The California Privacy Protection Agency announced a new consumer complaint system is now in effect at its most recent board meeting 14 July. The new form allows residents and nonresidents to lodge both sworn and unsworn complaints detailing possible violations of the California Consumer Privacy Act. There is also an FAQ page to assist individuals filling out their complaint. During the meeting, CPPA Special Advisor Elizabeth Allen, CIPP/US, said the new system received 13 complaints after its... Read More

New rules and obligations under the California Consumer Privacy Act have reached the finish line. The California Privacy Protection Agency announced its first California Privacy Rights Act rulemaking package was approved by the California Office of Administrative Law following a review. The finalized rules contain no substantive changes to the final draft submitted by the CPPA to the OAL in February. The first rulemaking package addresses regulations concerning data processing agreements, consu... Read More

Feb. 17 marked the deadline for California legislators to introduce bills for the current legislative session. Among more than 2700 bills introduced by state senators and assembly members, 10 proposed amendments to the California Consumer Privacy Act and the Information Practices Act of 1977, which imposes purpose limitations, consent requirements and other privacy protections over personal data held by the government. Other bills address topics like updating the Confidentiality of Medical Infor... Read More

The California Consumer Protection Act has been in effect since Jan. 1, 2020 and the California Privacy Rights Act, which modified the CCPA, went into effect Jan. 1, 2023. Now that the CPRA is in effect, one of the questions businesses are concerned about is the modification of the CCPA threshold test of "what is a business," and the implications this modification for small businesses, e.g., those under USD25 million in annual revenue, in light of the new compliance requirements for business-to... Read More

Covered entities under the California Consumer Privacy Act are on the cusp of long-awaited legal certainty regarding updated compliance efforts. The California Privacy Protection Agency Board voted 4-0 at its latest meeting to finalize its first set of proposed California Privacy Rights Act regulations. The final rulemaking package, which consists of the proposed regulations and a draft final statement of reasons from the CPPA, will soon be sent to the California Office of Administrative Law fo... Read More

California has led the way on many privacy-related laws, going back to at least 2002 when it passed the first data breach notification law in the U.S. More recently, passage of the California Consumer Privacy Act and the California Privacy Rights Act has prompted other states to follow suit. Lothar Determann has long practiced and taught international data privacy law, and beginning in 2013, published the book, “California Privacy Law.” Now in its fifth edition and published by the IAPP for the... Read More

The anticipated finalization of California Privacy Rights Act regulations has been pushed back again. While the CPRA takes effect in just under two weeks — on Jan. 1, 2023 — the California Privacy Protection Agency is still working to promulgate final rules. During a Dec. 16 board meeting, CPPA Executive Director Ashkan Soltani said the final rules will likely be released in late January. Under that timeline, with a 30-day review by the California Office of Administrative Law, the regulations w... Read More

It seems like at the start of every year there are new privacy laws. The 2020 new year brought us the California Consumer Privacy Act. The 2023 new year will bring us the California Privacy Rights Act and the Virginia Consumer Data Protection Act, with new legislation from Colorado, Connecticut and Utah arriving a bit later in the year. So yet again, cross-functional privacy teams from across the digital advertising industry are trying to decipher what companies can and can’t do under new state... Read More

The delay on California Privacy Rights Act regulations has proven difficult for everyone involved. Covered entities are in a bind trying to address CPRA compliance ahead of the Jan. 1, 2023, effective date without final rules being promulgated by the California Privacy Protection Agency. On the other hand, the CPPA is trying to work diligently and tactfully in the face of criticism for running well past its initial July 1 deadline to finalize regulations. The pressure on both sides could ease s... Read More

The California Privacy Protection Agency released updated California Privacy Rights Act draft regulations with a summary of the latest modifications. These are the first updates to the initial draft rules published May 31 covering select topics under the CPRA, including personal data collection and use restrictions, mandatory user opt-out signal acknowledgement and privacy notice requirements. The CPPA filed its updates ahead of expected discussion on the draft regulations during its two-day ope... Read More

