Prior to joining the firm, Diane served as Senior Corporate Counsel at Time Warner, Counsel to the Quincy Jones Listen Up Foundation, and a Board Member of the Jonathan Levin Fund.
In-house lawyers in industries far beyond the tech world–such as financial services, pharmaceuticals, insurance, and consumer electronics, to name only a few–need practical guidance on the many ways that cybersecurity and privacy issues can affect all stages of business, from the valuation of data as an asset to the allocation of risk.
In response to this need, Lowenstein Sandler has expanded our annual program to include an even deeper dive into cybersecurity issues of special interest to GCs, CPOs, and CIOs. Our interdisciplinary group of privacy and data security specialists has teamed with in-house counsel to develop programming aimed at helping corporations and executives navigate the potential risks, regulations, and benefits at stake, as well as best practices to address these issues.
Program time: 7:30 a.m.-2:15 p.m.
Program location: Lowenstein Sandler LLP, One Lowenstein Drive, Roseland, New Jersey 07068; 973.597.2500.
CLE credit available.
Wi-Fi access and conference space will be available to take phone calls and stay connected to your workday.
This is the fourth in a regular series relating to common IP mistakes early-stage companies make when building a business.
The California Consumer Privacy Act (CCPA) is slated to become effective on January 1, 2020. If you are reading this article, you have some inkling of its comprehensive nature and its status as an unprecedented state privacy law. Although unquestionably influenced by the EU’s General Data Protection Regulation (Regulation (EU) 2016/679, or the GDPR), CCPA is a unique framework. Although both CCPA and GDPR aim to establish privacy rights and enhance the protection of individuals’ personal data accessed by entities in the context of commercial interactions, CCPA is distinct from GDPR and, in some ways, goes further than GDPR does. CCPA, which applies to online and offline interactions, has adopted a broader definition of the term “personal information” (which includes business contact data and online identifiers such as IP addresses), a new defined term “sale,” distinct requirements in the areas of consent and privacy notices, an array of consumer rights, and the provision of a private right of action–on an individual or class action basis–for claims relating to data breaches. At the forefront of distinguishing features, however, is CCPA’s requirement that certain companies provide individuals with the ability to opt out of the sale of their personal information.
Companies that are GDPR compliant have taken a huge leap toward compliance with CCPA; however, GDPR compliance does not equal CCPA compliance. Given the different emphases, and the broader reach of CCPA, companies will have to make adjustments beyond existing GDPR compliance protocols. For companies that have not begun a GDPR compliance effort, the lift to become CCPA compliant is that much heavier. Below are some high-level areas to pay attention to as you navigate GDPR and CCPA compliance.
Undertaking a “data inventory” or “data mapping” process is essential to gaining a firm grasp of what personal information is collected (understanding the scope of the term “personal information”) and of the business purposes and any disclosures (understanding the scope of the term “sale”), and to complying with CCPA. Retention practices should also be reviewed to limit the potential for stand-alone information not falling into the definition of personal information to be linked, integrated, or inadvertently morphed into “personal information” subject to protection under CCPA. The California attorney general recently released proposed regulations for CCPA, with a public comment period open until December 6. While the draft regulations provided some clarity on CCPA, they also imposed new and unexpected requirements. For more information on how the regulations may impact your startup, please see our Client Alert, “California Attorney General Releases Draft Regulations Under the California Consumer Privacy Act: New Concepts, New Questions, and Few Clarifications.”
CCPA grants consumers the right to pursue a civil suit and statutory damages ($100-$750 per incident or actual damages, whichever is greater) for a data breach involving their personal information if a business fails to fulfill its obligations with respect to security. This private right of action and the imposition of statutory damages remove the burden from impacted consumers to prove or quantify the damage suffered as a result of a data breach and increase the possibility of more lawsuits to redress violations. Coupled with a consumer’s direct right to bring an action for a data breach are the broad enforcement powers granted to the Attorney General of California, who may bring a civil action in the name of the people for CCPA violations and seek injunctive relief. In these actions, civil penalties are capped at $2,500 for each violation and $7,500 for each intentional violation of CCPA.
Hence, it is important to understand how your business interacts with the personal information of California consumers, that a business does not have to be located in California to be subject to the state’s provisions, and that California hosts the largest population in the United States. It is quite possible California consumers are interacting with you.
© Lowenstein Sandler LLP, 2020