As most people started to wind down for the July 4th holiday week, California was just ramping up its “as California goes” focus on data privacy. On June 28, 2018, California passed a comprehensive data privacy bill that has been touted as the strictest in the nation.
The good news first—businesses have until January 1, 2020, to revamp privacy compliance programs, update policies, procedures and processes, and operationalize the sweeping new changes passed by the California legislature. The not-so-good news for businesses, however, is that this new law proposes a significant number of restrictions to the way businesses collect, use, store, and share personal data. In addition, consumers now have a private right of action for certain disclosures or loss of personal data. While the new California Consumer Privacy Act of 2018 amends Sections 1798.100 through 1798.198 of the California Civil Code, there is still a lot of uncertainty as to what specific requirements may be revised in the next 18 months.
This initial overview provides a few high-level practical questions to help your company get a head start on determining how best to implement this new legislation. Bradley will continue its review and coverage of this law in an ongoing series devoted to state privacy law updates, so please check back here for more information.
Who Is Affected?
According to some accounts, the act will apply to more than 500,000 U.S. companies and has the potential to affect hundreds of thousands more companies worldwide. Additionally, even though the law does not apply to information already regulated under various federal laws, it does apply to entities traditionally covered by regulations such as the Gramm-Leach Bliley Act, the Fair Credit Reporting Act, and the Health Insurance Portability and Accountability Act.
Any company that meets certain criteria and receives personal data from California residents must comply with the new statute. Note that although the act is touted as a “consumer privacy” law, California has broadly defined consumer to include “any natural person who is a California resident.”
Under the act, any company that (1) has an annual gross revenue of $25 million, (2) obtains personal information of 50,000 or more California residents, households or devices annually, or (3) derives 50 percent or more annual revenue from selling California residents’ personal information would be a covered entity under the statute. Note that parent companies and subsidiaries using the same branding are covered, even if those companies and subsidiaries do not exceed the applicable thresholds.
Why Is This Different?
In passing the act, legislators declared that it was their intent to provide Californians with specific rights to privacy, including: (1) the right to know what personal information is being collected about them; (2) the right to know whether their personal information is being sold or disclosed and to whom; (3) the right to say no to the sale of personal information; and (4) the right to access and delete their personal information.
Additionally, as currently drafted, “personal information” is defined as “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.” The broad nature of this definition encompasses data that relates not just to a single individual, but an entire household—effectively encompassing information regarding web browsing histories, IP addresses, energy consumption, or other general information—even if no individual name is associated with it.
What Can I Do Now?
First and foremost, understand what data you collect. The concept of data mapping has been recommended by privacy professionals for some time, however, this new act makes it even more pertinent that companies map and inventory data. What information does your company collect on California residents? What are those sources of data? Is the information shared with third parties and in what context? These and many other questions will need to be answered before an entity can evaluate whether the new act will apply and in what ways the company may need to alter its practices or update its policies and procedures.
In addition, companies should start to consider whether or not current systems and processes will allow compliance with the new rights afforded to consumers, such as the ability to verify the identity of persons who make requests for data deletion, access or transfer. Also, how will companies store and maintain records on consumers who have opted out of data sharing or made a request for information?
Although the implementation of the new act is still another 18 months away, companies should begin the process of assessing the act’s impact on business processes, operations and data handling practices. Additionally, anyone affected by the act should pay close attention to potential revisions and changes to the law as we move toward January 1, 2020.
The Bureau of Consumer Financial Protection has once again been deemed unconstitutional, this time in an 
In a highly anticipated decision, the United States Supreme Court ruled the practice employed for years by the Securities and Exchange Commission of choosing administrative law judges to hear SEC enforcement actions, violates the Appointments Clause of the Constitution. The Supreme Court, in 
Security Group, Inc. and several of its wholly owned subsidiaries entered into a 
Late last month, the CFPB took the extraordinary step of joining two trade groups in requesting a stay of a case challenging the bureau’s final payday/auto title/high-rate installment loan rule (“Payday Rule”) pending the CFPB’s reconsideration of the rule promulgated under the prior administration. Significantly, the joint motion also seeks a stay of the Payday Rule’s compliance date. The CFPB’s decision to join the plaintiff in requesting the stay of the rule is a firm indication of the bureau’s altered priorities under Director Mick Mulvaney. Indeed, the joint motion goes so far as to state that the CFPB’s rulemaking “may result in repeal or revision of the Payday Rule and thereby moot or otherwise resolve this litigation or require amendments to Plaintiffs’ complaint.” On this basis, the CFPB and the trade groups asked the federal court in Texas to stay the compliance date until 445 days from the date of final judgment in the litigation.
Described as “
Since 1996, when California became the first state to legalize marijuana (at the time, for medicinal purposes only), 28 additional states and the District of Columbia have legalized marijuana to some extent. Public support for legalization continues to rise as more and more jurisdictions loosen their marijuana laws, 
On May 8, 2018, President Donald Trump announced that the United States would no longer participate in the Joint Comprehensive Plan of Action (JCPOA), the international agreement regarding Iran’s nuclear activities and sanctions imposed on Iran that was entered into in July 2015. The Treasury Department’s Office of Foreign Asset Control quickly issued a frequently asked questions bulletin explaining how the U.S. will re-impose sanctions that had been lifted pursuant to the JCPOA. The U.S. withdrawal from the deal will occur over either a 90-day (ending August 6, 2018) or 180-day (ending November 4, 2018) wind-down period, depending on the type of activity at issue. Here are some key takeaways:
Reverse mortgage lenders received a significant victory in Florida’s Third District Court of Appeal last week when the court issued its decision in 
The Federal Financial Institutions Examination Council (FFIEC) has issued a 