The California Privacy Rights Act (CPRA) – An implementation and compliance guide
eBook - ePub

Preston Bukaty

  1. 129 pages
  2. English
  3. ePUB (mobile friendly)
  4. Available on iOS and Android

À propos de ce livre

On May 4, 2020, Californians for Consumer Privacy (an advocacy group founded by Alistair MacTaggart) announced that it had collected more than 900,000 signatures to qualify the CPRA (California Privacy Rights Act) for the November 2020 ballot. Also known as 'CCPA 2.0', the CPRA enhances privacy protections established by the CCPA and builds on consumer rights.

The CPRA effectively replaces the CCPA and will bolster privacy protections for California consumers when it takes effect in 2023. While many elements of the two laws are similar, there are some striking differences that could impact CPRA implementation plans, including:

  • Limiting deletion rights that apply to unstructured data
  • A new right to data minimization with retention requirements related to personal data
  • New definitions and obligations related to cross-context behavioral advertising
  • Amending breach liability to include an email address in combination with a password or security question
  • Establishing a new regulatory enforcement body: the California Privacy Protection Agency

Organizations that fail to comply with the CPRA's requirements will be subject to civil penalties of up to $7,500 and a civil suit that gives every affected consumer the right to seek between $100 and $750 in damages per incident, or actual damages if higher.

The law is complex and requires careful reading to understand the actual requirements for organizations – The California Privacy Rights Act (CPRA) – An implementation and compliance guide is here to help.

Ensure your business is CPRA compliant with essential guidance

This book is your ideal resource for understanding the CPRA and how you can implement a strategy to ensure your organization complies with the legislation.

The California Privacy Rights Act (CPRA) – An implementation and compliance guide is essential reading for anyone with business interests in the state of California. Not only does it serve as an introduction to the legislation, it also discusses the challenges a business may face when trying to achieve CPRA compliance. It gives you the confidence to begin your CPRA compliance journey, while highlighting the potential ongoing developments of the CPRA.

Buy this book and start implementing your CPRA compliance strategy today!


