California Consumer Privacy Act (“CCPA”) and NY SHIELD Act
To protect both businesses and consumers, a growing number of states are enacting cybersecurity legislation to require entities to implement security measures to safeguard against a data breach. Designed to help prevent unauthorized access to or theft of sensitive consumer information, many of these measures have complex compliance requirements.
To add to the challenge, the current cybersecurity regulatory backdrop consists of a patchwork of different regulations across all 50 states; making compliance inconsistent and tricky for companies operating in multiple states. And, considering privacy scandals such as the Cambridge Analytica affair, states are enacting sweeping privacy requirements, sometimes with a global effect. A recent article in Forbes, “Data Privacy Will Be The Most Important Issue In The Next Decade,” highlights the significance of this trend. California has led the way, with the California Consumer Privacy Act (CCPA). Other states and perhaps the federal government are sure to follow.
The resources on this page can help educate you on potential applicability and the impact to your business. If you need additional guidance, our Privacy and Data Security team can assist with:
- Performing risk assessments to review privacy policies/practices, assess data, pinpoint weaknesses and compliance gaps, and more.
- Developing a comprehensive privacy management program that addresses changes in the privacy regulatory space including the CCPA, NY SHIELD Act, GDPR, and more, to make you “future ready.”
- Providing access to technical experts that have the right experience you need and best-in-class knowledge.
- Allowing for full and frank assessment of your privacy and data security maturity under the attorney-client privilege.
- Applies to for-profit entities, and any entities they control or are controlled by them, that “do business” in California, with certain thresholds.
- Creates extensive new rights and obligations in relation to personal information, including a consumer’s right to know specific pieces of personal information held by a business, and a limited right to deletion.
- Covers any information that can be linked, directly or indirectly, to a consumer or household like IP addresses, online identifiers, products or services purchased by a household, geolocation data from a cell phone, or even inferences drawn from such information.
- Regulations cover any person or business, anywhere in the world, that owns or licenses “private information” about a resident of New York.
- Expands existing definition of protected “private information,” adding an individual’s username and password for an online account, and various types of biometric information, including fingerprints and voiceprints.
- Clarifies that compromise of an account number, or credit or debit card number, even without a compromise of an associated access code or password, is reportable, “if circumstances exist wherein such number could be used to access an individual’s financial account without additional identifying information, security code, access code, or password.”
- Includes a notification exception for situations involving “inadvertent disclosure by persons authorized to access private information” if “such exposure will not likely result in misuse of such information, or financial harm to the affected persons or emotional harm in the case of unknown disclosure of online credentials.”
RESOURCES
LEGALcurrents®- California Legislation Changes the Data Privacy Game – August 2, 2019
- Governor Cuomo Signs New York SHIELD Act Into Law: A Host of Breach Notification and Data Security Changes are Coming – July 30, 2019
- Experimentation in Privacy Law Leads to Increased Complexity, New York Law Journal – November 26, 2019
- NY SHIELD Act Promises More Data Breach Enforcement, and International Reach, New York Law Journal – July 29, 2019