Data Privacy Alert: California Consumer Privacy Act of 2018 Just Enacted


After only a few days of legislative debate, Governor Jerry Brown of California signed a bill enacting the California Consumer Privacy Act of 2018 (the "CCPA") on June 28, 2018. The CCPA is a comprehensive new data privacy law that will impact businesses around the world that obtain, use, store or otherwise process the personal information of California residents (including California residents who are temporarily located in other places).

The CCPA was enacted very quickly, to forestall a proposed November 2018 statewide ballot initiative that would have imposed even more restrictions on businesses. The CCPA represents a rough compromise between the government and the proponents of the ballot initiative. Shortly after Governor Brown signed the bill, the ballot initiative's proponents agreed to withdraw that initiative.

The purpose of the CCPA is to give California residents an effective way to control their personal information, by ensuring the following rights:

- The right to know what personal information is being collected about them.
- The right to know whether their personal information is sold or disclosed and to whom.
- The right to say no to the sale of personal information.
- The right to access their personal information.
- The right to the same service and the same price, even if they exercise their privacy rights.

The CCPA will become effective on January 1, 2020. Because the law was drafted so hastily in light of the pending proposed ballot initiative, many of its provisions are confusing, and may conflict with other California laws. Accordingly, one should not be surprised if the law is amended sometime before its effective date. Moreover, this law may be subject to future challenges in court.

As a general matter, the requirements under the new law are similar to those of the European Union's General Data Protection Regulation ("GDPR"), which came into force on May 25, 2018. However, the CCPA as currently drafted is even more severe than the GDPR in many respects. Thus, even businesses that are currently GDPR-compliant will need to take additional steps by January 1, 2020 to become compliant with the CCPA. Unfortunately, businesses that are not GDPR-compliant, or that are not subject to the GDPR, will have even more work to do before 2020.

I. Whose Personal Information is Protected Under the California Consumer Privacy Act?

The CCPA is designed to protect California residents, who are generally defined as:

- Individuals who are in California for other than a temporary or transitory purpose, and
- Individuals who are domiciled in California but who are physically outside the state for a temporary or transitory purpose.

(This means that the CCPA will protect the personal information of California residents, even if they are not physically in California at the time the personal information is processed.)

II. What Types of Personal Information Will Be Protected?

The CCPA defines the term "Personal Information" as information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household. The term "Personal Information" is defined very broadly and includes (but is not limited to):

- The real name, alias, postal address, unique personal identifier, online identifier, Internet Protocol (IP) address, email address, account name, Social Security Number, driver's license number, passport number, or other similar identifiers.
- Characteristics of protected classifications under California or federal law.
- Commercial information, including records of personal property, products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies.
- Biometric information.
- Internet or other electronic network activity information, including browsing history, search history, and information regarding a consumer's interaction with a website, application, or advertisement.
- Geolocation data.
- Audio, electronic, visual, thermal, olfactory or similar information.
- Professional or employment-related information.
- Education information that is not publicly available.
- Inferences drawn from any of the information identified above to create a profile about a consumer reflecting the consumer's preferences, characteristics, psychological trends, preferences, predispositions, behavior, attitudes, intelligence, abilities and aptitudes.

Personal information does not include "publicly available" information, which is any information that is lawfully made available from government records. Notably, however, many types of information that one might expect to be considered publicly available are not within the scope of the term "publicly available" under the CCPA. For example, the CCPA specifies that information is not considered publicly available if it is used for a purpose that is not compatible with the purpose for which it is maintained and made available in the government records. Moreover, "publicly available" does not include consumer information that is de-identified or aggregate consumer information.

III. What Types of Businesses Will Be Subject to This Law?

The CCPA applies to for-profit entities that do business in California (including any same-branded parent or subsidiary company) that meet any one of the following three criteria:

- Has gross revenues of more than $25 million;
- Receives or shares personal information for more than 50,000 consumers, households or devices; or
- Receives more than 50 percent of its annual revenue from the sale of personal information.

A company that lacks a physical presence in California might not be subject to this law, so long as it is not "doing business" in the State of California. However, the concept of doing business in California is interpreted very broadly. Accordingly, businesses that may think they are not subject to this law may find that they indeed will be ensnared.

