On February 7, 2020, the California Attorney General released its revised draft implementing regulations for the California Consumer Privacy Act. The revised regulations are not yet final. The California AG will accept written comments regarding the updated regulations until 5:00 pm (PST) on Tuesday, February 25, 2020. The following is a high-level overview of the key new requirements under the updated regulations that are important for businesses to consider in connection with their CCPA compliance…
Along with changes brought by the CCPA, companies should be aware of other important privacy developments that went into effect in early 2020. Notable changes to data breach notification laws in California, Illinois, Oregon, and Texas promise to have a significant impact on businesses experiencing security incidents and signal a movement towards stricter and more demanding requirements in this space. California Amends Definition of Personal Information for Breach Notification The definition of personal information…
With the world’s attention on the California Consumer Privacy Act (CCPA), it’s easy to overlook the privacy storm that is brewing throughout the rest of the country. As of February 10th, eleven other states (in addition to California and Nevada) have either released new or revived old data privacy and protection bills that did not pass during last year’s legislative sessions. Although the status of the majority of these bills is uncertain – as many…
The European Union’s highest court, the Court of Justice of the European Union (CJEU), is evaluating the legitimacy of the EU standard contractual clauses (SCC). SCCs have been the bedrock of cross-border personal data transfers outside the EU for many years. Today, the advocate general (a.g.) has rendered an opinion on the Schrems II case. By way of brief background, Schrems II is a case before the Court of Justice of the European Union (CJEU)…
The requirements of the California Consumer Privacy Act enter into force 1 January 2020, and impose an array of requirements on companies that are subject to the law. Among them are obligations related to the sharing of “personal information” [Section 1798.140(o)] that obligate businesses to push down contractual limitations on service providers and other recipients of personal information and to offer California “consumers” [Section 1798.140(g)] the right to opt out of disclosures that qualify as…
In 2018, California enacted the California Consumer Privacy Act (“CCPA”), the first state-level “omnibus” privacy law, which imposes broad obligations on businesses to provide state residents with transparency and control of their personal data. This year, Maine and Nevada have followed suit and passed legislation focused on consumer privacy, and Pennsylvania has a consumer privacy bill currently under legislative review. Other states in which US companies do business saw similar legislation, such as Hawaii, Illinois,…
The best time to plant a tree was 20 years ago. The second best time is now. – Chinese ProverbIn fewer than 6 months, the requirements of the California Consumer Privacy Act (“CCPA”) come into operation. With no sign that CCPA’s obligations will be materially watered down or preempted by federal legislation, companies that have not started preparing for CCPA need to do so as quickly as possible in order to meet the January 1,…
On 23 October 2015, the Portuguese Data Protection Authority (the “CNPD”) issued a statement (available in Portuguese only) outlining its position on transfers of personal data to the U.S. following the Schrems judgement. Businesses that are subject to Portuguese data protection law and engage in transatlantic data transfers would be prudent to assess and adapt those data transfers in light of the statement.What Does The CNPD Say?The CNPD makes the following key statements:Data flows under…