What You May Have Overlooked in the Run-Up to CCPA Compliance
From how to handle web browser cookies to overlooked security requirements, here are four things to consider before the CCPA compliance date.
December 26, 2019 at 09:00 AM
4 minute read
The original version of this story was published on Legal Tech News
With just days to go before the California Consumer Privacy Act (CCPA) compliance date, some companies may be scrambling to get their data collection and management processes in order. Others, however, might be taking a wait-and-see approach before fulling investing into large-scale changes. Whatever an organization's plan, there are certain things all covered entities should know about the far-reaching privacy law before January 2020.
From how to handle web browser cookies to overlooked security requirements, here are four things to consider before the compliance date:
|The CCPA Is Mostly Ready
Those waiting to see how the "final" CCPA takes shape may be too late. Amendments to the CCPA that passed California legislature in September 2019 have been signed into law, and the state's Attorney General released proposed CCPA regulations in October 2019. As of the end this year, the CCPA is ready for prime time.
"I would say 95% of the puzzle is [set] so companies should get on that 95% instead of waiting for that 5% to be finalized around the edges," said Dominique Shelton Leipzig, chair of adtech privacy and cybersecurity group at Perkins Coie.
To be sure, the attorney general's regulations are only proposed. But while the CCPA will evolve over time, Leipzig believes any changes will likely be minor. "I wouldn't expect radical departures from what we see in the regulations already."
|Cookies Are Likely for Sale
One of the unique mandates of the CCPA is allowing customers to opt out of having their data sold to third parties. While that may seem straightforward, it can get complicated when considering what exactly constitutes a sale. Take for example, "cookies," which are lines of code that track a user's web browsing and often used to create targeted online advertisements.
"I would think seriously about having a do not sell link if a company has third-party cookies on their site," Leipzig said. "There are different points of view in terms of whether cookies constitute a sale, but I can say that my understanding is the Attorney General's Office considers third-party cookies that go across multiple websites to be a sale under the statute."
Of course, this view could change over time. "As we know the California Attorney General regulations are still proposed; they're not finalized—and we won't see a finalized version for some months," said Mark Schreiber, partner at McDermott Will & Emery. But as for now, it might be better to safe than sorry.
|Enforcement Action Is Delayed, but Not Litigation
Those waiting to see how enforcement action will shape up under the CCPA will have to wait a while longer. While the compliance date for the regulation is Jan. 1, the date the state attorney general can start enforcing the CCPA is set to be no later than July 1.
But even without an active attorney general, there are likely to be plenty of CCPA battles before the summer. "With regard to the private right of action that exists under the statute, there is no delay to bring [those] actions," Leipzig said.
And there are already signs that litigation may ramp up quickly. "We are already seeing that there are some 13 cases in California that have already been filed that expressly mention the CCPA, and there's another 14 that lift language from the CCPA," Leipzig added.
|'Reasonable' Security Is Required
The CCPA isn't all about privacy. In fact, the regulation also mandates that covered entities maintain reasonable security procedures, something that does not get as much attention as the data handling requirements. "It certainly hasn't been focused on and it ought it to be," Schreiber said.
To be sure, exactly what constitutes "reasonable" security isn't clarified in the CCPA. Still, Schreiber said that there are hints in what the state expects given its past positions. "The California attorney general years ago in other pronouncements identified the 20 CIS [security] controls —which is this fairly intense and robust set of security standards—as being what California would look to. So that's been out there for some years and those are fairly granular in terms of the different components that need to be looked at."
This content has been archived. It is available through our partners, LexisNexis® and Bloomberg Law.
To view this content, please continue to their sites.
Not a Lexis Subscriber?
Subscribe Now
Not a Bloomberg Law Subscriber?
Subscribe Now
NOT FOR REPRINT
© 2024 ALM Global, LLC, All Rights Reserved. Request academic re-use from www.copyright.com. All other uses, submit a request to [email protected]. For more information visit Asset & Logo Licensing.
You Might Like
View AllWill Trump Be a Boost to Quinn Emanuel's Fortunes in China?
