While the bulk of current conversation and headlines revolve around an ever growing pandemic, California Attorney General, Xavier Becerra, provided us a much needed distraction. A little over a month since the Attorney General released the first set of modifications (the “First Modifications”) to the California Consumer Privacy Act’s (the “CCPA”) initial regulations, he has now released the second set of modifications (the “Second Modifications”) based on written comments received over the 15-day comment period that ended on Feb. 25, 2020. While the Second Modifications are not as voluminous as the First Modifications, there are still some significant changes and clarifications that may affect businesses or service providers and changes that nullify a few of the First Modifications, including some of our discussion points from our discussion of the First Modifications.
Continue Reading
Don’t Let COVID-19 Lure You In: Phishing and Malware Attacks Skyrocket During Coronavirus Crisis
In our previous COVID-19 bulletin, we discussed the importance of companies maintaining information system and data security while allowing employees to work remotely. Over the last week, as people scramble to identify trustworthy information about the spread of COVID-19, how they can protect themselves, and how they can get tested, spammers and scammers have taken advantage of vulnerable telecommuters. For example, in just the past week, media outlets have reported on the following scams:
- Email Phishing. According to a Kaspersky study and the FTC, email phishing schemes include the use of organizations’ names that would normally seem legitimate. Such emails appear to be coming from representatives of the Centers for Disease Control and Prevention (CDC) or the World Health Organization (WHO). The emails have the CDC or WHO logos and headings or have email addresses that, in a quick glance, look to be official (such as cdc-gov.org). The links in these emails may infect the user’s device with malware or even ask them to enter in an email and password for their Microsoft Outlook account.
- Domains and Apps. There are website domains that appear to keep track of COVID-19 updates and health information. Instead, these domains prompt users to download apps to access this information. In particular, there is an Android App that, once downloaded, infects the device with ransomware and demands payment or else the data on the device will be erased. Additionally, there is an interactive infections and deaths map circulating that is being used to spread password-stealing malware.
- Goods Delivery. While goods and supplies, such as cleaning and household supplies, are running out at local stores, there are online sellers purporting to have these items in stock. Instead, they are scams that take your payment and never deliver your ordered items. Employers, or employees in charge of supplies, should be cautious of online retailers and conduct additional research into the seller to verify legitimacy.
- Fake Charities. As with any major event or crisis, there are scammers trying to take advantage of people’s good intentions. This can take form in fake charities or fake donation pages. The fake charity can be a completely made up organization or one that closely resembles names of established charities.
How am I supposed to do this? Part Deux: California Attorney General issues CCPA modifications
Last year we wrote about the California attorney general’s initial guidance on implementation and enforcement requirements for the California Consumer Privacy Act (“CCPA”). Now, over a month since the CCPA went into effect, California Attorney General Xavier Becerra proposed modifications (the “Modifications”) to the initial proposed regulations (the “Initial Regulations”) that were published in early October 2019. The Modifications are the Attorney General’s response to public comments of the Initial Regulations that were submitted during the written comment period. While these changes are not final, they shed light on how the AG’s office expects businesses to plan, operate, and respond to consumer requests.
Continue Reading
How am I supposed to do this?: California AG issues proposed regulations for making CCPA a reality
In Taft’s Privacy and Data Security Insight, we have been writing regularly on the California Consumer Privacy Act and what to expect as it goes into effect in January. Like many new privacy laws, panic begins to set in about how to actually address the new approach towards consumer privacy (remember the great GDPR panic of May 25, 2018?) In our last blog, we told you about the final amendments to the CCPA and how the language of the law will finally read. The next step to the implementation of the United States’ most comprehensive state privacy law is the issuance of the Attorney General’s Proposed Regulations, a Notice of Proposed Rulemaking Action, and an Initial Statement of Reasons. These draft documents attempt to answer the question burning in the minds of lawyers and businesses around the country: HOW am I supposed to actually do this? With these draft documents finally out (awaiting public comments until December), we have what we are to understand as the AG’s guidance to businesses on how to comply with the provisions of the CCPA, including, but not limited to:
- How to properly notify consumers;
- How to handle consumer requests;
- How to verify the identity of consumers;
- Collecting personal information of minors; and
- How the value of consumer data is calculated.
The California Consumer Privacy Act (“CCPA”) will go into effect on January 1, 2020.
California Raisin’ the Stakes: Final CCPA Amendments Pass CA Legislature
As we have discussed before, the California Consumer Privacy Act (“CCPA”) is forcing entities doing business in California to critically examine their information collection and sharing practices. Although California signed it into law last year, the CCPA does not go into effect until January 1, 2020. Last month, the California Legislature passed six amendments to the CCPA that will affect how businesses operate, while also affording California residents their newfound rights.
I. Limiting Personal information & Publicly Available Information (AB-874).
The CCPA, before this amendment, defined “personal information” as any information that “is capable of being associated with… a particular consumer or household.” This amendment changes that language to any information that “is reasonably capable of being associated with… a particular consumer or household.” This is an attempt to clarify and limit the scope of personal information and what information is “capable of being associated with” a consumer. Much like other areas of the law, we expect contentious debate over what is “reasonable” when anticipating association with a particular consumer or household. Additionally, the definition of “personal information” will now exclude de-identified or aggregated consumer information. This amendment also removes restricting language on what information is treated as “publicly available” and simply states that it is information made available by federal, state, or local governments.