
David Zetoony, Co-Chair of the firm's U.S. Data, Privacy and Cybersecurity Practice, focuses on helping businesses navigate data privacy and cyber security laws from a practical standpoint. David has helped hundreds of companies establish and maintain ongoing privacy and security programs, and he has defended corporate privacy and security practices in investigations initiated by the Federal Trade Commission, and other data privacy and security regulatory agencies around the world, as well as in class action litigation.

David receives regular recognitions from clients and peers for his knowledge and experience in the fields of data privacy and security. The National Law Journal named him a “Cybersecurity and Data Privacy Trailblazer,” JD Supra recognized him four times as one of the most widely read names when it comes to data privacy, cyber security, or the collection and use of data, and Lexology identified him six times as the top “legal influencer” in the area of technology, media, and telecommunications in the United States, the European Union, and in the context of cross-border transfers of information. He is the author of the American Bar Association's primary publication on the European General Data Protection Regulation (GDPR) and is writing the American Bar Association's primary publication on the California Consumer Privacy Act (CCPA).

The CCPA’s core requirements can be grouped broadly into three categories: (1) rights owed by businesses to Californians concerning their personal data, (2) data security breach risks and obligations, and (3) vendor management.

The CPRA expanded the scope of the first category – i.e., the rights conferred upon Californians concerning their personal data. Under the

No.

A group of privacy advocates and privacy software companies has proposed an “unofficial” specification for how consumers might transmit, and how companies might receive, a global privacy opt-out signal that indicates an intention for information not to be sold.  As of 12 October 2020, the draft “Global Privacy Control specification” claims to have “no

A group of privacy advocates, publishers, and privacy software companies have proposed an “unofficial” specification for how consumers might transmit, and how companies might receive, a global privacy opt-out signal that indicates an intention for information not to be sold.  They refer to their specification as the Global Privacy Control header, “GPC header,” or “GPC

No.

The regulations implementing the CCPA require that if a business sells personal information and collects personal information from consumers online it must honor “user-enabled global privacy controls” that communicate a desire of the consumer to opt-out of the sale of personal information.[1]  There is no single format or technical specification for creating, transmitting,

No.

The European GDPR permits a company to retain personal data for “no longer than is necessary for the purposes for which the personal data are processed.”[1]  As a result, if a company no longer needs information to accomplish a specific purpose, the company is, theoretically, required to delete that information.  The requirement that

No.

The European GDPR permits a company to collect only that information which is “adequate, relevant and limited to what is necessary in relation to the purposes” for which the information is to be processed.[1]  As a result, a company arguably is not permitted to collect personal data that is not “necessary” for a

The term “personally identified information” is utilized by some industry groups, including the Network Advertising Initiative (“NAI”).  Personally identified information, or “PII,” is defined by such organizations to refer to a significantly narrower set of data than the term “personal information” used within the CCPA.  The following provides a side-by-side comparison of the two terms:

The California Privacy Rights Act of 2020 (the “CPRA” or “Proposition 24”) labels 20 data fields as constituting “sensitive personal information.”[1]  If Proposition 24 is enacted, businesses would be permitted to use sensitive personal information for one of the following purposes:[2]

  1. Performing services reasonably expected by the consumer.[3]
  2. Providing goods reasonably expected

Yes and no.

The CCPA references directly, or by incorporating definitions from other code provisions, 55 data types that may fall under the broad definition of “personal information.”  While the CCPA does not label any data type as being more, or less, sensitive than another, the Act does confer special rights on a subset of