Skip to content

On Thursday, October 10, 2019, only 83 days before the California Consumer Privacy Act (“CCPA”) was set to become effective, California Attorney General Xavier Becerra held a press conference, with no prior notice, and issued his long awaited proposed regulations (the “Regulations”). The hope had been that the Regulations would provide much needed guidance to businesses of all sizes and in all industries as to how to implement a law that was hastily passed in a week’s time in 2018. Instead, while the Regulations provide some clarity around the mechanisms that organizations may use to verify and respond to the various consumer requests allowed by the law, the Regulations also add even more ambiguity to a number of requirements. Even more concerning, the Regulations add some new requirements and deadlines that do not exist in the statute itself.

The Regulations include 24 pages of legalese. Every privacy lawyer I know – and I know the best and the brightest – is struggling to interpret these Regulations and what they really mean. That does not bode well for businesses who (1) are trying to run businesses and not become privacy experts; and (2) cannot afford experienced privacy counsel. And that, in turn, does not help California consumers. As I have said many times before, California can do better. I call again on all California businesses of any size, and in every industry, to submit comments to the Attorney General to let the AG know the impact on your business and the California economy. Comments are due on or before December 6.  There will also be hearings around the state December 2-5. Let’s show up and be heard.

With that, we give you a summary of the Regulations. I would say enjoy, but I know better.

Continue Reading The California AG’s Proposed CCPA Regulations are Live, but Not Ready for Prime Time

On July 24, 2019, the FTC announced a $5 billion settlement with Facebook to address Facebook’s alleged violations of the FTC Act and its 2012 consent order with the FTC. The settlement comes as no surprise to the privacy community – Facebook has been closely scrutinized by the public and regulators since the Cambridge Analytica data incident in March 2018 and indicated to investors earlier this year that it anticipated a fine from the FTC between $3 and $5 billion.

We have read the complaint, settlement, and press releases issued by the FTC and Facebook, and provide our thoughts below on what it means for business: Continue Reading Business Takeaways from the FTC $5 Billion Settlement with Facebook

Trend Micro, a cybersecurity solutions provider, recently reported that it blocked ~5 million hacking attempts of IP-connected cameras in just the last 5 months. This means that a hell of a lot of people are trying to hack into Internet-connected cameras. But why?

Continue Reading Watching Me, Watching You—IoT Camera Hacks Surge

An Internet advertising agency that specializes in lead generation for law firms failed to properly secure databases that included the records of about 150,000 individuals. The ad agency, X Social Media, utilizes campaigns on Facebook that target potential plaintiffs for personal injury cases, medical malpractice lawsuits, and mass tort claims. Since the Facebook ads that X Social Media uses to generate these leads are designed to collect and store medical information along with contact details, the database records themselves likely trigger many state breach notification statutes that list “medical information” as “personally identifiable information” — including California’s.

Continue Reading Just Ahead of CCPA, Ad Agency Fails to Secure Leads Data

The California Assembly had a busy May hearing amendments that might clarify (or further muddy) the California Consumer Privacy Act (“CCPA”). With four new bills approved by the Assembly in the final week of the month, May saw a total of 10 CCPA-related bills pass through the Assembly and on to the Senate. We covered a number of these in our last update. Here’s a rundown of the 10 bills: Continue Reading CCPA ABs – the Latest Alphabet Soup

On May 29, 2019, Nevada’s SB 220[1] became law, amending Nevada’s Privacy Law (2017).[2] The existing Nevada Privacy Law is similar to California’s Online Privacy Protection Act (2004), by requiring a conspicuously posted privacy policy. The new SB 220 resembles the new California Consumer Privacy Act (“CCPA”) but is more narrow in application and scope.

Continue Reading Nevada’s New Privacy Law Has Data Sale Opt-Out Rights

California’s Senate voted on Thursday to hold SB-561, effectively killing the bill for 2019. The CCPA gives consumers the right to sue a business for data breaches, and SB-561 would have expanded the right to sue for any violation of the CCPA, even technical privacy violations. The death of the bill means that the private right of action will remain limited to data breaches, and the California legislature will not revisit expansion until 2020 at earliest. Continue Reading CCPA Amendment Update: Bill to Expand Private Right of Action is Dead (for Now)

Many organizations are committing considerable resources to preparing for compliance with  the California Consumer Privacy Act (CCPA), a process that is complicated by the large number of pending proposed legislative amendments. We won’t rehash the history here. As you know, the Act has an effective date of January 1, 2020, and the Attorney General can enforce the Act on July 1, 2020 (or six months after issuing regulations). This post is meant to bring you up to speed on some of the key proposed amendments to the CCPA (there are many more not addressed here) and where they are in the California legislative process. This process is constantly in flux, so keep a close eye on the text and history of these bills (some of which are linked below).

Continue Reading The CCPA Amendments – What’s the Deal?