In an op-ed for The San Francisco Chronicle, California Privacy Protection Agency Board Chair Jennifer Urban reiterated the agency's position on how the proposed American Data Privacy and Protection Act would "undermine" Californians' privacy rights and businesses' "ability to confidently invest in more privacy-protective practices." Urban said companies "may be understandably confused about how to invest if Congress overturns this existing guidance" under the California Consumer Privacy Act. Sh... Read More

On Aug. 31, hopes were dashed when the California legislative session ended without enacting Assembly Bill 1102. The bill would have extended grace periods for certain business-to-business and human resources personal information under the California Consumer Privacy Act as amended by the California Privacy Rights Act. CCPA/CPRA will become fully operational on Jan. 1, 2023, for B2B and HR personal information and will be subject to the same rigorous California privacy regulations as "consumer" ... Read More

Beauty retailer Sephora was fined $1.2 million by California Attorney General Rob Bonta and is the first-ever California Consumer Privacy Act enforcement action. At the heart of the matter is Sephora allegedly misrepresenting its actions to California consumers (saying that it did not sell consumer personal information despite the fact it engaged in targeted advertising, thereby “selling” data to third-party companies) and failing to provide for or recognize global opt-outs “including … the Glob... Read More

Businesses barely had time to recover from a hectic privacy summer, with U.S. privacy legislation making progress on the Hill and the U.S. Federal Trade Commission’s launch of a sweeping rulemaking initiative, when California Attorney General Rob Bonta dropped a bombshell: The first enforcement settlement under the California Consumer Privacy Act. Pursuant to the settlement, Sephora, a French cosmetics brand, will pay $1.2 million in fines and abide by a set of compliance obligations. The attorn... Read More

There's been plenty of bark with California Consumer Privacy Act enforcement since the law entered into force January 2020 and now the bite has arrived. California Attorney General Rob Bonta announced the first enforcement action under the CCPA, a $1.2 million settlement with multinational retailer Sephora over violations of the law's "Do Not Sell" provisions. According to the attorney general's office, Sephora's violation specifically concerned the failures to inform individuals about the sale... Read More

California Privacy Protection Agency Executive Director Ashkan Soltani wrote a letter to U.S. House Speaker Nancy Pelosi, D-Calif., and House Minority Leader Kevin McCarthy, R-Calif., doubling down on its opposition to the proposed American Data Privacy and Protection Act. Soltani told House leadership the ADPPA's "sweeping preemption" works to "remove important protections and significantly weaken the privacy Californians currently enjoy." Soltani called preemption "an anomaly for federal priva... Read More

The California Privacy Protection Agency officially launched the formal rulemaking process for the California Consumer Privacy Rights Act. The CPPA announced draft regulations in early June that maintain pre-existing California Consumer Privacy Act regulations, while modifying certain provisions and proposing new regulations. The public is invited to participate in the rulemaking process by submitting written comments by Aug. 23 or attending public hearings scheduled for Aug. 24 and 25, both in-... Read More

The California Consumer Privacy Act gives California residents the right to know what personal information a business collects about them and how it is used. The law likewise imposes obligations on businesses to ensure consumers can exercise this right. Although the CCPA and its regulations provide a framework, operationalizing the consumer request process can be complex. Two compliance issues that present challenges for organizations covered by the CCPA are: The scope of information subject... Read More

The California Privacy Protection Agency board reached what member Christopher Thompson called “an incredible milestone” June 8, voting unanimously to authorize Executive Director Ashkan Soltani to begin the California Privacy Rights Act rulemaking process. “I think we all share a desire to ensure that we issue regulations and enforce those regulations in a way that protects consumers’ privacy and allows consumers to understand and make decisions about their own privacy,” Thompson said.  The a... Read More

