As we head into the new year, the CDAS Digital Media and Technology group would like to remind you about new developments in privacy law that might affect your business.
Greater Transparency and Access Under New California Consumer Privacy Act (CCPA)
Taking effect on January 1, 2020, the new California Consumer Privacy Protection Act requires businesses, both inside and outside California, to provide increased transparency and access regarding their collection and monetization of personal data from California residents. Companies that, on an annual basis, have gross revenues of at least $25 million, obtain personal information of at least 50,000 California residents, households, and/or devices, or generate at least half of its revenue from selling California residents’ personal information must disclose data collection practices to Californians upon both request and collection, delete personal information about a consumer upon request, provide consumers the opportunity to opt out of the sale of personal information, and comply with certain data security procedures or else face lawsuits from those consumers subject to a data breach. Non-compliant companies are subject to fines of $2,500 per violation and up to $7,500 for each “intentional violation,” as well as damages in a possible consumer data breach lawsuit. If you believe CCPA might apply to your business now or at any point in the future, contact our team for a briefing on compliance.
EU Court of Justice: Active Consent Required for Cookie Collection from EU Citizens
New York is Next
This summer, New York passed the Stop Hacks and Improve Electronic Data Security Act (SHIELD Act), which requires companies that buy or license New York residents’ private information to develop, implement, and maintain reasonable physical, technical, and administrative safeguards to better protect the security, confidentiality, and integrity of personal information. Based on the passage of the SHIELD Act, privacy lawyers and policy experts alike anticipate a robust data privacy law will be enacted in New York similar to CCPA. The New York State Senate is currently considering the New York Privacy Act (SB S5642), which would regulate the storage, use, disclosure, and sale of consumer personal data by businesses operating or marketing products and services in New York by requiring companies to “act in the best interests of the consumer without regard to the interest of the entity, controller or data broker” and provide their consumers with a “clear, meaningful privacy notice” and an opportunity to opt in or out opt of providing personal data. Companies that fail to comply would be subject to enforcement actions by the New York Attorney General under deceptive trade practices and unfair competition laws. Most recently, the bill was discussed in committee; stay tuned for further updates from CDAS as this legislation progresses.
CDAS counsels businesses on data privacy regulations and best practices and can provide guidance and strategy on how to comply with CCPA or GDPR. Contact our Digital Media and Technology group for a compliance evaluation and advice on best practices.