Privacy & Data Security

California Consumer Privacy Act

CCPA Compliance News

Fox Rothschild monitors the latest developments in California's implementation and enforcement of the California Consumer Privacy Act (CCPA) to keep clients ahead of the compliance curve. The law took effect on Jan. 1, 2020, but California state lawmakers continue to consider amendments and other measures that could affect companies' obligations. Check this page for updates from our Privacy Compliance & Data Security Blog:

Recent Blog Posts

  • CCPA Regulations: Are Session Cookies Unique Personal Identifiers? Commenters on the final California Consumer Privacy Act regulation queried: “Are session cookies a ‘unique personal identifier’?” The California Attorney General replied: Maybe, depending on the context. A “unique personal identifier” is a persistent identifier that can be used to recognize a consumer. If a session cookie cannot be used to recognize a consumer, family or device that is linked to a consumer or family, over time and across services, it would not fall within this definition. This is fact-specific and contextual and you... More
  • CCPA Regulations: What Does it Mean to Permanently Delete Data? Commenters on the final California Consumer Privacy Act (CCPA) regulations asked specifically what it means to delete personal information under CCPA. The California Attorney General’s response? You decide. ... More
  • CCPA Regulations: Opt Out and the Privacy Notice Commenters to the final California Consumer Privacy Act (CCPA) regulations asked if it is possible to provide information about, and access to, the “Do Not Sell” link and/or opt-out opportunity in the privacy notice. The California Attorney General’s answer: No. The notice of right to opt out is a separate obligation from the CCPA’s requirements for a privacy notice. The requirement to provide a clear and conspicuous link to “Do Not Sell My Personal Information” is a separate obligation from what a... More
  • CCPA Regulations: Free Stuff and Financial Incentives Commenters on the final California Consumer Privacy Act (CCPA) regulations asked: if a company gives you a product without charge but in consideration for your information, could that still be deemed a financial incentive requiring the company to calculate and disclose the value of the consumer’s data? The California Attorney General’s answer: Yes. If you offer a service or a product in exchange for data, you are bound by the “financial incentive” and “price difference” requirements to the same extent as if... More
  • Key Takeaways From the IAPP’s CCPA Enforcement Keynote Session Compliance takeaways from the International Association of Privacy Professionals (IAPP) California Consumer Privacy Act (CCPA) Enforcement Keynote Session: It is important for businesses to understand the law. It is complex and has many nuances. Your customers are looking, your competitors and your employees are looking, and the CA AG is looking at the private class actions to see if there is something they should independently enforce. You will have a hard time navigating without being compliant with CCPA. View a video of the presentation.... More
  • CCPA Regulations: To Whom Does the Gramm Leach Bliley Carve-Out Apply? Comments to the final California Consumer Privacy Act regulations asked if the CCPA carve-out regarding the Gramm Leach Bliley Act (GLBA), the data protection law governing US financial institutions, applies to: financial institutions under GLBA; service providers that must comply with GLBA; sources of information that are subject to GLBA. The California Attorney General’s answer: No. The exemption does not extend to entities subject to GLBA, nor to sources subject to GLBA. Rather, it applies to personal information collected, processed, sold or disclosed pursuant... More
  • CCPA Regulations: Attorney General Addresses Transparency in Algorithms Comments on the final California Consumer Privacy Act (CCPA) regulations asked if data brokers should be required to identify the factors they use in algorithmic decision-making practices that affect the consumer, such as consumer scores. The California Attorney General responded: Inferences derived from personal information to create a profile about a consumer are personal information under CCPA. If a data broker collects this type of personal information, they would need to disclose it in a response to a verifiable access request. Per... More
  • CCPA Regulations: Access Requests and Litigation Comments to the California Consumer Privacy Act (CCPA) final regulations asked: “If you get an access request and you know that the underlying motive for it is to conduct discovery for the purpose of contemplated litigation, do you have to comply with the access request?” The California Attorney General’s Response: Yes. There is no exception that lets you refuse for this reason. This is very much in line with European Union supervisory authorities’ approach and some case law regarding this question. See this... More
  • Effort to Extend CCPA’s Employee and B2B Exemptions Advances To extend or not to extend? AB 1281, extending the employee and B2B exemptions for the California Consumer Privacy Act, has been amended in the California Senate. Previously a bill dealing with limitations on facial recognition, the legislation now focuses only on the CCPA exemptions. If passed, the exemption, currently set to expire on January 1, 2021, will be extended until January 1, 2022. Credit for the news to colleague Alanna Elinoff. Read the full text of the bill.... More
  • CCPA Regulations: What Are Reasonable Security Procedures and Practices? Under the California Consumer Privacy Act (CCPA), a data breach resulting from a lack of “reasonable security procedures and practices” gives rise to a private right of action (e.g. for a class action lawsuit). Comments to the final CCPA Regulations asked the California Attorney General for more explicit guidance as to what constitutes such measures. The answer: This is a fact-specific determination and would be too limiting to prescribe. What to do in the meantime? Use a known data protection framework: e.g. NIST... More