With the explosion of COVID-19 cases worldwide, companies and governments have expanded their interest in the use of the vast stores of consumer data. Even where such collection and use of personal data is ostensibly for the public good, the privacy rights and legal requirements applicable to such data must be considered carefully.[i]

The California Consumer Privacy Act (CCPA), which went into effect on January 1, 2020, provided for a grace period to allow companies additional time to come into compliance with the new regulation. That grace period ensured the California Attorney General’s office would not bring enforcement actions until six months after publication of the office’s regulations, or July 1, 2020, whichever came first. The AG’s office continues to revise its proposed regulations, including revisions as recent as March 11, 2020, so the grace period is still currently scheduled to end July 1, 2020.

On March 11, 2020, California Attorney General Xavier Barrera released a second revision to the draft California Consumer Privacy Act (CCPA) regulations. The new draft contains a number of important changes to the regulatory landscape under the CCPA. One very specific change, concerning data scraping, caught my eye. Ever since the CCPA was first discussed and, indeed, even earlier in connection with the GDPR, there has been an open question of whether entities that pull personal data from public sources (e.g., from publicly available LinkedIn pages) are required to provide notice to the individuals whose data has been collected. The new regulations answer the question, at least in part.

The outbreak of the novel coronavirus (COVID-19) presents challenging medical privacy issues for employers. Employers must observe their employees’ continued legal right to privacy—including under the Americans with Disabilities Act (ADA), HIPAA, and/or relevant state and local laws—while maintaining a safe and healthy workplace. Below are some privacy guidelines for employers to consider with respect to the coronavirus outbreak.

The cyber insurance markets are beginning to adapt to the new California Consumer Privacy Act (CCPA), which went into effect on January 1, 2020.

There is great variation in how cyber insurance policies currently address risks under the CCPA. And further developments are expected as the law begins to impact companies under its jurisdiction—that is, companies that, regardless of their location, are for-profit, collect data from California residents, and either have annual revenue of at least $25 million; or collect, store and/or save the data of at least 50,000 California data subjects; or realize at least half of their revenue from the sale of data.

It is critical that companies subject to the CCPA understand the nuances of cyber insurance policies, and how they may be able to negotiate favorable coverage terms when they buy or renew them this year.

I dive into the CCPA’s impact on insurance policies in an article I co-authored with my Farella colleagues Sushila Chanana and Nate Garhart for TAG Cyber Law Journal. Read the full article, here.

Various state laws require data breach notification and different state laws have different triggers for when notification is required and who must be notified. In California, for example, a breached company must give notice to each affected California resident, but the California AG need be notified only if the breach affected 500 or more individuals in California. In New York, on the other hand, AG notification is required if any NY residents were affected by the breach.

While all such laws generally address notification of affected parties, the AG, credit reporting agencies, other holders of the data, and certain other constituents, they are not the only word in disclosure requirements.

California employers collectively breathed a sigh of relief when the state legislature delayed most of the California Consumer Privacy Act’s (CCPA) application to them until 2021. However, there’s not much time to relax: two significant CCPA provisions took effect in 2020, and the legislature is expected to pass an employer-specific data privacy law this year.

To ensure compliance with the provisions taking effect this year, and prepare for what may be coming next year, covered employers should consider taking the following steps now:

It was recently discovered that a certain software product, in this case used by numerous cannabis companies around the country, was not secure and allowed access to consumer data of companies using the software. You can read more about it in this linked article. This isn’t the first time a security vulnerability was introduced by the use of third-party software, and it won’t be the last. The CCPA requires “reasonable security measures” be taken to protect consumer data. It is likely that employing vulnerable software will be seen to violate this standard (it has yet to be tested), but will it lead to liability of the company employing the software? I think it will.

So what is a company to do when purchasing third-party software that will store or otherwise have access to consumer data?