Privacy & Cybersecurity Newsletter

June 2023

Locke Lord's Privacy & Cybersecurity Newsletter provides topical snapshots of recent developments in the fast-changing world of privacy, data protection and cyber risk management. For further information on any of the subjects covered in the newsletter, please contact one of the members of our privacy and cybersecurity team.

In This Issue

Waiting on Guidance From the CPPA. What to Do in the Meantime?‎
Last fall, we provided an update on the state of the regulations promulgated under the California Consumer Privacy Act (CCPA). At the time, we identified key gaps in the current regulations, specifically the lack of guidance on requirements for cybersecurity audits, data processing risk assessments, and automated decision-making. On March 27, 2023, the California Privacy Protection Agency (CPPA) closed its comment period for rulemaking activities on cybersecurity audits, risk assessments, and automated decision-making, which have not been addressed in the regulations to date. read more

The CCPA’s 12-Month Look Back Period May Extend Beyond That
The California Consumer Privacy Act (“CCPA”) provides consumers various rights regarding their personal information including the right to know what personal information a business has collected about the consumer and the right to request that a business delete personal information that has been collected, subject to certain exceptions. (Cal. Code Regs. tit. 11, § 7011 (e)(2)(A)-(B)) The current CCPA regulations, which were finalized on March 29, 2023, modify what has commonly been referred to as “the look back period.” read more

Lessons From the GDPR on the Sunset of the CCPA’s Personnel and B2B ‎Exemptions
As of January 1, 2023, the personal information of personnel (including job applicants, employees, officers, directors and contractors), and of business to business contacts, is subject to the California Consumer Privacy Act (“CCPA”). This is because of the January 1 sunset of the prior exemption for personnel and B2B data. read more

California Privacy Enforcement Will Heat up This Summer as the Agency Takes Control
The California Privacy Rights Act (the “CPRA”), which substantially amended the California Consumer Privacy Act (the “CCPA”), took effect January 1, 2023. Beginning July 1, 2023, the newly formed California Privacy Protection Agency (the “Agency”) will be responsible for handling the enforcement actions already authorized by the CCPA and enforcing violations of the new provisions implemented by the CPRA. Since the passage of the CPRA, the Agency has been busy finalizing the rulemaking package, which was approved by the California Office of Administrative Law on March 30, 2023. It is apparent that the Agency will not waste any time enforcing the CPRA, and businesses operating in California should be on high alert. read more