Archive for October, 2019

California Passes New Data Broker Law In Anticipation of January 1, 2020 Effective Date of California Consumer Privacy Act (“CCPA”)

Wednesday, October 23rd, 2019

SaaS companies in the business of brokering data are on notice: the state of California intends to keep you on a tight leash.

In anticipation of the January 1, 2020 effective date of the California Consumer Privacy Act (“CCPA”), California took yet another bold step toward protecting the personal information of Californians when it passed a new data broker law, AB-1202, on October 11, 2019. The law applies to anyone in the business of collecting and selling the personal information of consumers and establishes a new compliance framework for data brokers.

What is California’s New Data Broker Law?

Under the new law, data brokers will be required to register with the Attorney General, pay a registration fee, and provide their name, physical address, email address, and website address, all of which will be publicly displayed online.  Any data broker that fails to register will be (a) subject to injunction and liable for civil penalties, fees, and costs at a rate of $100 for each day that the data broker fails to register; (b) liable for an amount equal to the fees due during the period it failed to register; and (c) liable for the expenses incurred by the Attorney General in the investigation and prosecution of the action.

What is a Data Broker under the California Law?

What businesses are defined as “data brokers” under the law?  The law defines “data broker” to mean a “business that knowingly collects and sells to third parties the personal information of a consumer with whom the business does not have a direct relationship.”  The law specifically excludes three categories of businesses from the definition of “data broker”: (i) consumer reporting agencies to the extent they are covered by the Fair Credit Reporting Act; (ii) financial institutions to the extent they are covered by the Gramm-Leach-Bliley Act; and (iii) entities covered by the Insurance Information and Privacy Protection Act.  “Personal information” is defined to have the meaning provided in subdivision (o) of Section 1798.140, so publicly available information may be excluded from the definition to the extent the data is used for a purpose that is compatible with the purpose for which it is maintained and made available in government records, or for which it is otherwise publicly maintained.

California’s New Data Broker Law Applies to Companies Selling Data

So, if your company is in the business of selling data in any capacity, not only do you need to prepare for the January 1, 2020 launch of the CCPA, you also need to prepare to register with the state of California as a data broker.  Your business will be required to register on or before January 31 following each year in which it meets the definition of a “data broker.”


California Passes New Data Brokering Law

Wednesday, October 23rd, 2019

News Update 10.22.19


California Finalizes California Consumer Privacy Act (“CCPA”)

Friday, October 18th, 2019

In anticipation of the California Consumer Privacy Act (“CCPA”) going into effect on January 1, 2020, California Governor Gavin Newsom has just signed into law seven amendments to the statute, and the California Department of Justice published the text of its new regulations to be adopted in furtherance of the CCPA.

The signed bills include AB 25, AB 874, AB 1146, AB 1355, AB 1564, and AB 1130.  The text of the proposed regulations has been published, and the deadline to submit written comments is 5 p.m. on December 6, 2019.  California is accepting comments submitted in accordance with the instructions posted on the Office of the Attorney General website: https://www.oag.ca.gov/privacy/ccpa.

So now that there is a little more statutory and regulatory clarity on what exactly will be going into effect on January 1st, 2020, SaaS and tech companies are in a better position to start preparing for the law to take effect.

CCPA Compliance Requirements

So, what does your SaaS or tech company need to know about complying with the California law as of January 1, 2020, as the California privacy laws collectively stand today?

First of all, your business will be subject to the law if at least one of the following is true:

  • Your company has gross annual revenues in excess of $25 million;
  • Your company buys, receives, or sells the personal information of 50,000 or more consumers, households or devices;
  • Your company derives 50 percent or more of its revenues from selling consumers’ personal information.

“Consumer” is currently defined as a natural person who is a California resident.  “Personal information” is currently defined as any information that “identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household” and includes not only name, address, and social security number, but also purchasing history or tendencies, biometric information, internet activity, geolocation data, employment information, and education information.  However, publicly available information and de-identified or aggregate consumer information are now specifically excluded from the definition.  “Business” is currently defined to include for-profit businesses as well as other legal entities operated for the profit or financial benefit of their owners.

