Employee Training and Record-Keeping Requirements in the Final CCPA Regulations and a Preview of New Retention Requirements in the CPRA

The California Consumer Privacy Act (CCPA) does not in itself outline specific employee training or record-keeping requirements that demonstrate business compliance with the law. However, the California attorney general’s final CCPA Regulations, intended to guide the application of the CCPA, detail that specific types of employee training and record-keeping are required for CCPA compliance.

Specifically, the Regulations require that people who handle inquiries related to a business’s privacy practices, CCPA compliance or CCPA-related consumer requests be trained in all aspects of the CCPA, including the Regulations. This expands a lesser requirement in the CCPA that originally required these individuals to understand only certain applicable portions of the CCPA related to consumer requests. The Regulations also require training that includes explanations to consumers of how they can exercise their CCPA rights. To accomplish this, businesses are required to develop, document and comply with a CCPA training policy.

Return to Work: What Employers Should Know About AB 1281, CCPA Notice Requirements and Recent Labor Law Guidance

While most privacy news and alerts have been focused on the collection and processing of customer data (see our earlier posts about interest-based advertising and the House Judiciary Committee’s Antitrust Hearing with Big Tech, for example), privacy issues related to data collected from employees and business-to-business (B2B) contacts increasingly are becoming a concern for businesses. As we have highlighted in the past, laws outside the U.S., like the EU General Data Protection Regulation (GDPR), have extraterritorial scope, and they provide equal protections to all natural persons, including customers, employees and B2B contacts. The California Consumer Privacy Act (CCPA) follows this global trend and defines “consumers” as California residents, thus providing the same level of rights to employees and B2B contacts who are California residents as well as customers. This article provides an overview of the latest legislative changes under the CCPA as they relate to company obligations concerning employee and B2B data, including exemptions, as well as practical tips for assessing when a company should reexamine employee and B2B privacy issues, including return-to-work (RTW) strategies.

IAB Launches CCPA Benchmark Survey

The Interactive Advertising Bureau (IAB), a leading advertising industry organization, has launched a CCPA Benchmark Survey to assess how companies across the digital advertising ecosystem are approaching CCPA compliance. The survey provides an opportunity for companies to anonymously report on their handling of various CCPA matters, including to provide statistics relating to the number of access, deletion, and “Do Not Sell” requests organizations have received, and to weigh in on the vexing issue of whether and in what context the use of cookies and other tracking technologies constitute a “sale” of “personal information” as defined in the CCPA.

Podcast: CA Privacy Law Reboot – CCPA 2.0

The California Privacy Rights Act (CPRA) is going to be on the November 3 ballot. The CPRA would amend the California Consumer Privacy Act (CCPA) to provide a greater level of rights for consumers and more stringent restrictions on data practices of businesses, including regarding the use of personal info for advertising and marketing purposes.


CCPA Final Regulations, with a Few Unexpected Changes

On Friday, August 14, 2020, California Attorney General Xavier Becerra announced approval by the Office of Administrative Law (OAL) of final regulations (Final Regs) under the California Consumer Privacy Act (CCPA). Proposed final regulations were submitted to the OAL by the Office of the Attorney General (OAG) on June 1, 2020. During OAL’s review process, additional revisions were made to the proposed regulations. The approved regulations are now, according to the OAG and OAL, in effect along with the CCPA, which went into effect on January 1, 2020. The OAG gained enforcement authority as of July 1, 2020, which will now include enforcement of the Final Regs. It has been reported that dozens of CCPA compliance investigations have commenced.

Big Day for Big Tech: CEOs Testify in House Antitrust Hearing

On Wednesday, July 29, 2020, the House Judiciary Committee’s Subcommittee on Antitrust conducted its sixth hearing into online platforms and market power, welcoming as witnesses the chief executive officers of Amazon, Apple, Google, and Facebook. The hearing lasted more than five hours and was styled as “Examining the Dominance of Amazon, Apple, Facebook and Google.” Due to COVID-19, the CEOs testified virtually, adding an ironic digital twist with the tech titans appearing together in video tiles on a screen with no big-tobacco moment standing side-by-side to take their oath.

