CCPA Compliance News

Fox Rothschild monitors the latest developments in California's implementation of the California Consumer Privacy Act (CCPA) to keep clients ahead of the compliance curve. The law is scheduled to take effect in 2020, but California state lawmakers are considering amendments that could affect companies' obligations. Check this page for updates from our Privacy Compliance & Data Security Blog:

Recent Blog Posts

  • Verifying Consumer Data Requests Under CCPA May Pose Business Risk “Companies need to be vigilant as they set up their consumer response processes. This ‘verified consumer’ part is no small thing. It requires a robust commitment to accurately sourcing your verification data, skill in identifying dubious requests, and some healthy skepticism wouldn’t hurt. The emphasis now is to bend over backward to help consumers to invoke their new rights, but if this is not done well, consumers will ultimately be hurt by fraudsters tampering with their data using the consumer... More
  • CISO White Paper on CCPA Compliance Guides Cybersecurity Leaders in Retail and Hospitality CISO members of the Retail & Hospitality Information Sharing and Analysis Center (RH-ISAC) published a white paper to help cybersecurity leaders in retail and hospitality prepare for compliance with the California Consumer Privacy Act (CCPA). Key recommendations from the white paper: Consider contract language that prevents third parties from selling personal information sold to them unless the consumer has received explicit notice and has been provided the opportunity to exercise their right to opt out. Consider expanding cookie opt-out functionality to go beyond Interest Based... More
  • New International Standard Guides Company Data Privacy Management The International Organization for Standardization (ISO) published a standard for companies to implement personal information management systems (PIMS). The ISO’s guidance aims to assist businesses with compliance goals and further the emphasis on personal data protection. In the wake of the detailed privacy framework requirements of the recent FTC Facebook settlement and the California Consumer Privacy Act’s (CCPA) upcoming effectuation, this standard may help establish a benchmark for companies to establish and maintain a privacy framework. Read the ISO standard here.... More
  • The Difference Between Anonymization and Deidentification Anonymization vs. Deidentification “Anonymization is hard. Just like cryptography, most people are not qualified to build their own. Unlike cryptography, the research is far earlier stage, and the pre-built code is virtually unavailable.” “Deidentification doesn’t tend to successfully anonymize data because there are so many sources of data in the world that still have identifying information in them; figure out where some identified dataset and the deidentified data align, and you’ve re-identified the dataset. If the dataset was anonymized, it would have... More
  • Compliance With Brazil’s New Privacy Law Will Be Ongoing Process “To be compliant with the Brazilian General Data Protection Law (LGPD) is a temporary status, which should be maintained on a day-to-day basis. In other words, there is no final line in the LGPD compliance program, since new projects and business plans should always be evaluated according to the new data protection rules and principles.” True for preparing for the new Brazil privacy law. Equally true for preparing for the California Consumer Privacy Act (CCPA) and for continued compliance with GDPR. Details... More
  • NY State Privacy Act Fails to Pass, Remains on Hold “Though it was hailed as a potentially groundbreaking bill, the New York Privacy Act (NYPA) failed to materialize during the state’s most recent session. Had it done so, the bill would have introduced a regulatory framework that rivaled or potentially even surpassed that of the California Consumer Privacy Act (CCPA), the first major piece of data privacy legislation in the United States.” Details from GovTech.... More
  • Multiple Proposed CCPA Amendments Survive Senate Judiciary Committee Here’s the list of California Consumer Privacy Act (CCPA) amendments that passed the Senate Judiciary Committee and will move on to the Senate Appropriations Committee for a hearing in September, reports Stacey Gray of The Future of Privacy Forum. Employee data used in context of employment relationship is out of scope BUT: (1) new disclosure requirement re: what type of information employers are collecting and the reason for doing so and (2) sunset clause for Jan 1, 2021! (AB-25). Customer loyalty programs exempted... More
  • Tips for Verifying Individual Requests for Data Access or Deletion Under CCPA and GDPR How do you verify the identity of an individual requesting access to their data or that data be deleted? The Dutch Data Protection Authority, Autoriteit Persoonsgegevens, offers guidance which can be helpful and instructive not only for GDPR but for CCPA as well: If at all possible, refrain from asking for a copy of a formal ID. Some alternatives may be: Via an existing login system. A form of two-factor authentication. For example: After receiving a request via e-mail, request a confirmation by SMS. This mobile number... More
  • Is Your Privacy Notice ‘An Incomprehensible Disaster’? A New York Times review of 150 website privacy notices argues there is still work to be done to make privacy disclosures say what the law requires and be an effective tool for the user. “The vast majority of…privacy policies exceed college reading level… That means a significant chunk of the data collection economy is based on consenting to complicated documents that many Americans can’t understand.” “Despite efforts like the General Data Protection Regulation to make policies more accessible, there seems to... More
  • Questions in Swedish DPA’s Spotify Data Access Request Inquiry Can Aid GDPR, CCPA Compliance Efforts The Swedish Data Protection Authority has initiated an inquiry into how song streaming provider Spotify handles data access requests. The questions posed in the inquiry can be useful to companies in structuring their procedures for responding to access requests under the General Data Protection Regulation and/or the California Consumer Privacy Act (especially re: profiling and encrypted data): What information is provided and how (e.g. online, in the copy of personal data or otherwise)? If only provided on the web, how do you see... More