Wait…CCPA 2.0? What Is the California Privacy Rights Act of 2020 and Will It Become Law?

May.21.2020

On May 4, 2020, Californians for Consumer Privacy announced that it submitted over 900,000 signatures to qualify the California Privacy Rights Act of 2020 (“CPRA”) for California’s November 2020 ballot. With the California Consumer Privacy Act of 2018 (“CCPA”) set to become enforceable on July 1, 2020, this new ballot initiative has left many wondering what the CPRA is and whether the CPRA will become law. We explore these questions further below.
What Is the California Privacy Rights Act of 2020?

Californians for Consumer Privacy, the same group responsible for introducing legislation that led to the creation of the CCPA, submitted the CPRA as a new ballot initiative to “strengthen” California privacy law and address what it describes as efforts by companies to “actively and explicitly prioritize[] weakening the law” and the evolution of “technological tools . . . that exploit a consumer’s data with potentially dangerous consequences.” The CPRA proposes a number of revisions to the CCPA to address ambiguities and overly burdensome requirements, while simultaneously introducing new privacy and security obligations for covered businesses.

Below is a list of highlights from the CPRA:

Revises and expands the scope of covered “businesses” under Cal. Civ. Code § 1798.140(d). The CPRA:

- Narrows the second quantitative “business” threshold to only be met when the entity “[a]lone or in combination, annually buys or sells, or shares the personal information of 100,000 or more consumers or households.” (emphasis added) This departure from the text of the CCPA (which applies to a business that buys, receives, sells or shares the personal information of 50,000 or more consumers, households or devices) may help to exclude some smaller companies from coverage;
- Clarifies the indirect “business” definition applies only to entities controlling or controlled by a “business” that share common branding with the business in a manner the average consumer would understand as signifying common ownership, and with whom the business shares consumers’ personal information, which further helps to exclude separately-operated entities;
- Adds “[a] joint venture or partnership composed of businesses in which each business has at least a 40 percent interest,” but specifies that the JV or partnership and each business are treated as a separate, single business so long as personal information shared by one business with the JV or partnership is not shared with the other business, which may allow a business to avoid “sales” to the JV or partnership; and
- Adds “[a] person that does business in California and that voluntarily certifies to the California Privacy Protection Agency that it is in compliance with, and agrees to be bound by,” the CPRA.

Adds a second category of personal information—“sensitive personal information.” The CPRA adds a new category of personal information under Cal. Civ. Code § 1798.140(ae)—“sensitive personal information,” which is defined as not publicly available:

- Personal information that reveals
  - A consumer’s social security, driver’s license, state identification card, or passport number;
  - A consumer’s account log-in, financial account, debit card, or credit card number in combination with any required security or access code, password, or credentials allowing access to an account;
  - A consumer’s precise geolocation;
  - A consumer’s racial or ethnic origin, religious or philosophical beliefs, or union membership;
  - The contents of a consumer’s mail, email and text messages, unless the business is the intended recipient of the communication;
  - A consumer’s genetic data;
- Biometric information processed for the purpose of uniquely identifying a consumer;
- Personal information collected and analyzed concerning a consumer’s health; or
- Personal information collected and analyzed concerning a consumer’s sex life or sexual orientation.

This new category of personal information will require businesses to provide transparent disclosures about sensitive data they process and will subject businesses to heightened restrictions on its use.

Broadens the notice at collection. The CPRA broadens the obligation of a business to provide notice to a consumer “at or before the point of collection” under Cal. Civ. Code § 1798.100 to include not only “the categories of personal information to be collected and the purposes for which the categories of personal information shall be used” but also:

- Whether such information is sold or shared;
- Separate disclosures for “sensitive personal information” collected, its purpose for collection and use, and whether such information is sold or shared; and
- The length of time the business intends to retain each category of personal information or the criteria used to determine such period.

In addition, the CPRA clarifies that notice at collection must be provided in a “clear and conspicuous manner” at a physical location when the business collects personal information about a consumer on its premises. Businesses should still be able to provide the notice at collection through its privacy notice, but that notice will need to be updated to address the new obligations and will need to be reasonably made available in person.

