Influenced by California’s Consumer Privacy Act and Europe Union’s General Data Protection Regulation, a wave of new data privacy legislation has been introduced across the United States. Visit this page for the latest developments during this critical juncture in US privacy regulation.
The far-reaching Consumer Privacy Act of 2018 (CCPA) requires many companies doing business in California to implement new policies and procedures no later than July 1, 2020. The CCPA can be enforced by the California Attorney General or by private plaintiffs with the possibility of statutory penalties for noncompliance.
California has passed a comprehensive consumer privacy law—similar in some respects to the European Union’s General Data Protection Regulation (GDPR). The CCPA was unanimously approved by the California Senate and Assembly on June 27, 2018, and signed into law by then-Governor Jerry Brown the same day. The enforcement date for the CCPA is now six months after the Attorney General’s Office issues regulations, so organizations subject to the CCPA must be in compliance no later than July 1, 2020.
The CCPA creates an array of new consumer privacy rights that require many companies doing business in California to reassess their collection and use of personal information, and modify their business processes to accommodate the new rights of consumers. It allows California consumers to make requests of businesses to disclose what personal information the business has shared and also to delete or no longer share that information.
In addition to California, since the start of 2019, at least 10 state legislatures have introduced privacy bills inspired to varying degrees by the CCPA.
Consumer Privacy Legislation Introduced
Morgan Lewis is prepared to guide companies and institutions of all sizes through the challenges they face in this new regulatory environment. We will closely follow each new development as the CCPA is amended and regulations and guidance documents are issued. We are also following developments in other states as data privacy legislation is proposed and enacted. Our lawyers assist clients in virtually all the major industries around the globe in understanding how these important changes affect their businesses and how to navigate the changing data privacy landscape.
To help businesses prepare for the CCPA we created a CCPA checklist. The checklist covers the following points in detail to help you determine whether the CCPA applies to your business, and includes actionable steps your business can take to ensure compliance and many other useful tips:
The California attorney general on March 12 released additional modified regulations (Second Set of Modifications) proposing further refinements to the California Consumer Privacy Act. This latest set are mostly minor adjustments, introducing fewer significant new concepts than the previous iterations on October 11, 2019 and February 7 and 10, 2020. Against this backdrop, businesses responding to the coronavirus (COVID-19) outbreak seek enforcement delays as the regulations approach final form.
While the final CCPA regulations remain pending, written comments on the recently released proposed modifications are due by February 25, 2020. This article highlights some of the most notable changes to the proposed regulations.
Washington may be the next state to enact its own data privacy law after a bill was introduced into the Washington State Senate earlier this month. Known as the Washington Privacy Act, the bill’s sponsor, Sen. Reuven Carlyle, stated at a press conference that lawmakers had reached “95 percent agreement in principle on the core elements of the bill.”
The landmark California Consumer Privacy Act (CCPA), which took effect on January 1, 2020, is the first privacy act of its kind in the United States and significantly alters the privacy and cybersecurity enforcement landscape. This article reviews one of the unique aspects of the CCPA: enforcement by the California attorney general (AG).
The landmark California Consumer Privacy Act (CCPA), which took effect on January 1, 2020, grants consumers a limited private right of action against the unauthorized access and exfiltration, theft, or disclosure of certain types of personal information, including the right to seek statutory damages. This new cause of action is among the many new statutory rights established by the CCPA, which represents a major turning point for privacy and cybersecurity standards and will significantly impact enforcement in California and beyond. This article highlights the key features of the private right of action and discusses how companies can prepare. Enforcement actions by the California attorney general are discussed in a subsequent article.
California is the fifth largest economy in the world. Its new laws and regulations have an impact far beyond its borders. Many Non-US companies do business in California. The California Consumer Privacy Act (CCPA), which becomes effective on January 1, 2020, applies broadly, and includes companies that are based outside of the state. This article discusses how the CCPA impacts non-US companies and what those companies need to do to prepare for CCPA compliance.
May 25, 2018, was a milestone for privacy in Europe. The General Data Protection Regulation (GDPR) of 2016 became fully applicable. One of GDPR’s goals is a “consistent and high level of protection of natural persons and to remove the obstacles to flows of personal data within the Union; the level of protection of the rights and freedoms of natural persons with regard to the processing of such data should be equivalent in all Member States” (Recital 10 of the GDPR).
The California Consumer Privacy Act (CCPA) gives California residents various new rights regarding the collection, use, and disclosure of their personal information, and imposes a number of obligations on businesses covered by the CCPA, including some that apply to personal information collected from employees, owners, officers, directors, job applicants, and contractors, effective January 1, 2020. This article discusses issues for employers under the CCPA, as amended by AB 25, and under related regulations proposed by the California attorney general, including compliance with a notice provision by January 1.
