California, Here We Come: Getting Ready for the CCPA

With the California Consumer Privacy Act deadline fast approaching, we're thrilled to welcome a relentless advisor of consumer privacy, data security and identity protection, Tracy Shapiro, Partner DLA Piper, as our guest author. Tracy's insight into privacy protection is invaluable and her article is a must-read for companies and consumers alike.

At privacy conferences around the country, you can’t throw a rock without hitting someone discussing the newly-enacted California Consumer Privacy Act (CCPA). This game-changing privacy law creates sweeping new rights for Californians, including the right to access personal information and have it deleted and to opt out of the “sale” of personal information (defined broadly to include any disclosure in exchange for valuable consideration). The law also raises the stakes in the event of a data breach by including a private right of action and statutory damages for breaches that result from a failure to implement reasonable security measures.

The CCPA applies to covered entities, regardless of location, that collect personal information about California residents, and applies to an entity’s B2C, B2B, and employee data. The law includes an expansive definition of personal information that, in addition to traditional forms of personal information, includes elements such as IP address, device identifiers, and biometric, audio, and location information.

Covered entities will be subject to meaningful disclosure and compliance obligations, and will need to map data flows, update user interfaces, revise privacy policies, and revisit vendor contracts. Compliance will also demand that entities establish effective, sustainable processes and controls.
While the CCPA has been called California’s GDPR, there is significant daylight between the two. Entities that have undertaken GDPR compliance may have a leg up in tackling the CCPA, but they shouldn’t assume their GDRP compliance efforts alone will suffice.

We’re now less than a year away from the CCPA’s January 1, 2020, deadline. The Attorney General, which will be clarifying the law in a rulemaking, has begun hosting a series of forums to provide the public an opportunity to share on-the-record comments. Those looking for insights from the Attorney General, however, should sit this one out. So far, the regulators have been strictly in listening mode. Further legislative amendments are also anticipated, but the operational challenges of the law are so significant that entities will need to begin their compliance efforts before the ink is dry on any CCPA clarifications.

About Tracy Shapiro

Tracy Shapiro advises on privacy, data security and advertising issues and defends clients in investigations and enforcement actions brought by the Federal Trade Commission (FTC), state attorneys general and self-regulatory bodies. She helps technology companies comply with federal and state privacy laws, including the FTC Act, COPPA, VPPA, FCRA, student privacy laws and the California Consumer Privacy Act.

Tracy spent six years as an attorney at the FTC in the Bureau of Consumer Protection's Division of Privacy and Identity Protection and the Division of Advertising Practices, where she investigated and brought enforcement actions related to consumer privacy, data security and advertising. She helped create principles for industry self-regulation in the area of online behavioral advertising, and she led the FTC's first enforcement action involving online behavioral advertising. She also brought actions enforcing the FTC's Endorsement Guidelines and litigated spyware and adware cases.

To learn more about Tracy visit: http://bit.ly/2HEB6oU #privacy #jwmc