CCPA

Subscribe to CCPA

As if businesses did not already have enough to address with the COVID-19 pandemic and compliance with the California Consumer Privacy Act (the “CCPA”), businesses need to consider the California Privacy Rights Act (the “CPRA”), which will almost certainly be on the November ballot. Structured as an amendment to the CCPA and also known as “CCPA 2.0”, the CPRA ballot initiative was spawned by Alastair Mactaggart. You may recall Mr. Mactaggart as the real estate developer who submitted a ballot initiative that resulted in a negotiation with the state legislature to replace the initiative with the CCPA. If the CPRA is passed and becomes law, it would be effective and enforceable January 1, 2023, with certain provisions having a look-back provision.

The CPRA would establish a new category of “sensitive data” that is reminiscent of the GDPR’s definition of special categories of data but it is much broader. The definition is overly-inclusive, spanning from race, religion, and sexual orientation to financial account information and government identifiers (e.g., social security numbers). Consumers could choose to limit the use, sale and sharing of their sensitive data. Additional links on business websites may be required to “Limit the Use of My Sensitive Personal Information” in addition to the current “Do Not Sell My Personal Information” link that some businesses must now include under the CCPA.
Continue Reading The California Privacy Rights Act: CCPA Part Two

As cities and states gradually open up, companies have begun to assess under what circumstances they can re-open the workplace – and in particular, what health-related personal information can and should be collected. When it comes to monitoring employees, generally speaking, privacy and employment law are increasingly overlapping as more stringent laws are adopted, and COVID-19 has brought this overlap to the forefront. Our employment team at Hopkins & Carley has provided a number of resources and webinars on the employment-related issues of COVID-19 and what can and cannot be done (available here). Here we will focus on the intertwined privacy implications of allowing individuals – employees and non-employees – back into offices and facilities, particularly with respect to the California Consumer Privacy Act (CCPA).

What are the CCPA’s notice requirements?
Continue Reading Returning to Work: CCPA Considerations

While much of the discussion around the California Consumer Privacy Act (CCPA) has centered around organizations that collect personal information online, less attention has been directed to the requirements that may come into play when personal information is collected offline. We recently wrote about how CCPA applies to the restaurant industry specifically (you can read that blog here), but there is no question that many other industries and businesses really ought to be paying close attention to CCPA and how to comply with the various requirements. One of those is commercial real estate.

On a recent visit to a client’s office in the San Francisco financial district, I arrived in the lobby of a large commercial office building and headed to the security desk. As is common, I was asked for my ID, which I promptly surrendered. I am accustomed to having security personnel look at my ID and hand it back immediately, but this time, the gentleman behind the counter actually wrote down the details of my information before handing back my ID. As it happens, the process was unusually slow enough to give me time to look around for some privacy notice or reference to privacy practices – something that has become a bit of a habit for a privacy practitioner like myself, post-CCPA. Unsurprisingly, there was no privacy notice (or reference to a privacy notice) to be found – be it on the counter, the wall behind the counter, or anywhere else. I asked the security guard where I might be able to locate a privacy notice, but when he looked at me like I was speaking a foreign language, I knew better than to insist.Continue Reading Privacy (& CCPA) In Commercial Real Estate

Gone are the days of thinking your business only needs to comply with certain privacy laws if it’s a “tech” company – or one that handles particularly sensitive information such as health information. Under the California Consumer Privacy Protection Act (“CCPA”), which went into effect on January 1, 2020, even brick and mortar companies must provide notices of their privacy practices at the point of collection, and this includes a number of retailers, wineries and restaurants (or restaurant groups).

