On March 15, 2021, the California Office of Administrative Law (“OAL”) approved additional regulations to the CCPA. These regulations were originally proposed at the end of 2020 (which we covered here).  The changes are effective immediately. The modifications largely focus on (1) changes impacting those companies that “sell” information, and (2) the verification process for rights requests made by authorized agents.
Continue Reading Changes to CCPA Regulations are Approved and in Effect

Throughout 2020, companies have been negotiating with their business partners the issue of “selling” under CCPA. Is the partner a service provider? A third party? Is there an exchange of consideration? These issues will not likely go away in 2021, especially as we turn to addressing the CCPA modification, CPRA.
Continue Reading 2020 In Review: Exchanging Data With Business Partners

As 2020 draws to a close and we approach CCPA’s first birthday, the regulations continue to remain very much in “infant” mode. On December 10, 2020, the California Attorney General released a fourth set of proposed regulations. This is the second set of proposed changes released since the regulations went into effect in August 2020. Companies have until December 28, 2020 to submit comments to the AG on the modifications.
Continue Reading The Button is Back! Fourth Set of Modifications to CCPA Regulations Released

By ballot initiative, California residents recently approved Proposition 24, or the California Privacy Rights Act (CPRA), with approximately 56 percent voting in favor. CPRA significantly amends the CCPA by expanding individual rights, introducing new GDPR-style governance measures, and establishing a new enforcement agency (among other things). Importantly, CPRA does not replace or repeal CCPA, but rather augments it.  Further, no new private right of action will be added by CPRA.  The substantive provisions of CPRA do not take effect until January 1, 2023.
Continue Reading The CCPA Wheels Keep Turning: The Addition of CPRA

The California Attorney General recently released a third set of proposed modifications to the CCPA regulations. As we previously covered, the CCPA regulations were approved and went into effect on August 14, 2020. Many companies will likely be frustrated by the fact that new changes have been proposed again, just two months after the final version was approved. Companies have until October 28, 2020 to submit comments to the AG on the modifications.
Continue Reading Will CCPA Regulation Change Again?: Comment Deadline Looming

An amendment to the CCPA recently passed through the legislature, adding some much needed clarity to HIPAA-regulated entities, research institutions and other life science and medical device companies. CCPA in its current form left open uncertainty for business associates, de-identified information, and information collected in the course of medical research. AB 713 helps clarify certain exemptions and applicability of CCPA to organizations in the health and research space.
Continue Reading CCPA Amendment Adds Needed Clarity for Medical & Research Community

The California AG has now released the final CCPA regulations, as approved by the Office of Administrative Law (OAL).  The final draft (issued August 14, 2020) incorporates some relatively minor changes that the OAG submitted as part of its final rulemaking package, as summarized in its addendum to the final statement of reasons. In addition to generally “non-substantive” edits for consistency, etc. the OAG withdrew four sections (999.305(a)(5), 999.306(b)(2), 999.315(c), and 999.326(c)) from OAL review.
Continue Reading CCPA Regulations Finally Approved, Effective Immediately

On June 1, 2020, the California AG submitted the final text of the proposed CCPA regulations to the Office of Administrative Law (OAL). There were no changes to the final text from the last version released in March, which we previously summarized here.
Continue Reading Final Draft CCPA Regulations Submitted, Effective Date Unclear

During COVID-19, in certain areas of the law, we have seen significant flexibility from regulators and government agencies in how they are addressing typical approval processes and/or compliance requirements. In the context of privacy and cybersecurity regulations, largely, regulators are emphasizing that personal privacy and data security are important now more than ever. New information is being collected and used in new ways. Certain data security vulnerabilities may be more prevalent in this work-from-home environment.
Continue Reading Privacy and Data Protection Enactment and Enforcement Timelines During COVID-19

As we get settled into the reality of living with both CCPA and GDPR, companies are looking for new approaches for keeping their privacy houses in order. CCPA reminds us that there is no end to new legislation: proposals are already coming in from states as varied as Nebraska, New Hampshire and Virginia. Similar legislative trends exist around the globe. How can companies be prepared to address this ever shifting legislative landscape? There are a few essential steps privacy officers can take, including (1) aligning the privacy team’s efforts with the underlying corporate mission, (2) having a clear understanding of both the company’s data and its use practices, and (3) having infrastructure in place that will allow for updates to notices and rights.
Continue Reading Getting Prepared for a Decade of Privacy

The Network Advertising Initiative, which provides guidance to advertisers who engage in personalized advertising, updated its Code of Conduct (2020 Code) earlier this year to address, inter alia, data collected offline and used for tailored advertising, as well as CCPA and TV-based tailored advertising. In anticipation of the January 1, 2020 effective date of the Code, the NAI recently issued a guidance on how to get “opt-in consent.” While the NAI Code and guidance is applicable only to NAI members, the requirements are important for all to know, since it is these members who typically implement companies’ online behavioral advertising.
Continue Reading NAI’s 2020 Code Effective January 1 Along with CCPA