The application of the California Consumer Protection Act of 2018 (“CCPA”) to employee data has been the subject of much debate since the first version of the bill was introduced on June 21, 2018 (just days prior to its enactment on June 28). Under a plain language reading of the CCPA, the law likely applies to employee data. However, it is unclear whether the California legislature intended that result. There is no clarity to be found in the general statutory structure, the legislative history, legislative responses to advocate letters, or the technical amendments signed into law on September 23. As part of our ongoing series on the CCPA, this post lays out why the issue of CCPA applicability to employees is controversial and nevertheless offers potential strategies to address CCPA compliance requirements as they may relate to personnel records.
Late last month, California Governor Jerry Brown signed the first US Internet of Things (IoT) cybersecurity legislation: Senate Bill 327 and Assembly Bill 1906. Starting on January 1, 2020, manufacturers of regulated connected devices are required to equip such devices with “reasonable security features” designed to protect a connected device and any information it holds from “unauthorized access, destruction, use, modification, or disclosure.” This legislation was prompted by what the bill’s sponsor viewed as a “lack of security features on internet connected devices undermin[ing] the privacy and security of California’s consumers.”
The California Consumer Privacy Act of 2018 (CCPA) adds another set of privacy requirements for health and life sciences companies. Managing the interaction of these new requirements with existing obligations under the Health Insurance Portability and Accountability Act of 1996 (HIPAA), California’s Confidentiality of Medical Information Act (CMIA), and other health privacy laws will continue to be an area of focus in the health privacy community for years to come. In the latest installment of the CCPA blog series, we describe these issues and outline four important steps health and life sciences companies may consider to assess the CCPA’s operational impact.
As the most comprehensive privacy law to be enacted in the United States thus far, the California Consumer Privacy Act (CCPA) has inevitably invited comparisons to the European Union’s General Data Protection Regulation (GDPR). At first glance, it is clear that the drafters of the CCPA (and the ballot measure that spurred its passage) drew inspiration from the GDPR. However, the CCPA is not a carbon copy of the GDPR, and a GDPR compliance program will not automatically meet the requirements of the CCPA. As businesses begin their CCPA compliance efforts, awareness of these laws’ similarities and differences will be key to creating efficient and effective compliance programs that capitalize on prior GDPR compliance work but also address the unique nuances of the CCPA.
This post discusses litigation exposure that businesses collecting personal information about California consumers should consider in the wake of the California Legislature’s passage of the California Consumer Privacy Act of 2018 (CCPA). The CCPA creates a limited private right of action for suits arising out of data breaches. At the same time, it also precludes individuals from using it as a basis for a private right of action under any other statute. Both features of the law have potentially far-reaching implications and will garner the attention of an already relentless plaintiffs’ bar when it goes into effect January 1, 2020.
We have heard the California Consumer Privacy Act of 2018 (CCPA) called many things since its enactment on June 28, 2018. Our experience to date has confirmed the compliance challenge ahead for organizations that engage with the residents of the world’s fifth-largest economy. We will explore the ramifications for businesses of this seminal legislation in this multi-part series, “The Challenge Ahead” authored by members of Hogan Lovells’ CCPA team. In this first installment, we describe recent activity to enact so-called “technical” amendments to the CCPA.
On July 24, members of the Hogan Lovells global privacy team presented a webinar on the new California Consumer Privacy Act, a ground-breaking new data privacy law that some are calling the United States’ answer to the European Union’s General Data Protection Regulation. In this post, we provide links to the recorded webinar and slide deck.
On June 28, 2018, California’s governor signed Assembly Bill 375, a ground-breaking new data privacy law that some are calling the United States’ answer to the European Union’s General Data Protection Regulation. Particularly in light of California’s status as the world’s 5th largest economy, many are wondering how the new California Consumer Privacy Act will affect them. Please join members of the Hogan Lovells global privacy team for a live webinar on July 24 to learn what you should be focusing on now.
California continues to be a first mover in privacy in the United States, enacting the US’s toughest and most comprehensive privacy legislation on Thursday, June 28, 2018. Unlike existing state and federal privacy legislation that has generally focused on specific sectors or privacy issues, the California Consumer Privacy Act of 2018 (AB 375), applies broadly to businesses that collect personal information about California consumers and aims to create significant new consumer privacy rights. In doing so, it creates significant new obligations for businesses.
