Data Security Law Blog

DataSecurityLaw.com is the firm’s resource for the latest news, analysis, and thought leadership in the critical area of privacy and cybersecurity law. Patterson Belknap’s Privacy and Data Security practice provides public and private enterprises, their leadership teams and boards with comprehensive services in this critical area. Our team of experienced litigators, corporate advisors and former federal and state prosecutors advises on a broad range of privacy and data protection matters including cyber preparedness and compliance, data breach response, special board and committee representation, internal investigations, and litigation.

Consumer Reports Opposes Efforts to Delay CCPA Enforcement Due to COVID-19

by Jonathan (Yoni) Schenker, Alejandro H. Cruz and Peter A. Nelson on March 25, 2020

Businesses, consumers, and regulators continue to grapple with balancing privacy, cybersecurity, and the response to the COVID-19 pandemic. Last week, this blog explored the increased cyber risks that the pandemic poses to businesses, providing guidance on how businesses can navigate that risk. Yesterday, we reported on a joint letter filed by more than 30 industry groups to the California Attorney General (“AG”) requesting a delay in enforcement of the California Consumer Privacy Act (“CCPA”) due to the burdens that COVID-19 is placing on businesses. Enforcement of the CCPA is currently scheduled to commence as early as July 1, 2020. Earlier this week, Consumer Reports, a consumer advocacy group, urged the AG to reject industry efforts to delay enforcement of the CCPA.

Industry Groups Request Delay in CCPA Enforcement Due to COVID-19

by Andrew M. Willinger, Jonathan (Yoni) Schenker and Peter A. Nelson on March 24, 2020

On March 17, 2020, a group of thirty-two trade associations and two corporations formally requested that the California Attorney General (AG) delay enforcement of the California Consumer Privacy Act (CCPA) until January 2, 2021, due to the ongoing COVID-19 pandemic. The trade associations represent leading companies in a wide range of industries, including healthcare and pharmaceuticals, transportation, logistics, advertising, insurance, entertainment, real estate, banking and finance, and technology.

CCPA Update: California AG’s Modified Proposed Regulations

by Andrew M. Willinger, Jonathan (Yoni) Schenker and Peter A. Nelson on March 13, 2020

This is the fourth post in our series discussing the practical impact of the California Attorney General’s regulations to the California Consumer Privacy Act (CCPA). See our previous CCPA posts here.

The CCPA took effect on January 1, 2020, and already a putative class action has been filed, albeit over a data breach that allegedly occurred before the CCPA’s effective date. In addition, although the statute is now operative, its implementing regulations remain in flux. On February 7, 2020, the California Attorney General (AG) issued a notice of modification to the proposed regulations originally issued in October 2019. And on March 11, 2020, the AG released a second set of modifications. These modifications—published in a clean and redline version—contain important updates clarifying notice requirements, consumer request acceptance and response obligations, service provider responsibilities, and when discrimination related to financial incentives is permissible.

CCPA Update: Key Proposed Regulations on Verification of Requests & Non-Discrimination

by Julia R. Livingston, Jonathan (Yoni) Schenker and Peter A. Nelson on December 20, 2019

On January 1, 2020, the California Consumer Privacy Act (CCPA) becomes operative. As we reported last month, the California Attorney General (AG) released long-awaited draft regulations to the CCPA. This is the third installment in a series of posts discussing the regulations most relevant to companies as they determine whether they are covered under the law and how to comply. This post discusses the key regulations on business verification of requests made by consumers and the non-discrimination provision of the CCPA.

CCPA Update: Key Proposed Regulations for Business Practices for Handling Consumer Requests

by Jeffrey C. Skinner, Jonathan (Yoni) Schenker and Peter A. Nelson on November 21, 2019

As we recently reported on this blog, the California Attorney General (AG) released long-awaited draft regulations to the California Consumer Privacy Act (CCPA). This is the second installment in a series of posts discussing the regulations most relevant to companies as they determine whether they are covered under the law and how to comply. This post discusses business practices for receiving and verifying consumer requests to delete or opt-out, and for disclosure of specific information, referred to in the regulations as “requests to know.”