The Subcommittee’s hearing culminated its year-long investigation into Big Tech, and the questioning was informed by requests for information posed to each tech company last September, which generated millions of pages of documents and hundreds of hours of interviews. Subcommittee Chair Cicilline opened the hearing by describing each of the tech companies as a “bottleneck for a key channel of distribution,” whether that be a channel of retail distribution, distribution of software applications, or distribution of information. Chair Cicilline began and ended the hearing by expressing concerns about the dominance of each firm and abuse of their purported monopoly power.

New York Brings Long-Awaited Cybersecurity Message Case

Ever since the New York State Department of Financial Services (DFS) instituted its first-in-the-nation Cybersecurity Regulation[1] in 2017 (covered in our post here), banks, insurance companies, and others in the financial services industry wondered what would trigger an enforcement action under its broad purview. At long last, the industry now knows. On July 22, 2020, the DFS announced a statement of charges against First American Title Insurance Company (First American) alleging violations of the regulation for not properly safeguarding customer information. Because First American stated it will contest these charges at a hearing scheduled for October 2020, the industry will have to wait a little longer for more concrete guidance from this proceeding, including the potential consequences of not complying with the regulation. Nevertheless, the allegations in the statement of charges still provide the clear message that the DFS is now enforcing this regulation against perceived violators.

Context Matters: An ‘Established Business Relationship’ Can Be Created During a ‘Telephone Solicitation,’ Thus Preventing Subsequent Calls From Violating the TCPA

A federal court has ruled that an “established business relationship” can be created during a call, even if that call is a “telephone solicitation” that violates the Telephone Consumer Protection Act (TCPA). Charvat v. Southard Corp., No. 2:18-cv-190 (S.D. Ohio). A copy of the opinion is attached; the defendants in this matter are represented by BakerHostetler. Southard stands for the proposition that the context of a call is important and must be considered in determining whether the TCPA was violated. Southard appears to be the first decision that specifically addresses this issue and could impact the amenability of certain types of TCPA class actions to certification under Federal Rule of Civil Procedure 23.

For the TCPA, Congress intended a “balanced approach … [to] ensure a robust telemarketing industry while giving consumers relief from unwanted telephone solicitations.” See 137 Cong. Rec. S8784 (Daily Ed. Nov. 27, 1991) (statement of Rep. Hollings). But, as any entity operating in the digital media and advertising space can attest, the TCPA lawsuit juggernaut has undermined this balance. Even a perfunctory Internet search will reveal numerous seven-figure (or more) TCPA judgments and settlements. Southard, however, may help restore the balance that Congress sought with respect to calls to persons on the National Do Not Call Registry (NDNCR).

5 Key Things to Know about the Landmark Schrems II Decision

1. Is the EU-U.S. Privacy Shield framework dead?

Yes, the Privacy Shield framework has been invalidated. The Court of Justice of the European Union (CJEU) invalidated the Privacy Shield framework based on its finding that the framework does not sufficiently protect EU personal data from U.S. national security and surveillance laws that allow access and use of personal data by U.S. public authorities. The Court held that U.S. surveillance law does not include the safeguards required to meet EU data protection principles concerning proportionality (e.g., collection is not limited to what is necessary, no limitations with respect to non-U.S. persons). Also, the CJEU found that European data subjects do not have a meaningful remedy before a body that offers guarantees substantially equivalent to those under EU law. In particular, the CJEU reasoned that the Privacy Shield’s Ombudsperson is not sufficiently independent and is unable to adopt decisions that bind U.S. intelligence services.

California AG Begins CCPA Enforcement

Last week, the International Association of Privacy Professionals hosted a keynote session with Stacey Schesser, supervising deputy attorney general (AG) of the California Department of Justice, to discuss the July 1 start of the AG’s enforcement authority under the California Consumer Privacy Act (CCPA).

The deputy AG discussed the current scope of the AG’s enforcement authority and confirmed that on July 1, the Office of the Attorney General (OAG) sent businesses an initial round of letters, which included notices of alleged violations. The AG will open an investigation or file a lawsuit against companies that do not come into compliance within 30 days of receiving such notice letters.