A controller refers to the entity that determines the “purpose and means” of how personal data will be processed. Determining the “purpose” of processing refers to deciding why information will be processed. Determining the “means” of processing refers to deciding how information will be processed.1 That does not necessarily mean, however, that a controller

The California Consumer Privacy Act provided plaintiffs with a private right of action to pursue statutory damages following data security breaches that impact certain sensitive categories of information and are caused by a business’s failure to institute reasonable and appropriate security. Although the CCPA does not permit private suits with respect to alleged violations of

What are the differences between the CCPA and the CPRA, and how do these two California privacy acts resemble the European GDPR? Is now the time to adopt a data privacy framework instead of trying to comply with state statutes like the CPRA? David Zetoony and Victor Monga, Governor of ISACA Orange County, recently discussed

On Feb. 10, 2021, Acting Federal Trade Commission (FTC) Chairwoman Rebecca Kelly Slaughter offered a glimpse of where the FTC may be headed under the Biden administration and confirmed that privacy remains among the Commission’s top priorities.

In her keynote address to the Future of Privacy Forum, Slaughter shared her views on the FTC’s role

  1. EEA Cross-Border Transfers. The U.S. and the EU will work towards, and hopefully reach, a cross-border data transfer solution.
  2. Ransomware. More ransomware attacks and increased regulatory scrutiny of companies that pay ransom demands.
  3. Digital Advertising. Development of alternate marketing strategies, and perhaps more reliance on consumer opt-in, as privacy laws further erode traditional tracking

The regulations implementing the CCPA make clear that the notice at collection (or the privacy notice if it is being used to satisfy the notice at collection) does not have to be physically provided to a consumer; instead a business must make it “readily available” in a location where consumers are likely to encounter it.

It depends.

If a written contract between a law firm and its client (e.g., an engagement letter) prohibits the law firm from using, retaining, and disclosing personal information except to the extent permitted by the client, the law firm may be a “service provider” under the CCPA.  The CPRA amended the CCPA’s definition of service

The regulations implementing the CCPA discuss the education of employees regarding CCPA related responsibilities in two sections:

Section 999.317(a) Section 999.317(g)(3)

All individuals responsible for handling consumer inquiries about the business’s privacy practices or the business’s compliance with the CCPA shall be informed of all of the

requirements in the CCPA and these regulations and