California OAG Proposes New CCPA Regs Two Weeks Before Voters Decide on the Fate of CCPA 2.0

On Monday, Oct. 12, the California Office of the Attorney General (the Attorney General or OAG) released a third set of proposed modifications to the California Consumer Privacy Act (CCPA) regulations (the Regulations). The full text can be found on the Attorney General’s website here. The proposed modifications to the Regulations are limited to four sections. While the proposed changes are relatively minor in substance, they nevertheless provide helpful and important guidance on the following topics:

  1. Requirement to provide notice at collection (and prohibition of new or secondary uses of personal information);
  2. Requirement for offline notice of right to opt-out;
  3. Requirement to make it “easy” for consumers to submit opt-out requests;
  4. Methods for verifying an authorized agent request; and
  5. Requirements for Notices to Minors Under 16 Years of Age.

Continue Reading

Jeewon Kim Serrato Co-Authors Article about Pricing, Value of Consumer Data and CCPA’s Non-Discrimination Requirement

Partner Jeewon Kim Serrato co-authored an article published in the California Lawyer Association’s Fall 2020 issue of the “Competition Journal” of the Antitrust, UCL and Privacy Section.  The article, “Privacy, Pricing, and the Value of Consumer Data: Complex Nature of the CCPA’s Non-Discrimination Requirement,” discusses the intersection of privacy and competition law and provides an in-depth examination of the non-discrimination right under the California Consumer Privacy Act, which is a first-of-its-kind law to require companies to calculate whether pricing differences are reasonably related to the value of the consumer data.

Privacy Pricing and Value of Cons Data.

Was OFAC’s Advisory an October Surprise or More of the Same?

Ransomware has hit pandemic proportions and there does not seem to be a clear end in sight. On October 1, 2020, the U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) issued an advisory regarding ransom payments and the risk of sanctions violations associated with such payments.


Ransomware has been around for decades. For many years, ransomware was more of a nuisance issue only involving a small number of computers than a real business disrupter. In recent years, we’ve seen increased sophistication and threat actors increasing the impact of an incident by finding ways to encrypt many devices at the same time and deleting or encrypting backup files, too. Additionally, many of the ransomware threat actors are exfiltrating data before spreading ransomware. Thus, even if the company can restore data from backups it still faces the extortion component. Continue Reading

Podcast: BakerHostetler Blockchain University: What is Blockchain and Why Should I Care?

Blockchain technology is widely anticipated to disrupt major industries and business operations over the next several years. But with all of the “hype” in the blockchain market, at times it can be difficult to separate fact from fiction and identify the real value in this new technology. To help bring things into focus, we’ve crafted a five-part series to introduce blockchain from a technological, market, and legal perspective.

Our first episode provides an introduction to what blockchain is, how it works, and the key blockchain networks that everyone should know about.

Listen to the episode

Subscribe to BakerHosts
Apple Podcast | Google Podcast | iHeartRadio | Spotify | Stitcher | TuneIn
Download Episode Transcript

Employee Training and Record-Keeping Requirements in the Final CCPA Regulations and a Preview of New Retention Requirements in the CPRA

The California Consumer Privacy Act (CCPA) does not in itself outline specific employee training or record-keeping requirements that demonstrate business compliance with the law. However, the California attorney general’s final CCPA Regulations, intended to guide the application of the CCPA, detail that specific types of employee training and record-keeping are required for CCPA compliance.

