This is the third installment in Hogan Lovells’ series on the California Consumer Privacy Act.
What personal information do you have about California consumers and households?
The California Consumer Privacy Act of 2018 (“CCPA”) provides a series of new compliance obligations and operational challenges for companies doing business in California. A vital first step for any company subject to the CCPA and looking to forge a practical path forward is to inventory the personal information (“PI”) that the company collects, stores, and shares with others. As part of our ongoing series on the CCPA and its implications, this post sets out key issues and questions to consider when contemplating a data mapping exercise.
Mapping data accurately and efficiently can be challenging. It requires an understanding of the law and the practical consequences. But when done correctly, data mapping can deliver significant value. For example, beyond the immediate benefit of assessing risks and identifying legal obligations, a data mapping exercise can promote organizational hygiene, identify problematic practices and security risks, and uncover operational inefficiencies.
KEY DATA MAPPING QUESTIONS
The goal of a CCPA-focused data mapping exercise is to answer the following questions:
- What PI does the organization collect and possess?
- How is the PI collected?
- Where and how is the PI stored?
- To what entities does the organization transfer PI?
- What is the nature of the transfers (e.g., sale, provision of service)?
By mapping data flows with a critical eye on the key CCPA legal issues and business operations, organizations can get ahead of the compliance curve and begin to develop thoughtful strategies to mitigate risk. And as discussed below, most companies likely will not be able to rely on GDPR compliance efforts alone for their CCPA compliance.
This is the second installment in Hogan Lovells’ series on the California Consumer Privacy Act.
Words matter. Nowhere is this truer than in legislation, where word choices—often the product of long debate and imperfect compromise—determine the scope and impact of a law. Legislative history can speak volumes about those word choices, and the unique legislative history of the California Consumer Privacy Act of 2018 (CCPA) only highlights the importance of understanding the terms used in the act.
As we detailed in earlier blog posts and our webinar, the CCPA’s enactment stems from the Californians for Consumer Privacy ballot initiative. The initiative proposed burdensome obligations that would be difficult to revise if it passed the popular vote. It was on track to appear on the California ballot in November 2018. But then the chief sponsor agreed to withdraw the initiative from the ballot if the California legislature could quickly pass substantially similar legislation. Accordingly, the California legislature moved to enact a bill that became the CCPA. This law shares much in common with the initiative, but some of the language was modified as part of the compromise legislation. On August 31, the California legislature adopted technical amendments, which further refined a number of terms and concepts in the CCPA.
The CCPA’s unusual legislative process from consumer-driven initiative to fast-tracked legislation likely contributed to the ways in which some of the act’s key terms differ from other American privacy laws’ use of similar terms. Unless addressed in future legislative activity in 2019, these differences will have significant implications for what covered organizations must do to comply with the CCPA. We thus focus here on detailing some of the CCPA’s key definitional terms, organized into topical categories.
Groundbreaking. Watershed. Unprecedented.
We have heard the California Consumer Privacy Act of 2018 (CCPA) called all these things and more since its enactment on June 28, 2018. Our experience to date has confirmed the compliance challenge ahead for organizations that engage with the residents of the world’s fifth-largest economy.
We will explore the ramifications for businesses of this seminal legislation in this multi-part series, The Challenge Ahead, authored by members of Hogan Lovells’ CCPA team. Each post will provide analysis of key legal issues implicated by the CCPA along with practical takeaways. The series builds on the CCPA overview we recently presented via webinar.
In this first installment, we describe recent activity to enact so-called “technical” amendments to the CCPA.
Future posts will:
- highlight key terms used by the law that are fundamental to planning compliance;
- compare the CCPA to Europe’s General Data Protection Regulation (GDPR), including learnings from GDPR compliance that can be applied in the United States;
- analyze how the act will interact with existing regulations covering organizations in healthcare, financial services, and beyond;
- share practical steps companies are taking now to plan for compliance;
- address the new private right of action established by the law; and
- provide additional CCPA analyses and reports.
Innovation, products & managing risk – Navigating global challenges for you and your products
Our 2018 Global Products Law Summit in London is brought to you this year in collaboration with our Global Insurance Team, and focuses on all things product safety, compliance, and product liability. Valerie Kenyon, Matthew Felwick and Victor Fornasier, leading Products Law partners in our London office, along with London insurance lawyer Clare Douglas will provide insights on cyber security risks, the use of AI, its corresponding regulation, as well as practical implications for product manufacturers and overlapping issues.
Our Global Products Law Practice Head, Lauren Colton along with our New York Partner Phoebe Wilkinson will present alongside our team to highlight the latest developments in U.S. and EU “hot topics” for product companies. Our team will be joined by guest speakers from the UK Office for Product Safety and Standards, techUK, Capsicum Re, Basis Technology and Canon for three interactive panel sessions:
- Insights from the UK Office for Product Safety and Standards and industry – perspectives on Brexit (are your products ready for a possible ‘no deal’?) and what the future holds in the world of product safety.
- How can we harness the capabilities of artificial intelligence to encourage innovation, while still providing adequate safeguards?
- What’s happening in class actions and other ‘hot’ products law topics?
Join us from 3:00pm to 6:45pm – followed by drinks reception. Please contact Laura Pettit for registration or more information.
