Photo of Craig Cardon

Craig Cardon sits on Sheppard Mullin's Executive Committee and serves as Practice Group Leader of the Privacy and Cybersecurity Practice.

California legislators have passed many bills to amend the California Consumer Protection Act since the law was passed. Last week there was significant developments in the status of those bills, as we reported. In addition to dropping the concept of a private right of action for non-breach matters, there are other key things to keep in mind. Some are good news for corporations, but some pending bills that would have helped clarify the law are not moving forward. On the pro-business side, employers and businesses that focus on handling employee data will be happy to learn of the revised definition to consumers. On the pro-consumer side, however, a bill was withdrawn that would have allowed the sharing of unique consumer identifiers for marketing purposes without being considered a “sale,” drawing a chorus of “shucks” from businesses alike. Keep reading for the details.
Continue Reading Like a Butterfly, Will the CCPA Continue to Evolve?

Whether your favorite movie is The Wizard of Oz or The Princess Bride, we can all agree there is some good news about the California Consumer Privacy Act (CCPA) this Friday afternoon! SB 561 appears to have (mostly) died in the Senate Appropriations Committee during a hearing held yesterday. While the act as originally drafted only provided for Attorney General enforcement (except for one section addressing data security breaches), SB 561 added a private right of action as well as statutory damages for any violation of the act. This amendment clearly would have significantly increased the risks of any failure to comply with CCPA, no matter how small. But remember the words of Miracle Max – “There’s a big difference between mostly dead and all dead. Mostly dead is slightly alive.” So while it is possible that another amendment could be introduced at a later date, for now at least, the act will likely remain as drafted with enforcement coming only from the AG’s office, except in data breaches.
Continue Reading Ding Dong the CCPA Private Right of Action is (Mostly) Dead!

In response to the concern of many that the definition of consumer is so broad as to cover employees, a bill has been introduced in California to exclude employees from the scope of CCPA. As those who have been following CCPA are aware, the definition of “consumer” is extremely broad. Under the proposal, amended on March 25 of this year, the definition would specifically exclude from the definition information collected by a business “in the course of a person acting as a job applicant,” employee, contractor, or agent of the business. The carve-out goes on to clarify that this would hold true only if the individual’s information is used “for purposes compatible with the context” in which they gave it to the company.
Continue Reading Will CCPA’s Definition of Consumer Be Narrowed?

As the first month of 2019 comes to a close, it is clear that this year will be another busy one in the world of privacy. To help get a handle on what to worry about this year, it is helpful to look back on the privacy developments from 2018 and consider what will be recurring or new themes in the year to come. To help on this front, we have put together our comprehensive “year in review” bulletin. In this document, we’ve included all of the developments we reported on in 2018, in one handy spot. You can view the summary here. There were many themes that emerged, from biometrics to targeting, breach laws to breach enforcement, 2018 was a busy year in privacy. We expect 2019 to be equally packed with privacy developments.
Continue Reading Year In Review: Eye on Privacy 2018

Everyone who has been paying attention to privacy news knows that January 1, 2020 is the implementation date of the California Consumer Protection Act, and July 1, 2020 is the current deadline for enforcement to begin. July 2020 is also the current deadline for the California AG to implement regulations under CCPA. Read more about the law in our blog post from last year. What should companies do over the coming months to get ready for what looks like a sweeping new set of requirements? Two big ones: keep a 12 month look-back of data processing activities and take stock of what you collect and how you use it. Over the coming months you will also want to look at how you might handle rights requests, and take the CCPA into account for your 2019 and 2020 budgeting. This graphic can help you communicate the importance of CCPA to internal stakeholders.
Continue Reading 2019 is the Year of . . . CCPA?

As has been widely reported, California’s new privacy regime entitled the California Consumer Privacy Act of 2018, or CCPA, is set to come into effect on January 1, 2020. The law constitutes an expansion beyond California’s existing privacy laws, in particular California’s existing Shine the Light Law and the California Online Privacy Protection Act. Various provisions of the new law will apply to businesses with annual total revenue greater than $25 million (not just in California), that obtain or share for commercial purposes the personal information of 50,000 or more, or that get 50% or more of their revenue from selling or sharing PII. The law was passed quickly to avoid a similar voter-initiative ballot measure, and as a result has several ambiguities and apparent inconsistencies. It is therefore very likely that the law will be changed by amendment, and clarified through rules and regulations, before it comes into effect in 2020. 
Continue Reading The California Consumer Privacy Law (CCPA) Is Coming: What Should Your Company Do Now?