by David A. Katz, Marshall L. Miller, and Zachary M. David
Just a month after the European Union’s General Data Protection Regulation (GDPR) took effect, California enacted the most expansive data privacy law in the United States to date. The California Consumer Privacy Act (CCPA), which is scheduled to go into effect on January 1, 2020, will impose unprecedented data obligations on companies doing business in California, requiring increased data use transparency and the observance of novel consumer data rights. Notwithstanding any GDPR compliance fatigue, companies need to take steps to prepare for compliance with the CCPA.
The CCPA was a hastily crafted legislative package passed to preempt a statewide ballot initiative set to qualify for California’s November 2018 ballot. The initiative—which promised to be even more far-reaching—was withdrawn by its ballot sponsors in exchange for passage of the CCPA. The statute remains a work in progress, with numerous legislative amendments currently under consideration and implementing regulations from the California Attorney General expected this fall.
by Craig A. Newman and Jonathan (Yoni) Schenker
In our third and final installment on the California Consumer Privacy Act’s (CCPA) expansive definition of “personal information,” we look at other sections of the CCPA that either limit the applicability of the law’s “personal information” definition or exclude information from coverage under the law.
The CCPA excludes information that otherwise meets the definition of “personal information” if the information is already governed under specified federal or state statutes or regulations. Cal Civ. Code §§ 1798.145(c-f). The CCPA also adopts a narrower definition of “personal information” when conferring a private right of action in the context of a data breach. Id. § 1798.150; see id. § 1798.81.5(d)(1)(A). As we will discuss in a later post, when a private litigant files a data breach lawsuit, the CCPA’s definition of “personal information” isn’t in play but the narrower definition from the state’s existing data breach statute is used.
Our three-part series is designed to help businesses identify whether they hold information covered under the law, while also highlighting the potential pitfalls in the definition as we await interpretative regulations from the California Attorney General and potential amendments from the state’s legislature. In Part I, we explored the breadth of the definition, which is unprecedented in the United States. In Part II, we explored the law’s two explicit exclusions from the “personal information” definition for “publicly available” and “deidentified or aggregate consumer information,” noting the lack of clarity in the language of the law. Finally, we conclude our series with a look at the rest of the statute for exclusions from, and limitations to, the information covered under the CCPA.
by Avi Gesser, Daniel F. Forester, and Mengyi Xu
One way for companies to decrease their cybersecurity risks, as well as their risks from new privacy regulations, is through data minimization—significantly reducing the amount of their data. By deleting old data and collecting less new data, companies will have less sensitive information to protect and process in accordance with their regulatory obligations. But getting rid of old data isn’t easy, in part because of the legal limitations on what can be deleted. We have previously written about these challenges, as well as the benefits of data minimization, which include reducing:
- the growth of a company’s data over time, and the associated storage costs;
- lost productivity associated with searching large volumes of irrelevant data;
- the cybersecurity and privacy risks of having large volumes of unneeded data, especially considering CCPA and GDPR-type rights of access and erasure;
- internal audit and compliance risks;
- contractual risks (e.g., obligations to clients and customers to delete data once it is no longer needed); and
- the volume of documents that may be unhelpful to the company in potential, but not yet reasonably anticipated, litigation or regulatory inquiries.
by Craig A. Newman and Jonathan (Yoni) Schenker
Our three-part series on the California Consumer Privacy Act’s (CCPA) expansive definition of “personal information” is designed to help businesses identify whether they hold information covered under the law, while also highlighting the potential pitfalls in the definition as we await interpretative regulations from the California Attorney General and potential amendments from the state’s legislature. In Part I, we explored the breadth of the definition. We now turn to the law’s two explicit exclusions from the definition of “personal information.”
The CCPA excludes two categories of information from its definition of “personal information”: “publicly available information” and “consumer information that is deidentified or aggregate consumer information.” Cal Civ. Code § 1798.140(o)(2). As we discuss below, the statute’s definitions of both terms are far from clear, and as with other aspects of the CCPA, interpretative regulations will be useful in assisting businesses as they work their way through both exceptions.
by Craig A. Newman and Jonathan (Yoni) Schenker
The California Consumer Privacy Act (CCPA) is set to become “operative” on January 1, 2020. As we have written in earlier blog posts, the CCPA is the most sweeping consumer privacy law in the country.
And the CCPA isn’t set in stone. The California Attorney General’s office recently concluded a public comment period as it prepares to draft interpretative regulations mandated by the CCPA. Not surprisingly, industry lobbyists are out in full force advocating for the legislature to amend the law. Yet with January 1st approaching, businesses potentially affected by the CCPA must start preparing for the law’s implementation.