Not so long ago, technology and the restaurant industry were worlds apart. If you wanted a reservation, you’d leave a voicemail that would be transcribed only to be deleted shortly thereafter. Loyalty cards were punch cards with no name attached. And if the wait for brunch was too long, you’d add your first name to a scrappy list that was discarded at the end of the day, or be handed a small buzzing device to let you know when your table was ready. Those “carefree” (or data-free) days have been replaced with a multitude of interconnected applications that all require the collection of personal information in some way – and importantly, that hang on to this information for longer periods. Restaurants and restaurant groups that collect the personal information of California residents and meet any one of the CCPA thresholds (i.e., over $25 million in annual revenue, collection of data on more than 50,000 consumers or 50% of revenue from sales) must comply with California’s stringent new law. Because the definition of personal information under CCPA is very broad and includes online identifiers, email addresses, and location data, as well as offline data (just to name a few), many successful restaurant groups are likely to fall within these thresholds and be subject to the CCPA.
Continue Reading How CCPA Affects Brick & Mortar Industries: Restaurants

If it’s not already, security should be a top priority for all companies that collect and hold personal data. Companies subject to the California Consumer Privacy Act (CCPA), effective since January 1, should be even more concerned given the new consumer right of action in the event of certain security incidents, and the increase in class actions to which this will inevitably lead (more on that below).

And yet…

During a recent discussion with friends in the hospitality/travel industry, I was surprised to hear of shockingly poor security practices when they described how travelers’ information was shared and transmitted on a daily basis. I learned, for instance, that travelers’ information – especially when it comes to groups – is often sent in unprotected, unencrypted documents, such as excel spreadsheets or pdfs, to equally insecure email addresses, with multiple recipients copied. These documents, which circulate freely among various players in the ecosystem, contain hyper-sensitive information, such as passport numbers, credit card information, location, and travel dates and addresses. We are not talking about a name and a device ID, here, but troves of data that hackers would love to get their hands on.
Continue Reading Staying on Top of Security Practices

The new decade started off with a flurry of emails informing us of updated privacy notices being posted on websites in response to the California Consumer Privacy Protection Act (“CCPA”). While most people began their new year resolutions or happily watching football on January 1, 2020, some of us were busy peeling through these updated privacy notices. What our review reveals is that companies are handling the CCPA in many different ways. Some take a strict approach to the letter of the law and proposed regulations, while others outright challenge the CCPA’s broad definitions and sweeping requirements by flouting language suggesting that their original privacy policy already disclosed everything it needed to, but, paraphrasing, “we now also have to disclose the same thing this way just because of CCPA.”
Continue Reading CCPA Is Here: What Does It Look Like So Far?

The California Consumer Privacy Act (CCPA) goes live in six weeks. While many companies have been working on mapping their data for some time, others are just getting started. Some of the issues left open by the language of the CCPA and the proposed regulations have yet to be resolved, but there is no question

As part of our blog series, we share some of the most frequently asked questions that we receive from organizations across different industries regarding data privacy and security, and more specifically GDPR and CCPA. This is the second FAQ in our series.

Even though the California Consumer Privacy Act (“CCPA”) will be effective January 1, 2020, the time to plan for compliance is now.  It may seem as though you have plenty of time to prepare but it is a mistake to not start preparing. Indeed with the twelve-month lookback provisions, companies must have proper records of personal information that they collected as of January 1, 2019.

Under the CCPA, individuals have various new rights that must be detailed in a company’s just in time privacy notice (a new requirement under the Attorney General’s proposed regulations) and a company’s privacy policy, including the right to access their information, to request deletion of their information, to be informed of certain transfers of their information, to opt-out (if over 16) of or opt-in (if under 16) to sales of their information, and receive equal service and price even if they exercise their rights.

There are many nuanced questions to consider that may not be apparent on a cursory read of the CCPA or the proposed Attorney General regulations. Some basic common questions arise when companies first hear about the CCPA, as follows.
Continue Reading Privacy FAQ #2 – CCPA

Similar to the months before the GDPR went into effect at the end of May 2018, companies are now actively preparing for compliance with the California Consumer Privacy Act (CCPA).  As California leads the pack of states in terms of privacy and technology laws, other states have followed suit, including Nevada.

The Nevada statute (SB 220) is an amendment to Nevada’s existing law, which requires website operators to have a privacy policy with certain disclosures.
Continue Reading From the Golden State to the Silver State – Privacy Law in Nevada