Probably not.

Some companies have objected to the CCPA’s definition of “business,” which purports to treat some affiliated companies that utilize common branding as a single business for the purpose of the Act. Specifically, they have pointed out that there are situations in which corporate affiliates that share common branding might be of disparate size

Greenberg Traurig invites you to join us for an informative discussion on the recently enacted Proposition 24, the California Privacy Rights Act (CPRA), and how it builds on the compliance issues created by the California Consumer Privacy Act (CCPA).

Thursday, Jan. 14, 2021
10:00 – 10:30 a.m. MST / 12:00 – 12:30 p.m. EST

During

Maybe.

“Tokenization” refers to the process by which you replace one value (e.g., a credit card number) with another value that would have “reduced usefulness” for an unauthorized party (e.g., a random value used to replace the credit card number).[1] In some instances, tokens are created through the use of algorithms, such as hashing

It depends.

If a written contract between a law firm and its client (e.g., an engagement letter) prohibits the law firm from using, retaining, and disclosing personal information except to the extent permitted by the client, the law firm may be a “service provider” under the CCPA.  The CPRA amended the CCPA’s definition of service

The regulations implementing the CCPA discuss the education of employees regarding CCPA related responsibilities in two sections:

Section 999.317(a) Section 999.317(g)(3)

All individuals responsible for handling consumer inquiries about the business’s privacy practices or the business’s compliance with the CCPA shall be informed of all of the

requirements in the CCPA and these regulations and

The CCPA does not explicitly reference the requirement to train employees, but it does require that:

All individuals responsible for handling consumer inquiries about the business’s privacy practices or the business’s compliance with this title are informed [concerning the CCPA’s requirements] . . . and how to direct consumers to exercise their rights under those

No.

The CCPA defines “deidentified” data as information that “cannot reasonable identify, relate to, describe, be capable of being associated with, or be linked, directly or indirectly, to a particular consumer.”1  A number of individuals and entities requested that the Office of the California Attorney General provide guidance as to what steps should be

Marginally.

Section 1798.150 of the CCPA permits consumers to “institute a civil action” if consumer “personal information, as defined in subparagraph (A) of paragraph (1) of subdivision (d) of Section 1798.81.5, is subject to unauthorized access and exfiltration, theft, or disclosure,” and where that unauthorized access was “a result of the business’s violation” of a

In order for an entity to be considered a business, and hence regulated by the CCPA, it must satisfy at least one of three thresholds. One such threshold is whether the business has “annual gross revenue in excess of twenty-five million dollars.”[1]

The CCPA does not specify whether the gross revenue threshold refers to

On December 10, 2020, the California Attorney General (AG) released the Fourth Set of Proposed Modifications to the California Consumer Protection Act (CCPA) Regulations, styled as “Modifications to Proposed Modifications.” The Fourth Set comes shortly after the comment period for the Third Set of Proposed Modifications closed on Oct. 28.  Per the AG’s Notice