What brands can learn from a year of GDPR in preparing for the California Consumer Privacy Act

May 2019 marks the one-year anniversary of the implementation of the General Data Protection Regulation (GDPR), the most substantial change in data privacy regulation in decades. While the GDPR has done significant good in raising awareness around individuals’ rights when it comes to data, the story of enforcement has been entirely different.

The surprising lack of large fines and the continued misuse of third-party data, which many thought would cease to exist altogether, have been glaring this past year. However, this can still change with the implementation of new legislation, such as the anticipated ePrivacy component (the next element of the EU’s data protection regime that is anticipated to go into effect soon) and a major data privacy development coming to the U.S. in January 2020: the California Consumer Privacy Act (CCPA). In this post, I’ll discuss lessons learned from the GDPR after one year and tips for how to best prepare for the CCPA and other more stringent legislation that’s anticipated in the near future.


Study Shows Only 12% of Companies Are Ready For New CCPA Data Privacy Regulation

With just six weeks to go before the new California Consumer Privacy Act (CCPA) goes into effect on January 1, 2020, a surprisingly large percentage of companies are still not ready to handle the compliance demands of the new data privacy regulation. According to a study of 85 companies by New York-based data privacy technology company Ethyca, only 12% of companies have reached an “adequate state of compliance” ahead of the new data privacy regulation becoming law. Moreover, nearly four in ten companies (38%) need at least 12 months to become compliant. With the state attorney general’s office in California suggesting that enforcement actions will begin immediately, that could present a number of problems for compliance laggards.


4 things every marketer needs to know about CCPA

First came GDPR, and now all the talk is squarely centered around a new acronym: CCPA.

Signed into law on June 28, 2018, the California Consumer Privacy Act (or CCPA) doesn’t just impact California-headquartered businesses like Facebook, Google and Apple. It also affects any company that does business in California. That’s a huge swath of businesses – large, medium and small – throughout the country. Oh, and it takes effect January 1, 2020 – less than two months from now.

So, this begs two questions – (1) how will it impact general marketing, digital and programmatic advertising, industry players and partnerships, data access, and data usage, and (2) are you ready?



New Report Suggests Initial Compliance Costs for CCPA Could Reach $55 Billion

For months, there has been speculation about how much the new California Consumer Privacy Act (CCPA) would wind up costing California businesses as they prepare for the sweeping new privacy legislation, which is set to go into effect on January 1, 2020. According to a new economic impact assessment prepared for the California state attorney general by independent economic research firm Berkeley Economic Advising and Research, initial CCPA compliance could cost companies as much as $55 billion. In addition, there will be compliance costs related to ongoing compliance with the privacy legislation.


Health Sector Does Not Completely Avoid the CCPA by HIPAA Exemption (4 Months to Go)

Don’t wait to implement your California Consumer Privacy Act (CCPA) compliance as it could require changes to your operations. CCPA can apply to businesses even if they do not have offices or employees in California. It can also reach activities conducted outside of California.

As the countdown to the January 1, 2020 effective date for the CCPA quickly approaches, healthcare entities and businesses in the health sector should exercise caution not to rely too heavily on the law’s HIPAA-related exceptions as a complete pass to avoid complying with the CCPA. The CCPA is the most comprehensive and toughest privacy law in the U.S. to date. Although a California law, the CCPA imposes stringent requirements on businesses nationwide that collect personal data from Californians (and meet certain thresholds). Those requirements include a number of on-going obligations to consumers and are accompanied by strong enforcement powers for non-compliance as well as a private right of action for certain data breaches. HIPAA does not provide a private right of action. While the CCPA exempts certain entities and data governed by HIPAA from CCPA’s scope, healthcare entities and related service providers should evaluate their systems, processes and data repositories to determine what (if any) personal information they collect is not outside the CCPA’s reach. They could find themselves with certain data subject to the CCPA and some outside of its scope. What does this mean for the healthcare industry? Perhaps it’s time to start thinking in terms of “HIPAA Plus” in a healthcare setting. Regulators, if the CCPA heralds a trend, are imposing new obligations related to the other personal data a healthcare entity, health plan, or related business maintains about a particular patient, employee, website visitor, or other person.