CCPA Consumer Rights

Second, California consumers will have certain new rights that your business will be responsible for honoring:

  • A Right to Know (a) the specific pieces of personal information the business has collected about the consumer; (b) the categories of personal information it has collected or sold about that consumer; (c) the purpose for which it collected or sold the categories of personal information; and (d) the categories of third parties to whom it sold the personal information.
  • A Right to Delete personal information held by your business or by a service provider of your business, subject to certain exceptions where it is necessary for your business or service provider to do any of the following: (a) complete the transaction for which the personal information was collected, fulfill the terms of a written warranty or product recall conducted in accordance with federal law, provide a good or service requested by the consumer or reasonably anticipated within the context of the business’s ongoing business relationship with the consumer, or otherwise perform a contract between the business and the consumer; (b) detect security incidents; protect against malicious, deceptive, fraudulent, or illegal activity; or prosecute those responsible for that activity; (c) debug to identify and repair errors that impair existing functionality; (d) exercise free speech, ensure the right of another consumer to exercise that consumer’s right of free speech, or exercise another right provided for by law; (e) comply with the California Electronic Communications Privacy Act; (f) engage in public or peer-reviewed scientific, historical, or statistical research in the public interest that adheres to all other applicable ethics and privacy laws, when the deletion of the information is likely to render impossible or seriously impair the achievement of such research, if the consumer has provided informed consent; (g) enable solely internal uses that are reasonably aligned with the expectations of the consumer based on the consumer’s relationship with the business; (h) comply with a legal obligation; or (i) otherwise use the consumer’s personal information, internally, in a lawful manner that is compatible with the context in which the consumer provided the information.
If you or your service provider does not delete the consumer’s information upon request, you must inform the consumer as to why and notify the consumer of any rights he or she has to appeal the decision, and you must do so within the timeframe you would have had to delete the information.
  • A Right to Opt Out of the Sale of personal information.  “Sale” is defined to include selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer’s personal information by the business to another business or a third party for monetary or other consideration.  The proposed regulations provide more clarification on the practices businesses should follow to honor this right to opt out of the sale.  In the case of children under the age of 16, your business cannot sell their personal information unless they have opted in to the sale.  In the case of children under 13, a parent or guardian must opt in on behalf of the child.  The proposed regulations further define the rules related to the protection of children.
  • A Right of Non-Discrimination.  Your business will be prohibited from discriminating against a consumer for exercising his or her rights under the CCPA.  Discrimination will be defined to include denying goods or services to the consumer, charging different prices or rates for goods or services, providing a different level or quality of goods or services to the consumer, or suggesting that the consumer will receive a different price or quality of goods or services; provided that you will be able to charge a different price or rate, provide a different level or quality of goods or services, or offer financial incentives if the difference is reasonably related to the value provided to the business by the consumer’s personal data, so long as the business practice is not unjust, unreasonable, coercive, or usurious in nature.  The proposed regulations further define how the right of non-discrimination will be implemented.

CCPA Business Obligations

Third, businesses will have other new obligations to consumers, including the following:

