Privacy & Data Security

California Consumer Privacy Act

CCPA Compliance News

Fox Rothschild monitors the latest developments in California's implementation and enforcement of the California Consumer Privacy Act (CCPA) to keep clients ahead of the compliance curve. The law took effect on Jan. 1, 2020, but California state lawmakers continue to consider amendments and other measures that could affect companies' obligations. Check this page for updates from our Privacy Compliance & Data Security Blog:

Recent Blog Posts

  • CCPA Compliance Principles CMOs Need to Keep in Mind
    The California Consumer Privacy Act has significant implications for Chief Marketing Officers. Here are some important principles CMOs should keep in mind when planning compliance efforts, included in my recent presentation to The CMO Club. Know what personal information you collect, and use, and share, and with whom. Know where that information came from. Yes, that means leads you bought, or were given, or scraped from the web. Yes, that also includes cookie information. Yes, that also includes custom audiences or adtech or targeted advertising. No, a...
  • Key Points on CCPA for Employers
    Here are some key points for employers to keep in mind related to the California Consumer Privacy Act (CCPA), which were included in my presentation to a recent meeting of Fox Rothschild’s Labor & Employment Practice Group. Most employee rights were carved out of CCPA, but only until Jan. 2, 2021. Employers that are “businesses” under CCPA must provide their employees with a CCPA-compliant privacy notice. A data breach of HR data stemming from a lack of reasonable protections could be the trigger...
  • Children’s Privacy Tops Regulators’ List of 2020 Privacy Priorities
    “European and U.S. regulators are likely to ramp up enforcement of privacy laws this year, especially children’s privacy.” “The Federal Trade Commission is looking to update Children’s Online Privacy Protection Act rules. State attorneys general offices have said they’ll focus on protecting kids’ data. Irish data privacy enforcers said children’s privacy protections will be a major focus.” Details from Bloomberg Law....
  • Florida Lawmakers Introduce Nevada-like Data Privacy Legislation
    A Florida privacy bill, resembling one passed last year in Nevada, would introduce significant new privacy notice requirements for Florida operators similar to the California Consumer Privacy Act, and require giving consumers the ability to opt out of a sale of information. The privacy “notice” would need to include several items. Most importantly, the operator would have to disclose “the categories of covered information that the operator collects through its website or online service about consumers who use [them] … and...
  • California Attorney General Issues Consumer Advisory on CCPA
    “In California we are rebalancing the power dynamic by putting power back in the hands of consumers. I encourage all Californians to take a moment to understand their new rights and exercise these rights to take control of their personal data,” wrote California Attorney General Xavier Becerra. “Becerra has issued an advisory for consumers highlighting their new rights as part of the California Consumer Privacy Act (CCPA), which went into effect on January 1, 2020. The advisory describes consumers’ basic...
  • Could California Earn Its Own Data Transfer Adequacy Status With the EU?
    “Adequacy” seems to be the hardest word. On the brink of Brexit and the UK becoming a “third country” without a so-called “adequacy” status for the cross border transfer of personal data from the European Union — Could California have its own Privacy Shield arrangement separate from the rest of the U.S.? This question emerged during the third annual review of the data-transfer agreements at the European Parliament. If the Court of Justice of the EU invalidates Privacy Shield, and California applied...
  • CA Senate Proposes Expanded CCPA Carve-Outs Related to HIPAA, Biomedical Research
    On the sixth day of CCPA the California Senate Health Committee gave to me … a HIPAA carve-out. AB 713, reported favorably by the California Senate Health Committee, would expand the exemption related to HIPAA and medical research. Specific carve-outs: De-identified PHI or medical information, provided that the business does not attempt nor actually re-identify the information; “Business associates”; Personal information collected for, or used in, biomedical research subject to institutional review board standards and the Common Rule; Personal information collected for or used in research,...
  • With Fate of Federal Privacy Law Uncertain, More States Expected to Follow California’s Lead
    “Though it’s hard to predict what will happen with regard to a federal privacy bill in 2020, the reality is that the CCPA is here and other states will surely follow,” writes Jedidiah Bracy of the International Association of Privacy Professionals. “In addition to driving policy talks in the nation’s capital, the CCPA may also become a blueprint for other U.S. states to issue their own laws. New York, Illinois and Washington state are all expected to issue draft laws in...
  • Digital Advertising Alliance’s CCPA Opt Out Tools Launch January 1
    The Digital Advertising Alliance (DAA) announced that its web- and app-based tools are expected to go live on Jan. 1, 2020, as the California Consumer Privacy Act (CCPA) takes effect. The web-based tool will enable consumers to express an opt out from sale of their personal information, including its use for interest-based advertising, by companies that collect data across sites and are offering a CCPA opt out to the sale of information through the tools. (An app version of the...
  • California AG Releases Title and Summary of CCPA 2.0 Ballot Measure
    California Attorney General Xavier Becerra released the title and summary for the CCPA 2.0 ballot initiative, the California Privacy Rights Act. Key provisions: Right to amend inaccurate information; Right to restrict the use of “Sensitive Personal Information” which includes finances, race, biometric information or information revealing health status or precise location; Data minimization (collect only what you need); Retention limitation (retain only for as long as necessary for the purpose); Increase fines for violations regarding use of children’s information; Transparency regarding automated decision making; Establish a new authority...