Photo of Rachel Tarko Hudson

Rachel Tarko Hudson is a partner in the Intellectual Property Practice Group in the firm's San Francisco office. She is also a member of the Retail Team.

As companies brace for the impact of COVID-19, the last thing on everyone’s mind may be proactive privacy compliance obligations. Certainly, companies may be thinking about privacy obligations that relate specifically to their COVID-19 response. What types of employee information can be disclosed, for example, especially in European offices? (On this, see guidance from the French, Italian and Irish data protection authorities.) But companies can think more broadly, in particular about how they will continue the proactive operations of the privacy team during this time. Some questions companies can ask themselves now include:
Continue Reading Turn on the Camera Part One: Keeping Your Privacy Compliant Efforts Moving Forward in the Face of COVID-19

On February 10, the California Attorney General’s office released a highly anticipated updated draft of the proposed CCPA regulations. This draft corrected a version first issued on February 7, 2020. These latest updates follow the four public hearings held in December 2019 and nearly 1,700 pages of comments submitted after the AG first released the initial proposal in October 2019.  While these modified regulations are still not final, some of the notable changes include:
Continue Reading And the Modified Proposed CCPA Regulations are Here!

The EU Commission concluded its third annual review of the EU-U.S. Privacy Shield and found that it continues to provide an adequate level of protection for EU personal data. The program was created as a mechanism to facilitate transfers of personal data from the EU to the US. It is reviewed annually by the EU Commission, as we have discussed in prior posts. That body did express concern with some parts of the program. This included a fear that US Department of Commerce’s monthly pro-active checks of companies may be too surface level, and did not necessarily include review of  the companies’ privacy provisions in vendor contracts.
Continue Reading The Privacy Shield Survives Another EU Commission Review, For Now…

The California attorney general has released draft regulations for CCPA, giving companies further guidance on a variety of topics. The regulations are in draft, and comments are due to the attorney general’s office by December 6, 2019. The AGs office will also be holding a series of hearings across the state, on December 2 (Sacramento), 3 (Los Angeles), 4 (San Francisco), and 5 (Fresno). Among the many items that companies will be examining in more detail in the coming days, the regulations provide details about how to verify consumers and the need for website accessibility in the provision of notices. The proposal also calls on companies to acknowledge access and deletion requests within 10 days of receipt of such a request.
Continue Reading Proposed CCPA Regs Released, Comments Due Dec. 6

One of the CCPA amendments that has gone to the governor’s desk is AB 1564, which addresses the methods companies must make available to consumers to exercise their rights under CCPA. Businesses which operate exclusively online and have direct relationships with their consumers can (1) provide an email address for consumers to submit requests, and (2) if they have a website (which presumably all online businesses would!), have a method for consumers to submit requests on that website. It is not clear from the amendment if listing the email address on the website would fulfill the latter requirement, or if the intent is for companies to have an online form on their websites where requests can be submitted.
Continue Reading Modifications Under CCPA To Receipt of Consumer Requests

One of the amendments we’ve been watching over the past months is one that impacts rights of employees —both the company’s and other company’s employees. Under AB25, which passed the California Senate and is now awaiting governor signature, companies will be (for a year) exempted from providing current and former employees, job applicants, and contractors with the full suite of CCPA rights. Starting January 2020, however, these individuals must be provided with notice of information use. Access and deletion rights will not go into effect until January 2021.
Continue Reading What To Do About Employees Under CCPA: An Update

California legislators have passed many bills to amend the California Consumer Protection Act since the law was passed. Last week there was significant developments in the status of those bills, as we reported. In addition to dropping the concept of a private right of action for non-breach matters, there are other key things to keep in mind. Some are good news for corporations, but some pending bills that would have helped clarify the law are not moving forward. On the pro-business side, employers and businesses that focus on handling employee data will be happy to learn of the revised definition to consumers. On the pro-consumer side, however, a bill was withdrawn that would have allowed the sharing of unique consumer identifiers for marketing purposes without being considered a “sale,” drawing a chorus of “shucks” from businesses alike. Keep reading for the details.
Continue Reading Like a Butterfly, Will the CCPA Continue to Evolve?

Whether your favorite movie is The Wizard of Oz or The Princess Bride, we can all agree there is some good news about the California Consumer Privacy Act (CCPA) this Friday afternoon! SB 561 appears to have (mostly) died in the Senate Appropriations Committee during a hearing held yesterday. While the act as originally drafted only provided for Attorney General enforcement (except for one section addressing data security breaches), SB 561 added a private right of action as well as statutory damages for any violation of the act. This amendment clearly would have significantly increased the risks of any failure to comply with CCPA, no matter how small. But remember the words of Miracle Max – “There’s a big difference between mostly dead and all dead. Mostly dead is slightly alive.” So while it is possible that another amendment could be introduced at a later date, for now at least, the act will likely remain as drafted with enforcement coming only from the AG’s office, except in data breaches.
Continue Reading Ding Dong the CCPA Private Right of Action is (Mostly) Dead!

In response to the concern of many that the definition of consumer is so broad as to cover employees, a bill has been introduced in California to exclude employees from the scope of CCPA. As those who have been following CCPA are aware, the definition of “consumer” is extremely broad. Under the proposal, amended on March 25 of this year, the definition would specifically exclude from the definition information collected by a business “in the course of a person acting as a job applicant,” employee, contractor, or agent of the business. The carve-out goes on to clarify that this would hold true only if the individual’s information is used “for purposes compatible with the context” in which they gave it to the company.
Continue Reading Will CCPA’s Definition of Consumer Be Narrowed?

Everyone who has been paying attention to privacy news knows that January 1, 2020 is the implementation date of the California Consumer Protection Act, and July 1, 2020 is the current deadline for enforcement to begin. July 2020 is also the current deadline for the California AG to implement regulations under CCPA. Read more about the law in our blog post from last year. What should companies do over the coming months to get ready for what looks like a sweeping new set of requirements? Two big ones: keep a 12 month look-back of data processing activities and take stock of what you collect and how you use it. Over the coming months you will also want to look at how you might handle rights requests, and take the CCPA into account for your 2019 and 2020 budgeting. This graphic can help you communicate the importance of CCPA to internal stakeholders.
Continue Reading 2019 is the Year of . . . CCPA?