Update: The Governor signed the law on Friday, September 25, 2020.

Life science and healthcare companies operating in California face unique challenges regarding California Consumer Privacy Act (CCPA) compliance because of existing inconsistencies between the CCPA and the Health Insurance Portability and Accountability Act (HIPAA). California Assembly Bill (AB) 713 addresses these inconsistencies by easing burdens imposed by the CCPA on medical research and by bringing certain provisions of the CCPA in line with HIPAA and other federal and state health data regulations. At the same time, the bill will impose additional requirements on the use of deidentified health data. AB 713 has passed the California legislature unanimously and will be signed or vetoed by Governor Newsom by September 30, 2020. If signed, the bill will immediately go into effect.
Continue Reading The CCPA May Soon Be Amended to Strengthen CCPA Exemptions for Medical and Research Data

The attorney general’s office has posted a set of FAQs and corresponding responses on its California Consumer Privacy Act (CCPA) site. While aimed at providing guidance to consumers about the CCPA, the FAQs can also serve as a quick reference for businesses regarding their CCPA compliance obligations. Below are the highlights.

  • Right to Opt Out of Sale: California residents have the right to request that businesses stop selling their personal information (PI), which is an “opt-out request” that can be submitted via the “Do Not Sell My Personal Information” link that businesses must conspicuously provide on their websites and privacy policies. Businesses cannot require residents to create an account to submit opt-out requests, and if businesses ask for PI to complete these requests, they can only use such information to verify the consumers’ identities. Upon receipt of an opt-out request, a business must stop all sales of the consumer’s PI and wait 12 months before prompting the consumer to opt back in. Common exceptions to this opt-out right include sales that are necessary to comply with legal obligations and certain exempted medical or credit report information. Opt-out requests should be submitted to the businesses themselves and not their service providers, as service providers are not responsible for responding to such requests. Businesses can only sell PI of a child under the age of 16 if they have received affirmative “opt-in” consent. If the child is under the age of 13, that consent must come from the child’s guardian.


Continue Reading The AG Publishes Its FAQs on the CCPA

The California Consumer Privacy Act of 2018 (CCPA) regulates a company’s offerings of financial incentives and price or service differences related to the collection, retention, or sale of personal information. Cal. Civ. Code Section 1798.125(a)(2); Final Text of CCPA Regulations, 999.301(j), 999.307, 999.336. Although the CCPA became effective on January 1, 2020, the regulations were not issued in final form until June 1, 2020. As a result, many companies are still in the process of developing their approach to complying with the CCPA’s requirements–particularly those that relate to financial incentives. If your company offers programs that may fall within the definition of “financial incentives” or “price or service differences,” you should be aware of the CCPA’s requirements related to those types of offerings, including the requirement to provide notice of the financial incentive and disclose a good faith estimate of the value of the consumer’s data that forms the basis of the offering. The California Attorney General is expected to begin enforcing the CCPA on July 1, 2020.

Continue Reading CCPA Compliance: Financial Incentives Requirements

The California Consumer Privacy Act (CCPA) went into effect three months ago, on January 1, 2020. Although enforcement by the California attorney general cannot begin until July 1, private plaintiffs have been able to bring claims under the law’s limited private right of action since the beginning of the year.

The CCPA is already having an impact on litigation. Two high-profile cases filed after January 1 directly allege violations of the CCPA and have attracted attention. Other cases that either allege CCPA violations or otherwise cite to the statute have received less notice. Even if the cases do not result in decisions that are binding on future litigants, the arguments are worth a look because they may signal trends for which privacy litigators should be prepared. To that end, this privacy quick tip aims to paint a broader picture of how the CCPA has been referenced in litigation and identify a few potential trends to keep an eye on.
Continue Reading CCPA in Litigation: 2018 to Present

COVID-19 arrives just as the first omnibus privacy statute in the United States, the CCPA became effective. Since its January 1 effective date, we continue to wait for finalization of the CCPA regulations and enforcement that was slated for July 1. In a pandemic environment, companies, employers, and public institutions are grappling, outside the HIPAA context, with unique privacy, data security, and cybersecurity implications of their responses to the coronavirus. From a compliance perspective, businesses are considering under what circumstances they can disclose consumer or employee health conditions or geolocation information in the service of greater public health. Other companies —and governmental institutions at every level—are confronting the very real, and often opportunistic threats to data security posed by aggressive thieves who use crises as cover to commit an assortment of cybercrimes. Privacy and security requirements vary by jurisdiction, so businesses should be mindful of potentially divergent and overlapping approaches and responsibilities as the situation continues to evolve.

We offer a few updates and practical tips for best practices to promote compliance with privacy and data security requirements.

Continue Reading CCPA & COVID-19: A Practical Guide to Addressing Privacy and Data Security Implications of the Coronavirus

The California Consumer Privacy Act of 2018 (CCPA) is a sweeping new privacy statute that grants rights to consumers and imposes corresponding obligations on subject businesses. The CCPA defines consumers to mean California residents, and generally defines “business” as for-profit entities that meet certain threshold requirements. Cal. Civ. Code § 1798.140(g) (consumer), (c) (business). The CCPA went into effect on January 1, 2020.
Continue Reading Business Solutions for CCPA Compliance

On Friday the 13th of September 2019—the last day of California’s Legislative Session—California lawmakers updated, finalized and sent six bills that would amend the California Consumer Privacy Act (CCPA) to Governor Newsom’s desk for signature. Despite months of efforts from various groups, the CCPA made it through the legislative session with relatively fewer changes than

The CCPA grants consumers the right to request deletion of any personal information which a business has collected from the consumer. Cal. Civ. Code § 1798.105. It also requires a business to fulfill deletion requests, and to direct service providers to do the same, within 45 days of receiving a “verified” or “verifiable” request from the consumer. Cal. Civ. Code § 1798.140(y).
Continue Reading CCPA 12-Month Compliance Series Part 6: Retaining and Deleting Data

As we approach the California Consumer Privacy Act’s (CCPA) effective date of January 1, 2020, brick-and-mortar businesses that increasingly engage with consumers online will have to begin their compliance efforts. However, two challenges unique to brick-and-mortar businesses might hamper these efforts: (1) providing required disclosures to consumers before or at the point of data collection; and (2) knowing your data in a multi-channel environment.

The CCPA requires businesses to give consumers notice of their rights and/or data collection practices on three separate occasions: (1) in the online privacy policy [section 1798.130(a)(5)]; (2) “at or before the point of collection” [section 1798.100(b)]; and (3) in response to a verifiable consumer request. The later business obligation is straight forward. But providing privacy notices at or before the point of collection might be challenging for brick-and-mortar businesses.

Continue Reading Compliance Challenges for Brick-and-Mortars Under the CCPA