Topic: CCPA

California AG Issues Significant Changes to Draft CCPA Regulations as of March 2020

By Jeewon Kim Serrato (US) and Susan Ross (US) on April 9, 2020 Posted in CCPA

Data Protection Report - Norton Rose Fulbright

On February 7, 2020, and again on March 11, 2020, the Office of the Attorney General (OAG) issued revisions to the proposed California Consumer Privacy Act (CCPA) regulations, and there are some surprises in both the additions and in the deletions. For the CCPA regulations to become effective on July 1, the final regulation text must be filed with the Secretary of State by May 29.

Click here for the text of modified regulations. Our white paper with a summary of the changes is available for download here.… Continue Reading

State of the Union: CCPA and Beyond in 2020

By Jeewon Kim Serrato (US) and Susan Ross (US) on January 13, 2020 Posted in CCPA

Data Protection Report - digital privacy, CCPA and cybersecurity

On New Year’s Day, you may have received emails from numerous companies saying their privacy policies have changed, or noticed a link at the bottom of many companies’ homepages stating “Do Not Sell My Info.” These are two of the more visible requirements of the California Consumer Protection Act (CCPA) and companies are still in the process of rolling out other requirements. For those of you that are in the EU or doing business with companies that offer products or services to EU residents, this might have felt like the movie “Groundhog Day.”

To understand the various approaches to CCPA … Continue Reading

The Privacy Officers’ New Year’s Resolutions

By Marcus Evans (UK) and Janine Regan (UK) on January 6, 2020 Posted in CCPA, Compliance and risk management

1. Brace yourself (for export turbulence)

2020 could well be a year of data export turmoil – so brace yourself.

The Court of Justice of the European Union (CJEU) will determine the validity of the EU Standard Contractual Clauses (SCCs) (Data Protection Commissioner v Facebook Ireland Limited, Maximillan Schrems) whilst the General Court of the EU will consider the future of Privacy Shield (La Quadrature du Net v Commission).

The Advocate General (AG) delivered his non-binding opinion on the SCCs just before Christmas (see our blog post). Although the AG’s view was that the SCCs are valid, … Continue Reading

Here We Go Again: Another Ballot Initiative for CCPA in 2020

By David Kessler (US) and Susan Ross (US) on December 2, 2019 Posted in CCPA

As companies get ready for the California Consumer Privacy Act’s (CCPA) effective date of January 1, 2020, compliance is complicated because there are still several moving variables:

Draft regulations have been proposed but may not be final until after January 1, 2020.
The recent amendments to CCPA include two important exceptions (business-to-business (B2B) and the “employee” exceptions) that sunset on December 31, 2020. It is anticipated that amendments to CCPA will be introduced in the California legislature during the 2020 session on these topics and others.
A ballot initiative to amend CCPA may be presented directly to California voters. The

California Governor signs all 5 CCPA amendments

By Jeewon Kim Serrato (US) and Susan Ross (US) on October 14, 2019 Posted in CCPA

Norton Rose Fulbright - Data Protection Report blog

On Friday, October 11, 2019, the California Governor signed all five of the California Consumer Privacy Act amendments that were awaiting his signature (AB 25, 874, 1146, 1355, and 1564) as well as an amendment to California’s data breach law (AB 1130). We had previously written about the impact on CCPA if all five amendments went into effect here.… Continue Reading

Mic Drop: California AG releases long-awaited CCPA Rulemaking

By David Kessler (US), Jeewon Kim Serrato (US), Susan Ross (US), Anna Rudawski (US) and Max Kellogg (US) on October 11, 2019 Posted in CCPA, Compliance and risk management

On October 10, 2019, with just weeks to go until the law goes into effect, the California Attorney General released the long-awaited draft regulations for the California Consumer Privacy Act (CCPA).

The proposed rules shed light on how the California AG is interpreting and will be enforcing key sections of the CCPA. In the press release announcing the proposed regulations, Attorney General Becerra described CCPA as “[providing] consumers with groundbreaking new rights on the use of their personal information” and added, “It’s time we had control over the use of our personal data.”… Continue Reading

And then there were five: CCPA amendments pass legislature

By Jeewon Kim Serrato (US) and Susan Ross (US) on September 17, 2019 Posted in CCPA, Compliance and risk management, Enforcement

Executive Summary

The wait is over: Only five CCPA amendments made it through the California legislature. The amendments are limited in scope, which means the CCPA will go into effect, largely intact, on January 1, 2020.

The California legislative session for 2019 ended on September 13 and the following five amendments to the California Consumer Privacy Act (CCPA) were passed: AB 25, 874, 1146, 1355, and 1564. They now move to the Governor’s desk, where he has 30 days to sign or veto them.… Continue Reading

CCPA: “Wait and see” is not the right approach

By Chris Cwalina (US), David Kessler (US), Steve Roosa (US), Jeewon Kim Serrato (US) and Susan Ross (US) on August 29, 2019 Posted in CCPA, Compliance and risk management

We are seeing companies use many different approaches to the California Consumer Privacy Act (“CCPA”) compliance, but the “wait and see” approach in particular is not advisable.

