CPRAFirst Year of CCPA Enforcement and New Consumer Notice Tool: Insights Into CCPA Compliance

First Year of CCPA Enforcement and New Consumer Notice Tool: Insights Into CCPA Compliance

July marks the one-year anniversary of the California Consumer Protection Act (CCPA) and CCPA enforcement.  Just in time for this anniversary, the California Attorney General (“CA AG”) recently summarized its curative actions (i.e., notices of alleged noncompliance) and released a new consumer tool to assist consumers in notifying business of alleged CCPA violations.  The CA AG’s recent actions demonstrate the breadth of the CCPA’s application across a variety of industries as well as the AG’s commitment to enforcing the CCPA while equipping consumers with mechanisms to assist with enforcement efforts.  

Cure Notices as Effective Enforcement Mechanism  

Under the CA AG’s regulations, businesses found to be in violation of the CCPA receive a “notice to cure” that provides a 30-day window of time to remedy the alleged non-compliance. Rob Bonta, the CA AG, reports that 75% of the companies in receipt of a cure notice responded with amended practices within the 30-day cure period provided under the law. Bonta noted the remaining 25% of alleged violators were either in the middle of their 30-day cure period or under ongoing investigation. 

Following the press release, the CA AG’s Office published examples of the types of notices they have issued against businesses.  Some of the most frequent alleged violations include the following:  

  • There was no “Do Not Sell My Personal Information” Link on the businesses website; 
  • The Notice to Consumers was lacking or inaccurate, lacked the required notice of sale of personal information and notice regarding the minor’s personal information; 
  • The business maintained a non-Compliant Opt-Out process;  
  • The Privacy Policy failed to provide the required request methods for exercising rights; charging fees for the CCPA, and lacked a toll-free number;  
  • The business had defective methods for consumers to submit data subject access requests, provided untimely responses to requests, or charged fees for processing the requests;
  • The business failed to obtain the proper verification information when processing data subject requests or required the creation of a customer account as a means to verify identification;  

The enforcement examples show that the CA AG is looking for a wide range of CCPA violations across the various methods that businesses collect personal information from consumers, from online websites and platforms to mobile applications, and even in-person data collection.  

New Consumer Privacy Interactive Tool


The CA AG also launched a new interactive tool to help consumers notify businesses of alleged non-compliance with the CPPA for a lack of a clear and conspicuous “Do Not Sell My Personal Information” (DNSPI) link on its website.  While consumers cannot sue organizations directly yet, this new consumer tool provides a direct mechanism for consumers to issue a notice of noncompliance to a business, triggering the 30-day period to cure, which in turn triggers the Attorney General’s right to sue if a CCPA violation is not remedied. 

Although the new consumer tool for issuing notices only applies to the lack of a DNSPI link, this tool will likely be expanded for other CCPA rights.  

Overall Takeaways:  

  • Lack of a “Do Not Sell My Personal Information” Link Is An Easy Target – Not having an DNSPI link is an easy red flag for non-compliance that could likely trigger a notice to cure from the AG directly, or now from a consumer via the new tool   
  • Watch Out for AG Notice – The Attorney General’s Office is and will continue to use the notice to cure as effective way of CCPA enforcement. Organizations should clarify their CCPA obligations, take steps to be CCPA compliant to avoid triggering a notice to cure, and be prepared to respond and address promptly should you receive a notice.  
  • Watch Out for Consumer Notice – The new Consumer Privacy Interactive Tool streamlines the DNSPI link noncompliance notice process and will likely expand to other CCPA violations. Organizations should clarify their obligations to include a DNSPI link on their websites and implement where required.   
  • All Business Subject to Enforcement – All businesses across a variety of industries are ripe for enforcement actions under the CCPA.  
  • External and Internal Policies Matter – Organizations should review their external facing notices and internal processes in light of enforcement actions and update accordingly to meet compliance obligations. Be sure your Privacy Notice is up to date and accurate, including the notice of required CCPA rights, instructions on how to exercise those rights, and methods to exercise rights.  
  • Don’t Forget About Service Providers – Review agreements with service providers to be sure they adequately address data security and privacy by including provisions that impose restrictions on the use of personal information and other CCPA-specific provisions/addendums.  