There has been a stream of activity around California Privacy Rights Act rulemaking in recent months, yet privacy professionals have been working under a mostly undefined timeline for a formal rulemaking process. The California Privacy Protection Agency is now signaling that process is on the horizon. The CPPA announced May 27 its plans to discuss CPRA draft regulations during its next board meeting June 8. That announcement subtly included the first cluster of proposed rules for the 22 topics ... Read More

The California Privacy Protection Agency Board outlined a proposed course of action for the upcoming California Privacy Rights Act rulemaking process, addressing what will and will not be anticipated areas of focus. The board did not discuss the quickly approaching July 1 target date for finalizing regulations. The CPRA takes effect Jan. 1, 2023, and provides for regulations to be finalized by July 1, allowing for a six-month compliance window. CPPA Executive Director Ashkan Soltani indicated d... Read More

Compliance activities loom large as organizations gear up for the California Privacy Rights Act to take force next year. Remaining measures depend largely on the substance of the California Privacy Protection Agency's much-anticipated CPRA rulemaking. The CPRA provides for regulations to be finalized by July 1 to allow for a six-month compliance window ahead of the law's Jan. 1, 2023 effective date, but a surprise announcement from the CPPA suggests a compliance scramble is on the horizon. Whil... Read More

The California Privacy Protection Agency published the public comments from its stakeholder consultation on California Privacy Rights Act regulations. The comment periods were conducted Sep. 22 to Nov. 8 and broken up into four sections. The CPPA intends to have additional informational hearings to gather more feedback toward its rulemaking process. Formal rulemaking activities will begin at the conclusion of the agency's fact gathering, which has no set timetable. Editor's note: IAPP's Cathy Co... Read More

The California Privacy Protection Agency, established by the California Privacy Rights Act, is taking shape. It hired Ashkan Soltani as its Executive Director Oct. 4 and is expected to hire a general counsel and deputy director of administration soon. The agency is also moving forward with its rulemaking responsibilities, engaging in preliminary rulemaking activities as it considers what new regulations or amendments to the regulations are appropriate. Adopting final CPRA regulations by the July... Read More

With California playing host to the IAPP's Privacy. Security. Risk. 2021, it was only fitting that the California Privacy Rights Act took center stage from the get-go. Attendees were treated Wednesday to a CPRA Comprehensive workshop, a full-day event dedicated to providing information and advice on what to expect when the law takes effect Jan. 1, 2023, and how to best prepare for compliance in the leadup to the day. The workshop's panel sessions covered some of the most obvious and pressing qu... Read More

It was always going to be interesting to see who would be appointed the inaugural leader of the California Privacy Protection Agency. With the hiring process mostly closed-door and unpublicized, the selection was bound to catch people by surprise and did just that on Monday. The CPPA announced Ashkan Soltani, former chief technologist for the U.S. Federal Trade Commission and senior advisor to the White House, will be its first executive director. Soltani was a key player in the drafting of the... Read More

Employment rights and obligations related to human resources data are about to get messy in California. On Jan. 1, 2023, California will become the first state to have a comprehensive data privacy law covering human resources data when the California Privacy Rights Act becomes operational. This change will leave both employees and employers confused regarding the interplay between the CPRA and employment laws because most of the rights under the CPRA either are already addressed or do not make s... Read More

In July, the office of the attorney general of California marked the one-year anniversary of its enforcement of the California Consumer Privacy Act by issuing a press release to tout its “successful enforcement efforts.” Also well-publicized, in the same announcement, the office unveiled a new Consumer Privacy Tool to enable consumers to directly notify eligible businesses of perceived “Do Not Sell My Personal Information” link deficiencies. Although the press release teased four examples of not... Read More

Those wondering how California Consumer Privacy Act enforcement went after the law's first year in effect got that answer and plenty more July 19. California Attorney General Rob Bonta held a press conference to tout the effectiveness of the CCPA, particularly its cure notices, while unveiling a new Consumer Privacy Tool for individuals to report instances of missing or unclear "Do Not Sell My Personal Information" buttons on companies' websites. Bonta said he was pleased to report 75% of the c... Read More