Companies who want to “wait and see” point to the pending amendments to CCPA that are currently working through the California Senate (as we have previously described—see links below). Others point to the California Attorney General regulations that will be released in draft form in the next few months, which should provide some guidance to implementing CCPA.

Those statements are indeed accurate, as far as they go. However, they neglect the fact that … Continue Reading

One-Month Countdown to Pass CCPA Amendments Begins

By Jeewon Kim Serrato (US) and Susan Ross (US) on August 12, 2019 Posted in CCPA, Compliance and risk management, Enforcement

On August 12, the California legislature returns after its summer recess. Starting with the Senate Appropriations Committee Hearing today, the legislature will now have approximately a month to continue the markups and send California Consumer Privacy Act (CCPA) amendments to the Governor’s desk for signature before the September 13 deadline. As previously reported, any amendment that passes from the Senate will likely need to go back to the Assembly since many of them have been marked up significantly by the Senate. Below is a summary of the seven amendments that are moving forward and what they mean for businesses who … Continue Reading

Back At The Negotiating Table: CCPA Amendments Debate Continues

By David Kessler (US), Jeewon Kim Serrato (US), Susan Ross (US) and Anna Rudawski (US) on July 16, 2019 Posted in CCPA

In a 12-hour marathon hearing, the California Senate Judiciary Committee on July 9, 2019, debated, struck down, scaled back and put back on the negotiating table key amendments to the California Consumer Privacy Act (“CCPA”).

Read below to find out what happened to the much-anticipated “employee exception” bill, “customer loyalty program” bill, and the bill to remove the toll-free number requirement.… Continue Reading

“What’s cooking” in Sacramento: CCPA’s “employee exception” bill is amended; “publicly available information” exception is broadened, and consumer access rights are clarified

By Jeewon Kim Serrato (US) and Susan Ross (US) on July 3, 2019 Posted in CCPA, Compliance and risk management

This is the Data Protection Report’s eleventh blog post in a series of CCPA blog posts. Stay tuned for additional posts on the CCPA.

As America prepares for the Fourth of July holiday weekend, the California legislature continues to work on amending the California Consumer Privacy Act (“CCPA”), as it races to get modifications passed through the state legislature before it adjourns for the 2019 calendar year. On June 28, one of those bills, AB 25, the “employee exception” bill was significantly amended by the Senate Judiciary Committee and appears to move forward, despite a recent political setback last month … Continue Reading

Nevada, New York and other states follow California’s CCPA

By Jeewon Kim Serrato (US) and Susan Ross (US) on June 6, 2019 Posted in CCPA, Compliance and risk management

The US privacy law landscape continues to shift and evolve as state and federal privacy legislative proposals continue to be debated and become enacted.

While CCPA-like bills in Washington and Texas failed to pass, Nevada passed its online privacy amendment and proposals in New York and Washington, DC appear to be gaining momentum.… Continue Reading

CCPA: “Attorney General Amendment” Likely Dead

By David Kessler (US), Spencer Persson (US), Steve Roosa (US), Jeewon Kim Serrato (US) and Susan Ross (US) on May 17, 2019 Posted in CCPA, Compliance and risk management

This is the Data Protection Report’s ninth blog post in a series of CCPA blog posts that will break down the major elements of the CCPA. Stay tuned for additional posts on the CCPA.

On May 16, 2019, the California Senate Appropriations Committee held a hearing that included S.B. 561, the “Attorney General amendment” to the California Consumer Privacy Act (“CCPA”). The bill is being held in committee and under submission, which means the bill has been blocked and is likely dead.… Continue Reading

GDPR, CCPA and beyond: Changes in data privacy laws and enforcement risks to monitor in 2019

By Jeewon Kim Serrato (US) and Daniel Rosenzweig (US) on February 27, 2019 Posted in CCPA, Compliance and risk management, Enforcement

This is the Data Protection Report’s eighth blog post in series of CCPA blog posts that will break down the major elements of the CCPA. Stay tuned for additional posts on the CCPA.

With significant enforcement activity and new laws being enacted or proposed since the start of the year, regulators in the EU and the US, several US states, and the US Congress are showing they mean business in terms of data privacy.

To help companies best protect consumer data and remediate enforcement risks, we provide below an overview of the following:

two noteworthy recent EU and US

Comments at CCPA public forum in Los Angeles highlight tensions between businesses and consumer rights groups

By Jeewon Kim Serrato (US) and Arleen Fernandez (US) on January 31, 2019 Posted in CCPA, Compliance and risk management

This is the Data Protection Report’s seventh blog post in series of CCPA blog posts that will break down the major elements of the CCPA. Stay tuned for additional posts on the CCPA.

