AB 25 Passes the California Assembly – and Excludes Employee Information from Coverage under the California Consumer Privacy Act (the “CCPA”)

By Joseph Lynyak and Samir Islam On May 29, 2019, the California Assembly took a major step to rationalize the coverage of the CCPA by excluding employee information from the definition of “consumer.”   Specifically, the term “consumer” was amended to exclude  a person whose personal information has been collected by a covered business in the… Read More

SB 561 Held in Committee-Private Right of Action under the CCPA Confined (for Now)

On Thursday, March 16, 2019, the California Senate Appropriations Committee held in Committee SB 561, which would have greatly expanded the private right of action (i.e., the ability to bring private class actions) available under the California Consumer Privacy Act (“CCPA”). SB 561 was introduced in February by California Attorney General (“AG”) Xavier Becerra and Senator Hannah-Beth Jackson. Notably, the bill sought to amend the existing private right of action to cover all violations of the CCPA, as opposed to merely data breaches. Additionally, the bill would have discontinued the 30-day cure period, whereby businesses were immunized from penalization by the AG to the extent they were able to cure an alleged violation within 30-days’ notice thereof, and would have eliminated businesses’ and third parties’ entitlement to seek interpretive guidance regarding compliance from the AG (and instead would authorize the AG to publish general guidance).

Potentially Expanded Private Right of Action Increases Risk of Class Action Exposure Under the California Consumer Privacy Act

As companies were getting up-to-speed on the effects of the European Union’s General Data Protection Regulation (GDPR) last year, California quickly enacted its own privacy law, the California Consumer Privacy Act (“CCPA” or “Act”) last June. We address below the high risk associated with the CCPA and its interaction with regulations in key U.S. industries. The fast-passed legislation was designed to avoid a November 2018 ballot initiative on the subject, and was plagued by errors and ambiguities that require robust clarification.  The Act’s take-away, however, was abundantly clear – California consumers have a right to know what personal data companies are collecting and are empowered to bring a private right of action for a data breach (and even potentially for other violations of the Act). 

Jail Time for Executives? Federal Privacy Proposals Have Teeth

2019 will bring significant privacy law changes in the U.S. These changes will require significant compliance efforts by companies operating in the U.S. this year. It is still an open question as to whether those compliance efforts will be in connection with a new federal privacy law or the California Consumer Privacy Act of 2018 (CCPA). Numerous companies and members of Congress are calling for federal legislation. Momentum is building. However, unless legislative action is immediate in the new Congress, it is time for companies to begin efforts to comply with the CCPA, if they have not already done so.

SEC Report on Internal Controls, Cybersecurity

Cyber-security has become – or perhaps should be – a key area of concern for every enterprise. The risks are substantial for the firm, its shareholders, executives and customers as recent cases illustrate. Every enterprise large or small is a potential victim. The losses can and often are substantial not just in dollars but also in trust, customers and more. The Commission has issued guidance. The agency has also brought enforcement actions.

Now, however, the Commission has issued a report based on nine investigations of firms involved in a variety of industries, cautioning about cyber risks in the context of the firm’s obligations to maintain proper internal controls. Report of Investigation Pursuant to Section 21(a) of the Exchange Act Regarding Certain Cyber-Related Frauds Perpetrated Against Public Companies, October 16, 2018. 

Extraterritorial Application of The GDPR

By:  Ron Moscona, Jamie Nafziger and Clint Conner The EU General Data Protection Regulation (GDPR), which is billed as the most important development in data privacy regulation in at least 20 years, arrived with a bang in May of this year and companies have been scrambling to implement compliance measures that will avoid its stiff… Read More

Will California’s New Privacy Law be Preempted? Federal Hearings and Public Comments Begin

Although numerous attempts have been made to pass a comprehensive U.S. privacy law over the years, this one might actually succeed. Efforts have begun on multiple fronts. From Senate Commerce Committee hearings to several federal agencies vying for which will lead a federal regulatory effort, privacy is a hot topic in Washington, DC. Businesses should take immediate action to enter the discussions if they have not already done so. Comments on a proposed federal framework are due October 26, 2018. The Commerce Committee will hold additional hearings in October. Industry is coming to the table in an attempt to avoid facing a jumble of inconsistent state privacy laws.

Digital Assets a Focus Point for Regulators

By:  Genna Garver, Daniel Baich, Kimberly Frumkin As investor interest in cryptocurrencies has picked up, government agencies and non-governmental organizations tasked with protecting investors are taking a harder look at these virtual investment products. While the Securities and Exchange Commission (SEC), the Commodity Futures Trading Commission (CFTC), Financial Industry Regulatory Authority (FINRA), and the National Futures Association… Read More

Will California’s New Privacy Law be Preempted? Federal Hearings and Public Comments Begin

Although numerous attempts have been made to pass a comprehensive U.S. privacy law over the years, this one might actually succeed.  Efforts have begun on multiple fronts.  From Senate Commerce Committee hearings to several federal agencies vying for which will lead a federal regulatory effort, privacy is a hot topic in Washington, DC.  Businesses should take immediate action to enter the discussions if they have not already done so.  Comments on a proposed federal framework are due October 26, 2018.  The Commerce Committee will hold additional hearings in October.  Industry is coming to the table in an attempt to avoid facing a jumble of inconsistent state privacy laws.

Updated Alert: Governor Brown Signs Amendments to the California Consumer Privacy Act of 2018

By:  Joseph Lynyak, Robert Cattanach, and Sam Bolstad 1. Introduction On June 28, 2018, the California Legislature unanimously passed, and the Governor immediately signed, a sweeping expansion of data privacy protections for residents of California.1 Assembly Bill No. 375, entitled the “California Consumer Privacy Act of 2018” (the “CCPA”), goes far beyond current U.S. privacy protections,… Read More

Post navigation