Photo of Anna Rudawski (US)

Anna Rudawski (US)

Subscribe to Anna Rudawski (US)'s Posts
Contact:Read more about Anna Rudawski (US)

This is the Data Protection Report’s fifth post in a series of CCPA blog posts that will break down the major elements of the CCPA, which will culminate in a webinar on the CCPA in October. This blog focuses on covered entities. Stay tuned for additional blogs and information about our upcoming webinar on the CCPA.

Following Europe’s lead and some recent high profile scandals involving the use of personal information, California passed the California Consumer Privacy Act which goes into effect on January 1, 2020. (You can find our coverage of it here.) The law, the first of its kind in the US, is an omnibus privacy law for the state of California that grants individuals new rights in connection with their data – including, the right to erasure.

Several U.S. states have recently introduced and passed legislation to expand data breach notification rules and to mirror some of the protections provided by Europe’s newly enacted General Data Protection Regulation (“GDPR”). See our previous blog posts on GDPR here and here.   Like their European counterparts, these state laws are intended to provide consumers with greater transparency and control over their personal data.  The California and Vermont laws, in particular, go beyond breach notification and require companies to make significant changes in their data processing operations. See our earlier post on the  California Consumer Privacy Act (“CCPA”) here.

This is a Data Protection Report post in a series of blog posts that will break down the major elements of the CCPA. Stay tuned for additional CCPA posts.

On June 28, 2018, California lawmakers enacted the California Consumer Privacy Act of 2018 (the “CCPA”) a sweeping, GDPR-like privacy law which is intended to give California consumers more control over how businesses collect and use their data.

The new law is set to take effect on January 1, 2020 which means the California legislature may still consider changes to the new law in the coming months and years. Lawmakers moved swiftly to pass the bill to preempt a November ballot initiative that would have codified more stringent rules.

On February 12, 2018, the Article 29 Working Party (WP29) published guidance regarding Article 49 of the General Data Protection Regulation (GDPR) for public comment.  The deadline for submitting comments on the draft is March 26, 2018, and responses should be emailed to JUST-ARTICLE29WP-SEC@ec.europa.eu.

Like the current EU Data Protection Directive, the GDPR prohibits the onward transfer of Personal Data to: (1) a country that has not been deemed to provide an adequate level of protection (e.g. the U.S.); and (2) where the entity therein has committed to handle the Personal Data of European data subjects applying appropriate safeguards in accordance with Article 46 of the GDPR.  For example, organizations comply with Article 46 by implementing Binding Corporate Rules (BCRs) or Standard Contractual Clauses or by participating in a recognized certification mechanism such as the EU-US Privacy Shield Framework.  However, Article 49 of the GDPR provides for transfers to entities in a country without an adequate level of protection under a series of narrowly tailored exceptions called derogations.

On August 1, 2017, US Senators unveiled a bipartisan bill to mandate baseline cybersecurity requirements for internet connected devices purchased by the federal government. Recent attacks demonstrate that connected devices, which make up the Internet of Things (“IoT”), can paralyze websites, networks, and even components of critical infrastructure.

The draft bill, introduced by a bipartisan coalition of Senators, proposes implementation of basic security requirements for interconnected devices purchased by the federal government. Under the proposed law, federal suppliers would be required to monitor and patch cybersecurity vulnerabilities.