November 13, 2020 – In a notable event on Election Day this November, California voters approved amendments to the California Consumer Privacy Act (CCPA) and enacted a new statute – the California Privacy Rights Act (CPRA). The new statute expands California residents’ rights with respect to how businesses collect and use personal information. For instance, the new law expands an individual’s ability to control personal information by opting out of sharing information with third parties like online advertisers, and consumers will now have the ability to correct personal data that was previously collected by companies.
The new statute also establishes the California Privacy Protection Agency, a new regulatory body tasked with enforcing California’s privacy laws, a job that had previously been left to the state’s attorney general. The California Privacy Protection Agency will be the first state regulator in the country whose sole purpose is the implementation and enforcement of state data-privacy laws.
Although no other state currently has a law as stringent as California’s CCPA or CPRA, 30 or more states have legislation in the works that contains at least some of the same requirements. As such, businesses should consider employee privacy policies now to comply with the CCPA even if they currently have no employees in California, since other states are likely to enact similar statutory requirements that mimic those of the CCPA.
Businesses should also implement a written information security program (known as a “WISP”). That is because, since 2010, the state of Massachusetts has required every business that owns or licenses personal information about a Massachusetts resident to develop, implement, and maintain a comprehensive and written information security program. The WISP must contain appropriate administrative, technical, and physical safeguards to protect personal information.
No enforcement actions have been filed to date, but we have seen recent evidence that the Massachusetts Attorney General may be gearing up to enforce this requirement. Indeed, Massachusetts requires all businesses that make the required report of a data breach to the attorney general to also indicate whether the business has a WISP. Given that many companies may own, license, or make use of personal information about Massachusetts residents, whether because the company has employees or customers in Massachusetts, and given that other states may at some point soon also require WISPs, we advise businesses to develop a WISP now.
The best time to review your privacy policies and procedures is before you are faced with a data breach that invites scrutiny from state regulators or a state regulatory enforcement action. Ulmer’s Cybersecurity & Privacy Practice Group stays ahead of developing laws like the CCPA and CPRA and can help make sure that you comply with these and other potentially applicable privacy requirements. If you have any additional questions, please reach out to our experienced data-privacy attorneys.
The information provided in this client alert speaks only to the information and guidance we have available as of the date of publication and is subject to change. We will continue to follow further issued guidance and regulations and endeavor to post those updates via our website. Please continue to follow these updates at ulmer.com. This legal update was created by Ulmer & Berne LLP, and is not intended as a substitute for professional legal advice. Receipt of this client alert, by itself, does not create an attorney-client relationship. For any questions, or for further information, please contact Frances Floriano Goins at firstname.lastname@example.org, Michael A. Marrero at email@example.com, or Michael Davis Hoenig at firstname.lastname@example.org.