The “Look Back” Requirement of the California Consumer Privacy Act of 2018

So while the California Consumer Privacy Act of 2018 won’t take effect until 2020 (or later depending on when the regulations are issued), when it does go into effect, part of it will require companies that are subject to the act to have kept records of the data collected within the 12 months prior to the effectiveness of the act. This seems a little retroactive in application, and it’s legally questionable how this will be enforced, but any companies that are doing business in California should be cognizant of the application and time periods here and should have a procedure in place to track what is being collected and from whom. Additionally, when the Act does come into effect, the companies will have to inform California consumers about the data that has been collected and how it was used, especially if it was sold to or shared with third parties. Having a procedure in place to track it now is important.

Updates to the California Consumer Privacy Act of 2018

We introduced the California Consumer Privacy Act of 2018 (CCPA) before, and there have been some updates since then. While the CCPA was to take effect on January 1, 2020, the date of effectiveness and the date when the California Attorney General has to promulgate the regulations for same have been pushed back to July 1, 2020. Similarly, the time of enforcement of same is to be that date if the regulations are published then and, if not, then six months from the date of publication of the regulations.


There was lobbying in California regarding the private right of action in the CCPA and there was some language added to clarify the limits of consumer suits against companies.

On the federal level, Senator Marco Rubio introduced what he called the American Data Dissemination Act (and used the acronym “ADD Act”), which he presents as a federal data protection bill that would require the FTC to promulgate national regulations on data protection and would explicitly preempt state laws like the CCPA. It is to be based on the antiquated Privacy Act of 1974. Without specific statutory language or regulations on the ADD Act, it’s unclear what the reasons for its genesis are. If it were to follow the European model, an entirely new statutory scheme would likely be needed. The purpose could also be to halt the rise of 50 different data protection laws, one from each state. In any event, the members of Congress have been getting heavily lobbied by the US Chamber of Commerce and other business groups. It should be interesting to see how it all plays out. Companies should not, however, presume that the CCPA will be preempted and should begin to prepare for same now.

GDPR’s Restrictions on “Processing” of Personal Data

At the heart of it, the European Union’s new data privacy legislation, the General Data Protection Regulation (“GDPR”), restricts what the companies that hold or manipulate personal data of individuals can do with it, and what type of consent is required for what acts. Like all regulations, there are a number of defined terms, which must be understood to grasp the coverage of the GDPR. In summary, it covers a lot of activities that companies may not have thought would be regulated.