In sum, companies subject to the CCPA should take initial steps to evaluate compliance obligations and implement proactive measures to minimize a potential enforcement action.  The Beckage team will continue to provide timely updates on the CCPA landscape and potential claims, and is available to discuss practical low-cost, high-impact tips for mitigating CCPA enforcement risk.  From reviewing your external policies and data collection practices to reviewing your data mapping and data subject access right procedures, this last year of enforcement underscores the importance of operationalizing robust data security and privacy practice that can stand the test of time and adapt to the evolving consumer privacy landscape.   

*Attorney Advertising. Prior results do not guarantee similar outcomes. *

Subscribe to our Newsletter.

0
Colorado Privacy ActThe Colorado Privacy Act: Explained

The Colorado Privacy Act: Explained

On July 8th, Colorado Governor Jared Polis signed Senate Bill 190, the Colorado Privacy Act (CPA), into law. The Act is the third comprehensive state privacy law in the United States, following California’s Consumer Privacy Act and Virginia’s Consumer Data Protection Act.

The CPA is applicable to businesses that collect and store data on more than 100,000 individuals or those earning revenue from the data of more than 25,000 consumers. The bill also includes various data subject rights, a broad opt-out consent model with a universal opt-out mechanism, a right to cure, and attorney general rulemaking and enforcement. It is set to go into effect on July 1, 2023.

The CPA carries specific rights for the consumer including:

  • Opt-out of processing of personal data.
  • Authorization of another person to act on behalf of the consumer to opt-out of the processing of personal data for purposes of targeted advertising or the sale of consumer data.
  • Confirm whether personal data is being processed and access that data in a portable and readily usable format.
  • Correct inaccurate personal data.
  • Delete personal data.
  • Obtain consent before collection of certain sensitive personal data (data that reveals race or ethnic origin, religious beliefs, a mental or physical health condition or diagnosis, sexual orientation or sex life, citizenship or citizenship status, or genetic or biometric data).

The right to opt-out model gives consumers a user-selected universal opt-out mechanism for executing their opt-out right, however, it applies to targeted advertising and the sale of information. Consumers cannot opt out of unnecessary and irrelevant collection of information.  Controllers must comply with the universal opt-out. Consumer requests must be verifiable, and a controller may deny the request if the request cannot be authenticated.

All consumers are provided the opportunity to appeal any denials of request. Under the act, all controllers are required to respond to a consumer’s request to exercise their rights within 45 days of receiving the request. The time period may be extended an additional 45 days with a notice of delay and reasons for the delay.

The controllers must receive a consumer’s consent before processing a consumer’s sensitive information. Consent must be a clear, affirmative act signifying a consumer’s freely given, specific, informed and unambiguous consent. Consent cannot be obtained by way of acceptance of general or broad terms of use. While the CPA requires consent to process “sensitive” personal data, the bill exempts protected health information and de-identified information under HIPAA, financial institutions and nonpublic personal information under the Gramm-Leach Bliley Act, information regulated by the Fair Credit Reporting Act, Children’s Online Privacy Protection Act, and the Family Educational Rights and Privacy Act, and information regulated by the Driver’s Privacy Protection Act of 1994. The CPA also exempts information maintained for employment records purposes.

Under the CPA, controllers are also required to conduct and document data protection assessments of each of its processing activities that involves personal data acquired when conducting processing that presents a heightened risk of harm to a consumer.

Controllers must provide a privacy notice to the consumer including:

  • Categories of personal data collected, processed, and/or shared with third parties,
  • Purposes for processing such data,
  • Categories of third parties with whom the controller shares personal data,
  • How and where consumers may exercise their rights, and
  • Whether the controller sells personal data or processes personal data for targeted advertising.

Data security practices must be appropriate to the volume, scope, and nature of the personal data processes and nature of the business. While the CPA carries these consumer rights and provides for several controller obligations, it does not offer a private right of action.

The Attorney General has the capability to address outstanding compliance concerns and ambiguities ahead of the law’s effective date. The Attorney General and state district attorneys will enforce the CPA. Under the bill, there is a 60-day cure period to rectify non-compliance provided before the Attorney General or district attorney may take enforcement action. The cure period is only provided until January 1, 2025, and noncompliance can result in civil penalties of not more than $2,000 per violation, not to exceed $500,000 in total for any related series of violations. Again, consumers are not given the private right of action under the bill.

We anticipate more states will begin to enact legislation that will encourage the regulation of sensitive data processing and enhance consumer privacy rights. Beckage will continue to monitor any developments regarding the bill. Our team of highly skilled attorneys are especially equipped to help your business implement a proactive plan to help mitigate risk and remain compliant with emerging laws.

