MS) or by taking a step back with a wait and see approach (see TX). Nevada, by contrast, did neither. Instead, its legislature enacted its own consumer privacy solution, through SB 220, or as we call it, ‘the limited privacy amendment.’ We’ve opted to discuss Nevada’s approach here primarily because of its more restrictive application online and because its October 1, 2019, operational date is a full three months before the CCPA becomes operational.

First, the limited privacy amendment is not the CCPA. Let’s make that perfectly clear. True, it was modeled on the opt-out section of the CCPA, but it isn’t a mirror copy as it amends existing law. There are three primary areas operators conducting business over the Internet need to be aware of, when evaluating compliance measures:  
Continue Reading Nevada: Bucking the Wait and See Approach to Consumer Privacy Law

Those interested in keeping up with the latest news impacting the California Consumer Privacy Act have been heavily focused on AB 25, and its potential to exclude employees from the scope of the CCPA. In a marathon late-night session, the California Senate Judiciary Committee weighed in July 11 on various bills—including AB 25. An while AB 25 was part of the Committee debate, that amendment may actually make the bill less useful than first intended. Additionally, another bill made it out of committee which has the potential of a far greater impact than anyone seems to be noticing.
Continue Reading CCPA Amendments: Again Employees and the Loyalty Program Change Nobody is Talking About

In just a few short months, on January 1, 2020, the California Consumer Privacy Act (CCPA) is set to go into effect, establishing new consumer privacy rights for California residents and imposing significant new duties and obligations on commercial businesses conducting business in the state of California. Consumer rights include the right to know what

The eDiscovery and Information Governance Group has been ranked in Tier Three in the latest Legal 500 ranking. Richard (Rick) Lutkus was also recognized as a Rising Star in Media, Technology & Telecoms – Cyber Law. Rick Lutkus and Kathleen McConnell were also recognized by the editorial as recommended lawyers. Led by Scott Carlson (also

Senate Bill 561, which would have generated even greater compliance challenges and litigation risk for businesses, has been held in committee and placed on suspense. This development effectively prevents the bill from advancing for a vote and is a bit of CCPA good news for businesses. It also serves as a minor setback to consumer