The California Privacy Protection Agency is the new agency established by the California Privacy Rights Act to implement and enforce the law. On June 14, the five-member CPPA Board held its first public meeting over Zoom. The 15 agenda items focused primarily on informational and logistical tasks as the board considered what is needed to create the agency. Not surprisingly, the July 1, 2022, deadline for adopting final CPRA regulations overshadowed much of the discussion.   The IAPP previously ... Read More

With any newly assigned leadership group, it is fair to wonder if the appointments provide any clues as to how they might approach their duties. It is a question being asked and explored in the days following the appointments to the California Privacy Protection Agency board. The inaugural board members for the first privacy-focused regulatory body in the U.S. were announced by California government officials March 17. University of California, Berkeley Clinical Professor of Law Jennifer Urban ... Read More

On March 15, 2021, California approved new regulations implementing the California Consumer Privacy Act. These regulations primarily focus on a business's obligations to comply with opt-out right protocols and requirements (e.g., Do Not Sell links) and respond to data privacy requests that are submitted by a consumer's authorized agent.  Although California voters recently approved the California Privacy Rights Act, the CCPA's outstanding requirements, including these new regulations, remain in... Read More

New Year’s Day 2023 will usher in many new changes for California (and, by extension, the U.S.) privacy law when the California Privacy Rights Act becomes fully operative. One significant change will be the CPRA’s expansion of contracting requirements for transfers of personal information to other entities. The California Consumer Privacy Act only requires contracts to establish service provider relationships. The CPRA will expand that requirement to include transfers to third parties and “contr... Read More

In November 2020, California voters approved a new data privacy law. Unfortunately, the law contains a provision that may threaten the future of digital content for underrepresented communities. California’s new law, the California Privacy Rights Act, includes provisions that prohibit “revealing” a consumer’s racial or ethnic origin, religious or philosophical beliefs, and sex life or sexual orientation. The beneficial intent behind this provision is unassailable, but regulations need to careful... Read More

In November 2020, a majority of Californians (56.1%) voted to pass Proposition 24 — establishing the California Privacy Rights Act. While the CPRA’s provisions become enforceable in 2023, many aspects of the law come into effect now, including the creation of a new California Privacy Protection Agency and a period of formal rulemaking that could begin as early as July 2021. While preserving the CCPA’s existing consumer rights, the CPRA establishes a range of new protections, including and perha... Read More

While most of the nation anxiously awaits the final vote tallies for the U.S. presidential election, several privacy-related propositions and referendums were also on the ballots in a few states. Most significantly, California's Proposition 24 has passed, paving the way for the California Privacy Rights Act. This major new state privacy law is something privacy pros will want to pay attention to. IAPP Editorial Director Jedidiah Bracy, CIPP, shares some early reactions from practitioners on what... Read More

With only a week until what might be the most important U.S. election in a generation, tensions across the United States are running high. True, the big focus for the nation is on the presidential election, while a selection of closely contested and equally significant U.S. Senate races also hang in the balance. But for the privacy profession, there's a major election choice in California this Nov. 3.  Proposition 24, the ballot initiative that would cement the California Privacy Rights Act in... Read More

Hard to believe it, but we’re only days away from a fateful vote in California on what’s called Proposition 24. If approved by the residents of California, Prop 24 will put the California Privacy Rights Act on the books. The law will add an additional layer of privacy protections for California residents and a new privacy compliance regime for businesses. Prop 24 has been hotly debated, especially in recent weeks. And the traditional fault lines between consumer advocacy and industry are not wha... Read More

In the flurry of bills relating to the California Consumer Privacy Act (CCPA),[1] the California Legislature also enacted a new law effective January 1, 2020, according to which data brokers must register with the California attorney general by January 31, 2020. With the new law, California follows a similar (but not identical) law in Vermont[2] and attention to data brokers by Congress, the Federal Trade Commission (FTC) and advocates in prior years.[3] California lawmakers placed the broker la... Read More