*Attorney Advertising. Prior results do not guarantee similar outcomes. *

Subscribe to our Newsletter.

GDPRThe EU Commission Releases the Long-Awaited Updated SCCs for Continued Cross-Border Data Transfers

The EU Commission Releases the Long-Awaited Updated SCCs for Continued Cross-Border Data Transfers

One of the most highly contentious areas under the European Union’s General Data Protection Regulation (“GDPR”) is the cross-border data transfer of Personal Data out of the EU and into other regions, especially the US. Last year, the Court of Justice released its highly anticipated decision, Schrems II, where it invalidated the EU-US Privacy Shield as a lawful mechanism to transfer Personal Data into the US but upheld the continued use of the Standard Contractual Clauses (“SCCs”). However, the Court signaled a heightened tension around the transfer of data, even using the SCCs, from the EU to the US, directing companies to consider whether those transfers would require “supplemental measures” prior to utilizing the SCCs to transfer Personal Data from the EU to the US.

In the wake of that decision, the EU Commission, charged with adopting the SCCs, announced its plans to update the SCCs to align with the Schrems II decision, to generally update the document. To date, the current form SCCs used for cross-border data transfers were adopted under the GDPR’s predecessor, the EU Directive on Data Protection, in 2001.

For the last two decades, companies across the globe leveraged the SCCs to validate the on-going transfers of personal data across many borders. However, with the increasing complexities of technology and multi-party data transactions, the limited form and nature of the SCCs continued to create challenges in leveraging the standard documents to fit varying types of cross-border data transfers. On Friday, June 4, 2021, the EU Commission released its long anticipated updated form of the Standard Contractual Clauses, available here.

The New Form Standard Contractual Clauses

The new SCCs include robust obligations on both importers and exporters of personal data under the GDPR and the Schrems II decision. Further, the new SCCs are intended to provide more flexibility and options for companies to better address the complex nature of data transfers.

The new SCCs also include modules for entities to leverage depending on the relationship between the parties involved in the transfer, i.e., controller to processer; processor to processor; etc.  These changes are intended to further align with modern data transfers and to promote the free flow of data. In the EU Commission Press-Release, Vice-President for Values and Transparency, Vera Jourová emphasized that the SCCs provide a useful tool for the free-flow of data:

“In Europe, we want to remain open and allow data to flow, provided that the protection flows with it. The modernized Standard Contractual Clauses will help to achieve this objective: they offer businesses a useful tool to ensure they comply with data protection laws, both for their activities within the EU and for international transfers. This is a needed solution in the interconnected digital world where transferring data takes a click or two.”

The Impact of the New SCCs

The new SCCs are expected to impact and streamline the process of adopting the appropriate contractual language to allow for the cross-border exchange of personal data. Further, the clauses are intended to align closer to the GDPR requirements, which went into effect in 2018, and the recent Schrems II guidance. Commissioner for Justice, Didier Reynders, emphasized that:

“In our modern digital world, it is important that data can be shared with the necessary protection – inside and outside the EU. With these reinforced clauses, we are giving more safety and legal certainty to companies for data transfers. After the Schrems II ruling, it was our duty and priority to come up with user-friendly tools, which companies can fully rely on. This package will significantly help companies to comply with the GDPR.”

The updated SCCs focus on the following key updates:

  • Align with the GDPR and Schrems II decision;
  • Provide simple and flexible model clauses for international transfers;
  • Include more robust data protection obligations (e.g., requiring importers to allow regular audits upon exporter request); and
  • Allow for third parties to acceded to existing SCCS as data exporter or importer (under the Docking Clause).

Transition to New SCCs

The new SCCs go into effect in approximately 20 days. Businesses leveraging previous versions of the SCCs have 18 months to transition to the new SCCs.

Overall, these new SCCs will allow companies to use contractual agreements in the cross-border transfer of personal data that better align to the increasingly complex nature of these transactions. Further, the new versions come at a critical juncture, when companies are struggling to implement the guidance of Schrems II and continue to leverage data processing in multiple regions around the world.  In the wake of the invalidation of the EU-US Privacy Shield, and heightened challenges with cross-border data transfers, the SCCs demonstrate the EU’s commitment to addressing data protection while continuing to allow the continued data flows out of the EU.