On June 22, California lawmakers announced Assembly Bill 375, a broad-based consumer privacy bill that is intended to serve as an alternative to the California Consumer Privacy Act, a far-reaching consumer privacy initiative that is on track to be on the California ballot this November. The chief sponsor of the CCPA, Alastair Mactaggart, has stated that he will withdraw the initiative from the ballot if AB 375 is passed this week.
A growing number of state and federal laws require organizations to implement reasonable security safeguards to protect personal information. But what constitutes reasonable data security? This question has vexed organizations and spurred a considerable amount of litigation. On February 16, 2016, the California Attorney General’s Office released its 2016 Data Breach Report, which for the first time provides a listing of safeguards that the Attorney General views as constituting reasonable information security practices. Despite being focused on California, the Report’s recommendations are likely to have an impact far beyond the borders of the Golden State.
For the past several years, California’s Legislature has actively sought to regulate unmanned aerial systems, including, but not only, through privacy-related legislation.. In the 2014 session, one bill passed and was signed by Governor Brown. It bans the use of UAS to capture images or record voices of people without their permission, and is widely regarded as an anti-paparazzi law, aimed at protecting the many celebrities – and their children – in California’s entertainment industry. However, the wording of the bill more broadly protects individuals’ privacy from visual or audio recording in a manner that is “offensive to a reasonable person … under circumstances in which the [person] had a reasonable expectation of privacy” if the recording could not have been made without either trespassing or using special equipment. The bill is codified at California Civil Code section 1708.8. In the 2015 session, the California Legislature introduced five more bills, covering a range of issues.
Is data security legislation coming to a state near you? With data breaches continuing to make the headlines, 60 Minutes reporting that breaches are inevitable and federal legislation seeming unlikely, consumers and advocates may press state lawmakers to address data security. We have already seen state data breach notification laws proliferate following California’s enactment of the first such law in 2002. We may see data security laws spread in a similar fashion. In this post, we look at current and proposed state data security laws and consider their potential impact.
On January 1, 2014, California Assembly Bill 370 will go into effect, requiring operators of websites and other online services, including mobile applications, to provide new disclosures in their website privacy policies about online tracking.
California recently passed a law updating its breach notification requirements and making it the first state to expand the definition of personal information to expressly include login credentials for online accounts. Under the new law, companies would be required to notify individuals if and when their passwords, usernames, or security question and answers are compromised or stolen. The latest amendments become effective as of January 1, 2014.
On Wednesday, Harriet Pearson, a partner in Hogan Lovells’ Privacy and Information Management Practice, appeared on the Cyberlaw and Business Report Internet radio show to discuss newly enacted California privacy laws. This blog post contains a link to the interview and a downloadable podcast.
On August 26, the California legislature passed AB 370, which would require commercial websites and other online services such as mobile apps to include language in their privacy policies disclosing whether the service uses third-party vendors to track users across a network of other websites or online services, and how the users can opt out of such tracking using a centralized “do not track” signal or other mechanism. If signed by the governor, as expected, this bill would apply de facto to most websites and mobile apps by virtue of their accessibility in California, and would require revision of many privacy policies as a result.
On February 4, 2013 a sharply divided California Supreme Court held in Apple, Inc. v. Superior Court (Case No. S199384) (“Apple”) that the Song-Beverly Credit Card Act (the “Act”) does not apply to online purchases in which products are downloaded. The Act prohibits retailers from requesting or requiring consumers to provide personal identification information (“PII”) […]
James Denvil, an associate in our Washington office, contributed to this entry. This week, Washington lawmakers and California’s Attorney General focused their attention on mobile privacy. The Senate Judiciary Committee is considering a measure that would establish legal requirements for apps that collect or share location information from mobile devices. A Democratic congressman released for […]
On Tuesday, October 30, the California Attorney General Kamala Harris announced that her office has begun “formally notifying” mobile device application (“app”) operators that they are out of compliance with the notice provisions of the California Online Privacy Protection Act of 2003 (“CalOPPA”). The letters are a reminder that app developers and their partners should review their app data privacy and security practices and ensure that any apps collecting PII comply with the CalOPPA requirements, as well as other applicable Federal and state laws.
A new law that amends the California Confidentiality of Medical Information Act (CMIA) may provide some relief to HIPAA covered entities and business associates, some of whom have faced class action lawsuits seeking millions in statutory damages under the CMIA for large-scale data breaches. The changes to the CMIA are summarized in this entry.
California has become the latest state to pass a law prohibiting employers from requesting access to employees’ and job applicants’ social media information or accounts.
A new agreement this week between mobile app platform operators and the California Attorney General effectively creates enforceable, nationwide mobile app privacy standards that companies will need to follow going forward.