As anticipated, on September 29, 2020, Governor Newsom signed into law Assembly Bill 1281 incorporating an extension of time for the sunset of the employee and business to business exemptions of the California Consumer Privacy Act of 2018 (“CCPA”) to January 1, 2022.
Continue Reading Don’t Let the Sun Go Down – Governor Newsom Signs Off on the Extension of Key CCPA Exemptions for Employee and B2B Data

Over the past several weeks, the California Attorney General (“AG”) published revisions to its proposed regulations implementing the CCPA (the “Modified Regulations”), and then further revised the Modified Regulations (“Version 2”).  Despite earlier warnings to the business community that AG’s initial draft of Regulations would not materially change, we’ve now seen it happen twice.  The full redlines of both the Modified Regulations and Version 2 are available here. This article highlights what’s new, what remains the same, what we expect to have the biggest impact on businesses working toward compliance, and the lack of predictability of next moves given the growing global health crisis.  
Continue Reading CCPA Update: Oops, the CA AG Did It Again

On Thursday, October 10, 2019, only 83 days before the California Consumer Privacy Act (“CCPA”) was set to become effective, California Attorney General Xavier Becerra held a press conference, with no prior notice, and issued his long awaited proposed regulations (the “Regulations”). The hope had been that the Regulations would provide much needed guidance to businesses of all sizes and in all industries as to how to implement a law that was hastily passed in a week’s time in 2018. Instead, while the Regulations provide some clarity around the mechanisms that organizations may use to verify and respond to the various consumer requests allowed by the law, the Regulations also add even more ambiguity to a number of requirements. Even more concerning, the Regulations add some new requirements and deadlines that do not exist in the statute itself.

The Regulations include 24 pages of legalese. Every privacy lawyer I know – and I know the best and the brightest – is struggling to interpret these Regulations and what they really mean. That does not bode well for businesses who (1) are trying to run businesses and not become privacy experts; and (2) cannot afford experienced privacy counsel. And that, in turn, does not help California consumers. As I have said many times before, California can do better. I call again on all California businesses of any size, and in every industry, to submit comments to the Attorney General to let the AG know the impact on your business and the California economy. Comments are due on or before December 6.  There will also be hearings around the state December 2-5. Let’s show up and be heard.

With that, we give you a summary of the Regulations. I would say enjoy, but I know better.


Continue Reading The California AG’s Proposed CCPA Regulations are Live, but Not Ready for Prime Time

California’s Senate voted on Thursday to hold SB-561, effectively killing the bill for 2019. The CCPA gives consumers the right to sue a business for data breaches, and SB-561 would have expanded the right to sue for any violation of the CCPA, even technical privacy violations. The death of the bill means that the private right of action will remain limited to data breaches, and the California legislature will not revisit expansion until 2020 at earliest.
Continue Reading CCPA Amendment Update: Bill to Expand Private Right of Action is Dead (for Now)

The Office of the California Attorney General (AG) made its fourth stop on its statewide California Consumer Privacy Act listening tour, holding in Los Angeles a public forum on the CCPA. The forums invite public comment as the AG prepares regulations for implementing and enforcing the law. Although the AG specifically requested comment on the seven areas identified in the law for the AG’s regulation,[1] it was clear that some categories caught the attention of the public more than others. And even though the forum was structured to allow participants to provide ideas and suggestions (the AG did not respond to comments or questions presented), most commentators asked for clarity and specific direction from the AG regulations, to help decipher the reach of CCPA and its compliance obligations.


Continue Reading Attorney General Holds Public Forum on CCPA

Once upon a time, Larry Page said “you can’t have privacy without security.” California clearly agrees and may test the sincerity of Mr. Page and other tech leaders innovating in the field of connected devices with new legislation signed by Governor Brown in September.

With the ink barely dry on the infamous California Consumer Privacy Act (the CCPA)—a first-of-its-kind data privacy bill in the United States—Brown signed a new Internet of Things cybersecurity bill into law, SB 327. Perhaps not so coincidentally, both laws will take effect on January 1, 2020, marking a substantial compliance deadline for technology companies big and small.


Continue Reading Your Vacuum Cleaner, Your Coffee Maker, and Your Baby Monitor May Be Watching You, So They Better Be Secure: California Passes New Connected Device Cybersecurity Law

This afternoon, Governor Brown signed into law California Assembly Bill 375, the California Consumer Privacy Act of 2018. The law is unprecedented in the United States that it applies European-level compliance obligations akin to the now infamous General Data Protection Regulation (GDPR), which took effect only a month ago. How did this happen? California legislators rushed a bill through to avoid a ballot initiative proposed by Alastair Mactaggart. Mactaggart agreed to withdraw the initiative if a law was signed by the Governor by today. The law takes effect on January 1, 2020. (And if you think that’s a long time, then you did not just live through the last 18 months working on GDPR preparedness.)   What does AB 375 mean for organizations doing business in California? It includes new disclosure requirements, consumer rights, training obligations, and potential penalties for noncompliance, among other things.

Below are some of the key provisions:


Continue Reading California, Privacy, and the New Normal – CA AB 375 Signed Into Law

In the past five months, we’ve seen a significant shift in the direction of privacy regulation at the federal level. As discussed in our previous post, Congress voted (and President Trump signed) a resolution repealing last year’s FCC Order that imposed greater obligations on broadband Internet service providers and other carriers regarding the protection of customer data. The FCC and FTC also announced that they intend to reverse the FCC’s 2015 decision to treat broadband Internet service providers as Title II common carriers, which would effectively return jurisdiction over broadband Internet service providers to the FTC. Then, at the beginning of this month, the Ninth Circuit granted a petition by the FTC to rehear its ruling from last year that the FTC lacked authority under the FTC Act to regulate AT&T as a common carrier.
Continue Reading Times They Are A-Changin’: Oregon and Illinois Bills Latest in Push by States to Regulate Internet Privacy