In light of this critical development, Beckage recommends that clients taken immediate steps to evaluate all existing agreements that will need to be updated with the new SCCs.  As stated above, companies will have up to 180 days to amend previously executed DPAs to include the new form SCCs. As such, companies will need to discuss a process to review its previously executed contracts and develop a plan to roll out amendments. Additionally, moving forward, companies will need to leverage the updated form SCCs in all new Data Processing Agreements.

At Beckage, we have a team of highly skilled attorneys certified in comprehensive GDPR knowledge that can help your company work towards compliance and data protection in both Europe and the United States.  Beckage works with clients to review current policies and assess data security practices.  Our team can help implement a plan to address the new SCCs.  

*Attorney Advertising. Prior results do not guarantee future outcomes. 

Subscribe to ourNewsletter

FingerprintBiometric Litigation Continues To Rise As Businesses Work To Minimize Risk

Biometric Litigation Continues To Rise As Businesses Work To Minimize Risk

In 2008, Illinois enacted the Illinois Biometric Information Privacy Act (“BIPA”) with the purpose of recognizing a person’s privacy right to their “biometric information” and “biometric identifiers”.  BIPA was enacted in response to the growing use of biometrics by businesses.   

In part because of its private right of action, by which plaintiffs may bring suit against businesses directly, BIPA litigation remains at the forefront of the data privacy litigation landscape as businesses continue to collect the biometric identifiers of their employees.  Recent BIPA class action settlements with major tech companies like Facebook and TikTok have been in the hundreds of millions of dollars, but the majority of BIPA litigation is brought against small and medium sized enterprises who collect biometric information in employee timekeeping or for access controls to physical spaces.   

To date, defendants have found courts to be generally unwilling to dismiss BIPA litigation at early motion practice.  Two recent cases, Thornley v. Clearview AI and Barton v. Swan Surfaces, demonstrate that there are some potential limits to BIPA litigation. 

Thornley  v. Clearview AI 

In Thornley, Melissa Thornley accused Clearview AI of scaping publicly available photos from her social media accounts for facial recognition purposes and selling her biometric information to third parties without her consent.  Thornley v. Clearview AI, Inc., 984 F.3d 1241, 1242-1243 (7th Cir. 2021).  Thornley initially filed a complaint in Illinois state court, alleging as a class representative, that Clearview violated § 15(c) of BIPA, which requires in relevant part, that “[n]o private entity in possession of a biometric identifier or biometric information may sell, lease, trade, or otherwise profit from a person’s or a customer’s biometric identifier or biometric information.”  Id. at 1246.  Clearview removed the case to federal court on the basis that the allegation of a statutory violation gave rise to a concrete and particularized injury-in-fact that is necessary for Article III standing.  Id. at 1243.  Under the Constitution, a plaintiff must have Article III standing to sue in federal court, which requires that the plaintiff prove: (1) an injury in fact; (2) causation of the injury by the defendant; and (3) that the injury is likely to be redressed by the requested relief.  See Spokeo, Inc. v. Robins, 136 S. Ct. 1540, 1547 (2016).  In Spokeo, the Supreme Court of the United States held that a statutory violation could be sufficient to constitute an injury in fact; however, it did not provide any analysis as to which types of statutory violations necessarily implicate concrete and particularized injuries in fact.  Id.   

The district court held that Clearview alleged violation of § 15(c) of BIPA was “only a bare statutory violation, not the kind of concrete and particularized harm that would support standing”, the case must be remanded to the state court.  Thornley., 984 F.3d at 1242.  Clearview then appealed to the Seventh Circuit, who concurred with the District Court and remanded the case back to the Illinois State Court for much the same lack of standing.  Id.  Clearview has now petitioned the Supreme Court of the United States to take its case.  See Porter Wells, Clearview AI Will Take BIPA Standing Challenge to Supreme Court. 

Barton v. Swan Surfaces, LLC 

In Barton, a unionized employee of Swan Surfaces, LLC (“Swan”) was required to clock in and out of her employer’s manufacturing plant using her fingerprints as part of company protocol.  Barton v. Swan Surfaces, LLC, No. No. 20-cv-499-SPM, 2021 WL 793983 at *1 (S.D. Ill March 2, 2021).  On May 29, 2020 Barton filed a complaint in the United States District Court for the Southern District of Illinois alleging that she represented a class of individuals who “while residing in the State of Illinois, had their fingerprints collected, captured, received, otherwise obtained and/or stored by Swan”.  Id. at *2.  Barton asserted Swan violated BIPA in: (1) failing to institute, maintain, and adhere to publicly available retention schedule in violation of 740 ILCS 14/15(a); and (2) failing to obtain informed written consent and release before collecting biometric of information.  Id.  On July 31, 2020, Swan filed a Motion to Dismiss, asserting in relevant part, that Barton’s BIPA claims were preempted by § 301 of the Labor Management Relations Act (“LMRA”).  Id.  

