Last week, a coalition of over sixty trade associations and businesses representing almost every business sector authored a joint letter to the California Attorney General requesting that the Attorney General defer enforcement of the CCPA in light of the COVID-19 pandemic.  Although the CCPA has been in effect since January 1, 2020, the Attorney General is not set to commence enforcement actions under CCPA until July 1, 2020.  The basis for the request to defer enforcement of the CCPA centered on two grounds: (1) the significant challenges associated with implementing compliance with a new law when the majority of businesses are either closed or operating remotely and (2) the lack of final regulations providing critical guidance about interpreting the CCPA from the Attorney General.
Continue Reading

The California Consumer Privacy Act (“CCPA”), Cal. Civ. Code 1798.100-199, presents some interesting questions for mobility businesses and service providers that handle data developed or transmitted by vehicles. Although the CCPA was passed with an effective date of January 1, 2020, the regulations implementing it are still in flux—and are on their second iteration. But whether final regulations are in place or not, enforcement by the California Attorney General’s office could start as early as July 1, 2020.  Because the CCPA provided only limited exemptions for information collected by the automotive industry—information collected under the Driver’s Privacy Protection Act of 1994 and certain information developed and exchanged by new auto dealers and vehicle manufacturers in connection with warranty work or vehicle/part recalls—significant questions remain as to how the CCPA will be applied to the mobility industry.

For the past hundred or so years, most vehicles did not have the electronic brains to require a CCPA “gut check.” When electronics made their debut in automobiles, tools like OBD allowed vehicles to store diagnostic codes, and eventually event recorders (now regulated by the Driver Privacy Act of 2015) recorded pre-accident conditions. Telematics began to change the picture in the late 1990s, with automobiles transmitting information to central locations using cellular (and now wireless) technology. Modern connected vehicles can collect vast amounts of data when driven—and they can pass large amounts of it to manufacturers and service providers. And even when they are not actively transmitting this information, such information can be extracted from vehicles by service personnel. SAE Level 4 and Level 5 autonomous vehicles will necessarily be more dependent on connectivity both to central data sources and to each other—and can be expected to drive an explosion in data transmitted and analyzed on a central basis. Some of this will be regulated by data privacy laws, such as the CCPA, despite the above noted exceptions for automotive information.
Continue Reading

Cookies are the subject of much discussion in data regulation. If you visited a website that complies with the European General Data Protection Regulation (GDPR), you have seen the usual cookies popup. Maybe you wondered why this is necessary. At a basic level, the use of cookies is regulated by GDPR and the California Consumer Privacy Act (“CCPA”), and concerned site owners. Conventional knowledge (and in many cases practice) is that cookies should be disclosed—and that non-essential cookies, particularly those involved in advertising, require consent.

What exactly are cookies?

The “what” is known. The “why” is rarely discussed. The term “cookies” has its roots in magic cookies—identification tokens – in UNIX. Web cookies made their appearance in 1994 with Netscape Navigator 0.9 beta—in other words, the beta of the first commercialized web browser. This technology, which was once patented(!) involves data that is placed on a user’s computer in response to a user action. That information can then be read by the site later. It was first designed for use in shopping carts—so that a commercial website would not have to create an ID and store shopping selections unless and until a user decided to buy. Cookies were recognized by Internet Explorer 2 by 1995, they hit the media in 1996 in the Financial Times, and in the same year, the Federal Trade Commission began public hearings on them. Just as they have always been a part of the internet landscape, so have they been controversial. 
Continue Reading

As businesses and privacy professionals were holding their breath awaiting the California Governor’s signature on pending amendments to the much anticipated California Consumer Privacy Act (“CCPA”), California’s Attorney General took the spotlight yesterday by releasing the similarly anticipated CCPA Regulations, Cal. Code Regs. tit. 11, .§999.300, et seq. (“Regulations”). Since the passage of the CCPA in June 2018, the regulations to accompany the CCPA have been touted as “guidance” on how to comply with the CCPA. Although only in draft form, some may argue that the newly released regulations increase the CCPA compliance burden, while others may argue the Regulations merely provide much needed detail on how to comply with the CCPA.

On October 10, 2019, California’s Office of the Attorney General released a notice of proposed rulemaking action, text of the proposed regulations, initial statement of reasons, and economic impact statement. The deadline to provide comments is December 6, 2019. 
Continue Reading

After a busy year of legislative activity that brought forth many proposed amendments to the California Consumer Privacy Act (CCPA), Governor Gavin Newsom will be presented with six bills that will alter and/or clarify the scope of the CCPA. He is expected to sign all of them into law in October.

Employee Data:  The original version of the CCPA did not contain an exemption for employees’ personal information. Assembly Bill 25 brings needed clarity to the question of whether employee data will fall under the CCPA. This is a critical issue, given that certain personal information is necessarily used on a daily basis for business. Under AB 25, employees and prospective employees are excluded from most of the CCPA’s protections, which include: the right to request deletion of personal information; the right to inquire about what personal information is collected; the right to inquire about the sources of personal information; the right to inquire about the purpose for collecting or selling personal information; and the right to inquire about the categories of third parties with whom the employer or prospective employer shares their personal information. 
Continue Reading

This blog post is the third in a series of Q&A posts following Dykema’s February 27, 2019 webinar on the California Consumer Privacy Act (“CCPA”). The statute takes effect on January 1, 2020–which is less than six months away. Please feel free to reach out to us if you have a unique question or would like to discuss in detail how the CCPA may apply to you.

You may see our first and second posts here and here.

Thanks for reading!


Continue Reading

April was another busy month for legislative activity on the California Consumer Privacy Act (CCPA), following a very busy February [see our prior post here]. A proposed sweeping revision to the CCPA, AB 1760, was withdrawn, while three key amendments, AB 25, AB 873, and AB 874, are up for a floor vote. Meanwhile, SB 561, which greatly expands the private right of action under the CCPA, is now in the Senate Appropriations Committee’s Suspense File awaiting a May 17, 2019 deadline for a vote as to whether it makes it out of the Suspense File. 
Continue Reading

This blog post is the first in a series of Q&A posts following Dykema’s February 27, 2019 webinar on the California Consumer Privacy Act (“CCPA”). We received questions both before and during the webinar, and over the coming weeks we will be posting our responses. We will answer the most commonly-asked questions first, so please stay tuned if you don’t see your question in the first one or two posts. And, of course, please feel free to reach out to us if you have a unique question or would like to discuss in detail how the CCPA may apply to you.

Thanks for reading! 
Continue Reading

February was a busy month for those monitoring the latest developments with the California Consumer Privacy Act (CCPA). After the month kicked off with a series of California Attorney General Informational Sessions, the California State Assembly’s Privacy and Consumer Protection Committee conducted a hearing with testimony from interested parties, including Alastair Mactaggart (the architect of the initiative that led to the enactment of the CCPA), representatives from the California Attorney General’s Office, public interest groups, and industry groups. This hearing also coincided with the introduction of new proposed amendments to the CCPA that would, among other things, require businesses to disclose an estimate of what they paid or received for the sale of consumer data. The month culminated with the introduction of a Senate Bill that would greatly expand the reach of the CCPA by, among other things, granting consumers a private right of action for all CCPA violations and not just data breach violations. 
Continue Reading