
Julia Kadish is an associate in the Intellectual Property Practice Group in the firm's Chicago office and is a member of the Privacy and Cybersecurity Team.

By ballot initiative, California residents recently approved Proposition 24, or the California Privacy Rights Act (CPRA), with approximately 56 percent voting in favor. CPRA significantly amends the CCPA by expanding individual rights, introducing new GDPR-style governance measures, and establishing a new enforcement agency (among other things). Importantly, CPRA does not replace or repeal CCPA, but rather augments it. Further, no new private right of action will be added by CPRA. The substantive provisions of CPRA do not take effect until January 1, 2023.
Continue Reading The CCPA Wheels Keep Turning: The Addition of CPRA

The California Attorney General recently released a third set of proposed modifications to the CCPA regulations. As we previously covered, the CCPA regulations were approved and went into effect on August 14, 2020. Many companies will likely be frustrated by the fact that new changes have been proposed again, just two months after the final version was approved. Companies have until October 28, 2020 to submit comments to the AG on the modifications.
Continue Reading Will CCPA Regulation Change Again?: Comment Deadline Looming

Following lots of legislative uncertainty, Brazil has now formally enacted the country’s first general data protection law, Lei Geral de Proteção de Dados, or “LGPD.” While administrative sanctions do not go into effect until August 1, 2021, individuals and public prosecutors can now bring claims for losses and damages. Indeed, at least one public civil action has already been filed. LGPD is the first comprehensive general data protection law in Latin America. It was modeled after the EU’s GDPR. While there are many similarities, LGPD does introduce new concepts. Below are some of the key elements to keep in mind.
Continue Reading Brazil’s Comprehensive Privacy Law Now in Effect

Late this summer the New York Department of Financial Services (NYDFS) announced its first enforcement action since the cybersecurity rules went into effect in March 2017. The action was brought against First American Title Insurance Co. as a result of a 2018 data breach exposing 850 million customer records containing sensitive personal information.
Continue Reading What the First Enforcement Action under NYDFS Cybersecurity Reg Means to Companies

An amendment to the CCPA recently passed through the legislature, adding some much-needed clarity for HIPAA-regulated entities, research institutions and other life science and medical device companies. CCPA in its current form left open uncertainty for business associates, de-identified information, and information collected in the course of medical research. AB 713 helps clarify certain exemptions and applicability of CCPA to organizations in the health and research space.
Continue Reading CCPA Amendment Adds Needed Clarity for Medical & Research Community

As the California legislative session concluded at the end of August, a significant amendment to the CCPA finally passed both houses. California bill AB-1281 passed the Senate in the last days of the month, extending the business-to-business and employee/applicant carve-outs through January 1, 2022 (as we wrote about previously). The bill now sits with Governor Newsom to sign before the end of September.
Continue Reading CCPA Bill Extending Exemptions Passes Through California Legislature

The California AG has now released the final CCPA regulations, as approved by the Office of Administrative Law (OAL). The final draft (issued August 14, 2020) incorporates some relatively minor changes that the OAG submitted as part of its final rulemaking package, as summarized in its addendum to the final statement of reasons. In addition to generally “non-substantive” edits for consistency, etc., the OAG withdrew four sections (999.305(a)(5), 999.306(b)(2), 999.315(c), and 999.326(c)) from OAL review.
Continue Reading CCPA Regulations Finally Approved, Effective Immediately

With the current limited exemptions under CCPA for employment and business-to-business related information set to expire January 1, 2021, there is uncertainty over when businesses should prepare to extend CCPA compliance efforts to this type of information. However, a pending amendment in the California Senate and/or the impending CPRA ballot initiative in November may bring clarity to the issue.
Continue Reading What Will Come First: Pending CCPA Amendment Could Clarify Key Exemptions

Companies who transfer data from the EU to the U.S. are struggling to determine the appropriate basis under which they can make these transfers. Continuing our examination of the outcome of this decision, we think now about what companies can do for transfers of information from the EU to the U.S.
Continue Reading EU Reaction to the Fall of Privacy Shield: The Rise of SCCs?

U.S. companies are in a bind in the wake of the recent EU decision rejecting the validity of the Privacy Shield. While it is clear that the EU will not accept Privacy Shield participation as a basis for transferring data from the EU to the U.S., next steps for participants are unfortunately not clear cut. U.S. companies who participate in the Shield program face two decisions: (1) whether to continue participation in the Privacy Shield program and (2) what mechanism to rely on for data transfers from the EU to the U.S.
Continue Reading How to Rise from the Privacy Shield Ashes: A View from the U.S.

On July 16, 2020, in the case colloquially known as “Schrems II,” the Court of Justice of the European Union (CJEU) struck down the EU-US Privacy Shield, finding it an invalid mechanism for transferring data from the EU to the US. The CJEU concluded that the Standard Contractual Clauses (SCCs) are valid for the transfer of personal data outside the EU (which would include transfers to the US), with certain conditions.
Continue Reading CJEU Invalidates Privacy Shield, But Upholds SCCs with Conditions