California is the newest “privacy battleground” and the CCPA will apply to a wide scope of business and an even wider scope of personal information. Since February 2019, Mintz has run a webinar series focused on helping businesses understand the reach and scope of the California Consumer Privacy Act (CCPA), and our team has been working with clients of all sizes and in all sectors to assess CCPA exposure and risk.
CCPA Webinar Recordings
California Consumer Privacy Act: Overview (2/6/2019)
This webinar, the first in our California Consumer Privacy Act Series, provides an overview of the act including who it applies to, the types of data covered, and the new rights granted by the act such as data access, deletion, and portability. Actionable, business-focused advice is provided regarding preparing data inventories and process flows to support these new rights, as well as business model considerations in light of the act’s guidance on data monetization and the sanctions and remedies that companies may face. Click to View Recording
In May of 2018, the EU’s General Data Protection Regulation (GDPR) took effect. Not to be outdone, California passed its own sweeping data protection legislation in August of 2018 — the California Consumer Privacy Act of 2018 (CCPA). In this webinar, Sue Foster and Cynthia Larose discuss the key similarities and differences between the GDPR and the CCPA, as well as practical steps your company can take to assess gaps and map out your path to compliance. Click to View Recording
The CCPA includes an exemption for personal health information collected by HIPAA-covered entities. But, health care organizations and life sciences companies still have obligations under CCPA and are not completely “home free.” In this webinar, Dianne Bourque and Cynthia Larose discuss the requirements of the CCPA for health care organizations – both HIPAA-covered entities and business associates – and life sciences companies, and discuss the scope of the HIPAA, Confidentiality of Medical Information Act, and clinical research exemptions. Click to View Recording
With the January 1, 2020 deadline for compliance with the California Consumer Privacy Act fast approaching, companies that serve California residents want to know how the act will affect their businesses. The retail and hospitality industries depend on knowing and understanding consumers to both attract and retain them. In this webinar, Cynthia Larose and Brian Lam focus on how to retool common process flows to become compliant with the act while maintaining user experience, provide a checklist on best practices for complying with the new regulations, and discuss current developments with amendments to the act. Click to View Recording
With the California Consumer Privacy Act (CCPA) set to take effect on January 1, 2020, many businesses dealing with California consumers and their information are under immediate pressure to comply. Despite the deadline, the CCPA remains a work in progress. From ways to institute compliance practices in such a short amount of time, to strategies for avoiding the incoming flood of litigation, many unanswered questions remain. This session will focus on: the latest CCPA legislative updates, tips for anticipating and avoiding CCPA class actions, the CCPA's private right of action, strategically responding to CCPA request, and a checklist on best practices for complying with the new regulations and how to avoid pitfalls. Click to View Recording
We are continuing our webinar series on the impact of the California Consumer Privacy Act (CCPA) now that amendments have been passed and are awaiting signature by the governor. One of the amendments, AB 25, narrows the definition of “consumer” to exclude employees (at least until January 2021) but still imposes certain obligations on employers. Jennifer Rubin, a Member in the firm’s Employment, Labor & Benefits Practice, will review the CCPA’s implications for employers who have California operations and provide practical suggestions as to next steps. Click to View Recording
EU General Data Protection Regulation (GDPR) Webinar Series
CCPA Blog Posts
2020 “back to school” has a whole new meaning in the age of COVID-19. Now, it is finally time for companies to take compliance with the California Consumer Privacy Act (“CCPA”) off the back burner and implement policies and procedures and processes.
The California Legislature has passed AB-1281 over to the Governor’s desk, approving the continuation of an exemption for personal information collected in the employment context and certain information collected in the course of a business-to-business (B2B) transaction or about B2B-related personnel.
California Attorney General Becerra announced Friday afternoon that the Office of Administrative Law (OAL) had approved the final CCPA regulations his office submitted to the OAL in June, and that the review process is complete. This means that the CCPA Regulations go into effect immediately.
At present, the California Consumer Privacy Act (CCPA) has “temporary” (and limited) exemptions for the application of portions of the CCPA to personal data collected in the course of business-to-business transactions (Section 1798.145(o)) and that of employees and job applicants (Section 1798.145(h).
