California CPRA – CCPA 2.0

On Election Day in California, voters will not only be determining choices among candidates standing for election, but they will also be deciding the fate of Proposition 24, referred to as the California Privacy Rights Act (CPRA).  Proposition 24 is intended to build upon the California Consumer Privacy Act (CCPA) that came into force at the beginning of 2020. Among other things, the CPRA would create a California Privacy Protection Agency, a new regulatory agency that would ultimately take over privacy enforcement responsibility from the Office of the California Attorney General.

The CPRA would add a clear ban on discrimination against anyone choosing to ask a company to delete their information and opt out of marketing communications, stronger rights to prevent data sharing by companies (e.g., cross-context behavioral advertising), clearer mechanisms to enable consumers to correct information that is not accurate, and a requirement that companies tell consumers how long they plan to retain the information.

Proposition 24 would also legitimize marketing and promotional schemes that offer consumers a discount or access to benefits in exchange for voluntarily disclosing personally identifiable information (e.g., in the context of rewards or loyalty programs).  Privacy and data protection proponents and opponents have long debated whether consumers should have an option to pay for privacy – viewed as a logical consequence of offering benefits in exchange for information that can be used for marketing and promotional purposes.

Since the CCPA came into force, companies have already been scrambling to comply.  If Proposition 24 passes and CCPA 2.0 comes into force, companies will again have to review and likely revamp their policies and practices to deal with the new compliance obligations. Just as significantly, a separate California Consumer Privacy Agency would likely end up bringing many more enforcement actions, since protecting the privacy rights of California consumers will be its only mission.  Proponents of Proposition 24 say that may well be a good thing for California consumers, but they also argue that an agency solely focused on data protection will also mean more clarity, consistency and guidance surrounding some of the nuances of the California requirements.

Stay tuned. Election Day is only a week away.

Brazil Adopts Comprehensive Data Protection Law

Katie Hyman, Partner

Brazil’s Lei Geral de Proteção de Dados (“LGPD”) officially came into effect on Friday, September 18, 2020. The Brazilian General Data Protection Law, Federal Law no. 13,709/2018, was published on August 15, 2018, is heavily influenced by the EU GDPR, and is Brazil’s first comprehensive framework regulating the use and processing of personal data. Prior to the LGPD, data privacy regulations in Brazil consisted of various provisions spread across Brazilian legislation.

The LGPD applies to businesses of all sizes, with only a few listed exceptions, such as where data are collected for artistic or academic purposes, or for national security and public safety. It will apply when data is collected or stored in Brazil or where data is processed for the purposes of offering goods or services to individuals in Brazil.

The LGPD defines “personal data” broadly: it means any information regarding any identified or identifiable natural person, including data that could be aggregated to identify a person. The general principles underlying the LGPD are set out in Article 6, and these will be used by the Brazilian data protection authority to determine a company’s compliance with the law. The principles are purpose, suitability, necessity, free access, quality of the data, transparency, security, prevention, non-discrimination and accountability.

In line with these principles, the rights of the data subject are set out in Article 18, and these are very similar to those in the GDPR, including access to data, correction of inaccurate data, portability, deletion of data processed with consent, information about entities with which the controller has shared data, information about the possibility of denying consent and revocation of consent.

Companies are required to report data protection breaches to the local data protection authority, but no deadline for reporting is included in the LGPD. Guidance on this is to come from the data protection agency, which is yet to be established. Companies that violate the LGPD can be fined up to 2% of the revenue of their organization, up to a total of R$50 million (approximately US$9 million) per violation. However, penalties for infractions will only start to be applied from August 1, 2021.

An official English translation is not yet available, but the IAPP has provided a translation and you can read it here: Brazilian General Data Protection Law.

If you want more information about this article feel free to contact Katie Hyman or me, Joe Rosenbaum or any of the Rimon lawyers with whom you regularly work.