Jul. 1, 2020

In-Depth on the CCPA

This week, to mark July 1, 2020, the day the California Attorney General can begin to enforce the California Consumer Protection Act, we are looking back at some of our articles that analyze the CCPA and give guidance on compliance, such as how to handle vendor contracts, stem the tide of private litigation, and understand notice and consent requirements.

Stemming the Tide of CCPA Litigation and Avoiding Claims Under Other Statutes

As of the CCPA’s January 1, 2020, implementation date, California consumers can pursue class actions after data breaches and seek high per-capita damages. The first article in this series, “How to Stem the Coming Tide of CCPA Litigation,” examined the CCPA’s limited private right of action, which gives consumers a right to sue over data breaches, with insights from Perkins Coie and Skadden lawyers. In the second part, “How to Avoid Claims Under Other Statutes,” lawyers at Perkins Coie, Manatt Phelps and Sidley Austin provided insight on how to address hidden litigation perils in the new business and privacy practices that companies are rolling out to satisfy the CCPA.

Updating Vendor Agreements to Comply With CCPA

In the past five years, organizations have had to update their data contracting and vendor management strategies to account for the invalidation of the U.S.-E.U. Safe Harbor framework, and then for the GDPR. Now, the CCPA warrants yet another review of vendor contracts. The first article in this series, “Service-Provider Exemption and Corporate Approaches,” analyzed the CCPA’s new definitions and the service provider exemption, and their implications for vendor contracting, and provided examples of how companies have managed updates. The second article, “Non-Third Parties and Key Steps,” contained advice from privacy counsel regarding the non-third-party exemption and the B2B moratorium, and included relevant case studies and key steps for ensuring CCPA-compliant vendor contracts. 

Privacy Settings May Serve as One-Step CCPA Opt-Out From Sale

In its June 1, 2020, message accompanying the final CCPA regulations, the California AG firmly told businesses that they must “treat user-enabled global privacy controls” as a valid request to opt out from the sale of personal information. It is still unclear, however, whether the familiar global privacy settings in major operating systems and device platforms like Apple, Google, Amazon and Roku already meet the AG’s standard. In this article, the Cybersecurity Law Report shared insights from interviews with lawyers from Kelley Drye & Warren, ALC Inc., Lucid Privacy Group, the Network Advertising Initiative and the ACLU of Northern California about the AG’s statements on global opt-out, the advertising and marketing industry’s concerns about the provision, and the technological and practical feasibility of complying with it.

CCPA Compliance for the Financial Sector

In the first part of this interview article series, “Review of Amendments and How to Prepare for Compliance,” Ropes & Gray partner Melissa Bender and counsel Catherine Skulan discussed how to approach CCPA compliance, including an explanation of how to conduct and use a data-mapping exercise and what future enforcement may look like. In the second part, “Examining the GLBA Carve-Out and How Financial Institutions Can Evaluate Applicability,” they discussed how fund managers can determine if they are subject to the CCPA, including how the carve-out for entities subject to the GLBA will provide some, but likely not complete, relief from compliance with the CCPA.

How to Approach CCPA’s Under-16 Opt-In Consent

The CCPA extends child privacy protections to California teens under the age of 16, meaning that websites, apps and other digital properties now must not sell the personal information of teens under 16 unless they obtain opt-in consent. The law also tightens a key standard from COPPA, the federal children’s privacy stricture, a change which could lead many major consumer brands to start screening for users’ ages. This article looked at regulators’ declared focus on children’s privacy and the initial reactions of companies to the new law. It also provided practical insights for implementing opt-in for teens between 13 and 15. 

CCPA Priorities: A Program Shift, Data Subject Rights and Vendor Management

In the first installment of a two-part article series, “Turning Legislation Prep Into a Program Shift,” we explored recommended privacy program goals in light of the CCPA, how to make the case for a holistic approach to implementation and why detailed compliance work should be ongoing. The second part, “Tackling Data Subject Rights Requests and Vendors,” focused on how companies should prepare for two areas of the CCPA requirements – vendor management and data subject rights requests.

How to Comply With Key CCPA Notice and Consumer Request Requirements

Some of the California AG’s final CCPA Regulations shed light on the AG’s enforcement priorities, and other provisions appear to go beyond the language of the statute. In this guest article, Quarles & Brady partner Hilary Lane examined the Regulations and the CCPA’s provisions on consumer notices and requests, and offered steps companies should take to be prepared to comply with the relevant requirements by the July 1, 2020, enforcement date.