  • Provide notice to consumers, at or before the point of collection, of the categories of personal information to be collected from them and the purposes for which it will be used.
  • Provide clear and conspicuous notice to consumers of the right to opt out of the sale of personal information in the form of a “Do Not Sell My Personal Information” link on the business’s website or mobile application.
  • Respond to requests from consumers to know, delete, and opt out within the specified timeframe (generally 45 days).  The proposed regulations require businesses to treat a privacy setting selected by a consumer that signals an opt-out as a validly submitted opt-out request.
  • Make available to consumers at least two designated methods for submitting requests for information, including at a minimum a toll-free phone number.  The proposed regulations also specify other business practices for handling requests by consumers.
  • Verify the identity of any consumer making a request to know or delete.  Password-protected account settings are not considered sufficient verification on their own.  The proposed regulations require a business that cannot verify a request to still comply to the greatest extent it can, even if it denies the request as submitted.
  • Disclose any financial incentive offered in exchange for the retention or sale of a consumer’s personal information (as specified by the proposed regulations), including a short summary of the incentive, a description of its material terms and the categories of personal information involved, an explanation of how a consumer can opt in to the incentive, notice that the consumer has the right to withdraw at any time and how he or she can exercise that right, and an explanation of why the incentive is permitted under California privacy law.
  • Retain records of all requests and the responses to those requests for at least 24 months; businesses (alone or in combination) collecting, buying, or selling the personal information of more than 4 million consumers annually are subject to additional recordkeeping obligations.
  • Post a privacy policy that describes consumers’ rights under California privacy law, how to submit requests to exercise those rights, and the business’s data collection and sharing practices.  The proposed regulations define additional requirements for the privacy policy: it must be accessible to consumers with disabilities, or provide consumers with disabilities information on how they can access the policy in an alternative format; it must be in a format that consumers can print out as a separate document; it must explain the right of a consumer not to receive discriminatory treatment; and it must explain how a consumer can designate an authorized agent to make a request on the consumer’s behalf under California privacy law.
  • Train employees or contractors who handle consumer requests on how to comply with California privacy law and how to direct consumers to exercise their rights under it; businesses collecting, buying, or selling the personal information of more than 4 million consumers are subject to additional training obligations.

CCPA Conflicts with GDPR

Fourth, businesses are now going to have to reconcile the requirements of the European Union’s General Data Protection Regulation (“GDPR”) with California’s privacy laws.  In particular, California’s Department of Justice has advised businesses to be wary of the following:

  • Data inventory and mapping of data flows to demonstrate compliance with the GDPR may have to be re-worked to reflect the different requirements of California.
  • Processes and/or systems set up to respond to individual requests for access to or erasure of personal information will need to be reviewed in order to apply different definitions of what constitutes personal information and different rules on verification of consumer requests.
  • Contracts with service providers or data processors adopted to comply with the GDPR may need to be rewritten to reflect the requirements under California law.

Regardless of whether your SaaS or tech company is going to meet the threshold to be subject to the new California law when it goes into effect, it would be prudent to start incorporating these new requirements into your company’s privacy practices and procedures, since they will at the very least become the new best practices for businesses serving California consumers effective January 1, 2020.  It goes without saying that companies that will be subject to the law when it goes into effect need to take steps to become compliant immediately, as the law is set to go into effect in less than 75 days.

If you have questions regarding the CCPA and your company’s compliance obligations, schedule a consultation today.


California Prepares for Approaching Deadline of CCPA Effective Date

Thursday, October 17th, 2019

News Update 10.17.19


SaaS Lawyer Kristie Prinz Presents on “Best Practices for Negotiating SaaS Contracts & Managing Customer Relationships”

Tuesday, October 8th, 2019

SaaS Lawyer Kristie Prinz presented a webinar on “Best Practices for Negotiating SaaS Contracts & Managing Customer Relationships” on October 8, 2019.   A copy of the video recording is available for viewing at this link:  https://theprinzlawoffice.vhx.tv/products/best-practices-for-negotiating-saas-contracts-1


The Prinz Law Office’s Kristie Prinz to Present on “Best Practices for Negotiating SaaS Contracts”

Tuesday, October 8th, 2019

The Prinz Law Office will be sponsoring a webinar on October 8, 2019 on “Best Practices for Negotiating SaaS Contracts & Managing SaaS Customer Relationships.” Firm Founder and SaaS attorney, Kristie Prinz, will be presenting this webinar, which will be intended not only for in-house counsel and other attorneys, but also for founders, businesspeople and CFOs dealing with SaaS agreements.

To register to attend, please sign up at The Prinz Law Store website at https://prinzlawstore.com/2019/08/saas-contracts/.
