Effective January 1, 2020, the new privacy law in California, the California Consumer Privacy Act (CCPA), will impact companies nationwide. The CCPA will apply to any for-profit business that collects the personal information of California residents (including individuals, households and devices) and meets at least one of the three following criteria:
Until recently, companies have struggled with compliance preparation for the CCPA, as the law has been a moving target. Companies now have some guidance on what the law will require, with the governor signing, on October 11, amendments providing, among other things, clarification that employees are excluded under the definition of "consumer" for the first year,[1] and the California Attorney General publishing, on October 10, draft regulations interpreting the law.
The draft regulations, which are expected to be further revised to account for the recently adopted amendments to the CCPA, provide a detailed framework of obligations of companies subject to the CCPA, most notably in the below areas:
• The draft regulations clarify the content requirements and format of notices to consumers regarding a business's collection and use of personal information.
• At the time of collection, businesses must provide a notice informing consumers of the categories of personal information to be collected and, for each, the purpose(s) for which the personal information will be used.
• Initial notice must include details of the consumers’ right to opt out of the sale of their personal information, including an opt-out link and a link to the business’s privacy policy.
• Privacy policies must include specific details set forth in the draft regulations, including the consumers' various rights under the CCPA, details of the business’s collection of personal information, the purpose for such collection, and the categories of third parties with whom the business may share, sell or disclose such information.
• Notices and privacy policies must be written and presented in an easy-to-read, understandable and ADA-accessible format.
• The draft regulations provide extensive standardized procedures for handling consumer requests, including requirements on methods of submitting requests, confirmation of receipt of requests, response formats and time frames, and minimum response content, depending on the nature of the request.
• Businesses must implement procedures for verifying the identity of consumers making requests.
• For businesses with consumer accounts, the existing authentication procedures are generally acceptable.
• For businesses that must verify requests from those who do not hold accounts, the regulations provide a framework for verification.
• For minors under the age of 13, businesses must obtain parental consent for opting in to the sale of personal information. The draft regulation establishes rules and methods for obtaining parental consent for minors under the age of 13, consistent with the Children's Online Privacy Protection Act.
• For minors ages 13 to 16, businesses must provide a process for such minors to opt in to the sale of their personal information.
These draft regulations are open for public comment until December 6. Final rules are expected no later than July 2020. While the CCPA remains an evolving law, the draft regulations provide some preliminary guidance for companies to at least begin implementing policies and procedures for compliance preparation. Day Pitney will continue to monitor and track the CCPA to help clients understand and comply with the regulations as they take final form.
As we await final regulations, we continue to encourage for-profit businesses that collect, buy, rent, receive, obtain, or otherwise gather or access any personal information of California residents, whether actively or passively, including by just observing individuals' behavior, to consider whether the CCPA will apply. We recommend that our clients contact us long before the January 1, 2020, implementation date to make sure they are prepared to meet their legal obligations.
[1] The exemption for employees will automatically sunset on January 1, 2021, by which date it is expected that the California Legislature will introduce a separate bill specifically addressing companies' obligations with respect to the personal information of California-resident employees.
Day Pitney Data Privacy, Protection and Litigation Associate Stephanie Gomes-Ganhão was featured in the Medical Technology Schools magazine article, "What Is Information Blocking Compliance in Healthcare and Why Is It Prevalent?"
Day Pitney Data Privacy, Protection and Litigation co-chair William Roberts' discussion with attendees of the Connecticut Water Works Association workshop on being "Breach Ready," was featured in an article for In Flow- Line, the official publication for the CWWA.
Naju R. Lathia, White Collar and Commercial Litigation partner in the New Jersey office of Day Pitney and co-chair of Day Pitney’s Data Privacy, Protection and Litigation Practice Group, was featured in Diverse Lawyers Network newsletter for her South Asian Bar Association (SABA) North America Rising Star Award.
Day Pitney Data Privacy, Protection and Litigation group co-chair William Roberts was featured in InformationWeek article, "Biometric Data Privacy: Instagram to Pay $68.5M in Class Action Settlement."
On July 31, Day Pitney co-chair of Data Privacy, Protection, and Litigation group William Roberts will be speaking at Lex Mundi's 2023 Data Privacy Practice Group Regular Update – North Americas.
Day Pitney Press Release
Day Pitney co-chair of Data Privacy, Protection and Litigation William J. Roberts and Associates Stephanie M. Gomes-Ganhão and Colton J. Kopcik authored the article, "Connecticut: Expanding Online Privacy and Safety Procedures," for OneTrust DataGuidance.
Day Pitney's Family Office practice chair R. Scott Beach and co-chair of the firm's Data Privacy, Protection and Litigation group William Roberts were featured in Acclaim Magazine article, "Day Pitney's Sophisticated Cybersecurity Services for Family Offices," discussing the cybersecurity services the firm offers to its family office clients.
Day Pitney's Data Privacy, Protection and Litigation group co-chair William Roberts was featured in the Hartford Courant Q&A titled, "Connecticut's New Data Privacy Law Takes Effect July 1. What You Need to Know."
Day Pitney Cybersecurity, Healthcare and Technology (C.H.A.T.) Newsletter – June 2023
Copyright © 2023 Day Pitney LLP, all rights reserved.