On election day, California State voters passed Proposition 24, the California Privacy Rights Act (“CPRA”), a measure that strengthens consumer data privacy rights that were originally created by the California Consumer Privacy Act (“CCPA”). The amendments to the CCPA implement a regulatory framework that is, in some respects, more closely aligned with that of the European Union’s (“EU”) General Data Protection Regulation (“GDPR”). With the passage of these additional California State consumer data restrictions, businesses should work with a CPRA lawyer to help navigate their compliance obligations. Failure to do so may result in private rights of action and/or investigations by California’s State Attorney General.
October 4, 2019
On October 1, 2019, the Court of Justice for the European Union (“CJEU”) issued an important opinion regarding the scope of consent in the context of the General Data Protection Regulation (“GDPR”). Specifically, the Court determined that a company cannot validly obtain a user’s consent to install cookies on his/her computer device by means of pre-checked boxes. Instead, the Court ruled that for a user’s consent to be valid under the GDPR, consent must be both active and unambiguous.
Why don’t pre-checked boxes constitute valid GDPR consent?
November 28, 2018
On November 23, 2018, the European Data Protection Board (EDPB) adopted new draft guidelines intended to provide clarity with respect to the territorial scope of the European Union’s General Data Protection Regulation (GDPR). The highly anticipated GDPR guidelines provide needed clarification on several key issues, including how the GDPR will be applied to business entities located in different parts of the world, and which businesses will need to appoint a representative in the European Union (EU) to act as a liaison with local supervisory authorities.
Given the severity of the penalties for violations of the GDPR, all US and EU businesses should closely follow the newly released guidelines in order to ensure that they are in full compliance with the GDPR.
What Do the New GDPR Guidelines Mean for My Business?
October 15, 2018
On June 28, 2018, California passed the most comprehensive and consumer-friendly privacy law in the United States: the California Consumer Privacy Act (“CCPA”). In many respects, the framework of the CCPA is similar to the European Union’s recently enacted General Data Protection Regulation (“GDPR”). While many businesses took measures to comply with the provisions of the GDPR (which went into effect on May 25, 2018), the GDPR was somewhat limited in applicability for US-based businesses that have little to no EU contacts.
The California Consumer Privacy Act, on the other hand, will affect almost all US-based businesses that collect consumer data, in any form, from California State residents, and it contains provisions that differ from the GDPR in important ways. Therefore, all US businesses should ensure that they are in full compliance with the CCPA, which goes into effect on January 1, 2020.
How Do I Best Ensure that My Business Complies with the California Consumer Privacy Act (CCPA)?
May 31, 2018
On May 25, 2018, Europe’s General Data Protection Regulation (“GDPR”) went into effect with the aim of standardizing data protection laws for businesses that, among other things, collect, retain and/or use the personal data of European Union (“EU”) residents. Businesses across the world are trying to determine what impact the GDPR data rules will have on their operations. Larger companies, such as Google and Facebook, are already facing GDPR compliance challenges: multi-billion-dollar lawsuits have been filed against some companies for allegedly forcing consumers to consent to the collection of their personal data for targeted advertising purposes.
Over time, the enforcement of the GDPR will become more predictable and businesses will get more comfortable with the data collection and use restrictions imposed by the GDPR. However, in the first few days following the GDPR’s effective date, there are still several questions surrounding the scope of enforcement. One of those questions is:
What GDPR data can I maintain when a consumer has directed that her/his data be deleted?