In September, California Attorney General Xavier Becerra testified at the U.S. Senate Committee on Commerce, Science and Transportation hearing regarding the need for a U.S. privacy law. Although the context of the hearing was federal privacy legislation, his testimony included important insights into how his office may approach enforcement of the California Consumer Privacy Act and what privacy issues he is focused on going forward. In addition, several bills with privacy implications were pas... Read More

On July 1, 2020, the California Consumer Privacy Act hit two milestones. It was the midyear point of its Jan. 1, 2020, implementation and the day full enforcement of the law officially began. The six-month grace period between implementation and enforcement was designed to give businesses an opportunity to get ahead of the CCPA and put programs in place. Of course, when that grace period was built into the law, no one anticipated a pandemic and millions of people moving to remote work, shifting... Read More

In a provision that has not yet received much attention, the California Consumer Privacy Act imposed the fair information principle of “purpose limitation” on businesses subject to the law. As we explain below, this provision and the way the California Attorney General’s Office has sought to implement it may have important consequences for businesses when evaluating whether the personal information they have collected from consumers can be used for purposes not specifically contemplated at the t... Read More

For much of the year, privacy professionals have expressed concern that the California Consumer Privacy Act business-to-business and employee partial moratoria were scheduled to expire at the end of 2020. If these moratoria lapse, the scope of CCPA rights requirements would expand dramatically. For example, CCPA businesses would need to present CCPA “At Collection” privacy notices to employees and representatives of other business entities — something that U.S. businesses rarely, if ever, do tod... Read More

The California Consumer Privacy Act is the nation’s first comprehensive commercial privacy law, and Consumer Reports has been working to defend and expand it since it was signed into law in 2018. The fact that California residents now have the legal right to access, delete and control the sale of one’s information is a major step forward, especially as the federal government has failed to take action to protect online privacy. That said, the CCPA was in some places drafted sloppily — its looph... Read More

Editor's note: This is the third article in a three-part series addressing some of the more significant areas of the regulations implementing the California Consumer Privacy Act. On June 2, the proposed regulations were sent to the California Office of Administrative Law for final review, and if approved by the OAL, the California Consumer Privacy Act regulations will then be filed with the California Secretary of State and become enforceable. This third article in a three-part series on the dr... Read More

Editor’s note: This is the second article in a three-part series addressing some of the more significant areas of the regulations implementing the California Consumer Privacy Act. The California Consumer Privacy Act affords California residents several data privacy rights, including the right to know, access and delete specific pieces or categories of personal information that a business has collected about them and the right to “opt-out,” which refers to a consumer’s right to request that a bu... Read More

The private right of action in the California Consumer Privacy Act has generated substantial commentary. Now that plaintiffs have started to bring lawsuits alleging violations of the CCPA, we can see how these claims are being plead and the novel questions courts will be asked to consider. Litigation on these issues seems likely, as litigants seek to define the scope of this remedy for consumers. CCPA private right of action Section 1798.150(a)(1) of the CCPA provides a private right of actio... Read More

The California Privacy Rights Act officially cleared the threshold to make it into the November 2020 ballot last week. It was a bumpy road to certification, but Californians for Consumer Privacy ended up with significantly above the minimum required verified signature count. This, despite most of California being in COVID-19 lock-down since April and an unexpected administrative delay by Riverside County that threatened to derail the initiative just a few weeks ago. It will be now up to Califor... Read More

The California State Assembly held a hearing June 12 on the California Privacy Rights Act, formerly known as "CCPA 2.0." CPRA author Alastair Mactaggart was on hand to explain why he thinks the CPRA should make it to the ballot, but critics asked: Why now? The ink on the CCPA's regulations is barely dry, and companies are scrambling to get compliant. Is now the right time to throw another law at them? IAPP Editor Angelique Carson, CIPP/US, has the details for The Privacy Advisor. Full Story... Read More

