California Consumer Privacy Act

Subscribe to California Consumer Privacy Act

Significant New CCPA Compliance Requirements Likely on the Way

On August 29, 2023, the California Privacy Protection Agency (CPPA) posted discussion drafts of its forthcoming regulations on cybersecurity audits and risk assessments as part of the materials for its September 8, 2023, public board meeting. These draft regulations are expected to eventually become part of the CPPA’s second rulemaking package under the California Consumer Privacy Act (CCPA) since the CCPA’s amendment by the California Privacy Rights Act. The CPPA has not yet started its formal rulemaking process for cybersecurity audits and risk assessments, and it has made clear that these draft regulations are meant to facilitate CPPA Board discussion and public participation. Nevertheless, the obligations set forth in the draft rules are extensive and provide an initial window into the onerous new compliance requirements. Notable requirements put forth for discussion under the draft regulations include:Continue Reading CPPA Posts Draft Rules on Cybersecurity Audits and Risk Assessments

On March 11, 2020, the California Attorney General issued further revisions to the proposed regulations implementing the California Consumer Privacy Act (CCPA).

For context, in passing the CCPA, the legislature directed the California Attorney General to solicit broad public participation and adopt regulations to further the purposes of the CCPA. On October 11, 2019, the California Attorney General issued the first draft of the proposed regulations, imposing obligations on businesses that arguably exceeded the statutory requirements of the CCPA, which were noticed for a 45-day public comment period. On February 10, 2020, after the CCPA had gone into effect and after receiving nearly 1,700 pages of written comments and additional oral comments, the California Attorney General issued a second draft of the proposed regulations, scaling back some of these obligations and adding some helpful clarification. During the subsequent 15-day written public comment period on these proposed changes, approximately 100 written comments spanning 782 pages were submitted.
Continue Reading Third Time’s the Charm? Newest Round of Modifications to Proposed CCPA Regulations Issued by the California Attorney General

On May 29, 2019, in the midst of the legislative amendment process taking place in Sacramento for the California Consumer Privacy Act (CCPA), Nevada has passed its own CCPA-like privacy law, SB 220, taking effect on October 1, 2019, just three months before the CCPA becomes operative. The law’s main focus is to give consumers the right to opt out of the sale of certain personal information about them, though it is substantially narrower than the CCPA in many respects. Here are the key takeaways from the law:
Continue Reading Nevada Follows California in Enacting New Privacy Law Giving Consumers the Right to Opt Out of Certain Data Sales

On September 23, 2018, Governor Jerry Brown signed into law SB-1121, a bill that makes several amendments to the California Consumer Privacy Act (CCPA or the Act). The controversial privacy law, which is set to take effect in 2020, recently sparked a war of words among industry, privacy advocates, and the California Attorney General, each of whom sent letters to the California legislature urging amendments to the legislation. The California Chamber of Commerce, along with 36 business coalitions (Industry), submitted a letter to California Senator Bill Dodd in August, calling the Act “unworkable,” urging both technical and substantive cleanup of the Act, and introducing 21 proposed amendments. A coalition of 20 consumer privacy advocate groups (Advocates) responded with their own letter, highlighting the negative consequences Industry’s proposed changes would have on consumer rights.

The Industry and Consumer Advocates did not wholly disagree. Both coalitions urge the legislature to make technical fixes, such as clarification that businesses do not have to collect extra information to comply with the Act, as well as clarification of the definition of de-identified information. The California Attorney General also weighed in with comments, requesting specific amendments and additional time to issue regulations. In response to the input from these various stakeholders, the legislature amended the Act on August 31, 2018 and sent it to the Governor’s desk. This article sets forth the principal issues discussed in the letters and the legislature’s response.
Continue Reading California Consumer Privacy Act: Industry, Advocate, and Enforcement Concerns and Legislative Amendments

In a surprising twist, the California legislature rushed last week to pass one of the most comprehensive privacy laws in the country. The bill was introduced only a week prior, and within hours of passage,
Continue Reading California Enacts Sweeping Privacy Law to Avert Potential Ballot Measure