No.

The CPRA created a new sub-category of personal information that it labels “sensitive personal information.” [1]  The sub-category is comprised of twenty specific data fields which include, among other things, the religious beliefs, racial origin, precise geolocation, or sexual orientation of a consumer.  Beginning on January 1, 2023, if a business collects sensitive personal

The CCPA’s core requirements can be grouped broadly into three categories: (1) rights owed by businesses to Californians concerning their personal data, (2) data security breach risks and obligations, and (3) vendor management.

The CPRA expanded the scope of the first category – i.e., the rights conferred upon Californians concerning their personal data. Under the

Likely no. While the CCPA provides for statutory damages if certain personal information is exposed in a data breach due to a business’s failure to have reasonable and appropriate security in place, the CPRA goes a step further. The CPRA requires the California government to issue regulations requiring businesses whose processing of consumers’ personal information

With 72% of the vote in, 56.1% of Californians have voted in favor of Proposition 24, making it likely that the California Privacy Rights Act of 2020 (CPRA) will pass. The CPRA – a ballot initiative – will usher in material amendments to the existing California Consumer Privacy Act (CCPA). Proponents have argued that the

No.

The regulations implementing the CCPA require that in-scope businesses must provide two or more designated methods of submitting requests to opt-out, including an interactive form accessible via a clear and conspicuous link titled “Do Not Sell My Personal Information,” on the business’s website or mobile application.[1]

In addition to the “DNSMPI” link noted

No.

A group of privacy advocates and privacy software companies has proposed an “unofficial” specification for how consumers might transmit, and how companies might receive, a global privacy opt-out signal that indicates an intention for information not to be sold.  As of 12 October 2020, the draft “Global Privacy Control specification” claims to have “no

No.

The regulations implementing the CCPA require that if a business sells personal information and collects personal information from consumers online it must honor “user-enabled global privacy controls” that communicate a desire of the consumer to opt-out of the sale of personal information.[1]  There is no single format or technical specification for creating, transmitting,

No.

The European GDPR permits a company to retain personal data for “no longer than is necessary for the purposes for which the personal data are processed.”[1]  As a result, if a company no longer needs information to accomplish a specific purpose, the company is, theoretically, required to delete that information.  The requirement that

No.

The European GDPR permits a company to collect only that information which is “adequate, relevant and limited to what is necessary in relation to the purposes” for which the information is to be processed.”[1]  As a result, a company arguably is not permitted to collect personal data that is not “necessary” for a