With a little time to consider the finalized California Consumer Privacy Act regulations released by the California Attorney General on August 14, 2020, it is clear that some last-minute negotiations (or perhaps just some thoughtful additional analysis) took place that led to some unexpected changes. The lion’s share of the regulation requirements have been discussed in depth, so let’s just focus on the following noteworthy changes:
Continue Reading Twists in the Plot: California AG Releases Final CCPA Regulations

Californians for Consumer Privacy has announced that it has secured and submitted enough signatures to qualify its California Privacy Rights Act (“CPRA”) for inclusion on California’s November 2020 ballot.

Alistair Mactaggart, the architect behind the ballot initiative that led to the California legislature’s adoption of the CCPA, pushed forward with the CPRA to amend perceived issues and shortcomings in the CCPA.
Continue Reading Signatures Submitted for Inclusion of New California Privacy Law on November Ballot

As we are all well aware by now, the California Consumer Privacy Act (CCPA) (Cal. Civ. Code Sections 1798.100 et seq.) went into effect on Jan. 1. Through its amendments and regulations (the latter of which have yet to be finalized as of this article’s publication), one aspect of the act has stayed largely consistent: the CCPA grants a private right of action only in limited situations. While the California Attorney General has the ability to impose fines for any CCPA violation, the private right of action is specifically limited (over significant debate and a proposed amendment that failed to pass) to data breach. Moreover, in creating that private right of action, the act specifically notes that violations “shall not be interpreted to serve as the basis for a private right of action under any other law.”

Does that mean there will not be significant litigation concerning the CCPA outside of the data breach realm? The answer is clearly a resounding “no.” Indeed, we have already seen multiple lawsuits filed taking direct aim at the CCPA’s claimed limitations on private enforcement. In those cases, in direct contravention of the stated limitation on private rights of action, plaintiffs have claimed (among other things) that the failure to provide proper notice required by the CCPA predicates a violation of California’s Unfair Competition Law (Cal Civ. Code. Section 17200) (the UCL). See, e.g., Burke v. Clearview AI, Case No. 3:20-cv-00370 (S.D. Cal., filed Feb. 27, 2020); Sheth v. Ring, Case No. 2:20-cv-01538 (C.D. Cal., filed Feb. 18, 2020). Whether such claims will fail as expressly barred by the act remains to be seen.
Continue Reading Private Rights of Action and the CCPA—Unlimited Limitation?

As large portions of society become subject to coronavirus-related quarantines, increasing numbers of people have turned to web-based communications platforms for classes, meetings, events, and socialization. One such platform, Zoom, has become, in some estimations, the most important app in the business world, and the single most downloaded mobile app in all of India.

With such rapid expansion in its user base, there was bound to be increased focus on the company. Over the last few weeks, Zoom has faced questions related to the legality of its privacy and information-gathering practices. In fact, in addition to addressing concerns on social media and national television programs, Zoom must also now defend itself in a new class action lawsuit involving the newly enacted California Consumer Privacy Act (“CCPA”), which we analyze below.
Continue Reading New CCPA Lawsuit Against Zoom: Issues to Watch

The California Consumer Privacy Act (CCPA) that went into effect on January 1, 2020 provided for a grace period to allow companies additional time to come into compliance with the new regulation. That grace period ensured the California Attorney General’s office would not bring enforcement actions until six months after publication of the office’s regulations, or July 1, 2020, whichever came first.  The AG’s office continues to revise its proposed regulations, including revisions as recent as March 11, 2020, so the grace period is still currently scheduled to end July 1, 2020.
Continue Reading CCPA Enforcement During COVID-19 Pandemic

On March 11, 2020, California Attorney General Xavier Barrera released a second revision to the draft California Consumer Privacy Act (CCPA) regulations. The new draft contains a number of important changes to the regulatory landscape under the CCPA. One very specific change—concerning data scraping—caught my eye. Since the CCPA has been discussed and, indeed, even earlier in connection with the GDPR, there has been an open question of whether entities that pull personal data from public sources (e.g., from the publicly available LinkedIn pages) were required to provide notice to the individuals whose data had been collected. The new regulations answer the question, at least in part.
Continue Reading Data Scraping Under the Revised CCPA Regulations

The cyber insurance markets are beginning to adapt to the new California Consumer Privacy Act (CCPA) which went into effect on January 1, 2020.

There is great variation in how cyber insurance policies currently address risks under the CCPA. And further developments are expected as the law begins to impact companies under its jurisdiction—that is,

California employers collectively breathed a sigh of relief when the state legislature delayed most of the California Consumer Privacy Act’s (CCPA) application to them until 2021. However, there’s not much time to relax: two significant CCPA provisions took effect in 2020, and the legislature is expected to pass an employer-specific data privacy law this year.

To ensure compliance with the provisions taking effect this year, and prepare for what may be coming next year, covered employers should consider taking the following steps now:
Continue Reading What Steps Should Employers Take Now Regarding the CCPA?

It was recently discovered that a certain software product, in this case used by numerous cannabis companies around the country, was not secure and allowed access to consumer data of companies using the software. You can read more about it in this linked article. This isn’t the first time a security vulnerability was introduced by the use of third-party software, and it won’t be the last. The CCPA requires “reasonable security measures” be taken to protect consumer data. It is likely that employing vulnerable software will be seen to violate this standard (it has yet to be tested), but will it lead to liability of the company employing the software?  I think it will.

So what is a company to do when purchasing third-party software that will store or otherwise have access to consumer data?
Continue Reading Data Security: Are you looking at your third party software?