While the bulk of current conversation and headlines revolve around an ever growing pandemic, California Attorney General, Xavier Becerra, provided us a much needed distraction. A little over a month since the Attorney General released the first set of modifications (the “First Modifications”) to the California Consumer Privacy Act’s (the “CCPA”) initial regulations, he has now released the second set of modifications (the “Second Modifications”) based on written comments received over the 15-day comment period that ended on Feb. 25, 2020. While the Second Modifications are not as voluminous as the First Modifications, there are still some significant changes and clarifications that may affect businesses or service providers and changes that nullify a few of the First Modifications, including some of our discussion points from our discussion of the First Modifications.

Continue Reading

As we have often said here in the US, “so goes California, so goes the country” when it comes to laws of all kinds, not just those addressing privacy. Well, globally, the same can be said of the impact of the European Union’s GDPR. Originally scheduled to go into effect this month (it was later amended to be enforced in August 2020), Brazil will be regulating privacy and security more extensively with the Brazilian General Data Protection Law (aka, the Lei Geral de Proteção de Dados and often referred to as the “LGPD” in the Portuguese acronym) (Law 13.709/2018). Here is a quick summary of the LGPD’s requirements.

Continue Reading

As we assist clients with preparing for GDPR compliance before and after this Friday’s effective date, I thought to share some quick thoughts on the law and what we are seeing here at Taft.

  1. “GDPR Compliant.” Be wary of companies making such claims and don’t make such claims, yourselves.  As with HIPAA, there is no such thing as a stamp of “compliance” approval.  And, like bragging about your information security, warranting that you are “compliant” is just asking for that


Continue Reading

Well, if Star Wars (May 4) and doughnuts (first Friday in June) can have their own day, you would hope a day might be dedicated to reminding us all about the importance of privacy and increasing awareness of ways we can empower ourselves and our clients to better use and protect personal information. Data Privacy Day began as Data Protection Day in Europe. The day commemorates the signing of Convention 108, the first legally binding international treaty dealing with privacy
Continue Reading

As you put together your resolutions and plans for the new business year, it is important to remember that the European Union’s (“E.U.”) General Data Protection Regulation (“GDPR”) will go into effect on May 25, 2018. The impact that it could have on U.S. companies will depend on whether a company processes the personal data of E.U. citizens (note: the definition of “personal data” under the GDPR is quite broad). If you think this doesn’t apply to your company, think again – even without a physical presence in the E.U., the internet makes it easier than ever to collect personal data from E.U. residents while operating solely in the U.S. So, whether it’s the information of your customers, the customers of your clients, or even the personal data of your own employees, it is important to be aware of your obligations under GDPR and the ways by which you can comply.

As we introduced last year, underpinning the GDPR is the view that privacy is a fundamental human right. Accordingly, the GDPR takes a comprehensive approach to privacy law – much more so than the sectoral approach used here in the U.S. In the U.S., privacy tends to be regulated based on the category of information collected (e.g., protected health information under HIPAA). Under the GDPR, as well as its predecessor, the Data Protection Directive 95/46/EC, the focus is on personal data in all sectors of industry. And we should take a moment to remind everyone that stringent regulations on transferring personal data from the E.U. to the U.S. are not something new. U.S. companies should have been complying with the Data Protection Directive since 1995. Indeed, many companies are just now starting to do what they should have been doing for a long while. In truth, in some part, this lack of compliance or sufficient protection of personal data is why the GDPR has come to be.


Continue Reading