California Consumer Privacy Act

Comments to the final California Consumer Privacy Act regulations asked if the  CCPA carve-out regarding the Gramm Leach Bliley Act (GLBA), the data protection law governing US financial institutions, applies to:

  1. Financial institutions under GLBA
  2. Service providers that must comply with GLBA
  3. Sources of information that are subject to GLBA
The California Attorney General’s Answer:

Comments on the final California Consumer Privacy Act (CCPA) regulations asked if data brokers should be required to identify the factors they use in algorithmic decision making practices that affect the consumer, such as consumer scores?

The California Attorney General responded:
  • Inferences derived from personal information to create a profile about a consumer are personal

Comments to the California Consumer Privacy Act (CCPA) final regulations asked: “If you get an access request and you know that the underlying motive for it is to conduct discovery for the purpose of contemplated litigation, do you have to comply with the access request?”

The California Attorney General’s Response: Yes. There is no exception

Under the California Consumer Privacy Act (CCPA), a data breach resulting from a lack of “reasonable security procedures and practices” gives rise to a private right of action (e.g. for a class action lawsuit).

Comments to the final CCPA Regulations asked the California Attorney General for more explicit guidance as to what constitutes such measures.

The California Privacy Rights Act (CPRA) is going on the November ballot and, if passed, will bring California data protection law closer to the European Union’s General Data Protection Reguation (GDPR), implementing concepts such as:

  • data minimization
  • retention limitation
  • sensitive information limitation
  • data protection risk assessments; and
  • strong buttoning down of downstream service providers

This

On the first day the California Consumer Privacy Act became enforceable, California Attorney General Xavier Becerra issued the following public statement:

“Today we begin enforcement of the California Consumer Privacy Act (CCPA), a first-of-its-kind data privacy law in America. We encourage every Californians to know their rights to internet privacy and every business to know

The California Privacy Rights Act (CPRA) is on its way (if approved by voters in November), but what does this mean for you?

  •  First: Assess your core California Consumer Privacy Act (CCPA) compliance, enforcement starts tomorrow. July 1, 2020.
  • Second: Look beyond the consumer facing CCPA “must haves” and button down other CCPA