David A. Zetoony

David Zetoony, Co-Chair of the firm's U.S. Data, Privacy and Cybersecurity Practice, focuses on helping businesses navigate data privacy and cyber security laws from a practical standpoint. David has helped hundreds of companies establish and maintain ongoing privacy and security programs, and he has defended corporate privacy and security practices in investigations initiated by the Federal Trade Commission, and other data privacy and security regulatory agencies around the world, as well as in class action litigation.

David receives regular recognitions from clients and peers for his knowledge and experience in the fields of data privacy and security. The National Law Journal named him a “Cybersecurity and Data Privacy Trailblazer,” JD Supra recognized him four times as one of the most widely read names when it comes to data privacy, cyber security, or the collection and use of data, and Lexology identified him six times as the top “legal influencer” in the area of technology, media, and telecommunications in the United States, the European Union, and in the context of cross-border transfers of information. He is the author of the American Bar Associations primary publication on the European General Data Protection Regulation (GDPR) and is writing the American Bar Associations primary publication on the California Consumer Privacy Act (CCPA).

If a service provider agreed to a data processing addendum that complied with the CCPA will a new addendum be needed for the CPRA that includes additional use restrictions?

By David A. Zetoony on November 24, 2020

Posted in California, CCPA, CPRA, Privacy Legislation

It depends.

As discussed in Q 223, the CPRA ostensibly expanded the three substantive contractual restrictions identified in the CCPA by referring to nine additional provisions that should be included within a service provider agreement by January 1, 2023. Many of the new requirements, however, may be redundant of, or subsumed within, contractual provisions that…

If a service provider agreed to a data processing addendum that complied with the CCPA will a new addendum be needed for the CPRA that specifically prohibits selling or sharing of data?

By David A. Zetoony on November 23, 2020

Posted in California, CCPA, CPRA, Privacy Legislation

It depends.

Does the CPRA require data minimization with regard to the storage of information?

By David A. Zetoony on November 19, 2020

Posted in California, CCPA, CPRA

Yes.

Data minimization is not addressed by most privacy laws in the United States and was not mandated by the CCPA. Privacy laws in the United States that do touch upon data minimization generally do not require it; instead, they recommend it as a best practice or as a condition for achieving a safe harbor…

Under the CPRA can a consumer object to a company sharing sensitive personal information with AdTech companies for their use in constructing a consumer profile?

By David A. Zetoony on November 18, 2020

Posted in California, CPRA

Yes.

The CPRA created a new sub-category of personal information that it labels “sensitive personal information.” [1] The sub-category is comprised of twenty specific data fields which include, among other things, the religious beliefs, racial origin, precise geolocation, or sexual orientation of a consumer. Beginning on January 1, 2023, consumers will have the right to…

Under the CPRA can a consumer object to a company using sensitive personal information for behavioral or targeted advertising?

By David A. Zetoony on November 17, 2020

Posted in California, CPRA

The CPRA created a new sub-category of personal information that it labels “sensitive personal information.”[1] The sub-category is comprised of twenty specific data fields which include, among other things, the religious beliefs, racial origin, precise geolocation, or sexual orientation of a consumer. Beginning on January 1, 2023, consumers will have the right to instruct,…

Under the CPRA can a consumer object to a company using sensitive personal information for data analytics?

By David A. Zetoony on November 16, 2020

Posted in California, CCPA, CPRA, Privacy Legislation

The CPRA created a new sub-category of personal information that it labels “sensitive personal information.”[1] The sub-category is comprised of twenty specific data fields which include, among other things, the religious beliefs, racial origin, precise geolocation, or sexual orientation of a consumer. Beginning on January 1, 2023, consumers will have the right to instruct…

Is the CPRA’s right to object to the continued use of sensitive personal information an absolute right?

By David A. Zetoony on November 12, 2020

Posted in California, CCPA, CPRA

No.

The CPRA created a new sub-category of personal information that it labels “sensitive personal information.” [1] The sub-category is comprised of twenty specific data fields which include, among other things, the religious beliefs, racial origin, precise geolocation, and sexual orientation of a consumer. Beginning on January 1, 2023, consumers will have the right to…

Does the CPRA give consumers a right to object to a business’s continuing use of sensitive personal information?

By David A. Zetoony on November 11, 2020

Posted in California, CCPA, CPRA

The CCPA did not explicitly label any data type as being more, or less, “sensitive” than another, although it did confer special data security-related rights on a subset of data types.

The CPRA created a new sub-category of personal information that it labels “sensitive personal information.” [1] The sub-category is comprised of twenty specific data…

Does the CPRA require that companies get opt-in consent from consumers before collecting their sensitive personal information?

By David A. Zetoony on November 10, 2020

Posted in California, CCPA, CPRA

No.

The CCPA did not explicitly label any data type as being more, or less, “sensitive” than another, although it did confer special data security-related rights on a subset of data types (e.g., Social Security numbers, driver’s license numbers, medical information, etc.).

The CPRA created a new sub-category of personal information that it labels “sensitive…

Does the CPRA require companies to publish the data retention period that applies to the personal information it collects from consumers?

By David A. Zetoony on November 9, 2020

Posted in California, CCPA, CPRA

Yes.

Most privacy laws in the United States do not require that a company publicly disclose the length of time that personal information will be kept. While the CCPA did not contain such a requirement, the CPRA will require, beginning on January 1, 2023, that businesses inform consumers at the point at which information is…

Data Privacy Dish

David A. Zetoony

If a service provider agreed to a data processing addendum that complied with the CCPA will a new addendum be needed for the CPRA that includes additional use restrictions?

If a service provider agreed to a data processing addendum that complied with the CCPA will a new addendum be needed for the CPRA that specifically prohibits selling or sharing of data?

Does the CPRA require data minimization with regard to the storage of information?

Under the CPRA can a consumer object to a company sharing sensitive personal information with AdTech companies for their use in constructing a consumer profile?

Under the CPRA can a consumer object to a company using sensitive personal information for behavioral or targeted advertising?

Under the CPRA can a consumer object to a company using sensitive personal information for data analytics?

Is the CPRA’s right to object to the continued use of sensitive personal information an absolute right?

Does the CPRA give consumers a right to object to a business’s continuing use of sensitive personal information?

Does the CPRA require that companies get opt-in consent from consumers before collecting their sensitive personal information?

Does the CPRA require companies to publish the data retention period that applies to the personal information it collects from consumers?

About Greenberg Traurig