IV. What Rights and Obligations Does the CCPA Impose?

The CCPA provides the following rights to California residents and imposes obligations on businesses that process California residents' personal information:

- Up to two times in any 12-month period, California residents may request that businesses disclose the categories and specific pieces of personal information that they collect, the types of sources from which the businesses collect the personal information, the business purposes for collecting or selling the personal information, and the types of third parties with which the information is shared.
- Businesses will be prohibited from selling the personal information of a child, unless they obtain an opt-in from an appropriate party. Children between the ages of 13 and 16 can opt in for themselves. For children under the age of 13, businesses must obtain an opt-in from a parent or guardian. (Note that the online collection of data of children under the age of 13 remains subject to the federal Children's Online Privacy Protection Act.)
- California residents will have the right to request deletion of personal information, with certain exceptions. Businesses will be required to delete such information upon receipt of a verified request, as specified.
- California residents will have the right to request that a business that sells the consumer's personal information, or discloses it for a business purpose, disclose the categories of information that it collects and the identity of third parties to which the information was sold or disclosed. Businesses will be required to provide this information in response to a verifiable consumer request.
- California residents will have the ability to opt out of the sale of personal information by a business. Businesses must make available, in a form reasonably accessible to consumers, a clear and conspicuous link on the homepage, titled "Do Not Sell My Personal Information." The business must wait at least 12 months before requesting to sell the personal information of any California resident who has opted out.
- Businesses will be prohibited from discriminating against the consumer for exercising their right to opt out of the sale of their personal information. For example, businesses will not be able to charge the consumer who opts out a different price or provide the consumer a different quality of goods or services (except if the difference is reasonably related to the value provided by the consumer's data).

V. How Does the CCPA Differ From the GDPR?

The CCPA:

- Defines "personal information" more broadly than the term "personal data" is defined under the GDPR.
- Requires the use of disclosures, communication channels and other measures that are not required under the GDPR.
- Establishes broad rights for California residents to direct the deletion of their personal information (a.k.a. the "right to be forgotten"), with different exceptions than those available under the GDPR.
- Establishes broader rights to access personal information than the GDPR offers.
- Requires businesses not to discriminate against a consumer because he or she exercised any rights under the law.
- Imposes more rigid restrictions on data sharing for commercial purposes than the GDPR does.

VI. What Steps Should Businesses Consider Taking?

The CCPA may be revised before its January 1, 2020 effective date, and the law may still be challenged in court. Nevertheless, because eighteen months come and go quickly when there is much work to do, businesses should consider taking several actions in the near future to prepare for the CCPA. Such steps may include:

- Determining and mapping where the business maintains the personal information of California residents, households and devices.
- Establishing a mechanism for California residents to make requests as to their personal information, including a toll-free telephone number.
- Implementing appropriate technological and organizational systems to comply with the law's new requirements.
- Updating privacy policies to explain California residents' rights under the CCPA.
- Implementing processes to obtain the appropriate affirmative consent with respect to sharing of children's personal information.

VII. What Are the Potential Penalties For Non-Compliance?

Businesses may face penalties of up to $7,500 for each intentional violation of any provision of the CCPA. Additionally, businesses that suffer a data breach may be obligated to pay damages of not less than $100 and up to $750 per California resident, per incident.

If you have any questions about this article, please contact Michael J. Riela at riela@thsh.com or your usual contact at Tannenbaum Helpern.

About Tannenbaum Helpern's Cybersecurity and Data Privacy Practice

Tannenbaum Helpern's Cybersecurity and Data Privacy Practice regularly advises investment advisers and other types of clients in managing and responding to the ever-evolving data privacy and cybersecurity landscape. We provide the following types of services:

1. Prevention: Helping clients develop proactive procedures and policies designed to mitigate their risk of data security breaches, and to help them be prepared to deal with security breaches efficiently when they inevitably do occur;
2. Compliance: Helping clients comply with applicable privacy and security laws and regulations, including the California Consumer Privacy Act of 2018 (CCPA) and the European Union's General Data Protection Regulation (GDPR);
3. Risk Reduction: Negotiating contractual protections with vendors and contractors who have access to clients' and their customers' information, conducting employee training to recognize and avoid security threats, and directing clients in how to obtain appropriate cybersecurity insurance protection;
4. Response: Responding to data breach incidents when they occur, including implementing breach response and notification plans as required by applicable law, and liaising with law enforcement and other immediate responders such as insurance companies, forensic experts, technical consultants, and public relations professionals; and
5. Dispute Resolution: Defending clients in connection with any disputes and legal claims that arise from cyber breaches.

The effective management of cyber risk often requires input from insurance professionals, information technology experts, forensics experts, public relations experts and others. Our Cybersecurity and Data Privacy Practice can connect you with qualified professionals in these fields.

About Tannenbaum Helpern Syracuse & Hirschtritt LLP

Since 1978, Tannenbaum Helpern Syracuse & Hirschtritt LLP has combined a powerful mix of insight, creativity, industry knowledge, senior talent and transaction proficiency to successfully guide clients through periods of challenge and opportunity. Our mission is to deliver the highest quality legal services in a practical and efficient manner, bringing to bear the judgment, common sense and expertise of well-trained, business-minded lawyers. Through our commitment to service and successful results, Tannenbaum Helpern continues to earn the loyalty of our clients and a reputation for excellence. For more information, visit www.thsh.com. Follow us on LinkedIn and Twitter: @THSHLAW.