As businesses in the hospitality and leisure industries are permitted to re-open in England, the Government is asking them to keep a temporary record of their customers and visitors, in order to support NHS Test and Trace. This information will be requested by NHS Test and Trace in the event that someone who has tested positive for COVID-19 lists the business’s premises as a place that they visited recently, or because the premises has been identified as the location of a potential outbreak. This is viewed by the UK Government as a key part of their ongoing response to the virus, as the lockdown is lifted. Continue Reading
In a surprising turn of events, the California State Senate significantly amended California Assembly Bill 1281 (“AB-1281”) late last week. AB-1281 initially proposed enhanced protections for the use of facial recognition technologies, which have now been removed. The amended AB-1281 now focuses on extending by one year the B2B and employee exemptions provided for under the California Consumer Privacy Act (“CCPA”), previously discussed here. Those exemptions currently become inoperative on January 1, 2021; if AB-1281 is enacted, they would become inoperative on January 1, 2022. Note, however, that if the California Privacy Rights Act (read our recent analysis here) passes on the upcoming November 3rd ballot, these exemptions will be extended for an additional year, and will become inoperative on January 1, 2023. Continue Reading
As of today, July 1, 2020, the California Attorney General (“AG”) will begin enforcing the California Consumer Privacy Act of 2018 (“CCPA”), which went into effect on January 1, 2020. Under the CCPA, the AG may recover civil penalties of up to $2,500 for each violation and up to $7,500 for each intentional violation. The CCPA also provides for a private right of action for damages resulting from a data breach involving certain defined types of personal information; indeed, a significant amount of CCPA class action litigation has already been filed. See our prior posts for a detailed analysis of the CCPA and its requirements. In connection with the commencement of CCPA enforcement activity, California AG Xavier Becerra issued the following statement:
Today we begin enforcement of the California Consumer Privacy Act (CCPA), a first-of-its-kind data privacy law in America. We encourage every Californian to know their rights to internet privacy and every business to know its responsibilities. The website of every business covered by the law must now post a link on its homepage that says “Do Not Sell My Personal Information.” Click on it. Remember, it’s your data. You now get to control how it’s used or sold.
The AG has the authority to bring enforcement actions that cover business activities going back to the CCPA’s effective date. The AG has denied repeated requests from California businesses to delay enforcement due to challenges in complying brought on by the COVID-19 pandemic.
This despite the fact that the AG’s proposed regulations clarifying certain CCPA obligations are not yet final. On June 1, 2020, the AG filed the regulations with the Office of Administrative Law (“OAL”) and requested an expedited review to make them effective on July 1, 2020. As of the time of this writing, the OAL had not yet given its final approval to the proposed regulations. The OAL has 30 working days (plus an additional 60 calendar days pursuant to an Executive Order currently in place) to review and approve the proposed regulations, then file them with the California Secretary of State. This could mean that the regulations will not take effect until October 1, 2020. For more details, see our prior post.
As we await a potential wave of AG enforcement and the finalization of the CCPA regulations, the state of California’s privacy laws remains fluid. On June 24, 2020, the California Secretary of State confirmed that the California Privacy Rights Act (“CPRA”) has officially obtained enough signatures to appear on the November 2020 ballot. If approved by California voters, the CPRA will significantly expand the requirements of the CCPA and create a new Privacy Protection Agency in California to enforce California’s privacy laws. See our prior post for more details.
However, given that the AG is now enforcing the CCPA, businesses need to take action as quickly as possible to update privacy notices, implement processes to comply with individual rights requests, ensure that contracts are in place with service providers, and address other applicable CCPA requirements.
For more information, please contacat the author or your usual Squire Patton Boggs contact.
The number of verified signatures necessary to put the California Privacy Rights Act (“CPRA”) on the November ballot cleared its final hurdle on June 24, 2020. This means November 3, 2020 will be a pivotal day for privacy law in California, and will also impact the US more broadly. Continue Reading
In a recent blog post we reported that the advocacy group behind CPRA, Californians for Consumer Privacy, was going to court in an effort to prevent their plans to put the California Privacy Rights Act (“CPRA”) to a referendum vote in November from being derailed by a delay in the reporting of signature counts. A Writ of Mandate that was filed by the advocacy group led to a hearing before the Sacramento Superior Court, which took place on Friday, June 19, 2020. Continue Reading
A financial institution has asked a Virginia federal court to overturn a magistrate judge’s order to disclose its forensic report, detailing its 2019 data breach. If your company experiences a data breach, it is imperative to immediately retain outside counsel who understands the nuances of cybersecurity events and attorney work product privileges. Here we provide the following practical takeaways: Continue Reading
The advocacy group, Californians for Consumer Privacy, is going to court in an effort to ensure that California residents have the ability to vote on the proposed California Privacy Rights Act (“CPRA”) in a referendum in November. Continue Reading
Maintaining a positive and productive work environment helps retain valued employees and aids in recruiting new talent, ultimately saving costs and providing an advantage over competitors. To monitor employee satisfaction organizations are increasingly turning to conducting workplace surveys.
On June 16, 2020 at 4:00p CEST Annette Demmel and Tarek Hajj-Khalil of our Data Privacy & Cybersecurity team will discuss what companies should consider when implementing and conducting employee surveys in order to be in line with applicable data protection laws, in particular the GDPR.
They will explain the different legal bases for acquiring employee feedback; which information has to be given to the employees prior or during a survey; what needs to be taken into account when survey results are being evaluated; as well as how to avoid unnecessary risks in this context.
Additional information and registration is available here.
1.0 hour CLE available for CA, NJ and NY
1.0 hour CPE (IAPP).
After months of waiting, on June 1, 2020, the California Office of the Attorney General (“AG”) unveiled the final proposed California Consumer Privacy Act (“CCPA”) regulations, which are unchanged from the last version circulated in early March 2020 (summarized here). The AG also published extensive materials, including more than 500 pages of responses to public comments, that provide a wealth of (non-binding) guidance on tricky issues. Finally, the AG requested the Office of Administrative Law to expedite its review to make the regulations effective July 1, 2020, but it is unclear whether that will occur. Continue Reading
In considering methods to relax the COVID-19 lockdown measures and revive the economy, while at the same time containing the spread of the virus, the EU and national EU governments have been actively pursuing the development and use of contact tracing apps.
To be effective, any contact tracing app would require the majority of the population to use it. Of course, there are reservations about the overall benefit of such an app as a means of responding to the COVID-19 crisis (among others because it may lead to false positives or negatives, the technology may be unable to distinguish between people in crowded places, as well as because of the possible abuse of the data). Continue Reading