CCPA

Subscribe to CCPA via RSS

On New Year’s Day, you may have received emails from numerous companies saying their privacy policies have changed, or noticed a link at the bottom of many companies’ homepages stating “Do Not Sell My Info.” These are two of the more visible requirements of the California Consumer Protection Act (CCPA) and companies are still in the process of rolling out other requirements. For those of you that are in the EU or doing business with companies that offer products or services to EU residents, this might have felt like the movie “Groundhog Day.”

To understand the various approaches to CCPA compliance, we reviewed the websites of 50 companies in the Fortune 500® and noticed a few trends:

1. Brace yourself (for export turbulence)

2020 could well be a year of data export turmoil – so brace yourself.

The Court of Justice of the European Union (CJEU) will determine the validity of the EU Standard Contractual Clauses (SCCs) (Data Protection Commissioner v Facebook Ireland Limited, Maximillan Schrems) whilst the General Court of the EU will consider the future of Privacy Shield (La Quadrature du Net v Commission).

The Advocate General (AG) delivered his non-binding opinion on the SCCs just before Christmas (see our blog post).  Although the AG’s view was that the SCCs are valid, he suggested that those using them would need to examine the national security laws of the data importer’s jurisdiction to determine whether they can in fact comply with the terms of the SCCs.  He also raised serious doubts over the validity of the Privacy Shield.  If the CJEU shares these doubts, it could influence the outcome of La Quadrature du Net.

Data localisation issues are also set to resurface during 2020.  China’s requirements are tricky, the Russian Data Localisation law now has monetary penalties and the draft Indian data protection bill also imposes localisation requirements in certain circumstances.

As companies get ready for the California Consumer Privacy Act’s (CCPA) effective date of January 1, 2020, compliance is complicated because there are still several moving variables:

  • Draft regulations have been proposed but may not be final until after January 1, 2020.
  • The recent amendments to CCPA include two important exceptions (business-to-business (B2B) and the “employee” exceptions) that sunset on December 31, 2020. It is anticipated that amendments to CCPA will be introduced in the California legislature during the 2020 session on these topics and others.
  • A ballot initiative to amend CCPA may be presented directly to California voters. The proposed initiative had originally been filed with the California Attorney General on September 25, 2019, but an amended ballot initiative was received by the Attorney General on November 13, 2019. This version has some potential surprises for companies subject to CCPA.

On Friday, October 11, 2019, the California Governor signed all five of the California Consumer Privacy Act amendments that were awaiting his signature (AB 25, 874, 1146, 1355, and 1564) as well as an amendment to California’s data breach law (AB 1130).  We had previously written about the impact on CCPA if all five amendments went into effect here.

On October 10, 2019, with just weeks to go until the law goes into effect, the California Attorney General released the long-awaited draft regulations for the California Consumer Privacy Act (CCPA).

The proposed rules shed light on how the California AG is interpreting and will be enforcing key sections of the CCPA.  In the press release announcing the proposed regulations, Attorney General Becerra described CCPA as “[providing] consumers with  groundbreaking new rights on the use of their personal information” and added, “It’s time we had control over the use of our personal data.”