Information

Publisher: ITGP
Year: 2021
ISBN: 9781787782884

CHAPTER 1: CPRA JURISDICTION – TERRITORIAL

Relevant provisions of the California Civil Code that collectively make up the California Privacy Rights Act (CPRA) consistently refer to the rights of consumers as they apply to a “business.” For example, “A consumer shall have the right to request that a business that collects a consumer’s personal information disclose” certain things to that consumer.20 Or, “A consumer shall have the right to request that a business delete any personal information about the consumer which the business has collected from the consumer.”21 As a result, the law’s applicability hinges on key definitions of a “business,” and, like all laws, organizations will need to carefully review definitions and terms to determine which portions of the statute apply.
Although many legal instruments include key terms as part of introductory text, the definitions for terms found in the CPRA are less obviously located. Many key terms can be found in section 1798.140. For example, “business” is defined in section 1798.140(d) as:
(1) A sole proprietorship, partnership, limited liability company, corporation, association, or other legal entity that is organized or operated for the profit or financial benefit of its shareholders or other owners, that collects consumers’ personal information, or on the behalf of which such information is collected and that alone, or jointly with others, determines the purposes and means of the processing of consumers’ personal information, that does business in the State of California, and that satisfies one or more of the following thresholds:
(A) As of January 1 of the calendar year, had annual gross revenues in excess of twenty-five million dollars ($25,000,000) in the preceding calendar year, as adjusted pursuant to paragraph (5) of subdivision (a) of Section 1798.185.
(B) Alone or in combination, annually buys, sells, or shares the personal information of 100,000 or more consumers or households.
(C) Derives 50 percent or more of its annual revenues from selling, or sharing consumers’ personal information.
(2) Any entity that controls or is controlled by a business, as defined in paragraph (1), and that shares common branding with the business and with whom the business shares consumers’ personal information. “Control” or “controlled” means ownership of, or the power to vote, more than 50 percent of the outstanding shares of any class of voting security of a business; control in any manner over the election of a majority of the directors, or of individuals exercising similar functions; or the power to exercise a controlling influence over the management of a company. “Common branding” means a shared name, servicemark, or trademark.
This lengthy definition is not easy to understand. In order to know if the CPRA applies, an organization must first determine whether it does business in the State of California, such that the average consumer would understand that two or more entities are commonly owned.
Although the CPRA does not elaborate on what it specifically means to “do business in the State of California,” there is relevant case law that can provide guidance. First, courts will look for general personal jurisdiction, which relates to a court’s authority to hear cases within its established geographic area.
Typically, an incorporated business entity will be subject to the general personal jurisdiction of its home state. This is generally considered the state of incorporation, and/or the place of principal business (i.e. its headquarters).22 For many organizations, this will mean that they can be subject to the general jurisdiction of two states. For example, if a company is incorporated in Delaware and its headquarters is in California, both Delaware and California will have general jurisdiction over the company. Thus, any organization actually established in California – perhaps by virtue of registering with the Secretary of State, among other things – should consider itself subject to the general jurisdiction of California’s courts. Also, if the organization maintains a physical presence in California, the law will most likely apply.
However, there remains a question of extraterritorial reach. The issue is whether California, as a sovereign state, can apply its laws and regulations to organizations based outside the state but operating within it. These situations are often complex, and critical distinctions in a case can rely on individual factual circumstances. What if a business is not operating within the physical confines of the state but maintains a limited amount of business connections with California consumers? Does this subject the actions of an organization based in one state to the sovereignty of another state’s courts? If one organization can therefore be held accountable by multiple (possibly many) states all at once, how many business connections with a state are necessary for that state to establish jurisdiction? In particular, how many connections with California consumers are necessary for a California law to apply to an organization based in another state?
When US courts fail to establish general jurisdiction, they then look to specific jurisdiction. Specific jurisdiction relates to the amount of contacts that a defendant has with a state. The idea is that a court operating in one state may not have sufficient authority over an out-of-state defendant to claim general jurisdiction by virtue of geography, but, based on the actions of the defendant – either by working within the state or dealing with local residents – a sufficient level of contact is established to grant the local court jurisdiction over the out-of-state defendant.
Typically, the defendant must have “purposefully avail[ed] itself of the privilege of conducting activities within the forum State,” or have purposefully directed its conduct into the court’s state.23 For example, if a defendant commits a crime in one particular state, that state court will have specific jurisdiction as it relates to the crime, regardless of where the defendant organization is based. Keep in mind that the organization will also be subject to the jurisdiction of the state where it is based, so in theory there is always at least one court to enforce rulings. The question, as mentioned earlier, ultimately relates to extraterritorial reach and the sovereignty of state laws under the US Constitution. It also relates to fairness. Defendants should not have the burden of having to appear in multiple state courts if the matter really does not relate to that state. Moreover, plaintiffs should not be able to sue defendants in multiple states if there is no basis (or need) for that court to enforce additional judgment.
Again, these situations are sometimes complex, and increasingly so in the modern business environment. Large organizations may operate across the country, and thus maintain contact with every state all at once. Because they operate at a national level, it may be difficult to determine which states may exercise jurisdiction over an action that was purposely directed at all states, but not any one in particular.
Consider a company that markets and sells products nationally, such as a customer relationship management (CRM) software vendor. Should that company be subject to the jurisdiction of all state courts (and thus possibly have to appear in all state courts) simply because a few people in each state bought the allegedly liable product? Probably not, as it would place an unfair burden on the defendant, in addition to constitutional questions of state power. This issue also becomes especially important in the context of class-action lawsuits, where huge groups of plaintiffs can be built up across the country. Therefore, in order to establish specific jurisdiction, a court must consider whether the actions of the defendant establish a sufficient level of contact with that state.
So, what is a sufficient level of contact? The California Supreme Court attempted to answer this question in 2016. In Bristol-Myers Squibb Co. v. Superior Court (Anderson), a group of plaintiffs, comprising mainly non-California residents, sued the pharmaceutical company Bristol-Myers Squibb Company (BMS) over alleged health defects caused by its product Plavix.24 The issue was that these plaintiffs sued BMS in California for liabilities under California law, despite there being no real connection to California. “The nonresident plaintiffs did not allege that they obtained Plavix through California physicians or from any other California source; nor did they claim that they were injured by Plavix or were treated for their injuries in California.”25 So, was a California court capable of enforcing judgment on an organization (in addition to the court where the organization was based) over actions that did not take place in California? And perhaps more importantly, could a group of plaintiffs – most with no real connection to California – sue a company in California courts for actions that did not take place in California?
In answering these questions, the California Supreme Court applied a “sliding scale approach to specific jurisdiction.”26 With this approach, the defendant’s range of contacts can be used to show the connection between the defendant and the state.27 As a result, the majority determined that it could exercise specific jurisdiction over the plaintiffs’ claims “based on a less direct connection between BMS’s [activities in California] and plaintiffs’ claims than might otherwise be required [due to] BMS’s extensive contacts with California.”28 Similarities between claims of the group’s California and non-California residents effectively allowed California to hear the claims of the whole group.29
As mentioned earlier, the implications of these sorts of interpretations become immensely important when considering class-action lawsuits. The Court’s ruling in Bristol-Myers Squibb would potentially allow class-action plaintiffs to sue defendants in California courts for violations of California law, even though the violations did not occur in California.
Such an important and far-reaching decision di...
