Qualifying businesses have another year to complying with certain, major provisions of the CCPA. The CCPA, or the California Consumer Privacy Act of 2018, is a California law that gives California consumers, defined broadly to encompass all California residents, certain rights with respect to their personal information. Namely, it gives consumers the right to know about the personal information that businesses collect about them; the right to know what businesses do with that information; and, the right opt out of the sale of certain personal information if a business sells that personal information. In turn, qualifying businesses that do business in California must institute certain policies, practices, and methods that allow consumers to effectuate those rights.

On October 10, 2019, the California Attorney General, Xavier Becerra, announced at a press conference that his office has released proposed implementing regulations for the California Consumer Privacy Act (“CCPA”). The text of the proposed regulations is available here.

As background, the CCPA is a California privacy law that seeks to give California consumers the rights to know about and control the personal information that businesses collect about them. For a detailed discussion of the CCPA, please see our previous posts (available here and here).  

Proskauer litigation associate Courtney Bowman and Jonathan Reardon, head of the Al Khobar, Saudi Arabia office of the Middle East-based firm Al Tamini & Co., recently co-authored an article published by Bloomberg about Saudi Arabia’s draft cloud computing regulations.  The article analyzes the draft regulations and their potential impact on

As we’ve discussed in prior posts, newly effective regulations promulgated under Massachusetts’ recent data security law, Mass. Gen. Law ch. 93H, have raised the bar for data security compliance, and they have a long reach.  The regulations are national and international in scope, as they apply to all companies –

Undersecretary Barbara Anthony, of the Massachusetts Office of Consumer Affairs and Business Regulation, announced today revisions to Massachusetts’ data security regulations, as well as an extension of the applicable compliance deadline from January 1, 2010 to March 1, 2010.  (Previous to an earlier extension, the compliance deadline was May 1, 2009.)

The revised regulations emphasize their “risk-based” approach, enabling persons covered by the regulations to tailor their information security programs to their size, scope, type of business, resources, amount of personal information, and need.  These changes were primarily intended to ease the burden of the regulations on small businesses that may not handle a significant amount of personal information, or may not have the resources to develop a sophisticated security program.  That said, the changes apply to all business, not just small businesses.