Privacy Professionals on California Consumer Privacy Act Readiness: 5 Takeaways
The California Consumer Privacy Act hits in less than a year, but its broad definitions and lack of precedent have left many impacted in-house counsel stumped on compliance efforts.
April 16, 2019 at 01:52 PM
3 minute read
The original version of this story was published on Corporate Counsel
The California Consumer Privacy Act hits in less than a year, but its broad definitions and lack of precedent have left many impacted in-house counsel stumped on compliance efforts.
Data privacy professionals teamed up to provide their CCPA compliance advice at a recent webinar on adapting compliance strategies from the European Union's General Data Protection Regulation to fit California's law.
Jerrod Bailey, the chief strategy officer of blockchain company Truyo, and Dominique Shelton Leipzig, the co-chair of Perkins Coie's ad tech privacy and data management practice, discussed some of the CCPA's confusing points and how in-house counsel can get their company ready. Here are five takeaways:
- Keep track of requests in one place. CCPA-impacted companies can expect a flood of data subject requests in 2020, Leipzig said. Companies hit by GDPR have already seen “thousands” of data subject requests, she said, so legal departments should “keep a centralized area for responding to consumer requests.” If requests aren't stored and handled in a centralized location, it's more likely they'll be lost or forgotten, possibly leaving companies open to legal liability. She said U.S. companies are operating in a more established culture of class actions than European counterparts and could see suits once CCPA is effective.
- Have a 'do not sell' button. This is required by CCPA and it's an obligation even GDPR-impacted companies haven't faced before. All companies impacted by CCPA must place a “clear and conspicuous” link button titled “Do Not Sell My Personal Information” on its online homepage. Bailey said companies with apps should also consider whether they'll include the button in their app; at the moment, he said the law isn't clear whether this is required. He added companies may respond to these requests using a mix of automation and manual work.
- Data's 'sale' is complicated. Companies may not swap data for cash, but under CCPA the definition of sale is “very broad,” Leipzig said, and includes “any transfer of personal information of California residents for which there is valuable consideration” even if no money is exchanged. She offered this example: retailers exchanging email lists for a joint promotion campaign because it will enable more sales and higher profit in the future.
- Keep California separate? The 'do not sell' button is only required for California residents, but Bailey said many companies plan to offer it to all U.S. users. ”Will I selectively display this link? Am I going to show it to everyone who comes to my website?” Bailey said. “Or am I going to somehow try to fence off California citizens and only show them the link? … For this particular use case, it's a hard thing to do.”
- Verify users' identity. If companies do choose to keep California residents separate, they'll need to identify which consumers are from the state, the privacy professionals said, and that can get complicated. Leipzig advised against collecting data such as uploaded driver's license photos; it just adds to the data a company needs to protect. At a minimum, Bailey said websites should include CAPTCHA tests and emailed verification to prevent bots from spamming 'do not sell' links.
Read More:
NOT FOR REPRINT
© 2024 ALM Global, LLC, All Rights Reserved. Request academic re-use from www.copyright.com. All other uses, submit a request to [email protected]. For more information visit Asset & Logo Licensing.
Trending Stories
- 1'I'm Staying Everything': Texas Bankruptcy Judge Halts Talc Trials Against J&J
- 2What We Know About the Kentucky Judge Killed in His Chambers
- 3Judge Blasts Authors' Lawyers in Key AI Suit, Says Case Doomed Without Upgraded Team
- 4Federal Judge Won't Stop Title IX Investigation Into Former GMU Law Professor
- 5Ex-Prosecutor and Judge Fatally Shot During Attempted Arrest on Federal Corruption Charges
Who Got The Work
Charles A. Weiss of Holland & Knight has entered an appearance for Rafael Badalov in a pending trademark infringement lawsuit. The suit, filed July 26 in New York Eastern District Court by Lee Law on behalf of Otter Products LLC, accuses the defendant of selling counterfeit phone cases and accessories bearing the plaintiff's 'OtterBox' trademark. The case, assigned to U.S. District Judge Nina R. Morrison, is 1:24-cv-05214, Otter Products, LLC v. Badalov et al.
Who Got The Work
Gibson, Dunn & Crutcher partners Benjamin Hershkowitz, Richard W. Mark and Casey J. McCracken and R. Scott Johnson, Thomas M. Patton and Cara S. Donels have entered appearances for Berkshire Hathaway Energy Co. and MidAmerican Energy Co., respectively, in a pending patent infringement lawsuit. The case, filed July 17 in Iowa Southern District Court by Nyemaster Goode PC and Caldwell Cassady & Curry on behalf of Midwest Energy Emissions Corp., asserts six patents related to sorbents for the oxidation and removal of mercury. The case, assigned to U.S. District Judge Stephen H. Locher, is 4:24-cv-00243, Midwest Energy Emissions Corp. v. Berkshire Hathaway Energy Company et al.
Who Got The Work
Michael J. Hickey and Michael L. Jente of Lewis Rice LLC have stepped in to represent Tidal Wave Management in a pending trademark infringement lawsuit. The case, filed July 18 in Missouri Western District Court by Husch Blackwell on behalf of Waterway Gas & Wash Co., accuses the defendant of using a mark that's confusingly similar to the plaintiff's 'Clean Car Club' mark. The case, assigned to U.S. District Judge Fernando J. Gaitan Jr., is 4:24-cv-00471, Waterway Gas & Wash Company v. Tidal Wave Management LLC.
Who Got The Work
Wachtell, Lipton, Rosen & Katz partners Lauren M. Kofke and William Savitt have stepped in to represent CVS Health and and its top officials in a pending shareholder derivative lawsuit. The complaint, filed Aug. 30 in New York Southern District Court by the Brown Law Firm on behalf of Chaya Sara Kaufmann, accuses the defendants of failing to disclose that they used misleading forecasts to set premium plans which overstated the profitability of the company's health care benefits segment. The case, assigned to U.S. District Judge Margaret M. Garnett, is 1:24-cv-06595, Kaufmann v. Lynch et al.
Who Got The Work
Robert L. Wallan from Pillsbury Winthrop Shaw Pittman has entered an appearance for Findlay Management Group in a pending complaint for declaratory judgment. The complaint, filed on Aug. 8 in Nevada District Court by Gordon Rees Scully Mansukhani and Skarzynski Marick & Black on behalf of Houston Casualty Co., seeks to declare that no insurance policy exists between Houston Casualty and Findlay due to there not being an adequate form of delivery and claims that if delivery was substantiated it is rescinded based on material omissions and misrepresentations. The case, assigned to U.S. District Judge Gloria M. Navarro, is 2:24-cv-01459, Houston Casualty Company v. Findlay Management Group.
Featured Firms
Law Offices of Gary Martin Hays & Associates, P.C.
(470) 294-1674
Law Offices of Mark E. Salomone
(857) 444-6468
Smith & Hassler
(713) 739-1250