The California Consumer Privacy Act (CCPA) gives consumers the right to request that a business (1) respond to the consumer with a list of the categories or specific pieces of personal information that the business has collected about that consumer (request to know); (2) delete any personal information that the business has collected from the consumer (request to delete); and (3) not sell the consumer’s personal information (request to opt out).
The recently proposed regulations implementing the California Consumer Privacy Act (CCPA) “establish procedures to facilitate consumers’ new rights under the CCPA and provide guidance to businesses for how to comply.” This article focuses on the consumer’s right to request deletion of the consumer’s personal information collected by the business, and outlines the best practices for responding to such requests to delete under the CCPA, including some information on the exceptions to deletion request.
The California Consumer Privacy Act (CCPA) gives consumers the right to request that a business (1) respond to a consumer with a list of the categories or specific pieces of personal information that the business has collected about that consumer (a request to know); (2) delete any personal information that the business has collected from the consumer (a request to delete); and (3) not sell the consumer’s personal information (a request to opt out).
All businesses subject to the California Consumer Privacy Act (CCPA) will need to have privacy policies that comply with the CCPA, regardless of whether they conduct business in person, online, or through mobile apps, and will need to update those policies at least every 12 months. The CCPA regulations proposed by the California attorney general on October 10, 2019, clarify and expand upon the requirements for privacy policies. This article explains those requirements and provides best practices for privacy policies.
The second article in our Guide to the CCPA series focuses on verifying consumer requests received pursuant to the California Consumer Privacy Act (CCPA). The California attorney general’s recently proposed regulations implementing the CCPA establish rules and procedures for verifying the identity of consumers making requests to know and requests to delete. This article explains those rules and provides best practices for verifying consumer requests made under the CCPA.
The California attorney general released the highly anticipated proposed regulations implementing the California Consumer Privacy Act (CCPA) on October 10, providing detailed guidance on CCPA compliance for affected businesses. This article, the first in our Practical Advice on Privacy: Guide to CCPA Requests series, focuses on best practices for receiving consumer requests made under the CCPA.
The upcoming California Consumer Privacy Act (CCPA) envisages harsher data protection regulations in California. Find out what German companies should pay attention to.
Morgan Lewis partner Mark Krotoski and associate Kevin Benedicto authored an article for Law360 about California AB 1130, which was recently enacted and amends the state’s data breach notification law.
While the California attorney general’s proposed regulations do not address all provisions of the California Consumer Privacy Act, they do include new procedures and deadlines and cover compliance issues for businesses not covered by the statute. For example, there are new obligations concerning service providers, training and recordkeeping, and standards for certain businesses maintaining the personal information of 4 million or more consumers for commercial purposes, like data brokers.
Morgan Lewis attorneys review amendments approved to the California Consumer Privacy Act (CCPA) and awaiting approval by California Governor Gavin Newsom. In the Bloomberg Law article, they say the amendments will create important exemptions for employee and business-to-business data.
Our prior post discussed three potential enhancements to cyber-related liability insurance policies designed to maximize their potential responsiveness to actions initiated by consumers or the state attorney general under the California Consumer Privacy Act (CCPA).
Will typical cyber-related liability insurance policies respond to actions initiated under the CCPA? In their current form, many likely will not. This post suggests enhancements to existing cyberliability policies to maximize their potential responsiveness to CCPA actions.
At the close of its legislative session on September 13, the California legislature passed five bills to amend and clarify the scope of the landmark California Consumer Privacy Act, which establishes new statutory privacy rights and business obligations for the collection and use of “personal information.”
The January 1, 2020, deadline to comply with the California Consumer Privacy Act (CCPA) is fast approaching. Signed into law in the summer of 2018, the CCPA creates a variety of new consumer privacy rights and will require many companies to implement policies and procedures to manage and comply with new consumer-facing responsibilities. Catch up on the details of the CCPA in our previous post, this LawFlash, and the Morgan Lewis CCPA resource center.
Nevada Senate Bill (SB) 220 will go into effect on October 1, 2019. SB 220 amends Nevada’s data privacy law to require that website operators honor a consumer’s request not to sell the consumer’s personal information. Exempt from the new law are certain financial and health institutions, and individuals involved in the manufacture and service of motor vehicles.
On the first anniversary of the European Union’s General Data Protection Regulation (GDPR), the United States is seeing a wave of state legislatures similarly considering laws to regulate the use of personal data. This installment of The eData Guide to GDPR recaps the current legislative activity across the United States.
New York has increased its effort to enforce cybersecurity by creating a new unit designed to combat cybercrime and protect individuals’ sensitive data from attacks.
This article examines recent developments regarding the CCPA, and looks at some issues that will likely be a focus in the coming months now that the California Legislature is back in session.
By January 2020, manufacturers of Internet-enabled (IoT) devices that are sold or offered for sale in California (connected devices) must comply with the new legislation. For cyber security regulations in California. This includes the requirement to equip their devices with adequate security features to protect the device and the information contained therein.