Today's The Day: CCPA Enforcement Begins (7/1/2020)
As we’ve been writing about in this space for some time, today marks the opening of the CCPA enforcement era.
Just as businesses are gearing up for the start of enforcement of the California Consumer Privacy Act (“CCPA”), California cleared the way for the California Privacy Rights Act (“CPRA”). The CPRA is an initiative imposing greater privacy restrictions on businesses holding consumer data, to be voted on as part of California’s November 2020 ballot.
A New CCPA Data Breach Lawsuit Is “Minted” (6/17/2020)
Online stationery and craft company Minted Inc. has been hit with a CCPA class action lawsuit, stemming from a massive data breach the company disclosed in late May. The proposed class action lawsuit, filed in a California federal court, claims that Minted Inc. failed to implement “reasonable security measures” and to properly encrypt certain personal information.
This post focuses on the California Consumer Protection Act of 2018 (the “CCPA”). The CCPA went into effect on January 1, 2020, and its enforcement is set to begin on July 1, 2020.
The California AG’s office has dropped the long-awaited final CCPA Regulations, and requested expedited review from the Office of Administrative Law.
The organization known as Californians for Consumer Privacy announced yesterday that it successfully secured enough signatures to qualify adding the California Privacy Rights Act (“CPRA”) to the state’s November 2020 ballot.
While many companies around the world are coping with a global pandemic, some are facing additional challenges in light of a looming deadline triggered by the California Consumer Privacy Act (“CCPA”). Citing #covid19 concerns, a coalition of more than 60 such companies made a plea this week to California’s Attorney General Xavier Becerra (“AG”) to delay the AG’s enforcement of the CCPA.
Although it may not seem like it, there are privacy-related issues to discuss beyond COVID-19. Before the state of emergency, we saw the first complaint under the California Consumer Privacy Act (CCPA) filed in a California federal court. This action, styled as Fuentes v. Sunshine Behavioral Health Group, LLC, Case No. 8:20-cv-00487 (C.D. Cal. March 10, 2020), arose from a data breach, which allegedly exposed highly sensitive personal and medical information of thousands of patients of Sunshine Behavioral Health Group (“Sunshine”).
Wrapping up our multi-part series on the recent revisions to the CCPA draft regulations issued earlier this month by the California Attorney General’s office, we look at Article 6 pertaining to non-discrimination and financial incentives.
In this post, we offer insights on the revisions recently made by the California Attorney General’s office to Article 5 of its draft regulations pertaining to special rules regarding minors. Article 5 imposes special requirements on businesses that sell the personal information of children and minors.
Analysis of Modified Attorney General Regulations to CCPA—Part 3: Verification of Requests (2/19/2020)
In this post, we offer insights on the revisions recently made by the California Attorney General’s office to Article 4 of its draft regulations pertaining to verification requirements. Article 4 specifies how businesses should verify consumers’ identities when they receive consumers’ data requests.
We previously provided insights into this important portion of the regulations here. In this installment we address important revisions provided by the AG’s office to Article 3 of these regulations, several of which will have far reaching implications.
Back in October, we provided a summary of Article 2 of the California Attorney General’s Initial Proposed CCPA draft regulations, which specify certain notices that must be given to consumers at the time of collection of their personal information, including consumers’ rights to opt-out of the sale of their personal information, and notices of financial incentives a business may offer in exchange for consumers’ personal information. Article 2 also provides specific CCPA requirements for company privacy policies.
The revised draft regulations to the California Consumer Privacy Act were issued by the California Attorney General’s office on February 7, and then modified on February 10. These amendments are open for public comment under Tuesday, February 25, 2020 at 5 pm PST.
Late in the afternoon on Friday, the California Attorney General dropped the long-awaited revised draft regulations implementing the California Consumer Privacy Act of 2018 (CCPA). The AG’s office provided a redline to the initial draft regulations, which we have previously discussed.
The companies Salesforce.com, Inc. and Hanna Andersson, LLC are on the receiving end of a novel lawsuit, which appears to be the very first data breach class action ever filed with alleged violations of the California Consumer Privacy Act (“CCPA”). The case is styled as Barnes v. Hanna Andersson, LLC , N.D. Cal., Case No. 20-cv-00812.