On May 14, California Secretary of State Alex Padilla announced that the Californians for Consumer Privacy effort to qualify the California Privacy Rights Act initiative for the November ballot has met its first threshold. The raw number of signatures filed exceeded prima facie the 623,212 number required for the CPRA to qualify for the ballot. More on this can be found here.  Padilla ordered county officials to begin the process of verifying signatures selected from random samples. In counties... Read More

As Californians for Consumer Privacy announced last week, a new privacy law is likely to be on the California ballot in November. The California Privacy Rights Act is a ballot initiative, which, if adopted — and most agree it will be — would replace the California Consumer Privacy Act, which entered into force earlier this year. The CPRA is truly an omnibus data protection law, modeled on the EU General Data Protection Regulation, and would create a much broader set of privacy rights and obligat... Read More

May the 4th be with Alastair Mactaggart? On May 4, the Californians for Consumer Privacy, led by founder Alastair Mactaggart, announced its submission to qualify the California Privacy Rights Act for the November 2020 ballot. Because of COVID-19 social distancing measures in place in California and the huge number of signatures required, the announcement surprised many political observers.  However, the CPRA’s presence on the ballot is still not a "done deal." County election officials and the... Read More

As companies grapple with complying with the California Consumer Privacy Act, they will need to decide whether the internet protocol addresses they collect from consumers are considered “personal information” and thus within the scope of this new law. It will not be easy. The CCPA defines “personal information” to include online identifies such as an IP address, but only if the identifier “identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be ... Read More

The California Consumer Privacy Act certainly has its fair share of complexities, which companies began grappling with well before the law came into force Jan. 1. While some are becoming more clear with time and discussion, others remain the topic of debate, including how to approach the CCPA's broad definition of "sale." Instead of accepting and conforming to the statute of the law, though, there's talk within the privacy profession that some companies are using tricky semantics to avoid termi... Read More

After more than a year of preparation, the California Consumer Privacy Act is now in effect. Yet, in the sprint to get ready for the CCPA, businesses may have overlooked the CCPA’s impact on anticipated or pending civil litigation. This article examines some of those impacts. Deletion of personal information pre-litigation Readers are undoubtedly aware of the general rule that the obligation to preserve evidence arises when [a] party has notice that the evidence is relevant to litigation or wh... Read More

A new year means a slate of new laws went into effect across the country Jan. 1. For privacy pros, particularly those based in the United States, the big one in 2020 is the California Consumer Privacy Act. As people rang in the dawn of a new decade Tuesday night, the country's most comprehensive privacy law went into the books Wednesday, and the email inboxes of countless individuals filled up with new CCPA-related notices.  The CCPA is expected to affect approximately 500,000 businesses operat... Read More

With the EU General Data Protection Regulation being in force for quite a while and its "controller" and "processor" concepts for yet much longer, there seems to be a well-established practice for identifying third parties and where they fit into that picture. However, there are still situations in which this remains a significant challenge, both to organizations concerned and to the data protection authorities. The California Consumer Privacy Act, on the other hand, is a completely new legal a... Read More

On Oct. 10, the California Office of the Attorney General issued a draft of their long-awaited regulations pursuant to the California Consumer Privacy Act. The draft rules do more than simply fill in gaps in the CCPA regarding how businesses should implement CCPA rights; they also contain substantial additional requirements not found in the statute.  There are significant “new” aspects of the draft rules, which will be open for public comment until Dec. 6, 2019. The attorney general's office in... Read More

Tanya Forsheit, CIPP/US, CIPT, PLS, was about to take the stage Thursday at a speaking engagement when a colleague asked her if she was watching the news conference. Forsheit assumed there must have been a news conference on U.S. President Donald Trump's impeachment hearings. But, like everyone else watching the California Consumer Privacy Act's progress as it nears its 2020 implementation date, Forsheit was surprised to learn that California's attorney general was, in fact, holding a news confe... Read More