On January 25, 2019, the California Attorney General’s Office held a public forum in Los Angeles to solicit feedback on the California Consumer Privacy Act of 2018 (“CCPA”) as it prepares to draft regulations which must be adopted on or before July 1, 2020. CCPA provides new rights to California consumers with respect to the collection and use of their personal information. The CCPA authorizes the Attorney … Continue Reading

California Attorney General’s Office begins CCPA rulemaking process with first public hearing while Congress debates new federal privacy law

By Jeewon Kim Serrato (US) and Arleen Fernandez (US) on January 14, 2019 Posted in CCPA, Compliance and risk management

This is the Data Protection Report’s sixth post in a series of CCPA blog posts that will break down the major elements of the CCPA. Stay tuned for additional CCPA posts.

The California Consumer Privacy Act of 2018 (“CCPA”), California’s new privacy law which takes effect on January 1, 2020, requires the Attorney General to adopt implementing regulations that further the objectives of the CCPA. Much concern has been raised about the law as currently written, including by Attorney General Xavier Becerra himself. With regulations set to be issued on or before July 1, 2020, the Attorney General’s Office will … Continue Reading

CCPA extends “right to deletion” to California residents

By David Kessler (US) and Anna Rudawski (US) on September 27, 2018 Posted in CCPA, Compliance and risk management

This is the Data Protection Report’s fifth post in a series of CCPA blog posts that will break down the major elements of the CCPA, which will culminate in a webinar on the CCPA in October. This blog focuses on covered entities. Stay tuned for additional blogs and information about our upcoming webinar on the CCPA.

Following Europe’s lead and some recent high profile scandals involving the use of personal information, California passed the California Consumer Privacy Act which goes into effect on January 1, 2020. (You can find our coverage of it here.) The law, the first of … Continue Reading

California Consumer Privacy Act: Disclosure requirements

By Chris Cwalina (US), Jeewon Kim Serrato (US), Steve Roosa (US) and Tristan Coughlin* (US) on September 11, 2018 Posted in CCPA

This is the Data Protection Report’s fourth blog posts in a series of CCPA blog posts that will break down the major elements of the CCPA, which will culminate in a webinar on the CCPA in October. Stay tuned for additional blogs and information about our upcoming webinar on the CCPA.

The California Consumer Privacy Act (the “CCPA” or “Act”) includes significant and new disclosure requirements for businesses that collect and or sell or disclose California residents’ personal information. Below we have outlined: (1) disclosures businesses must make in their privacy policy; (2) disclosures businesses must make upon receipt of … Continue Reading

California Consumer Privacy Act: GDPR-like definition of personal information

By Chris Cwalina (US), Jeewon Kim Serrato (US), Steve Roosa (US) and Tristan Coughlin* (US) on August 27, 2018 Posted in CCPA

This is the Data Protection Report’s third blog post in a series of CCPA blog posts that will break down the major elements of the CCPA which will culminate in a webinar on the CCPA in October. This blog focuses on the CCPA’s broad definition of Personal Information. Stay tuned for additional blogs and information about our upcoming webinar on the CCPA.

The California Consumer Privacy Act (“CCPA” or the “Act”) sets a new precedent with its sweeping definition of Personal Information (“PI”). The CCPA defines “[p]ersonal information” as any information that “identifies, relates to, describes, is capable of being … Continue Reading

California Consumer Privacy Act blog series: Covered entities

By Jeewon Kim Serrato (US), Steve Roosa (US) and Alexis Wilpon (US) on August 16, 2018 Posted in CCPA, Compliance and risk management, Regulatory response

This is the Data Protection Report’s second post in a series of blog posts that will break down the major elements of the CCPA which will culminate in a webinar on the CCPA in October. This blog focuses on covered entities. Stay tuned for additional posts and information about our upcoming webinar on the CCPA.

California’s new privacy law, the California Consumer Privacy Act (CCPA) grants California residents extensive new privacy rights. One of the more significant aspects of the law however, is the number of business entities to which it applies. Companies around the world must comply with the … Continue Reading

California passes major legislation, expanding consumer privacy rights and legal exposure for US and global companies

By Spencer Persson (US), Jeewon Kim Serrato (US), Steve Roosa (US), Arleen Fernandez (US) and Anna Rudawski (US) on June 29, 2018 Posted in CCPA

This is a Data Protection Report post in a series of blog posts that will break down the major elements of the CCPA. Stay tuned for additional CCPA posts.

On June 28, 2018, California lawmakers enacted the California Consumer Privacy Act of 2018 (the “CCPA”) a sweeping, GDPR-like privacy law which is intended to give California consumers more control over how businesses collect and use their data.

The new law is set to take effect on January 1, 2020 which means the California legislature may still consider changes to the new law in the coming months and years. Lawmakers … Continue Reading