On 4 September, Legislative Decree no. 101 of 10 August 2018 (the “Decree”) for the national implementation of General Data Protection Regulation (EU) 2016/679 (the “GDPR”) was published in the Official Journal. The approach of the legislator was to maintain the structure of former Legislative Decree 196/2003 (the “Privacy Code”) which, however, has been extensively amended and integrated, and now contains only some residual provisions in addition to those of the GDPR which are directly applicable. The Decree will enter into force on 19 September 2018.
The Decree first of all integrates the provisions of the GDPR that were left to the autonomy of the Member States, for instance, by introducing limitations on the processing of particular categories of data, establishing the age of consent for children in relation to information society services, and describing the functions of the Data Protection Authority (the “Garante”) and the remedies available to Italian data subjects. Also, the Decree governs the transition from the current to the future regime. In this respect, the general decisions and guidelines previously issued by the Garante shall apply to the extent that they are compatible with the GDPR; the same applies, within the limits set out below, to the general authorisations already issued. The provisions of the Privacy Code adopted to implement the e-Privacy Directive will of course remain in force.
After weeks and weeks of debate and the failure to reach a parliamentary consensus in July, the European Parliament today paved the way towards the long-awaited start of the trilogue negotiations amongst the Parliament, the Council and the Commission. The copyright reform is therefore progressing, which is good news as such.
However, it was once again a rather close vote as regards Articles 11 and 13 of the draft directive, which concern the new neighbouring right for press publishers and the tightening of the liability scheme for online content sharing providers. In both cases close to 300 MEPs voted against the proposed language. However, in the end we can say that the Parliament is, by way of parliamentary majority, in favour of such a neighbouring right as well as of a stricter regime for content sharing platforms. Rapporteur Voss has ultimately succeeded in winning a majority for his ideas.
We are pleased to invite you to the next webinar in our Internet of Things (IoT) series. As IoT technology and devices continue their rapid advancement, they will have a very real role in litigation. In this 60-minute webinar, we’ll help you prepare for the expected and the unexpected, focusing on risk assessment, rising issues, and key challenges, so you can have a strong litigation strategy in place – whether you’re designing a device, using the technology, or facing a current issue.
Join two highly experienced litigators, partners Christine Gateau and Michelle Kisloff, as they examine the topic with a close lens, leveraging their knowledge and insights from both sides of the Atlantic.
Key points to be addressed are:
- Handling negotiations and litigation around IoT
- Current regulatory enforcement and future regulations that could impact litigation
- Litigation risks to keep in mind when designing IoT products
We hope you’ll join us for the discussion.
Date: Tuesday, 2 October 2018
Time: 6:00 pm CEST, 5:00 pm BST, 12:00 pm EDT, 9:00 am PDT
Once again, the debate regarding the controversial DSM Copyright Directive is picking up steam. This week, the European Parliament will liaise about the various amendments that will be tabled by a number of different groups of parliamentarians from various political backgrounds.
As mentioned in our previous blogs and videos, on 5 July 2018, the European Parliament rejected by 318 votes against, 278 in favour and 31 abstentions the compromise position adopted a week earlier by the Committee on Legal Affairs (JURI). The attached negotiation mandate was thereby revoked, and the opening of the interinstitutional negotiations (trilogue) further delayed.
The still controversial debate focuses on basically two provisions of the original proposal (COM(2016) 593) and the corresponding recitals: Article 11, which holds a new neighbouring right for publishers of press publications, and Article 13, which is about to introduce new monitoring and filtering obligations for certain online platform providers.
In St. Louis Heart Center v. Nomax, Inc., the Eighth Circuit held that an “alleged failure to provide a technically compliant opt-out notice” in a fax advertisement, without more, does not give a plaintiff Article III standing to bring a Telephone Consumer Protection Act (“TCPA”) claim.
The Eighth Circuit’s decision requires that the alleged injury be “traceable” to statutory non-compliance. In other words, the plaintiff must show a causal connection between the harm she suffered and the defendant’s TCPA violation.
By way of background, the TCPA and the FCC’s TCPA regulations prohibit unsolicited fax advertisements unless they contain a notice that gives the recipient certain information that would allow it to opt out from future faxes. Here, St. Louis Heart Center sued pharmaceutical manufacturer Nomax, Inc. for: (1) sending fax advertisements without the plaintiff’s consent; and (2) failing to provide a proper opt-out notice on each advertisement.
After removing the case to federal court, Nomax moved to dismiss for lack of Article III standing. To establish Article III standing, a plaintiff must have “(1) suffered an injury in fact, (2) that is fairly traceable to the challenged conduct of the defendant, and (3) that is likely to be redressed by a favorable judicial decision.” Spokeo, Inc. v. Robins, 136 S. Ct. 1540, 1547 (2016).
Please join us for our September 2018 Privacy and Cybersecurity Events.
- Mark Brennan will lead a session at the CTIA Mobile World Congress Americas where he will discuss text messaging privacy and other regulatory issues. Location: Los Angeles
- Harriet Pearson is a featured speaker at The Atlantic’s forum on “Protecting Privacy.” Policymakers, technology industry leaders, and experts will discuss the future of privacy in the digital world. For more information on the event and how to register, please click here. Location: Washington, D.C.
- The Future of Digital Privacy: Eduardo Ustaran is speaking about the Future of Digital Privacy during an interactive privacy workshop at Crownpeak’s Empower 2018 conference. Location: New York City