On October 12, 2020, less than a month before California will vote on a referendum potentially overhauling the California Consumer Privacy Act (the “CCPA”), the California Attorney General published further proposed...more
The CCPA defines both “aggregate consumer information” and “deidentified information.” Aggregate consumer information is defined to mean “information that relates to a group or category of consumers, from which individual...more
No.
By its terms, the definition of personal information excludes aggregated or de-identified information....more
$7,500 per violation.
There is no private right of action for violations of the CCPA related to an individual’s right to be forgotten. The CCPA provides that the maximum fine that may be imposed by the Attorney General is...more
No.
Unlike a request for access, a business’s deletion obligation extends to all data held by the business regarding a consumer, unless an exception applies, irrespective of when that data was collected, generated or...more
Not immediately, but yes.
The CCPA does not distinguish or make allowances for backup and other less accessible systems when determining the scope of a business’s obligation to delete the personal information of a consumer...more
Not necessarily.
As an initial matter, employees that are residents of California will not qualify as full “consumers” under the law until January 1, 2021....more
Likely no.
Neither the CCPA nor the proposed regulations explicitly address the issue of imposing fees or costs on consumers for responding to requests for access or requests for deletion. However, the CCPA does prohibit...more
Yes, if currently pending regulations are made final.
As an initial matter, the statutory text of the CCPA is somewhat unclear regarding a business’s obligations when it receives a request for access or a request for...more
When the CCPA was enacted last year, BCLP published a Practical Guide to help companies reduce the requirements of the Act into practice. Following publication of the Guide, we wrote a series of articles that addressed...more
3/11/2020
/ Advertising ,
Behavioral Advertising ,
California Consumer Privacy Act (CCPA) ,
Consumer Privacy Rights ,
Cookie Banners ,
Cookies ,
Opt-Outs ,
Personal Information ,
Private Right of Action ,
Statutory Penalties ,
Websites
To help identify trends in privacy representations, BCLP reviewed the websites and privacy notices of Fortune 500 companies identified as primarily engaged in the banking and financial service sectors.
The following...more
2/28/2020
/ Adtech ,
Banks ,
Behavioral Advertising ,
California Consumer Privacy Act (CCPA) ,
Cookies ,
Data Privacy ,
Data-Sharing ,
Financial Services Industry ,
Opt-In ,
Right to Delete ,
Surveys
Yes.
In fact, businesses may be required to obtain such confirmation from verified consumers under the current (non-final) regulations. As an initial matter, the CCPA states only that a business may have to delete the...more
Likely, yes.
A consumer’s right to deletion is subject to a number of exceptions. One of these exceptions is to “comply with a legal obligation.”...more
To help identify trends in privacy representations, BCLP reviewed the websites and privacy notices of those Fortune 500 companies that are primarily engaged in the property and casualty insurance industries.
The data shows...more
The CCPA only applies to personal information about “consumers,” a term which is defined as “a natural person who is a California resident.” As corporations or other legal entities are not people, the CCPA does not apply to...more
Likely not.
While the UK’s Privacy and Electronic Communications Regulation suggests that, in some circumstances, consent may be inferred when a subscriber amends or sets controls in an internet browser, the ICO has...more
No.
The English supervisory authority, the ICO, has stated that consent requests must be “clearly distinguishable from other matters” and that bundling consent as part of terms and conditions in impermissible. According to...more
The Information Commissioner’s Office or the “ICO” is the British supervisory authority charged with enforcing GDPR. The Commission Nationale de l’informatique et des libertes (the “CNIL”) is the French supervisory authority....more
So far, the German, French and British supervisory authorities have released guidance specifically addressing cookies in 2019. The German guidance was published in April 2019...more
$2,500 for each violation and $7,500 for each intentional violation.
The CCPA only provides a private right of action to any consumer whose unencrypted sensitive-category information has been breached as a result of a...more
On October 1, the European Court of Justice (the “ECJ”) confirmed recent guidance from the UK and CNIL regulators in finding that the use of pre-checked boxes does not constitute consent for processing of personal information...more
10/3/2019
/ CNIL ,
Consent ,
Cookies ,
Corporate Counsel ,
Court of Justice of the European Union (CJEU) ,
EU ,
General Data Protection Regulation (GDPR) ,
Information Commissioner's Office (ICO) ,
Lottery ,
Online Advertisements ,
Personal Information ,
Sweepstakes ,
UK ,
Websites
The California Consumer Privacy Act ("CCPA") was put together quickly (in approximately one week) as a political compromise to preempt a proposed privacy ballot initiative that contained a number of problematic provisions. ...more
Maybe.
The GDPR does purport to allow data subjects to bring private rights of action. Likewise, certain implementations of the ePrivacy Directive, like the Privacy and Electronic Communications Regulations, allow for...more
No.
The requirement to disclose “sales” of “personal information” to consumers is derived from the California Consumer Privacy Act (the “CCPA”), not European data privacy law....more
Yes, provided that the “opt-out” selection is the default when the banner loads and no behavioural or analytics cookies load prior to an “opt-in” by the data subject.
A data subject’s consent to the use of analytics or...more