CCPA Update: Key Proposed Notice and Privacy Policy Regulations

by Jonathan (Yoni) Schenker and Peter A. Nelson on November 7, 2019

As we recently reported on this blog, the California Attorney General (AG) released long awaited draft regulations to the California Consumer Privacy Act (CCPA). The regulations provided clarity on several provisions in the law, while also failing to answer some open questions. In a series of upcoming blog posts, we will discuss the regulations most directly relevant to companies as they determine whether they are covered under the law and how to comply. This first post discusses the notices and privacy policies described in detail in the proposed regulations.

CCPA Update: California Attorney General Releases Proposed Regulations

by Kade N. Olsen, Jonathan (Yoni) Schenker and Peter A. Nelson on November 5, 2019

On October 11, 2019, the California Attorney General released its long-anticipated Notice of Proposed Rulemaking Action and the text of its proposed regulations for the California Consumer Privacy Act (CCPA), along with an Initial Statement of Reasons for the proposed regulations. The documents are not a short read, with the proposed regulations covering 24 pages, the Notice 16 pages, and the Statement of Reasons another 47 pages.

A Closer Look at the CCPA’s Private Right of Action and Statutory Damages

by Jonathan (Yoni) Schenker, Michael F. Buchanan and Alejandro H. Cruz on August 22, 2019

The California Consumer Privacy Act (CCPA) has significantly altered the potential consequences of a data breach under California law by permitting California consumers to bring civil suits for statutory damages, Cal. Civ. Code § 1798.150(a)(1), and to seek statutory damages of between $100 and $750 “per consumer per incident or actual damages, whichever is greater.” Id. § 1798.150(a)(1)(A). The ability to seek statutory damages is in addition to injunctive or declaratory relief. Id. § 1798.150(a)(1)(B),(C).

Part III: Our Last Look at the CCPA’s Definition of “Personal Information”

by Jonathan (Yoni) Schenker on April 24, 2019

In our third and final installment on the California Consumer Privacy Act’s (CCPA) expansive definition of “personal information,” we look at other sections of the CCPA that either limit the applicability of the law’s “personal information” definition or exclude information from coverage under the law.

Part II: A Closer Look at the CCPA’s Definition of “Personal Information”

by Jonathan (Yoni) Schenker on April 16, 2019

Our three-part series on the California Consumer Privacy Act’s (CCPA) expansive definition of “personal information” is designed to help businesses identify whether they hold information covered under the law, while also highlighting the potential pitfalls in the definition as we await interpretative regulations from the California Attorney General and potential amendments from the state’s legislature. In Part I, we explored the breadth of the definition. We now turn to the law’s two explicit exclusions from the definition of “personal information.”

Part I: A Closer Look at California’s New Privacy Regime: The Definition of “Personal Information”

by Jonathan (Yoni) Schenker on April 9, 2019

The California Consumer Privacy Act (CCPA) is set to become “operative” on January 1, 2020. As we have written in earlier blog posts, the CCPA is the most sweeping consumer privacy law in the country.

A Closer Look at California’s New Privacy Regime: Two Critical Definitions

by Jonathan (Yoni) Schenker on January 8, 2019

Businesses covered by the recently enacted California Consumer Privacy Act of 2018 (CCPA) are scrambling to comply with the statute, which becomes “operative” on January 1, 2020, unless that date is changed by the California legislature. As we have noted in earlier blog posts, the CCPA is the most sweeping privacy law in the U.S. and has significant implications for any business that falls within its coverage.

New Year’s Resolution 2019: Compliance with California’s Consumer Privacy Act

by Jonathan (Yoni) Schenker on December 19, 2018

With the New Year fast approaching, so begins the one-year countdown to the California Consumer Privacy Act, or CCPA, going into effect.

Obsolete Device Woes: What To Do?

by Jonathan (Yoni) Schenker on August 27, 2018

It seems like a victimless crime. Toss out an old computer or post it for sale on the Internet for a few bucks. Not a big deal, right?

Not so fast.

U.S. Supreme Court Watch: Whether to Resolve Circuit Split on Standing for Data Breach Plaintiffs

by Jonathan (Yoni) Schenker on February 1, 2018

At its first conference this month, the U.S. Supreme Court will consider whether to weigh in on a Circuit split over standing to sue in the aftermath of a data breach.

More State Data Security Regulation: North Carolina Bill Penalizes Unreasonable Data Security Practices and Requires Rapid Notification

by Jonathan (Yoni) Schenker on January 30, 2018

In a post-Equifax environment, state-level data security regulation is on the rise. And in many instances, state regulatory regimes are getting tougher.