The Office of the Attorney General has released the long-anticipated proposed CCPA regulations. The proposed regulations outline procedures intended to facilitate consumers’ new rights under the CCPA and provide compliance guidance to businesses regarding:
- Notices businesses must provide to consumers under the CCPA;
- Handling consumer requests made pursuant to the CCPA;
- Verifying the identity of the consumer making those requests;
- Personal information of minors; and
- Nondiscrimination and offering of financial incentives.
Please see our Alert for a detailed discussion of the proposed regulations.
Governor Gavin Newsom signed five CCPA amendment bills into law on Friday, October 11, 2019. He also signed an amendment broadening the California breach notification law and a new law which creates a data broker registry for the sale of certain personal information. The event marked the culmination of the California Legislature’s efforts this year to clarify the terms and scope of the CCPA, which takes effect on January 1, 2020.
A summary of these laws and their impact may be found in our previous Alert.
Stay tuned to the Duane Morris TechLaw Blog for developments regarding the CCPA and its implementation.
The newest Nevada privacy law, SB 220, is about to become operative on October 1, 2019, and will require website operators to provide consumers with the right to opt out of the sale of their personal information. The definition of what constitutes a “sale” is fairly narrow and includes several broad exclusions. Therefore, this opt-out provision is likely to apply only in narrow circumstances. However, businesses that may be covered by this new law will need to complete the following items prior to October 1:
- Determine whether the law applies to your business.
- Confirm compliance with existing consumer notice requirements.
- Establish a designated request address where consumers may submit a verified request to opt out of the sale of their covered information.
- Develop policies, procedures and processes for verifying and responding to requests within 60 days.
Please see our Alert for a detailed discussion of this law and when it applies.
By: Michelle Hon Donovan, Brandi Taylor and Angelica Zabanal
Last Friday, September 13, 2019, marked the final day for the California Legislature to vote to pass amendments intended to clarify the terms and scope of the California Consumer Privacy Act (CCPA), which takes effect on January 1, 2020. The bills are now on Governor Gavin Newsom’s desk for approval, and the Governor will have until October 13, 2019, to sign or veto them.
Of the CCPA amendment bills that were in consideration, the following were passed:
- AB 25, regarding employee exemption
- AB 874, regarding the definition of PI (personal information)
- AB 1146, regarding warranty and vehicle repairs
- AB 1355, regarding the B2B exemption and other clarifying amendments
- AB 1564, regarding toll-free telephone number exception
Also of note, AB 1130 – a bill that does not specifically amend CCPA – also passed. This bill expands the categories of PI covered by California’s data breach notification laws, which will now include tax identification numbers, passport numbers, military identification numbers and unique identification numbers issued on a government document, as well as certain types of specified unique biometric data. This expansion is anticipated to impact liability under the CCPA’s private right of action
While not an exhaustive list of the bills that stalled during the legislative process, the following bills of note failed to be passed by the legislature:
- AB 873, regarding the definition of de-identified
- AB 846, regarding customer loyalty programs
- AB 981, regarding exemption for certain insurance transactions
While the approved amendments did not significantly overhaul the CCPA, several notable changes were made. Please see our Alert for a detailed discussion of these changes.
In early March, cybersecurity professionals around the world filled the San Francisco Moscone Convention Center’s sprawling exhibition halls to discuss and learn about everything infosec, from public key encryption to incident response, and from machine learning to domestic abuse.
Companies should not overthink [data privacy and personal information]. Instead, data privacy lawyers said businesses should pay attention to what information they collect and where they operate to best understand personal data protection and compliance.
As Duane Morris LLP intellectual property and cyber law partner Michelle Donovan said:
“What it comes down to, is, it doesn’t matter what the rules are in China if you’re not doing business in China. Companies need to figure out what jurisdictions apply, what information are they collecting, where do their data subjects reside, and based on that, figure out what law applies.”
To read the full text of this article, please visit the MalwareBytes website.