California Consumer Privacy Act

Keypoint: After an active winter of proposed state privacy laws, it appears that all eyes will once again be on California for the remainder of the year as we wait for final CCPA regulations, the fate of the CCPA 2.0 ballot measure, and other privacy bills being considered by the California legislature.

Over the past few months, there has not been a lack of things to talk about as it relates to U.S. privacy law developments. Between the CCPA, Washington Privacy Act, CCPA 2.0, and numerous privacy bills proposed in state legislatures, practically every day brought a new story.  However, a lot has changed in a short period of time.

First, the Washington Privacy Act failed to pass (although Washington did enact a facial recognition bill). Then, the world changed with the Coronavirus pandemic.

Yet, there are still developments in U.S. privacy law. Below is an overview of the ones that we have been tracking over the past few weeks.


Continue Reading

Keypoint: The California Attorney General’s office does not currently plan to extend the CCPA’s enforcement deadline but left the door open to reconsider its position as the coronavirus crisis unfolds.

As we previously reported, on March 17, 2020, over thirty trade associations, companies, and organizations sent a letter to California Attorney General Becerra requesting that, in light of the coronavirus crisis and unfinished status of the regulations, he “forebear from enforcing the CCPA until January 2, 2021 so businesses are able to build processes that are in line with the final regulations before they may be subject to enforcement actions for allegedly violating the law’s terms.”


Continue Reading

Keypoint: The California Attorney General’s office has not addressed whether businesses may delay responding to CCPA requests due to the Coronavirus pandemic; however, businesses can look to the CCPA’s 45-day extension for relief, at least with respect to responding to requests to know and delete.

To state the obvious, businesses subject to the California Consumer Privacy Act (CCPA) may have more urgent matters to handle these days than responding to CCPA consumer requests.

Yet, the California Attorney General’s office – the CCPA’s enforcement arm – has been silent on whether it will take into account these extenuating circumstances when exercising its enforcement authority come July 1. This may be due to the unique circumstance in which the Attorney General finds itself – i.e., stuck between the CCPA’s effective date and enforcement date.

Before the Coronavirus pandemic, the Attorney General publicly stated that CCPA enforcement actions can cover activities between January 1 and July 1 (see here and here). Whether or not that position is ultimately legal, it places businesses in a difficult situation when balancing Coronavirus-related business disruptions and responding to CCPA consumer requests in a timely manner.


Continue Reading

On March 11, 2020, the California Attorney General’s office published a second set of modified proposed CCPA regulations. Members of Husch Blackwell’s privacy and data security practice group will host a webinar on Tuesday, March 17, from 12:00-1:00 p.m. CT, to analyze the second set of modified proposed regulations. Click here to register.

Keypoint: This modified draft of proposed regulations retracts some of the modifications as published on February 10 and adds new revisions. There is an additional comment period, which delays publication of final regulations and further shortens the time businesses will have to drive compliance before the July 1, 2020 enforcement date.

On Wednesday, March 11, 2020, the California Attorney General’s office published a notice of second set of modifications to the text of the proposed regulations regarding the California Consumer Privacy Act (CCPA). The Attorney General’s office also published redline and clean versions of the second set of modified regulations.

In the below post, we first provide a brief background of the regulatory process. We then discuss the most significant changes made in this latest round of revisions.


Continue Reading

Conceptual image about how a laptop computer with internet open a virtual door to worldwide information sharing.Keypoint: The modified proposed regulations make substantial changes to the proposed regulations, including modifying how consumer notices must be drafted and changing some of the requirements for receiving and responding to consumer requests.

On Friday, February 7, 2020, the California Attorney General’s office published a notice of modifications to the text of the proposed regulations regarding the California Consumer Privacy Act (CCPA). The AG’s office also published redline and clean versions of the modified regulations.

The changes modify the proposed regulations published by the Attorney General’s office on October 11, 2019. The changes are the result of four public hearings held in December 2019 and the submission of over 1,700 pages of written comments. The Attorney General’s notice states that the department will accept written comments on the proposed changes until 5:00 p.m. on February 24, 2020.

Based on guidance previously published by the Attorney General’s office, this abbreviated comment period reflects the Attorney General’s determination that the changes are “substantial and sufficiently related,” but not “major,” which would require a new 45-day comment period. Following review of written comments, the Attorney General’s office will publish an updated informative digest and final statement of reasons (with summary and response comments) in addition to the final text of the regulations.

Members of Husch Blackwell’s privacy and data security practice group will host a webinar on Wednesday, February 12 at noon CST to review and discuss the modified regulations. To register, click here.

Below is our analysis of the modified regulations.


Continue Reading

Conceptual image about how a laptop computer with internet open a virtual door to worldwide information sharing.Keypoint: 2020 promises to be another ground-breaking year in privacy and cybersecurity law in the United States.

2019 was an exciting year in privacy and cybersecurity law. In the United States, the California Consumer Privacy Act (CCPA) was the most significant story, but there also were developments in states such as New York and Nevada. Numerous other states also considered consumer privacy legislation, and federal lawmakers even jumped into the fray, proposing a variety of bills and regulations. Overseas, GDPR garnered the most headlines of course, but other countries, such as Brazil, also made news.

But 2019 was just the start. There is no doubt that privacy and cybersecurity law is undergoing a fundamental change in the United States. If nothing else, the legal landscape of privacy law in the United States promises to look very different by the end of the year.

Below we discuss what we anticipate will be the biggest stories in 2020 and beyond.


Continue Reading

Conceptual image about how a laptop computer with internet open a virtual door to worldwide information sharing.Keypoint: Those hoping that the final CCPA regulations will clarify its requirements may be disappointed. 

According to an article in Bloomberg Law, California Attorney General Becerra does not anticipate his office making substantial changes to the regulations as proposed when it issues the final regulations.

The AG’s office published the proposed regulations on October

With less than 60 days until the California Consumer Privacy Act (CCPA) goes into effect, businesses need to aggressively focus their compliance efforts. Although each organization will face unique compliance challenges, all businesses need to tackle a discrete set of tasks – at a minimum – to comply by January 1, 2020.

Join us on