The way companies use personal data is somewhat reminiscent of how people approach their wardrobes. You start buying clothes of a particular style or brand, but over time, your sense of fashion changes, and you buy based on new needs and desires. The use of personal data works in the same way, as companies collect data for one purpose and then use it differently as new needs arise. In both instances, the sudden change in direction merits some type of justification, and that's especially the cas... Read More

Everyone at the Privacy. Security. Risk. stage Wednesday was expecting to have one specific conversation: How about those recent California Consumer Privacy Act amendments? What no one but one man knew until the night before, including the panelists to take the stage, was that another conversation would supplant those plans. On Tuesday, news broke that Alastair Mactaggart, the co-architect of the CCPA, would introduce a citizen's initiative more stringent than the CCPA.  The new initiative, cal... Read More

The Legislature in Sacramento finished its session last Friday, Sept. 13 and will no longer be able to make changes to the California Consumer Privacy Act before it goes into effect Jan. 1, 2020.  Assuming that California Gov. Gavin Newsom signs all of these laws — he has until Oct. 13 — these amendments will leave the "right to know" intact but make significant changes including to some of the definitions, the non-discrimination provision, and how a consumer makes a verifiable request. The le... Read More

The 2019 California Consumer Privacy Act amendment process is finally coming to a close this week, less than four months before the law will take effect. The Legislature is scheduled to adjourn Friday the 13th, and sometime thereafter, the attorney general is expected to issue draft rules that will clarify notice and request verification obligations under the landmark law.  Overall, the CCPA amendment bills that passed the Senate Committee on the Judiciary appear on track to be enacted. However... Read More

The requirements of the California Consumer Privacy Act enter into force Jan. 1, 2020, and impose an array of requirements on companies that are subject to the law. Among them are obligations related to the sharing of “personal information” [Section 1798.140(o)] that obligate businesses to push down contractual limitations on service providers and other recipients of personal information and to offer California “consumers” [Section 1798.140(g)] the right to opt out of disclosures that qualify as... Read More

The California Consumer Privacy Act has made plenty of waves since its announcement in April 2018. The EU General Data Protection Regulation near-look-alike is the first of its kind in the U.S. and presents many complications for global businesses with California residents as their consumer. The CCPA will demand revision to many data-handling practices, chiefly in the data subject access right space, but will also feature expansion of the definition of personal information, depending on your org... Read More

Sacramento is back in session, and there is one more month to get changes through the Legislature before the California Consumer Privacy Act goes into effect Jan. 1, 2020.  These are some of the issues I will be watching closely: Who will win the battle over the definitions of 'personal information' and 'deidentified'? Tech lobbyists suffered a major blow when AB 873, changing the definition of "deidentified," failed to pass out of the U.S. Senate Judiciary Committee. Assemblymember Jacqui Irw... Read More

On Tuesday, July 9, the California Senate Standing Committee on Judiciary took up the slew of California Consumer Privacy Act amendment bills that the Assembly had passed more than a month earlier.  Consensus bills At the hearing, Democratic State Sen. Hannah-Beth Jackson supported two CCPA “clean-up” bills without requesting amendments. These were Democratic Assembly Privacy Committee Chairman Ed Chau’s AB 25 and Democratic Assemblymember Jacqui Irwin’s AB 874. Both sailed through her committ... Read More

Unless you’ve been living under a rock for the last year, you are well aware of the California Consumer Privacy Act. This regulation first captured the attention of privacy professionals through how it came to be, originating with an unlikely champion in San Francisco real estate developer Alastair Mactaggart, gaining momentum in a post–Cambridge Analytica political climate, and speeding to Democratic Gov. Jerry Brown’s desk to receive his signature after weeks of intense negotiation between pri... Read More

The digital advertising industry is undergoing a rapid regulatory transformation. The EU General Data Protection Regulation went into effect more than a year ago, and the California Consumer Privacy Act is right around the corner with a Jan. 1, 2020, effective date. Other jurisdictions are likely to follow. Industry lawyers created legal frameworks to comply with the GDPR but now need to determine what changes are needed to comply with the CCPA and, potentially, future privacy laws in other stat... Read More