With the CCPA having just become effective January 1st, 2020, affected entities and consumers may not have expected that actions are already being taken to dramatically amplify the consumer protections put in place by the CCPA. Yet Alastair Mactaggart, who led the effort that resulted in the CCPA, via the advocacy group Californians for Consumer Privacy, has put forth a ballot initiative, to be known as the California Privacy Rights Act (CPRA), to do just that.
The short answer is “no”. The CCPA has a specific definition for “service provider” at Section 1798.140(v) – see our annotated version of the CCPA here – and it also requires a vendor to be bound by a written contract that prohibits it from:
- Retaining the personal information for “any purpose other than for the specific purpose of performing the services specified in the contract … or as otherwise permitted by this title”
- Using the personal information “for any purpose other than for the specific purpose of performing the services specified in the contract … or as otherwise permitted by this title”
- Disclosing the personal information “for any purpose …” you get the drift. See Section 1798.140(v)
Because the term “consumer” is so broad in the CCPA (remember: it’s any California resident), it would have applied to employee and job applicant data and all business contact information across the board. After much negotiation, the legislature enacted (and the Governor signed) two amendments dealing with this information. Until January 1, 2021, the CCPA will not apply to information collected about employees or job applicants, or in typical business-to-business (B2B) transactions by a business otherwise required to comply with CCPA.
Unless you have been living off the grid for the past year, you likely know that we are now down to 13 days and counting to the effective date of the California Consumer Privacy Act (CCPA). We have received hundreds of questions and concerns from clients over the past few weeks in the preparations of compliance programs and thought we would share a question of the day (QOTD).
The California Consumer Privacy Act becomes effective on January 1, 2020 with an amendment that impacts California employers. Covered businesses should, of course, already be in the process of preparing CCPA privacy notices and disclosures. And while the amendment carves out some of the direct CCPA provisions applicable to California employers, employee data – and how it is handled – should also be on every covered employers’ to do list.
The California Attorney General’s CCPA draft regulations impose additional requirements for collection of data from children under 13 on top of those imposed by the federal Children’s Online Privacy Protection Act (COPPA), and also create additional requirements for minors between the ages of 13 and 16. Businesses will need to have reasonable processes in place to ensure that the person providing consent for the sale of a child’s data on his or her behalf is actually their parent or legal guardian. Minors must also be able to opt in, and later, opt out, of the sale of their PI. Businesses should include these practices in their privacy policies.
The California Attorney General’s draft regulations specify how businesses verify consumers’ identities when they receive consumers’ data requests. Specifically, Section 999.323 requires a business (i) to verify consumers’ requests by using available data and implementing reasonable security measures, (ii) not to collect new data for verification unless necessary for security purposes, and (iii) to promptly delete newly collected information.
Within Article 3 (pages 10-18), the regulations detail important requirements that every business must follow when providing and fulfilling consumer rights under the CCPA.
Article 2 of the California Attorney General’s draft regulations specify certain notices that must be given to consumers at the time of collection of their personal information, including consumers’ rights to opt-out of the sale of their personal information, and notices of financial incentives a business may offer in exchange for consumers’ personal information. Article 2 also provides specific CCPA requirements for company privacy policies.
The California Attorney General’s office (CA AG) has published the long-awaited implementing regulations to the California Consumer Privacy Act (CCPA). In addition to the regulations, the CA AG also released a Notice of Proposed Rulemaking and Initial Statement of Reasons to support the draft regulations. The CA AG will hold a series of public hearings as outlined in the Notice of Proposed Regulations, and will be accepting written comments from the public on the regulations until 5:00 PM PST on December 6, 2019.
The California Attorney General has issued draft regulations to the California Consumer Privacy Act. View the draft regulations in this post.
2019 CCPA Amendment Process Comes to a Close (9/20/2019)
Interested parties and privacy professionals have all been anxiously awaiting how legislative activity would shake out before the California Consumer Privacy Act (“CCPA”) is implemented January 1, 2020. Now that the dust has settled inside the golden dome in Sacramento and the state legislature’s 2019 session has come to a close, we can see which bills passed and will be provided to Governor Gavin Newsom, who has until October 13th to either veto these bills or sign them into law.
