On August 14, 2020, Attorney General Becerra announced that the California Office of Administrative Law (OAL) approved the final regulations related to the California Consumer Privacy Act (CCPA) an filed them with the Secretary of State. The regulations go into effect immediately.

The Attorney General’s office submitted the final proposed regulations to the OAL on June 1, 2020. As part of the final regulations package, the Attorney General requested an expedited review of 30 business days and that the regulations become effective upon filing with the Secretary of State. Although not satisfying the 30-day request, the OAL did complete its review in short order, particularly in light of two executive orders by California’s governor extending the OAL’s review period by an additional 120 days.

Continue Reading CCPA Final Regulations Approved and Effective Immediately

Keypoint: The EDPB’s FAQs resolve some open questions, such as whether there will be a grace period for companies relying on Privacy Shield, but raise other questions, such as what “supplementary measures” companies need to put in place to use Standard Contractual Clauses and Binding Corporate Rules.

In the wake of the Court of Justice of the European Union’s Schrems II judgment, on July 23, 2020, the European Data Protection Board (EDPB) adopted a Frequently Asked Questions document to “provide initial clarification and give preliminary guidance to stakeholders on the use of legal instruments for the transfer of personal data to third countries, including the U.S.” The EDPB stated that the document will be updated, and further guidance provided, as it continues to examine and consider the judgment.

Continue Reading EDPB Issues Guidance for Cross-Border Data Transfers in Wake of Schrems II Judgment

Over the past few months, there have been numerous developments in state, federal and international privacy law. On Wednesday, August 5, 2020, from 12:00 – 1:00 C.T. members of Husch Blackwell’s privacy and data security practice group will present a webinar providing an overview of the rapidly changing privacy law landscape.  Click here for more information and to register.

In a ground-breaking opinion issued today, the Court of Justice of the European Union invalidated the EU-US Privacy Shield Decision as a method for transferring personal data from the EU to the US. In short, the Decision was invalidated over Privacy Shield’s failure to adequately address US government surveillance activities.

Conversely, the Court upheld the use of standard contractual clauses for transfers of personal data to third countries but emphasized that the parties are under an obligation to ensure that the laws in the recipient country are sufficient.  Specifically, the Court held that GDPR Article 46(1) and 46(2)(6) “must be interpreted as meaning that the appropriate safeguards, enforceable rights and effective legal remedies required by those provisions must ensure that data subjects whose personal data are transferred to a third country pursuant to standard data protection clauses are afforded a level of protection essentially equivalent to that guaranteed” in European law.

Continue Reading CJEU Invalidates EU-U.S. Privacy Shield; Upholds Standard Contractual Clauses

During a webinar last week hosted by the International Association of Privacy Professionals, a representative from the California Attorney General’s office confirmed that on July 1, the first date of the AG’s statutory enforcement authority, the office sent its first set of CCPA enforcement letters. Per the statute, businesses have 30 days to cure the violations before the AG’s office may commence a confidential investigation or initiate a lawsuit.

Continue Reading CCPA Update: AG’s Office Confirms CCPA Enforcement Has Begun

On June 24, 2020, the California Secretary of State announced that county election officials had validated enough signatures through the random signature validation process to make the California Privacy Rights Act of 2020 (a/k/a CCPA 2.0) eligible for the November 3, 2020 ballot. The final projected valid signatures based on the random sample validation process was 718,233 signatures, well in excess of the requirement.

The measure will now move to the November ballot. Polling previously released by the Californians for Consumer Privacy – the advocacy group that submitted the CPRA – indicated that 88% of California voters supported the measure.

If passed, the CPRA will significantly revise the CCPA’s requirements. For a discussion of the CPRA, see our on-demand webinar available here.

In early June, the California Attorney General filed final CCPA regulations with the California Office of Administrative Law. The final regulations were accompanied by a 59-page Final Statement of Reasons along with six appendices containing over 500 pages of comments on the regulations and the Attorney General’s responses to those comments. One of the many topics that the Attorney General’s office discussed was the final regulation’s requirements for drafting privacy policies. Given that the drafting of a privacy policy is a necessary part of CCPA compliance, it is worth analyzing those comments.

Continue Reading Analyzing the California Attorney General’s Comments on Drafting Privacy Policies

On May 26, the District Court found in the In Re: Capital One Consumer Data Security Breach Litigation, MDL No. 1:19md2915 (AJT/JFA)(ED VA) that a report prepared by Mandiant concerning the Capital One data breach (Breach Report) was not protected by the work product privilege and must be turned over to Plaintiffs. Continue Reading Breach Report in Capital One Litigation Not Privileged

The California Attorney General’s office just published final CCPA regulations. The Attorney General also submitted a written justification requesting an expedited review of the regulations and an effective date upon the filing of the regulations with Secretary of State.

Join us on Friday, June 5, 2020, from noon to 1:00 CDT for a live webinar taking a first look at the final regulations.

To register for the webinar, click here.