As part of our blog series, we share some of the most frequently asked questions that we receive from organizations across different industries regarding data privacy and security, and more specifically GDPR and CCPA. This is the second FAQ in our series.


Even though the California Consumer Privacy Act (“CCPA”) will be effective January 1, 2020, the time to plan for compliance is now.  It may seem as though you have plenty of time to prepare but it is a mistake to not start preparing. Indeed with the twelve-month lookback provisions, companies must have proper records of personal information that they collected as of January 1, 2019.

Under the CCPA, individuals have various new rights that must be detailed in a company’s just in time privacy notice (a new requirement under the Attorney General’s proposed regulations) and a company’s privacy policy, including the right to access their information, to request deletion of their information, to be informed of certain transfers of their information, to opt-out (if over 16) of or opt-in (if under 16) to sales of their information, and receive equal service and price even if they exercise their rights.

There are many nuanced questions to consider that may not be apparent on a cursory read of the CCPA or the proposed Attorney General regulations. Some basic common questions arise when companies first hear about the CCPA, as follows. Continue Reading Privacy FAQ #2 – CCPA

Similar to the months before the GDPR went into effect at the end of May 2018, companies are now actively preparing for compliance with the California Consumer Privacy Act (CCPA).  As California leads the pack of states in terms of privacy and technology laws, other states have followed suit, including Nevada.

The Nevada statute (SB 220) is an amendment to Nevada’s existing law, which requires website operators to have a privacy policy with certain disclosures. Continue Reading From the Golden State to the Silver State – Privacy Law in Nevada

With schools starting this fall, one invariably will think about the safety of their children – both online and in the real world. There are numerous security programs and apps now that tout data security technology and online measures to keep students safer in the real world classroom. The technology generally markets itself as having the ability to predict the propensity of students to conduct acts of violence in schools. In order to do so, the software offered by these companies reads our kids’ emails and social media posts insofar as they are publicly available or sent through school networks. The technology contains certain key words and phrases that trigger alerts, which are then sent to the provider’s customer, typically schools. It sounds promising and is definitely optimistic given today’s climate, which I like. But are they really getting the full picture? If a message is privately sent between students on social media as opposed to a school’s network email, it seems that the software would not have access important information indicating a kid’s nefarious plans or potential harmful activities if it were included in private interaction. It is also questionable if the limited scope of the protection services offered by these companies is worth what we give up in terms of privacy.  Continue Reading School and Student Privacy vs. Security – How to Balance

As part of our blog, from time to time we will share some of the most frequently asked questions that we receive from organizations across different industries regarding data privacy and security, and more specifically GDPR and CCPA. This is the first FAQ in our series.

What’s the Deal with the Data Protection Officer?

Not to be confused with a CPO (Chief Privacy Officer) or EU Representative, the role of data protection officer (DPO) has specific legal meaning under the GDPR. The primary role of a DPO is to ensure that the organization to which it is appointed processes the personal data of its staff, customers or any other individuals (i.e., data subjects) in accordance with applicable data protection rules. Many, but not all organizations subject to GDPR, are required to appoint a DPO, but given the unique nature of the DPO, the why, when and how of this topic is definitely at the top of our US clients’ FAQs. Continue Reading Privacy FAQ #1