The California 2019 legislative session closes on Friday, and thus all bills must be finalized to move to the Governor’s desk for signature. That means that all CCPA pending amendments have a few more days. Last Friday marked the last day on the legislative calendar that changes could be made from the floor to pending amendments, and the California Senate did just that with several of the CCPA Assembly bills.
In California's Senate session on September 5, AB 1130 was passed, which amends the state’s data breach notification law. The amendment would include passports, biometric data, and taxpayer and military identification numbers to the definition of “personal information” requiring notice under the breach notification law if breached.
And the CCPA Amendment Countdown Begins … (8/13/2019)
The California Legislature has returned from its summer recess and got right to work on the pending amendments to the California Consumer Privacy Act (CCPA). The Legislature has 30 days from today to send any amendments to the Governor’s desk for signature.
Get ready: October 1, 2019 is the new date for many U.S. businesses to begin providing consumers the right to opt-out of the sale of their personal information. While January 1, 2020 was the date upon which many businesses were prepared to provide notice of consumers’ right to opt-out of the sale of their personal information to comply with California’s Consumer Privacy Act (CCPA), Nevada moved the goalpost last week and signed Nevada Senate Bill 220 (SB-220) into law, which requires many businesses to provide a similar opt-out, and becomes effective on October 1, 2019.
The California Consumer Privacy Act takes effect on January 1, 2020, but amendments are expected. In an article recently published by Bloomberg Law, Mintz attorneys Joshua Briones, Esteban Morales and Matthew Novian discuss the April 9 hearing on SB-561, a bill that would expand the private right of action and remove compliance opportunities for businesses, and explain why the bill should be closely watched.
On June 28, 2018, California passed the California Consumer Privacy Act (CCPA) and then further amended it on September 23, 2018. CCPA breaks new state law privacy ground, and this post addresses some of the confusion surrounding the exemptions for health information.
Last week, California State Senator Jackson and state Attorney General Becerra introduced a new bill, Senate Bill 561. If passed, it will greatly expand the consumers’ right to bring private lawsuits for violations of the California Consumer Privacy Act (“CCPA”). SB 561 will: (1) provide for a private right of action for all CCPA violations—not just those stemming from a data breach; (2) eliminate the 30-day safe-harbor provision that currently allows companies to cure the violation and thereby avoid a private right of action; and (3) prevent companies from seeking specific opinions from the Attorney General and instead allow the AG’s office to provide “general guidance” via publications.
CCPA Amendment May Answer Employee Question (3/28/2019)
We’ve now presented two webinars (links will be posted ICYMI) on the scope of the California Consumer Privacy Act, and have been talking with scores of clients about preparation and planning. One of the most frequently asked questions is whether the CCPA really applies to employee personal data processe by employers for business purposes.
On the heels of the passing one of the nation’s leading pieces of privacy legislation, the California Consumer Privacy Protection Act (“CCPA”), Governor Newsom, used his first “State of the State” address, to highlight his position on data protection and privacy, by saying that technology companies “make billions of dollars collecting, curating and monetizing our personal data have a duty to protect it” and that “Consumers have a right to know and control how their data is being used.”
California AG’s Office Gets Public Input on CCPA (1/29/2019)
The California Attorney General’s Office (CAGO) is conducting a series of public hearings around the state to gather input on the California Consumer Privacy Act of 2018 (CCPA). We attended the CAGO’s January 25th, 2019 hearing. The panel of CAGO staff informed those in attendance to anticipate a Notice of Proposed Regulatory Action in the fall of 2019.
California continues to lead the nation in cybersecurity and privacy legislation on the heels of the recent California Consumer Privacy Act of 2018 (“CCPA”). Governor Brown recently signed into law two nearly identical bills, Assembly Bill No. 1906 and Senate Bill No. 327 (the “Legislation”) each of which required the signing of the other to become law, on September 28th, 2018.
Labor Day is passed, and the Privacy & Security Matters blog is back after a bit of a hiatus. The California State Legislature was busy up to the last day of the session working on privacy legislation.
June 28, 2018 will be a watershed day in the history of U.S. data privacy legislation. California has become the first state to move away from the U.S. approach of legislating data privacy in slow bits.