Photo of Craig Cardon

Craig Cardon sits on Sheppard Mullin's Executive Committee and serves as Practice Group Leader of the Privacy and Cybersecurity Practice.

The California AG has now released the final CCPA regulations, as approved by the Office of Administrative Law (OAL).  The final draft (issued August 14, 2020) incorporates some relatively minor changes that the OAG submitted as part of its final rulemaking package, as summarized in its addendum to the final statement of reasons. In addition to generally “non-substantive” edits for consistency, etc. the OAG withdrew four sections (999.305(a)(5), 999.306(b)(2), 999.315(c), and 999.326(c)) from OAL review.
Continue Reading CCPA Regulations Finally Approved, Effective Immediately

With the current limited exemptions under CCPA for employment and business-to-business related information set to expire January 1, 2021, there is uncertainty over when businesses should prepare to extend CCPA compliance efforts to this type of information. However, a pending amendment in the California senate, and/or the impending CPRA ballot initiative in November may bring clarity to the issue.
Continue Reading What Will Come First: Pending CCPA Amendment Could Clarify Key Exemptions

On July 16, 2020, in the case colloquially known as “Schrems II,” the Court of Justice of the European Union (CJEU) struck down the EU-US Privacy Shield, finding it an invalid mechanism for transferring data from the EU to the US. The CJEU concluded that the Standard Contractual Clauses (SCCs) are valid for the transfer of personal data outside the EU (which would include transfers to the US), with certain conditions.
Continue Reading CJEU Invalidates Privacy Shield, But Upholds SCCs with Conditions

On June 1, 2020, the California AG submitted the final text of the proposed CCPA regulations to the Office of Administrative Law (OAL). There were no changes to the final text from the last version released in March, which we previously summarized here.
Continue Reading Final Draft CCPA Regulations Submitted, Effective Date Unclear

As many who have been tracking CCPA are aware, the law requires training employees who handle consumer inquiries, and ensuring that employees understand how to help consumers exercise their rights. Since most of those rights requests are arriving by web page, email, and phone, it is unlikely that rights requests will slow in the face of COVID-19. Indeed, it is possible that they may increase. Employees will thus still need training, something many companies had anticipated doing in-person.

Coronavirus


Continue Reading Turn On the Camera Part Three: Fulfilling CCPA Training Obligations in the Face of COVID-19

During their COVID-19 preparations, companies are dusting off -and deploying- their business continuity plans. Also worth revisiting are incident response plans. Teams working remotely, if faced with a data breach, will still face privilege issues. For this reason simply moving to asynchronous forms of communication (email, chat, etc.) may not suffice, or may increase legal risk and exposure. Teams will thus need to be prepared for coming together virtually. Turning on the camera to converse remotely with video can be an impactful and important way to effectively handle a breach situation. To prepare, here are three key questions companies can consider:
Continue Reading Turn on the Camera Part Two: Are You Prepared to Handle a Breach Remotely and Do You Know Your Legal Security Obligations?

As companies brace for the impact of COVID-19, the last thing on everyone’s mind may be proactive privacy compliance obligations. Certainly, companies may be thinking about privacy obligations that relate specifically to their COVID-19 response. What types of employee information can be disclosed, for example, especially in European offices? (On this, see guidance from the French, Italian and Irish data protection authorities.) But companies can think more broadly, in particular about how they will continue the proactive operations of the privacy team during this time. Some questions companies can ask themselves now include:
Continue Reading Turn on the Camera Part One: Keeping Your Privacy Compliant Efforts Moving Forward in the Face of COVID-19

On February 10, the California Attorney General’s office released a highly anticipated updated draft of the proposed CCPA regulations. This draft corrected a version first issued on February 7, 2020. These latest updates follow the four public hearings held in December 2019 and nearly 1,700 pages of comments submitted after the AG first released the initial proposal in October 2019.  While these modified regulations are still not final, some of the notable changes include:
Continue Reading And the Modified Proposed CCPA Regulations are Here!

The California attorney general has released draft regulations for CCPA, giving companies further guidance on a variety of topics. The regulations are in draft, and comments are due to the attorney general’s office by December 6, 2019. The AGs office will also be holding a series of hearings across the state, on December 2 (Sacramento), 3 (Los Angeles), 4 (San Francisco), and 5 (Fresno). Among the many items that companies will be examining in more detail in the coming days, the regulations provide details about how to verify consumers and the need for website accessibility in the provision of notices. The proposal also calls on companies to acknowledge access and deletion requests within 10 days of receipt of such a request.
Continue Reading Proposed CCPA Regs Released, Comments Due Dec. 6

One of the CCPA amendments that has gone to the governor’s desk is AB 1564, which addresses the methods companies must make available to consumers to exercise their rights under CCPA. Businesses which operate exclusively online and have direct relationships with their consumers can (1) provide an email address for consumers to submit requests, and (2) if they have a website (which presumably all online businesses would!), have a method for consumers to submit requests on that website. It is not clear from the amendment if listing the email address on the website would fulfill the latter requirement, or if the intent is for companies to have an online form on their websites where requests can be submitted.
Continue Reading Modifications Under CCPA To Receipt of Consumer Requests

One of the amendments we’ve been watching over the past months is one that impacts rights of employees —both the company’s and other company’s employees. Under AB25, which passed the California Senate and is now awaiting governor signature, companies will be (for a year) exempted from providing current and former employees, job applicants, and contractors with the full suite of CCPA rights. Starting January 2020, however, these individuals must be provided with notice of information use. Access and deletion rights will not go into effect until January 2021.
Continue Reading What To Do About Employees Under CCPA: An Update