California Consumer Privacy Act (“CCPA”) and NY SHIELD Act

To protect both businesses and consumers, a growing number of states are enacting cybersecurity legislation that requires entities to implement security measures to safeguard against a data breach. Designed to help prevent unauthorized access to or theft of sensitive consumer information, many of these measures have complex compliance requirements. To add to the challenge, the current cybersecurity regulatory backdrop consists of a patchwork of different regulations across all 50 states, making compliance inconsistent and tricky for companies operating in multiple states. And, considering privacy scandals such as the Cambridge Analytica affair, states are enacting sweeping privacy requirements, sometimes with a global effect. A recent article in Forbes, “Data Privacy Will Be The Most Important Issue In The Next Decade,” highlights the significance of this trend. California has led the way with the California Consumer Privacy Act (CCPA). Other states, and perhaps the federal government, are sure to follow. The resources on this page can help educate you on the potential applicability of these laws and their impact on your business. If you need additional guidance, our Privacy and Data Security team can assist with:
  • Performing risk assessments to review privacy policies/practices, assess data, pinpoint weaknesses and compliance gaps, and more.
  • Developing a comprehensive privacy management program that addresses changes in the privacy regulatory space including the CCPA, NY SHIELD Act, GDPR, and more, to make you “future ready.”
  • Providing access to technical experts that have the right experience you need and best-in-class knowledge.
  • Allowing for full and frank assessment of your privacy and data security maturity under the attorney-client privilege.
California Consumer Privacy Act (CCPA)

This complicated piece of legislation, effective January 2020, changes the privacy landscape in California and beyond. This legislation, the first of its kind in the United States, is similar in purpose to the European Union’s General Data Protection Regulation (GDPR) but differs in many respects. Key elements:
  • Applies to for-profit entities, and any entities they control or that control them, that “do business” in California, subject to certain thresholds.
  • Creates extensive new rights and obligations in relation to personal information, including a consumer’s right to know specific pieces of personal information held by a business, and a limited right to deletion.
  • Covers any information that can be linked, directly or indirectly, to a consumer or household like IP addresses, online identifiers, products or services purchased by a household, geolocation data from a cell phone, or even inferences drawn from such information.
Stop Hacks and Improve Electronic Data Security Act (NY SHIELD Act)

The NY SHIELD Act amends New York’s data breach notification statute (General Business Law § 899-aa) and adds new substantive data security requirements for any person or business that owns or licenses computerized data including the defined “private information” of a New York resident. Key elements:
  • Regulations cover any person or business, anywhere in the world, that owns or licenses “private information” about a resident of New York.
  • Expands the existing definition of protected “private information,” adding an individual’s username and password for an online account, and various types of biometric information, including fingerprints and voiceprints.
  • Clarifies that compromise of an account number, or credit or debit card number, even without a compromise of an associated access code or password, is reportable, “if circumstances exist wherein such number could be used to access an individual’s financial account without additional identifying information, security code, access code, or password.”
  • Includes a notification exception for situations involving “inadvertent disclosure by persons authorized to access private information” if “such exposure will not likely result in misuse of such information, or financial harm to the affected persons or emotional harm in the case of unknown disclosure of online credentials.”