California

Subscribe to California via RSS

This is the Data Protection Report’s second post in a series of blog posts that will break down the major elements of the CCPA which will culminate in a webinar on the CCPA in October. This blog focuses on covered entities. Stay tuned for additional posts and information about our upcoming webinar on the CCPA.

California’s new privacy law, the California Consumer Privacy Act (CCPA) grants California residents extensive new privacy rights. One of the more significant aspects of the law however, is the number of business entities to which it applies. Companies around the world must comply with the CCPA if they do business in California, collect consumers’ personal information, and determine the purposes and means of processing that information. Companies must also meet one of three criteria: (a) have annual gross revenue in excess of $25 million; (b) buy, receive, or sell personal information of at least 50,000 California consumers, households, or devices; or (c) derive at least 50% of its annual revenue from selling California consumers’ personal information. Consumer is defined as a natural person who is a California resident. The new rules may also apply to parent companies and subsidiaries that share common branding with the business.

Several U.S. states have recently introduced and passed legislation to expand data breach notification rules and to mirror some of the protections provided by Europe’s newly enacted General Data Protection Regulation (“GDPR”). See our previous blog posts on GDPR here and here.   Like their European counterparts, these state laws are intended to provide consumers with greater transparency and control over their personal data.  The California and Vermont laws, in particular, go beyond breach notification and require companies to make significant changes in their data processing operations. See our earlier post on the  California Consumer Privacy Act (“CCPA”) here.

This is a Data Protection Report post in a series of blog posts that will break down the major elements of the CCPA. Stay tuned for additional CCPA posts.

On June 28, 2018, California lawmakers enacted the California Consumer Privacy Act of 2018 (the “CCPA”) a sweeping, GDPR-like privacy law which is intended to give California consumers more control over how businesses collect and use their data.

The new law is set to take effect on January 1, 2020 which means the California legislature may still consider changes to the new law in the coming months and years. Lawmakers moved swiftly to pass the bill to preempt a November ballot initiative that would have codified more stringent rules.

A little more than one month from implementation of GDPR, companies may be tempted to relax and exhale (and if GDPR is still causing you headaches, consult our checklist). After all, the U.S. couldn’t be crazy enough to implement something as onerous and difficult, right? RIGHT?!?

Enter California, which appears likely to place an initiative on the November 2018 ballot that could bring some familiar aspects of GDPR to the sixth largest economy in the world. The proposed initiative, the Consumer Right to Privacy Act of 2018 (the “CRPA”), still needs to obtain the necessary signatures to appear on the ballot and then be passed by a majority of California voters. However, given the high profile data misuse and breach stories in the news over the past several months, the possible passage of the initiative must be taken seriously.

A new state law places California businesses on the front line in responding to federal immigration enforcement actions.  Effective January 1, 2018, AB 450 requires California employers to protect employees and their private information from warrantless “workplace raids” and I-9 form demands, and to warn employees who become targets of an immigration investigation.

In re: Google Inc. Cookie Placement Consumer Privacy Litigation, involves 24 consolidated lawsuits that were initially brought against several internet advertisers alleging violations of various state and federal privacy statutes, including the Computer Fraud and Abuse Act, the Wiretap Act and the Electronic Communications Privacy Act. In October of 2013, the District of Delaware dismissed the consolidated case, finding that “that plaintiffs have not alleged injury-in-fact sufficient to confer Article III standing” and that they had failed to “[plead] sufficient facts to establish a plausible invasion of the rights” under various statutes asserted in the complaints. However, on November 10, 2015, the Third Circuit Court of Appeals issued an order restoring some of the plaintiffs’ claims alleging that Google’s internet tracking practices violate California’s Constitution and state privacy laws.

This month, California Governor Jerry Brown signed into law five new privacy bills that the Governor said are intended to strengthen data protections for the state’s residents. The laws, effective as of January 1, 2016, implement California’s Electronic Communications Privacy Act and amend the state’s breach notification statute, among other things.

In this post, our Data Protection, Privacy & Cybersecurity team members discuss these new laws and what they mean for companies.