California Attorney General Proposes Further Modifications to Proposed CCPA Regulations


On March 11, 2020, the California Attorney General (“AG”) published a second round of modifications to the proposed regulations under the California Consumer Privacy Act of 2018 (“CCPA”). The AG initially published the proposed regulations in October 2019 and then published modifications to such proposed regulations in February 2020. The deadline for submitting comments on this draft of modifications to the proposed CCPA regulations is Friday, March 27, 2020, at 5:00 p.m. PDT.

The March 27, 2020, 5:00 p.m. timetable indicates that the final rules may be in force before the July 1, 2020, deadline set by the CCPA. Organizations currently working toward CCPA compliance should expect the AG to commence investigative activity as soon as the rulemaking process concludes.

What Has Changed?

The modifications are generally minor and technical, with a few exceptions. The modifications were made in response to approximately 100 comments received on the second draft of the proposed regulations that were submitted to the AG’s office between February 7, 2020 and February 25, 2020.

The most recent modifications to the proposed regulations include the following: Continue Reading

Update – ICO Issues Guidance on Data Protection and Coronavirus (COVID-19)

Further to our earlier blog on the data protection aspects of responding to COVID-19, we note that the ICO have now issued guidance on the matter, answering some of the key questions for organisations, businesses and employers.

This is helpful guidance, issued under a statement aimed at public bodies and health practitioners, (so could easily be overlooked), but is very relevant to the issues and worth reading in full.

In summary, the guidance covers questions on:

  • Data protection compliance (there is an understanding that resources might be diverted from the usual compliance efforts at this time);
  • Contacting individuals (the sending of public health messages without consent);
  • Homeworking for staff (and security measures needed);
  • Telling staff that colleagues may have potentially contracted COVID-19 (you can, subject to safeguards – read on);
  • Collecting health data (you can, but read on for how best to do this); and
  • Sharing information with authorities (you can, if it is necessary).

The ICO has stated that the safety and security of the public is their primary concern, which is reassuring and sensible, whilst maintaining that data protection principles still apply.

Data Privacy and Protection – A New Focus Within Australian Takeovers Law

Australian FlagThe previous decade saw the expansion of data privacy laws in Australia and throughout the globe in terms of their application, enforceability and scope, as well as the protections made available to individuals through primary legislation.[1] As we enter a new decade, we are beginning to see the evolution of privacy and data as a multi-regulatory compliance issue, as data protection issues start to permeate additional legal frameworks. Data privacy and protection is no longer confined to issues between a business and its customer, with a privacy regulator, such as the Office of the Australian Information Commissioner, overseeing this relationship in light of applicable laws. Instead, data privacy and protection is becoming increasingly relevant in previously unconsidered aspects of a business’ operational cycle. This article examines this trend by considering data privacy and protection developments within Australian takeovers and foreign acquisitions law. Continue Reading

Data Breach Enforcement in the UK and in the EU: Cross-Border Issues

EU FlagNow that the GDPR has been in force for nearly two years, the UK’s Information Commissioner’s Office (“ICO”), along with a number of other EU supervisory authorities, has begun to issue fines to infringing data controllers and processors for failure to adequately act upon their personal data breach notification obligations and protect personal data they handle.

In evaluating the enforcement of data breaches to date, this blog will first consider how the competent supervisory authority is determined, as well as how they investigate and decide on a data breach. We will reflect on the ICO’s role during and after the Brexit transition period, following which we will consider how fines for data breaches have been calculated in the UK. We will also briefly compare the UK approach to the German model. Continue Reading

Data Protection Issues Raised by Guidance and Efforts to Prevent the Spread of COVID-19

As government agencies and businesses attempt to deal with the ramifications of Covid-19, the potential impact on privacy rights should not be overlooked.  Certain measures that are under consideration to help combat the threat of the Covid-19 virus raise a number of questions about the practical impact of current guidance and efforts to prevent the spread of infection. Clearly, in light of the serious global threat posed by this virus, application of the data protection must be proportionate.  We examine the two questions frequently asked questions from our clients:

  • Can you ask employees about their travel plans (either before or after a holiday abroad)?
  • Can you require employees to undergo a medical examination or submit to tests to check their temperature?

Continue Reading

Final Call to Participate in the CNIL’s Consultation on Cookies Rules

On 21 January 2020, the CNIL launched a public consultation on the proposed guidelines for cookies and other trackers, which is open until 25 February 2020.

The proposed guidelines are presented as “non-binding” and aim to assist organisations to comply with the regulation by providing practical examples of how to obtain consent. However, the CNIL indicates that organisations may use other methods to obtain consent, provided that they comply with the guidelines. Nevertheless, the practical examples are a clear indication of what the CNIL expects. Continue Reading

PCI Data Security Standard Compliance Falling: What Could it Cost You?

Is compliance with payment card data security standards being ignored? In a world where data breach scrutiny and sanctions have increased dramatically, compliance with payment card security standards have fallen. Sam Tibbetts has drafted a post on our sister blog, Global IP & Technology Law, detailing the Payment Card Industry Data Security Standard, why businesses should care, possible reasons for the slump in PCI DSS compliance and key points for companies who process cardholder data. To read the full post, click here.

The Illinois Biometric Information Privacy Act (“BIPA”): When Will Companies Heed the Warning Signs?

Fingerprint Scanning on Blue TechnologyThe Illinois Biometric Information Privacy Act (“BIPA”) went into effect in 2008 and has been a steady source of litigation ever since. This post summarizes the obligations BIPA imposes, the current state of BIPA litigation, and what steps businesses can take to reduce litigation risks.

What is BIPA?

The stated intent of BIPA was to address the heightened risk of identity theft associated with the processing of biometric data. The legislator’s findings state that, “unlike other unique identifiers that are used to access finances or other sensitive information,” when biologically unique data is compromised, “the individual has no recourse” because the individual cannot change these identifiers. Continue Reading

Public Consultation in France on the Transposition of the European Electronic Communications Code (Directive 2018/1972 of December 11, 2018)

The French government has launched a public consultation on the transposition of Directive (EU) 2018/1972 December 11, 2018, establishing the EU Electronic Communications Code (EECC), which must be transposed before December 21, 2020.

What Is It About?

The consultation concerns the draft modification of the French Postal Services and Electronic Communications (CPCE) and French Consumer Code, with a view to transposing the EECC.

What Is EECC? Continue Reading

California Attorney General Proposes Modifications to the Proposed CCPA Regulations

CCPA-California-Consumer-Privacy-ActOn February 7, 2020, the California Attorney General (AG) announced changes to the California Consumer Privacy Act of 2018 (CCPA) proposed regulations. The AG updated its announcement on February 10, 2020, to indicate that an additional provision was being modified. The modifications include changes to the “Right to Opt Out,” the permissible uses of data by service providers and the mandatory content of CCPA notices. The deadline for submitting comments on the modified draft of the proposed CCPA regulations is Tuesday, February 25, 2020, at 5 p.m. (PST).

As discussed herein, the Tuesday, February 25, 2020, 5 p.m. timetable indicates that the final rules may be in force before the July 1, 2020, deadline set by the CCPA. Organizations currently working toward CCPA compliance should expect the AG to commence investigative activity as soon as the rulemaking process concludes. Continue Reading