Specifically, the Regulations require that people who handle inquiries related to a business’s privacy practices, CCPA compliance or CCPA-related consumer requests be trained in all aspects of the CCPA, including the Regulations. This expands a lesser requirement in the CCPA that originally required these individuals to understand only certain applicable portions of the CCPA related to consumer requests. The Regulations also require training that includes explanations to consumers of how they can exercise their CCPA rights. To accomplish this, businesses are required to develop, document and comply with a CCPA training policy. Continue Reading

Return to Work: What Employers Should Know About AB 1281, CCPA Notice Requirements and Recent Labor Law Guidance

While most privacy news and alerts have been focused on the collection and processing of customer data (see our earlier posts about interest-based advertising and the House Judiciary Committee’s Antitrust Hearing with Big Tech, for example), privacy issues related to data collected from employees and business-to-business (B2B) contacts increasingly are becoming a concern for businesses. As we have highlighted in the past, laws outside the U.S., like the EU General Data Protection Regulation (GDPR), have extraterritorial scope, and they provide equal protections to all natural persons, including customers, employees and B2B contacts. The California Consumer Privacy Act (CCPA) follows this global trend and defines “consumers” as California residents, thus providing the same level of rights to employees and B2B contacts who are California residents as well as customers. This article provides an overview of the latest legislative changes under the CCPA as they relate to company obligations concerning employee and B2B data, including exemptions, as well as practical tips for assessing when a company should reexamine employee and B2B privacy issues, including return-to-work (RTW) strategies. Continue Reading

IAB Launches CCPA Benchmark Survey

The Interactive Advertising Bureau (IAB), a leading advertising industry organization, has launched a CCPA Benchmark Survey to assess how companies across the digital advertising ecosystem are approaching CCPA compliance. The survey provides an opportunity for companies to anonymously report on their handling of various CCPA matters, including to provide statistics relating to the number of access, deletion, and “Do Not Sell” requests organizations have received, and to weigh in on the vexing issue of whether and in what context the use of cookies and other tracking technologies constitute a “sale” of “personal information” as defined in the CCPA. Continue Reading

Podcast: CA Privacy Law Reboot – CCPA 2.0

The California Privacy Rights Act (CPRA) is going to be on the November 3 ballot. The CPRA would amend the California Consumer Privacy Act (CCPA) to provide a greater level of rights for consumers and more stringent restrictions on data practices of businesses, including regarding the use of personal info for advertising and marketing purposes.

Listen to the episode

Subscribe to BakerHosts
Apple Podcast | Google Podcast | iHeartRadio | Spotify | Stitcher | TuneIn

CCPA Final Regulations, with a Few Unexpected Changes

CCPAOn Friday, August 14, 2020, California Attorney General Xavier Becerra announced approval by the Office of Administrative Law (OAL) of final regulations (Final Regs) under the California Consumer Privacy Act (CCPA). Proposed final regulations were submitted to the OAL by the Office of the Attorney General (OAG) on June 1, 2020. During OAL’s review process, additional revisions were made to the proposed regulations. The approved regulations are now, according to the OAG and OAL, in effect along with the CCPA, which went into effect on January 1, 2020. The OAG gained enforcement authority as of July 1, 2020, which will now include enforcement of the Final Regs. It has been reported that dozens of CCPA compliance investigations have commenced. Continue Reading

Big Day for Big Tech: CEOs Testify in House Antitrust Hearing

On Wednesday, July 29, 2020, the House Judiciary Committee’s Subcommittee on Antitrust conducted its sixth hearing into online platforms and market power, welcoming as witnesses the chief executive officers of Amazon, Apple, Google, and Facebook. The hearing lasted more than five hours and was styled as “Examining the Dominance of Amazon, Apple, Facebook and Google.” Due to COVID-19, the CEOs testified virtually, adding an ironic digital twist with the tech titans appearing together in video tiles on a screen with no big-tobacco moment standing side-by-side to take their oath.

The Subcommittee’s hearing culminated its year-long investigation into Big Tech, and the questioning was informed by requests for information posed to each tech company last September, which generated millions of pages of documents and hundreds of hours of interviews. Subcommittee Chair Cicilline opened the hearing by describing each of the tech companies as a “bottleneck for a key channel of distribution,” whether that be a channel of retail distribution, distribution of software applications, or distribution of information. Chair Cicilline began and ended the hearing by expressing concerns about the dominance of each firm and abuse of their purported monopoly power. Continue Reading