As of July 1, 2020, for Maine, and Oct. 1, 2019, for Nevada, some companies will have to comply with additional requirements and restrictions regarding personal information selling under new laws that seem inspired by but not as broad as the California Consumer Privacy Act. Maine’s Act to Protect the Privacy of Online Customer Information requires prior opt-in to data selling (the CCPA requires offering opt-out) and introduces new notice requirements, but only for broadband providers. Nevada’s S... Read More

Transparency is a fundamental aspect of the California Consumer Privacy Act. The act creates consumer rights to access data and obligations for businesses to disclose data practices. One of the law’s effects will be increased scrutiny of privacy notices, specifically their details about a business’s data collection and sales practices. This article applies the CCPA to the current privacy notice of theScore — a sports news application — one of the 17 apps The New York Times recently identified f... Read More

There appears to be consistent confusion with regard to the California Consumer Privacy Act and its incentives to encrypt and redact personal information wherever possible. Specifically, the CCPA encourages security through two means. First, non-encrypted and non-redacted information that is breached results in fines of up to $750 per consumer. Data that is encrypted and redacted may potentially avoid such fines in the case of a breach. Second, deidentified or aggregate data is not subject to ... Read More

The California Consumer Privacy Act, passed in June 2018, includes various consumer rights and business obligations regarding consumer personal information. One of the most significant rights contained in the CCPA is the right for a consumer to opt out of the sale of their personal information to third parties — a provision that may have profound implications for the online advertising industry. This provision has revealed the divide between privacy advocates and industry groups, perhaps more th... Read More

On Tuesday, the California Assembly Privacy and Consumer Protection Committee began clarifying important ambiguities in the California Consumer Privacy Act. As readers of the Daily Dashboard know well, the CCPA sets out landmark privacy rights for Californians, but often in language that is either confusing or difficult to operationalize. Several bills approved at the hearing offer encouragement that the legislature may resolve several key compliance ambiguities before the attorney general’s rul... Read More

Editor's note: This story has been amended to reflect the more recent vote in the California legislature, updating the April 23 version. The California Consumer Privacy Act, passed in June 2018, includes various consumer rights and business obligations regarding consumer personal information. One of the most significant rights contained in the CCPA is the right for a consumer to opt out of the sale of their personal information to third parties — a provision that may have profound implications ... Read More

The California Consumer Privacy Act is notorious for the haste with which it was drafted. Many provisions of the statute require clarification, and the attorney general’s office is holding a series of public forums before issuing clarifying regulations. Among the concepts not well defined by the CCPA are deidentification, pseudonymization, and aggregation. It's helpful to take a look at some of the challenges the CCPA creates with its imprecise language regarding these topics and point out of t... Read More

Broad data and business regulation, applicable worldwide As of January 1, 2020, companies around the world will have to comply with additional regulations related to processing of personal data of California residents. Pursuant to the California Consumer Privacy Act of 2018, companies have to observe restrictions on data monetization business models, accommodate rights to access, deletion, and porting of personal data, update their privacy policies and brace for additional penalties and liquida... Read More

In this Privacy Tracker series, we look at laws from across the globe and match them up against the EU General Data Protection Regulation. The aim is to help you determine how much duplication of operational effort you might avoid as you work toward compliance and help you focus your efforts. In this installment, Lydia De La Torre, CIPP/US, compares the new California Consumer Privacy Act 2018 to the GDPR. We all found out the results of the World Cup July 15, but there is a different matchup i... Read More

The brand-new California Consumer Privacy Act of 2018, which swept through the California legislature last week with startling speed as a compromise measure preempting an even stricter ballot initiative, will apply to more than 500,000 U.S. companies, the vast majority of which are small- to medium-sized enterprises. These figures were derived by an IAPP examination of the language of the law as applied to U.S. census data about American businesses.  The new act, which provides California resid... Read More