The CCPA includes a non-exhaustive list of data types that may fall under the definition of personal information. One of those data types is “biometric information.”1

While the CCPA provides a definition of “biometric information,” it is worth noting that the CCPA’s definition differs from the definition of the term in other statutes and

Maybe.

“Hashing” refers to the process of using an algorithm to transform data of any size into a unique fixed-sized output (e.g., combination of numbers and letters). To put it in layman’s terms, some piece of information (e.g., a name) is run through an equation that creates a unique string of characters. Anytime the exact

On March 10, 2021, Rep. Suzan DelBene (D-Wash.) introduced the first comprehensive consumer privacy bill of the 117th Congress. The Information Transparency and Personal Data Control Act is designed to “establish a uniform set of rights for consumers and create one set of rules for businesses to operate in,” according to a press release from

Section 1798.150 of the CCPA permits consumers to “institute a civil action” if consumer “personal information, as defined in subparagraph (A) of paragraph (1) of subdivision (d) of Section 1798.81.5, is subject to unauthorized access and exfiltration, theft, or disclosure,” and where that unauthorized access was “a result of the business’s violation” of a duty

Consumers are permitted to bring suit under the CCPA if they can prove the following five elements:

  1. A business incurred a data breach;
  2. The data breach involved a sensitive category of information identified in California Civil Code Section 1798.81.5;
  3. The business had a legal duty to protect the personal information from breach;
  4. The business failed

The CCPA states that a service provider must be contractually prohibited from “retaining, using, or disclosing the personal information [provided to it by a business] for any purpose other than for the business purposes specified in the contract for the business . . . .”1 That prohibition, however, may not apply to information once

The CPRA amended the CCPA’s definition of a service provider such that, beginning Jan. 1, 2023, a service provider could include any person (not just a legal entity), and a service provider could be a business that receives personal information “on behalf of” another business. The CPRA also added the requirement that written contracts contain

In order to be considered a service provider under the CCPA, a legal entity must process personal information “on behalf of a business”[1] and be prohibited by contract from:

  1. Retaining the personal information “for any purpose other than for the specific purpose of performing the services specified in the contract . . . or

A data broker is defined under California law as a business that “knowingly collects and sells to third parties the personal information of a consumer with whom the business does not have a direct relationship.”1 Based upon that definition, to be a data broker, the following five elements must be present:

Elements Description
1.

Possibly. The European Data Protection Board (EDPB) issued draft practical guidance on various types of data breaches to assist companies with identifying situations in which a data security incident may need to be reported to EU supervisory authorities (the government regulator for privacy in various EU member countries). The guidance addresses the common scenario of