On March 2, 2021, the court held that as Barton was a unionized employee, her Collective Bargaining Agreement (“CBA”), which contained a management rights clause and grievance procedure, controlled and as such Barton’s BIPA claims were preempted by § 301 of the LMRA.  In coming to its conclusion, the court heavily relied on the courts holding in Miller v. Southwest Airlines, Inc., 926 F.3d 898 (7th Cir. 2019). Id. at *6. In Miller, the Seventh Circuit held an adjustment board had to resolve the employees’ dispute over the airline’s fingerprint collection practices because their unions may have bargained over the practice on their behalf.  Miller, 926 F.3d 898.  The court in Barton noted that the United States “Supreme Court has held that the RLA preemption standard is virtually identical to the pre-emption standard the Court employs in cases involving § 301 of the LMRA” and therefore the same outcome should apply.  Barton, 2021 WL 793983 at *4. 

Key Takeaway 

While these cases demonstrate the potential to circumvent or limit BIPA litigation, the increased volume of biometric information being used by companies and the push for biometric policies that govern the use of these technologies and promote safeguards for consumers will undoubtedly continue.  

With many states looking to implement biometric privacy laws similar to BIPA, it is important to have legal tech counsel to address compliance with these emerging laws. Beckage attorneys, who are also technologists and former tech business owners, have years of collective experience with new technologies, like artificial intelligence, biometric data, facial recognition technology. We have a team of highly skilled lawyers that stay up to date on all developments in case law on BIPA and who can help your company best defense given the current legal landscape. Our team can help assist your company in assessing and mitigating risks associated with emerging technologies. 

*Attorney Advertising: Prior results do not guarantee a similar outcome. 

Subscribe to our newsletter. 

VirginiaWhat You Need to Know About Virginia’s New Consumer Data Protection Act

What You Need to Know About Virginia’s New Consumer Data Protection Act

On March 2, 2021, Virginia enacted the Consumer Data Protection Act (the “CDPA”) with the goal of establishing a framework for controlling and processing the personal data of Virginia Residents. Where the CDPA resembles California’s Consumer Privacy Act (“CCPA”) in some regards and resembles the European Union’s General Data Privacy Regulation (“GDPR”) in others, the CDPA is likely the first step in a line of new state laws governing the processing of a consumers’ data.  As such, companies should use this time to familiarize themselves with the intricacies of the CDPA so as to begin to adapt to the intricacies of handling consumer data.

Who Does the CDPA Apply to?

The CDPA applies to all companies who operate a business or produce products or services that are targeted to residents of Virginia, and that:

  1. during a calendar year, control or process personal data of at least 100,000 consumers; or
  2. control or process personal data of at least 25,000 consumers and derive over 50 percent of gross revenue from the sale of personal data. 

Equally important is who is exempted from the CDPA.  Va. Code Ann. § 59.1-572(A).  To that end, the CDPA does not apply to i) any governmental body within Virginia; ii) financial institutions or data subject to Title V of the federal Gramm-Leach-Bliley Act (15 U.S.C. § 6801 et seq.); or iii) any covered entity or business associate governed by the privacy, security, and breach notification under HIPAA or HITECH.  Va. Code Ann. § 59.1-572(A).

What is “Sensitive Data” Under the CDPA?

Understanding what constitutes as “sensitive data” under the CDPA first requires an understanding of what is “personal data” under the CDPA.  The CDPA defines personal data as being “any information that is linked or reasonably associated to an identified or identifiable natural person”.  Va. Code Ann. § 59.1-571.  Nevertheless, personal data under the CDPA does not include de-identified data or “publicly available information”.  Id.

The CDPA more heavily regulates a covered business’ processing and handling of sensitive data.  Under the CDPA sensitive data is defined as including:

  1. personal data revealing racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexual orientation, or citizenship or immigration status;
  2. the processing of genetic or biometric data for the purpose of uniquely identifying a natural person;
  3. the personal data collected from a known child; or
  4. the precise geolocation of an individual.  Va. Code Ann. § 59.1-571. 

