Written by Susan Kohn Ross, Lucy Holmes Plovnick, and Stacey Chuvaieva While the U.S. still does not have a federal privacy law, the laws in various states are changing. California was, of course, first, and even its law has changed. Following in 2023 are privacy laws in Virginia, Colorado, Connecticut and Utah. January 1, 2023 is the compliance date for the California Privacy Rights Act … Continue reading The CPRA and Recent Privacy Patchwork
On March 11, 2020, the California Attorney General (CA AG) issued additional revisions to the proposed regulations implementing the California Consumer Privacy Act (CCPA). The CA AG published a redline against the earlier proposed regulations highlighting the latest changes. A copy can be found here. The latest modified draft regulations are subject to a public comment period which ends on March 27, 2020, at 5:00 p.m. (PDT). Information about where to submit comments can be found at the end of this Alert.
The California Consumer Privacy Act (“CCPA”) took effect on January 1, 2020. In October 2019, the California Attorney General (“CA AG”) published proposed regulations. In the lead up to January 1, 2020, the CA AG repeatedly made the point that those subject to the CCPA should plan for compliance with its broad principals by the first of the year, while admitting enforcement would not start until the regulations were final, meaning July 1, 2020. As part of this process, the CA AG advised he did not expect there to be significant changes to the regulations between October and July. However, upon receiving comments to those October proposed regulations, he changed his mind and on February 7, 2020 revised regulations were issued. A subsequent notice on February 10, 2020 corrected the earlier publication, which omitted certain updates.
To be clear, some of the changes were long awaited (such as what the “Do Not Sell My Personal Data” button looks like), while others were unexpected (such as the change to the training requirement by raising the level of records from four million to ten million). This Alert will summarize the key proposed changes. Continue reading “New Revisions to the CCPA”
In Part 1, we summarized the recent legislative changes regarding the California Consumer Privacy Act (“CCPA”). Bearing in mind the CCPA takes effect on January 1, 2020 and the Attorney General is required to issue regulations by July 1, 2020, these regulations both meet that time frame, but also seek to provide much-needed guidance to industry.
Most of the legislative changes focused on narrowing the definition of personal information, clarified the time frame which applies when a consumer demands information the business possesses about him or her, and also confirmed the CCPA applies to businesses, not non-profits or government entities. In this Alert, we summarize the regulations which were recently issued. However, even in the regulatory context, the starting point remains the same. Companies should begin by asking the following questions: Continue reading “California Consumer Privacy Act: Are You Ready? (Part 2)”
In the last few weeks we have seen both regulatory and legislative action that has helped to clarify the scope and impact of the California Consumer Privacy Act (“CCPA”). By way of a refresher, the CCPA seeks to protect the personal information of California consumers by giving them greater knowledge about the nature and extent of the data collected about them, how it is used (sold or shared) by those who possess it, and how the individual consumer can control the use of his/her personal data. The CCPA applies to companies, regardless of where they are located, which:
Have annual gross revenues in excess of $25 million;
Alone or in conjunction with others annually buy, sell, receive or share for commercial purposes, the personal information of 50,000 or more consumers, households, or devices; or
Derive 50% or more of their annual revenues from selling consumer personal information.
This framework leaves companies to ask some very basic questions before deciding next steps:
What is our annual gross revenue (not limited to California income)?
Do we have the personal information of at least 50,000 consumers, households or devices located in California?
Do we sell the personal data we have of those California consumers, households or devices? If so, do we derive 50% or more of our annual revenues from those sales?
Even if we do not sell that personal data, do we disclose any portion of it to any third parties?
If you answered more than $25 million to the first question or yes to any of the remaining questions, you could be subject to the CCPA, but there is more to the analysis. The next important question is: do you hold personal data belonging to any California consumers, households or devices? If you answered no, you can breathe a sigh of relief. If not, get ready for the year-end push! Continue reading “California Consumer Privacy Act: Are You Ready? (Part 1)”