As detailed in a prior blog post, California’s new privacy law, commonly referred to as the CCPA seeks to impose tougher privacy requirements on companies that collect and use consumer data.
The article analyzes the CCPA, which has been described as a landmark privacy bill that aims to give California consumers increased transparency and control over how companies use and share their personal information by January 2020. Companies with business in California should start with their compliance work as soon as possible.
At a time when many companies have only recently completed their efforts to comply with the European Union’s General Data Protection Regulation (“GDPR”), California has upped the ante by passing a comprehensive consumer privacy law that many are characterizing as “GDPR-like.”
In order to cause the withdrawal of a privacy measure slated to appear on the November ballot, the California Senate and Assembly approved the California Consumer Privacy Act (CCPA) on June 27, and it was signed into law by Governor Jerry Brown the same day. The CCPA, as enacted, modified some of the provisions in the ballot measure that were considered most onerous by business interests. But, like the ballot measure, the CCPA creates an array of new consumer privacy rights—similar in some respects to the European Union’s General Data Protection Regulation (GDPR)—that will cause many companies doing business in California to reassess their collection and use of personal information and modify their business processes to accommodate the new rights. Organizations subject to the CCPA must comply by January 1, 2020.
Colorado Governor John Hickenlooper recently signed into law House Bill 1128, which will take effect on September 1, 2018. The new law requires businesses owning, maintaining, or licensing personal information of Colorado residents to maintain a written policy for disposing documents containing personal identifying information; implement appropriate security procedures to protect personal information; and comply with breach notification requirements, including an accelerated 30-day timeframe for notification to Colorado residents impacted by a data breach.
The California Consumer Privacy Act will appear on the November ballot in California. It establishes new, groundbreaking consumer privacy rights similar to some of the new privacy (GDPR) rules in Europe. Among other things, it empowers consumers to find out what information businesses are collecting about them and gives them the choice to tell businesses to stop selling their personal information.
The California Consumer Privacy Act, which could be on the ballot in November, aims to introduce a groundbreaking approach to consumer privacy that not only is likely to resonate with the state’s voters, but is also expected to have national implications – thanks to California’s reputation as a trendsetter in consumer privacy. If passed, the act will come with significant compliance challenges and costs that companies should prepare for ahead of time.
The article summarizes the impact of The US COULD Act on businesses in Germany, in particular new risks for storing personal data in the Cloud. Some of the provisions in the US CLOUD Act my collide with the provisions of the General Data Protection Regulation (GDPR) for international data transfers.
This webinar brings a diverse panel of leading security and legal professionals to examine potential exemption pitfalls, the extent of GLBA and HIPAA coverage compared to the CCPA and share real-life examples of steps organizations have taken to demonstrate reasonable security.
The January 1 effective date of the landmark California Consumer Privacy Act (CCPA) is fast approaching, but the law’s requirements remain a moving target. In this webinar we will provide an overview of the latest amendments to the CCPA, the state of the law and related regulations, and practical perspectives on CCPA compliance.
We will discuss compliance with the new California law and what might be on the horizon in California and other states.
California has long been a laboratory for innovative privacy legislation, and there were many new experiments in 2018 and 2019.
When the California Consumer Privacy Act was signed into law on June 28, it was recognized as a landmark privacy measure – and as a work in progress. Now the California Legislature has passed the first set of amendments to the CCPA, but many more issues remain to be debated and clarified.
On June 27, California enacted the nation’s most comprehensive consumer privacy law, the California Consumer Privacy Act of 2018 (CCPA). This webinar will provide an overview of the landmark privacy measure.
Morgan Lewis partner Tess Blair’s comments during Legalweek New York’s “GDPR & CCPA Are Fueling High Demand for On-Point RegTech Solutions” panel were featured in a Legaltech News article.
Morgan Lewis partner Reece Hirsch spoke with The Epoch Times for an article about the impact of the California Consumer Privacy Act.
Morgan Lewis partner and co-head of the firm’s privacy and cybersecurity practice Reece Hirsch was interviewed by Law360 for an article about significant legislative and regulatory developments expected in the cybersecurity and privacy space in 2020, including the California Consumer Privacy Act (CCPA).
Morgan Lewis partner and co-head of the firm’s privacy and cybersecurity practice Reece Hirsch spoke with The Verge about preparing for compliance with the California Consumer Privacy Act (CCPA).
Morgan Lewis partner Gregory Parks, co-leader of the firm’s privacy and cybersecurity practice, was interviewed for a Law360 article about a new law in Nevada that allows residents to opt out of the sale of their data.
Bloomberg Law Quoted: Reece Hirsch
Law360 Quoted: Reece Hirsch
Bloomberg Law Quoted: Reece Hirsch