Moreover, the CDPA provides certain exceptions for data which is not to be considered sensitive data, including, but not limited to:

  1. protected health information under HIPAA; information used only for public health activities under by HIPAA; information derived from any of the health care-related information that is de-identified in accordance with the requirements for de-identification pursuant to HIPAA; patient identifying information for purposes of 42 U.S.C. § 290dd-2;  information created for purposes of the Health Care Quality Improvement Act of 1986 (42 U.S.C. § 11101 et seq.) or  the Patient Safety and Quality Improvement Act (42 U.S.C. § 299b-21 et seq.);
  2. information collected and maintained regulated and authorized under the federal Fair Credit Reporting Act (15 U.S.C. § 1681 et seq.); personal data collected, processed, sold, or disclosed in compliance with the federal Driver’s Privacy Protection Act of 1994 (18 U.S.C. § 2721 et seq.); and
  3. personal data regulated by the federal Family Educational Rights and Privacy Act (20 U.S.C. § 1232g et seq.).  Va. Code Ann. § 59.1-571(C).

What is My Business Required to Do if it is a Covered Business?

Under the CDPA, a covered business is required to:

  1. adopt data minimization practices;
  2. disclose their privacy practices through a “meaningful privacy notice”;
  3. implement data security measures;
  4. refrain from discriminating against consumers who exercise their rights under the CDPA; and
  5. obtain consent prior to processing sensitive data, as defined below.  Va. Code Ann. § 59.1-574. 

Moreover, a covered business may be required to conduct risk assessments on their data protection practices.  These risk assessments must be taken where the covered business activities involve:

  1. the processing of personal data for purposes of targeted advertising;
  2. the sale of personal data;
  3. the processing of personal data for purposes of profiling, where such profiling presents a reasonably foreseeable risk;
  4. the processing of sensitive data; and
  5. any processing activities involving personal data that present a heightened risk of harm to consumers.  Va. Code Ann. § 59.1-576.

Does the CDPA Provide Any Rights to Virginians?

Under the CDPA, Virginians are provided certain individual rights including:

  1. the right to access their data;
  2. the right to amend their data;
  3. the right to delete their data;
  4. the right to transfer their data; and
  5. the right to opt out of certain uses of their personal data.  Va. Code Ann. § 59.1-573(A)(1-5). 

What Happens If My Business Violates the CDPA?

CDPA does not contain a private right of action.  Va. Code Ann. § 59.1-579(C).  As such, enforcement is the exclusive jurisdiction of the Virginia Attorney General.   Va. Code Ann. § 59.1-579(A).  Under the CDPA, the Virginia Attorney General is required to provide the covered business a letter outlining the provisions of the CDPA that have been, or are alleged to have been, violated.   Va. Code Ann. § 59.1-579(B).  The covered business than has 30 days to cure any alleged violations.  Id.  If the covered business cures the alleged violations of the CDPA “and provides the consumer an express written statement that the alleged violations have been cured and that no further violations shall occur” then Virginia Attorney General is not to seek statutory damages against the covered business.  Id.  Nevertheless, if the covered business fails to cure the alleged violations of the CDPA, it may be “subject to an injunction and liable for a civil penalty of not more than $7,500 for each violation.  Va. Code Ann. § 59.1-580(B).

When Will the CDPA Become Effective?

The CDPA will become effective on January 1, 2023.  Va. Code Ann. § 59.1-581.  Moreover, in contracts to the new California Consumer Privacy Rights Act (“CPRA”), the CDPA does not contain a twelve-month lookback period, and thus compliance with the CDPA will only be required moving forward.

What Do I Do Next?

Now is the time to prioritize developing a robust, scalable data privacy program within your organization.  First and foremost, conducting an assessment to determine what laws and regulations, such as the CDPA, CCPA, or GDPR, apply to your organization is a great starting place. Your business may be required to make additional disclosures surrounding your data collection practices and how consumers can exercise certain rights to that data.

Beckage’s dedicated data privacy attorneys routinely provide guidance on various consumer data privacy regulatory regimes and are especially adept to help your business adapt to the changing legal landscape.  We recommend reviewing all cookie consent banners and just in time notices to evaluate whether they provide the necessary opt out consent for targeted advertising as required by the CDPA and other evolving laws.  Based on the above, if you believe that the CDPA may impact your business, reach out to Beckage for assistance.

Subscribe to our newsletter.

*Attorney Advertising; prior results do not guarantee similar outcomes.

1 2 3 9