Does the CCPA Apply to Your Business?

With the CCPA going into effect soon, and the look back period already in place for the current time period, I thought it would be helpful to lay this out, as the CCPA has gone through some amendments and there is some confusion out there about the CCPA’s scope.

If your company falls into either 1 or 2 below (or both), then it is subject to the CCPA and should comply with its requirements:

1. The company (i) is a for profit business, (ii) that does business in the State of California (there is a legal test to determine this), (iii) that collects, or has collected for it, California consumer’s personal information and determines the processing of such information

AND

the company also meets at least one of the following factors: (x) it has at least $25,000,000 in annual gross revenue, (y) it buys, sells, shares or receives the personal information of at least 50,000 California consumers each year, or (z) it receives at least half of its annual revenue from “selling” California consumer’s personal information.

2. The company controls or is controlled by a business that meets the requirements in 1. above.

The California Consumer Privacy Act of 2018

So the wave of privacy laws originating in Europe has hit the United States.  On June 28, 2018, the California Consumer Privacy Act of 2018 was signed into law (referred to in this post as the “Act” or the “Law”).  It is both similar to, and distinct from, the GDPR.  Companies should absolutely not assume that if they are GDPR compliant, that they would also compliant with the California law.  The California law has broad out of state reach and violations carry serious monetary penalties, including actions from the Attorney General of the State of California, or individuals (either separately or as a class action).   Companies should make sure they are out in front of this law.  The date the Act is set to take effect is January 1, 2020. Read more

GDPR’s Restrictions on “Processing” of Personal Data

At the heart of it, the European Union’s new data privacy legislation, the General Data Protection Regulation (“GDPR”), restricts what the company’s that hold or manipulate personal data of individuals can do with it, and what type of consent is required for what acts.  Like all regulations, there are a number of defined terms, which must be understood to grasp the coverage of the GDPR.  In summary it covers a lot of activities that companies may not have thought would be regulated.   Read more

Overview of US Privacy Law

One of the current and future hot button legal issues is privacy law.  As technology progresses, how it intertwines with privacy rights is going to be an interesting area.  There are many instances where people knowing and willingly forego certain rights to privacy, like allowing certain apps to track their movements or share certain information with the world.  There are many instances where people give up part of their privacy rights without even knowing it.

There are a host of areas that people in the United States think of as “privacy” rights, some of which are (1) our individual right to choosing to be alone (to not be taped or viewed in private), (2) decisional privacy (right to contraception, access to abortion, right to marry whomever you choose, right to procreate), (3) information privacy (right to not have your information disclosed to third parties), and (4) others. Each of the privacy rights that we hold as individuals may arise from different areas of law including constitutional law, statutory law, agency regulations and even social norms. Read more