Pa. Judicial Nominee Advances While Trump Demands GOP Unity Against Biden Picks
4 minute readTrump's SEC Overhaul: What It Means for Big Law Capital Markets, Crypto Work
Law Firms Mentioned
Trending Stories
- 1Gibson Dunn Sued By Crypto Client After Lateral Hire Causes Conflict of Interest
- 2Trump's Solicitor General Expected to 'Flip' Prelogar's Positions at Supreme Court
- 3Pharmacy Lawyers See Promise in NY Regulator's Curbs on PBM Industry
- 4Outgoing USPTO Director Kathi Vidal: ‘We All Want the Country to Be in a Better Place’
- 5Supreme Court Will Review Constitutionality Of FCC's Universal Service Fund
Who Got The Work
Michael G. Bongiorno, Andrew Scott Dulberg and Elizabeth E. Driscoll from Wilmer Cutler Pickering Hale and Dorr have stepped in to represent Symbotic Inc., an A.I.-enabled technology platform that focuses on increasing supply chain efficiency, and other defendants in a pending shareholder derivative lawsuit. The case, filed Oct. 2 in Massachusetts District Court by the Brown Law Firm on behalf of Stephen Austen, accuses certain officers and directors of misleading investors in regard to Symbotic's potential for margin growth by failing to disclose that the company was not equipped to timely deploy its systems or manage expenses through project delays. The case, assigned to U.S. District Judge Nathaniel M. Gorton, is 1:24-cv-12522, Austen v. Cohen et al.
Who Got The Work
Edmund Polubinski and Marie Killmond of Davis Polk & Wardwell have entered appearances for data platform software development company MongoDB and other defendants in a pending shareholder derivative lawsuit. The action, filed Oct. 7 in New York Southern District Court by the Brown Law Firm, accuses the company's directors and/or officers of falsely expressing confidence in the company’s restructuring of its sales incentive plan and downplaying the severity of decreases in its upfront commitments. The case is 1:24-cv-07594, Roy v. Ittycheria et al.
Who Got The Work
Amy O. Bruchs and Kurt F. Ellison of Michael Best & Friedrich have entered appearances for Epic Systems Corp. in a pending employment discrimination lawsuit. The suit was filed Sept. 7 in Wisconsin Western District Court by Levine Eisberner LLC and Siri & Glimstad on behalf of a project manager who claims that he was wrongfully terminated after applying for a religious exemption to the defendant's COVID-19 vaccine mandate. The case, assigned to U.S. Magistrate Judge Anita Marie Boor, is 3:24-cv-00630, Secker, Nathan v. Epic Systems Corporation.
Who Got The Work
David X. Sullivan, Thomas J. Finn and Gregory A. Hall from McCarter & English have entered appearances for Sunrun Installation Services in a pending civil rights lawsuit. The complaint was filed Sept. 4 in Connecticut District Court by attorney Robert M. Berke on behalf of former employee George Edward Steins, who was arrested and charged with employing an unregistered home improvement salesperson. The complaint alleges that had Sunrun informed the Connecticut Department of Consumer Protection that the plaintiff's employment had ended in 2017 and that he no longer held Sunrun's home improvement contractor license, he would not have been hit with charges, which were dismissed in May 2024. The case, assigned to U.S. District Judge Jeffrey A. Meyer, is 3:24-cv-01423, Steins v. Sunrun, Inc. et al.
Who Got The Work
Greenberg Traurig shareholder Joshua L. Raskin has entered an appearance for boohoo.com UK Ltd. in a pending patent infringement lawsuit. The suit, filed Sept. 3 in Texas Eastern District Court by Rozier Hardt McDonough on behalf of Alto Dynamics, asserts five patents related to an online shopping platform. The case, assigned to U.S. District Judge Rodney Gilstrap, is 2:24-cv-00719, Alto Dynamics, LLC v. boohoo.com UK Limited.
Featured Firms
Law Offices of Gary Martin Hays & Associates, P.C.
(470) 294-1674
Law Offices of Mark E. Salomone
(857) 444-6468
Smith & Hassler
(713) 739-1250