Photo of Alysa Zeltzer Hutnik

 

Email
(202) 342-8603
Bio

As we noted previously, the California Attorney General is holding a series of public forums on the California Consumer Privacy Act (CCPA) to provide the public with an initial opportunity to comment on CCPA requirements and the corresponding regulations that the Attorney General must adopt on or before July 1, 2020.  On Friday, January 25, 2019, the Attorney General’s Office held its fourth of six hearings before a full auditorium in Los Angeles.  This blog post summarizes the main themes discussed at the hearing.

Timing/Scope:  For businesses hoping for CCPA clarity and guidance soon, that seems unlikely. California Deputy Attorney General Lisa Kim initiated the hearing, emphasizing that the Attorney General’s Office was in the beginning of its rulemaking process and noting that she anticipated the formal review process not to start until Fall 2019.  For now, the Attorney General’s Office encouraged interested parties to submit comments by the end of February, focusing on subjects within the scope of the Attorney General’s rulemaking responsibilities, as set forth in the CCPA, including:

  • Categories of Personal Information
  • Definition of Unique Identifiers
  • CCPA Exemptions
  • Submitting and Complying with Consumer Requests
  • Uniform Opt-Out Logo/Button
  • Notices and Information to Consumers, including Financial Incentive Offerings
  • Certification of Consumers’ Requests

During the hearing, the Attorney General’s Office displayed this PowerPoint deck, summarizing the CCPA regulatory process.

Main Themes


Continue Reading

On January 10, 2019, Massachusetts Governor Charlie Baker signed into law the Massachusetts’s Data Breach Notification Act, which amends Massachusetts data breach reporting laws. The new law, available here, amends the timing and content of individual and regulator data breach notifications, and provides for credit monitoring services when social security numbers may have been

43 State Attorneys General and the District of Columbia announced yesterday a settlement with Neiman Marcus Group LLC resolving the states’ investigation into the company’s 2013 data breach and its security practices. Over a three-month period in 2013, a breach of the Dallas-based retailer exposed customer credit card data at 77 Neiman Marcus stores nationwide.

California Attorney General Xavier Becerra announced yesterday that the California Department of Justice will hold a series of six public forums on the California Consumer Privacy Act (CCPA).  The hearings will take place during January and February of this year and will give the public an initial opportunity to comment on the requirements set forth

In June of this year, California passed the California Consumer Privacy Act (CCPA) giving California residents specific rights related to their online privacy, similar to those proscribed by GDPR. The law was passed hastily to avoid a stricter ballot measure on the subject, but Governor Brown recently signed a bill amending the law.

Many

Yesterday, the California legislature passed SB-327, a bill intended to regulate the security of internet-connected devices.  Unlike the California Consumer Privacy Act (CCPA), SB-327 is significantly more narrow.  As enacted, the bill is a “lighter” version of what was first introduced and amended in 2017 (which, at that time, would have included certain

The Northern District of California recently ruled on DIRECTV’s motion for judgment on partial findings in a case where the FTC is seeking $3.95 billion in damages. The FTC’s case alleges that DIRECTV engaged in misleading advertising over a span of more than a decade and across a variety of media channels ranging from television

Last week, the House Committee on Energy and Commerce held a Committee Hearing on the Oversight of the Federal Trade Commission. All five Commissioners attended and their message was largely the same: the FTC needs additional rulemaking and civil penalty authority to better protect consumers, especially as it applies to privacy and data security enforcement.

Privacy and data security were a focus of the Chairman’s opening statements, during which he noted that both were a top priority for the agency. Chairman Simons also discussed the need for the FTC to have jurisdiction over nonprofits and common carriers, imploring Congress to pass legislation giving the agency such authority, along with comprehensive data security legislation. Simons noted that the FTC was watching and assessing the EU’s implementation of its comprehensive privacy law, the General Privacy Data Protection Regulation (GDPR), to see how it may apply to the U.S. and he reaffirmed enforcement of the EU-U.S. Privacy Shield, which the FTC has enforced in the past.

Chairman Simons also referenced the hearings that the Commission will be holding in the fall, emphasizing that he anticipated the agency would benefit from participant input on a number of topics—from merger guidelines to privacy and data security. Simons, a former student of Chairman Pitofsky, noted that the agency held similar hearings during the Pitofsky era that resulted in agency action, such as amendments to the merger guidelines. The Chairman noted that he wanted this year’s hearings to be similarly effective in setting the agency’s future agenda.
Continue Reading

California recently passed the California Consumer Privacy Act (CCPA), providing new rights for California consumers (broadly defined as California residents) regarding their personal data. The CCPA is modeled after the EU’s General Data Protection Regulation (GDPR), which provides EU citizens with a number of rights related to data processing and imposes specific requirements on companies that process EU citizen data. The new California law provides similar requirements for businesses that collect data from California consumers. The following are some key points of comparison.
Continue Reading

On June 28, 2018, Governor Brown signed into law the “California Consumer Privacy Act of 2018.” The legislation was a compromise to avoid a ballot initiative that was more closely modeled after the European Union’s General Data Protection Regulation (GDPR). This Act is scheduled to go into effect on January 1, 2020.

The Act enumerates a number of rights for consumers regarding the privacy of their personal information. Some rights, such as the right to be forgotten or the right to request information disclosure, are reminiscent of those seen in the GDPR, while others, such as the right to opt out of the sale of a consumer’s personal information, are specific to the new law.

Along with identifying consumer rights, the law also imposes requirements on businesses, including those that collect or have collected consumers’ personal information, to make specific disclosures about their personal information practices and to respond to consumer requests. Importantly, the definition of “personal information” is broadly defined to include common information, such as a name or email address, as well as more specific information, such as biometric information and geolocation data, although publicly available information is not included.
Continue Reading