Privacy Professionals on California Consumer Privacy Act Readiness: 5 Takeaways
The California Consumer Privacy Act hits in less than a year, but its broad definitions and lack of precedent have left many impacted in-house counsel stumped on compliance efforts.
April 16, 2019 at 01:52 PM
3 minute read
The California Consumer Privacy Act hits in less than a year, but its broad definitions and lack of precedent have left many impacted in-house counsel stumped on compliance efforts.
Data privacy professionals teamed up to provide their CCPA compliance advice at a recent webinar on adapting compliance strategies from the European Union's General Data Protection Regulation to fit California's law.
Jerrod Bailey, the chief strategy officer of blockchain company Truyo, and Dominique Shelton Leipzig, the co-chair of Perkins Coie's ad tech privacy and data management practice, discussed some of the CCPA's confusing points and how in-house counsel can get their company ready. Here are five takeaways:
- Keep track of requests in one place. CCPA-impacted companies can expect a flood of data subject requests in 2020, Leipzig said. Companies hit by GDPR have already seen “thousands” of data subject requests, she said, so legal departments should “keep a centralized area for responding to consumer requests.” If requests aren't stored and handled in a centralized location, it's more likely they'll be lost or forgotten, possibly leaving companies open to legal liability. She said U.S. companies are operating in a more established culture of class actions than European counterparts and could see suits once CCPA is effective.
- Have a 'do not sell' button. This is required by CCPA and it's an obligation even GDPR-impacted companies haven't faced before. All companies impacted by CCPA must place a “clear and conspicuous” link button titled “Do Not Sell My Personal Information” on its online homepage. Bailey said companies with apps should also consider whether they'll include the button in their app; at the moment, he said the law isn't clear whether this is required. He added companies may respond to these requests using a mix of automation and manual work.
- Data's 'sale' is complicated. Companies may not swap data for cash, but under CCPA the definition of sale is “very broad,” Leipzig said, and includes “any transfer of personal information of California residents for which there is valuable consideration” even if no money is exchanged. She offered this example: retailers exchanging email lists for a joint promotion campaign because it will enable more sales and higher profit in the future.
- Keep California separate? The 'do not sell' button is only required for California residents, but Bailey said many companies plan to offer it to all U.S. users. ”Will I selectively display this link? Am I going to show it to everyone who comes to my website?” Bailey said. “Or am I going to somehow try to fence off California citizens and only show them the link? … For this particular use case, it's a hard thing to do.”
- Verify users' identity. If companies do choose to keep California residents separate, they'll need to identify which consumers are from the state, the privacy professionals said, and that can get complicated. Leipzig advised against collecting data such as uploaded driver's license photos; it just adds to the data a company needs to protect. At a minimum, Bailey said websites should include CAPTCHA tests and emailed verification to prevent bots from spamming 'do not sell' links.
Read More:
This content has been archived. It is available through our partners, LexisNexis® and Bloomberg Law.
To view this content, please continue to their sites.
Not a Lexis Subscriber?
Subscribe Now
Not a Bloomberg Law Subscriber?
Subscribe Now
NOT FOR REPRINT
© 2024 ALM Global, LLC, All Rights Reserved. Request academic re-use from www.copyright.com. All other uses, submit a request to [email protected]. For more information visit Asset & Logo Licensing.
You Might Like
View AllHow Marsh McLennan's Small But Mighty Legal Innovation Team Builds Solutions That Bring Joy
Aggressive FTC May Force Merging Companies to Bolster Legal Defenses
4 minute readBest Legal Departments: How Blackstone's Legal and Compliance Team Got the All-Clear to Grow Business
CEOs Want Data-Based Risk Management; GCs Lack the Tech to Do So.
Trending Stories
- 1Friday Newspaper
- 2Judge Denies Sean Combs Third Bail Bid, Citing Community Safety
- 3Republican FTC Commissioner: 'The Time for Rulemaking by the Biden-Harris FTC Is Over'
- 4NY Appellate Panel Cites Student's Disciplinary History While Sending Negligence Claim Against School District to Trial
- 5A Meta DIG and Its Nvidia Implications
Who Got The Work
Michael G. Bongiorno, Andrew Scott Dulberg and Elizabeth E. Driscoll from Wilmer Cutler Pickering Hale and Dorr have stepped in to represent Symbotic Inc., an A.I.-enabled technology platform that focuses on increasing supply chain efficiency, and other defendants in a pending shareholder derivative lawsuit. The case, filed Oct. 2 in Massachusetts District Court by the Brown Law Firm on behalf of Stephen Austen, accuses certain officers and directors of misleading investors in regard to Symbotic's potential for margin growth by failing to disclose that the company was not equipped to timely deploy its systems or manage expenses through project delays. The case, assigned to U.S. District Judge Nathaniel M. Gorton, is 1:24-cv-12522, Austen v. Cohen et al.
Who Got The Work
Edmund Polubinski and Marie Killmond of Davis Polk & Wardwell have entered appearances for data platform software development company MongoDB and other defendants in a pending shareholder derivative lawsuit. The action, filed Oct. 7 in New York Southern District Court by the Brown Law Firm, accuses the company's directors and/or officers of falsely expressing confidence in the company’s restructuring of its sales incentive plan and downplaying the severity of decreases in its upfront commitments. The case is 1:24-cv-07594, Roy v. Ittycheria et al.
Who Got The Work
Amy O. Bruchs and Kurt F. Ellison of Michael Best & Friedrich have entered appearances for Epic Systems Corp. in a pending employment discrimination lawsuit. The suit was filed Sept. 7 in Wisconsin Western District Court by Levine Eisberner LLC and Siri & Glimstad on behalf of a project manager who claims that he was wrongfully terminated after applying for a religious exemption to the defendant's COVID-19 vaccine mandate. The case, assigned to U.S. Magistrate Judge Anita Marie Boor, is 3:24-cv-00630, Secker, Nathan v. Epic Systems Corporation.
Who Got The Work
David X. Sullivan, Thomas J. Finn and Gregory A. Hall from McCarter & English have entered appearances for Sunrun Installation Services in a pending civil rights lawsuit. The complaint was filed Sept. 4 in Connecticut District Court by attorney Robert M. Berke on behalf of former employee George Edward Steins, who was arrested and charged with employing an unregistered home improvement salesperson. The complaint alleges that had Sunrun informed the Connecticut Department of Consumer Protection that the plaintiff's employment had ended in 2017 and that he no longer held Sunrun's home improvement contractor license, he would not have been hit with charges, which were dismissed in May 2024. The case, assigned to U.S. District Judge Jeffrey A. Meyer, is 3:24-cv-01423, Steins v. Sunrun, Inc. et al.
Who Got The Work
Greenberg Traurig shareholder Joshua L. Raskin has entered an appearance for boohoo.com UK Ltd. in a pending patent infringement lawsuit. The suit, filed Sept. 3 in Texas Eastern District Court by Rozier Hardt McDonough on behalf of Alto Dynamics, asserts five patents related to an online shopping platform. The case, assigned to U.S. District Judge Rodney Gilstrap, is 2:24-cv-00719, Alto Dynamics, LLC v. boohoo.com UK Limited.
Featured Firms
Law Offices of Gary Martin Hays & Associates, P.C.
(470) 294-1674
Law Offices of Mark E. Salomone
(857) 444-6468
Smith & Hassler
(713) 739-1250