Ready, Set, Sustain: Six Steps Toward CCPA Compliance

The California Consumer Privacy Act (CCPA) is the first major piece of United States privacy legislation, but it won’t be the last. There are already similar bills in the works in Washington, Hawaii, Massachusetts, New Mexico, Rhode Island and Maryland. Introduced on June 28, 2018, the CCPA adopts much of its framework from the European Union General Data Protection Regulation (GDPR) – although there are some subtle differences. For example, the CCPA extends its protections to households and devices, not just individuals, and includes the right to opt-out of the sale of personal information.


A Closer Look at the CCPA’s Private Right of Action and Statutory Damages

The California Consumer Privacy Act (CCPA) has significantly altered the potential consequences of a data breach under California law by permitting California consumers to bring civil suits for statutory damages, Cal. Civ. Code § 1798.150(a)(1), and to seek statutory damages of between $100 and $750 “per consumer per incident or actual damages, whichever is greater.” Id. § 1798.150(a)(1)(A). The ability to seek statutory damages is in addition to injunctive or declaratory relief. Id. § 1798.150(a)(1)(B),(C).

While consumers already had the right to bring suit under California’s data breach law, the CCPA’s provision allowing consumers to sue, known as a private right of action, adds a few new wrinkles. First, it provides for statutory damages. In many data breaches, demonstrating and quantifying damages caused by the breach can be difficult, making it hard for plaintiffs to successfully sue and obtain monetary damages. Statutory damages eliminate that hurdle by dispensing with the need to prove actual damages. Plaintiffs’ attorneys may be more likely to bring class action lawsuits on behalf of groups of data breach plaintiffs with this new tool in hand. The CCPA provides courts with a laundry list of considerations for determining the amount of statutory damages to award. That list includes “the nature and seriousness of the misconduct, the number of violations, the persistence of the misconduct, the length of time over which the misconduct occurred, the willfulness of the defendant’s misconduct, and the defendant’s assets, liabilities, and net worth.” Id. § 1798.150(a)(2).


How Can Marketers Handle All the Layers of Privacy Regulations?

Marketers are currently facing what might be called the Layer Cake Era of consumer privacy.

A little more than a year ago, the European Union’s General Data Protection Regulation (GDPR) began implementation, sending waves of data wariness through brands and vendors who collect and use data from European consumers.

Then California passed the California Consumer Privacy Act (CCPA), hurried through the legislature to head off a pending referendum. It set up its own data privacy requirements for larger California companies.


140 Days Until the California Consumer Privacy Act Becomes Law – Why Aren’t More Businesses Complying?

California, for better or for worse, has a reputation as being a trendsetter, and has taken the lead in the United States by passing the “California Consumer Privacy Act,” or “CCPA.” This massive law has been on the books since 2018, but hasn’t taken effect yet. However, the timeframe for businesses to be in compliance is rapidly diminishing. Currently, there are less than five months for businesses to (a) familiarize themselves with what the law requires; (b) determine how and if they are affected by the law; and (c) determine how to be in compliance with the law’s demands. Right now, companies aren’t making a rush to become CCPA compliant, but this is a mistake. Below are a few of the misconceptions that businesses have, as well as the realities.


CCPA Update – Maybe Employees Are “Consumers” After All – Employee PI is Still In Play

If you have been tracking the proposed amendments to the California Consumer Privacy Act (CCPA), you know that businesses and stakeholders have been clamoring to shape the new sweeping law in a number of ways. We reported earlier this year on some of the potential changes approved by the California Assembly Privacy and Consumer Protection Committee, which moved on for further consideration. Upon arrival at the Senate Judiciary Committee, several of these business-friendly changes met some resistance, including AB 25 which generally would have excluded employee personal information from being covered under the CCPA.

While employers had hoped AB 25 would amend the CCPA to exclude information gathered in the employment context outright, on July 9, 2019, the California Senate Judiciary Committee clarified that will not be the case.

As we previously noted, the Privacy and Consumer Protection Committee in April unanimously approved AB 25 which sought to modify the definition of “consumer” under the CCPA to exclude “a natural person whose personal information has been collected by a business in the course of a person acting as a job applicant to, an employee of, a contractor of, or an agent on behalf of, the business, to the extent the person’s personal information is collected and used solely within the context of the person’s role as a job applicant to, an employee of, a contractor of, or an agent on behalf of, the business.”