In an effort to assist organizations in complying with the CCPA’s requirements – and all its moving pieces – we are taking a closer look over the next few months at key aspects of the law. In the event of changes to the CCPA, we will also highlight those on this blog.
by Alexis Collins and Destiny D. Dike
On April 10, 2019, the Department of Justice (“DOJ”) released a white paper titled Promoting Public Safety, Privacy, and the Rule of Law Around the World: The Purpose and Impact of the CLOUD Act. This white paper is the first official DOJ statement about the Clarifying Lawful Overseas Use of Data Act (“CLOUD Act”) and reflects the DOJ’s current perspective on its scope and implications. Below we summarize the CLOUD Act and discuss the DOJ’s key observations.
Momentum is building in Congress for federal privacy legislation and several states have their own privacy laws in the works. But, as concerns grow that companies are collecting and sharing personal information about U.S. residents without their knowledge and not adequately protecting that data, regulators and plaintiffs aren’t waiting for new laws. Instead, they are refitting existing laws to meet their data privacy and security objectives.
by Professor Lokke Moerel
“Companies will only have to deal with one single supervisory authority, not 28, making it simpler and cheaper for companies to do business in the EU.”
European Commission, at the time of the adoption of the GDPR
At the time of the adoption of the European General Data Protection Regulation (GDPR), the European Commission touted as the benefit for companies that the GDPR would bring a one-stop-shop enforcement mechanism (1SS), whereby in respect to controllers or processors with multiple establishments in the EU, the supervisory authority (SA) of the ‘main establishment’ of such controller or processor in the EU will serve as the ‘lead SA’ for its ‘cross-border processing’ activities.
In the first landmark enforcement decision under the GDPR, the French SA (CNIL) fined Google 50 million euros (the highest fine so far), despite the fact that the complaints concerned a cross-border processing in the EU, which calls for 1SS enforcement. The CNIL considered that although Google has its EU headquarters in Ireland, this Irish entity ‘did not have a decision-making power’ in relation to the purposes and means of the relevant cross-border data processing activities. For that reason, the CNIL decided that the 1SS mechanism did not apply and that the CNIL was therefore competent to make a decision.
This is noteworthy, as apparently the main complainant filed similar complaints against Instagram, Facebook, and WhatsApp with the SAs of Austria, Belgium, and Germany, which all passed the complaints to the Irish SA (as the ‘lead SA’), as these companies have their EU headquarters in Ireland.
by Lynn Haaland
The California Consumer Privacy Act (CCPA) is an important development for companies doing business in California that have revenues above a minimal threshold – which effectively means that the act will impact many of the largest companies doing business in the United States. On Monday, February 25, 2019, Senate Majority Leader Hertzberg, who represents the eastern San Fernando Valley senate district and who was recently selected as Senate Majority Leader, addressed a group in downtown San Francisco about the CCPA. Senator Hertzberg and California State Assembly member Ed Chau were the primary architects of the CCPA. For this reason, Senator Hertzberg’s comments about the CCPA are worth paying attention to.
by Allison Caffarone
Financial authorities worldwide are focused on how new technologies can be used to more effectively combat money laundering and financial crime. The UK’s Financial Conduct Authority (the “FCA”) is one of the leaders in the movement towards using financial technology (FinTech) and regulatory technology (RegTech) to fight money laundering. In the FCA’s most recent conference on this issue, which was attended by over 100 technology firms, regulators, and law enforcement agencies from the US, Europe, the Middle East, and Asia, participants were tasked with developing proposals to address fifteen problem statements relating to how new technologies can more effectively combat money laundering and financial crime. This article addresses one of the proposals that received significant attention during and subsequent to the conference.
The proposal, offered by a team from Santander Bank and others, called for financial institutions to use distributed ledger technology to develop a database of “bad actors” without requiring the institutions to share the underlying transactional data that led to the “bad actor” designation. The goal for the database was to create a money laundering detection network to benefit all financial institutions in the ecosphere without running afoul of data privacy restrictions. This “Catch the Chameleon” proposal won the “Eureka” award at the conference for the “most original idea” and, according to the FCA website, will receive “support to progress” from Level 39, RegTech Associates and The Disruption House. Following the conference, the proposal continued to receive attention from other major financial institutions. For example, Credit Suisse highlighted the proposal in its letter responding to FINRA’s request for comment on FinTech innovation, deeming the proposal worthy of exploration.
There is clearly merit behind the “Catch the Chameleon” proposal. Data and information sharing between the private and public sectors and among and between the different institutions in the private sector is essential to combat money laundering. Additionally, the use of distributed ledger technology to help facilitate the sharing of such information seems to have significant benefits, such as requiring relatively low implementation costs and allowing enforcement agencies to access a single source of data for all financial institutions in real time. However, there are at least three significant dangers of the platform or database as described on the FCA website, and in light of the heightened attention this proposal has received, these concerns are worthy of further discussion and exploration.