Adopts an explicit, overarching purpose-limitation obligation. The CPRA imposes an overarching purpose limitation provision in Cal. Civ. Code § 1798.100, requiring a business to collect, use, retain and share a consumer’s personal information only as “reasonably necessary and proportionate to achieve the purposes for which the personal information was collected or processed, or for another disclosed purpose that is compatible with the context in which the personal information was collected, and not further processed in a manner that is incompatible with those purposes.” This provision would codify a key concept found in the Fair Information Practice Principles and the General Data Protection Regulation (“GDPR”) that many companies already endeavor to implement regardless of legal obligation, meaning the new limitation is unlikely to have a significant impact on most businesses’ operations.

Adds new consumer rights and revises existing obligations.

- Right to Know Categories and Specific Pieces of Personal Information. The CPRA maintains the right to know categories and specific pieces of personal information in Cal Civ. Code §§ 1798.110–115. However, for personal information collected on or after January 1, 2022, the CPRA expands consumers’ right to know beyond the current 12-month look-back in Cal. Civ. Code § 1798.130, so long as providing information beyond the 12-month period does not prove impossible and would not involve disproportionate effort. In time, this obligation would significantly increase the amount of data subject to a consumer’s right to know and bring California access rights closer in line to those provided in the European Union.
- New Right to Correction. The CPRA adds a new right in Cal. Civ. Code § 1798.106 (Right to Correction), which grants consumers a right to request a business correct inaccurate personal information maintained about the consumer, taking into account the nature of the personal information and the purposes of the processing of the personal information. Many businesses provide consumers this functionality regardless of legal obligation, but the stakes for properly implementing a correction mechanism increase when required by law.
- New Right to Limit Use and Disclosure of Sensitive Personal Information. The CPRA adds a new right in Cal. Civ. Code § 1798.121, which grants consumers a right to direct a business to limit its use of the consumer’s sensitive personal information to that use which is necessary to perform the services or provide the goods reasonably expected by an average consumer who requests such goods or services, to perform certain enumerated services set forth in Cal. Civ. Code § 1798.140(e), and as authorized by future CPRA regulations. The business is required to create a “Limit the Use of My Sensitive Personal Information” link on its online services pursuant to Cal. Civ. Code § 1798.135, or a combined sensitive personal information, sale and sharing opt-out link. Alternatively, the business can respect automated opt-out preference signals. Notably, the CPRA requires businesses to pass these limitations down to service providers and contractors. However, there is an exception for sensitive personal information that is collected or processed without the purpose of inferring characteristics about a consumer. These heightened restrictions and opt-out options for sensitive personal information increase the complexity and burden of compliance for businesses, particularly when considering how to present both a “Do Not Sell/Share” option and “Limit My Sensitive Personal Information” option.
- Right to Opt Out of “Sales” or Sharing for Cross-Context Behavioral Advertising. The CPRA expands the right to opt out in Cal. Civ. Code § 1798.120 to include not only “sales” of personal information but also the “sharing” of personal information, which is defined in Cal. Civ. Code § 1798.140(ah) as the transfer or making available of “a consumer’s personal information by the business to a third party for cross-context behavioral advertising, whether or not for monetary or other valuable consideration.” By expanding the right to opt out to include the sharing of personal information for behavioral advertising purposes, the CPRA seeks to settle the debate of whether businesses need to provide consumers a right to opt out of third-party adtech cookie collection on the businesses’ online services.
  - The CPRA revises the required link in Cal. Civ. Code § 1798.135 to “Do Not Sell or Share My Personal Information.” As an alternative to the “Do Not Sell” link, the business can respect automated opt-out preference signals.
  - The CPRA also expands the anti-avoidance provision in Cal. Civ. Code § 1798.190 to include the disregard of steps or transactions taken “to purposely avoid the definition of sell or share by eliminating any monetary or other valuable consideration, . . . but where a party is obtaining something of value or use.”
- Right to Deletion. In response to a verifiable consumer deletion request in Cal. Civ. Code § 1798.105, the CPRA requires businesses to notify service providers and contractors, and all third parties to whom the business sold or shared personal information, to delete the consumer’s personal information from their records. In addition, the CPRA obligates service providers and contractors to cooperate with the business, delete the personal information and pass the deletion request downstream to parties who accessed the consumer’s personal information. However, the CPRA expands the exceptions to the right to deletion by indicating they apply any time it is reasonably necessary to maintain the consumer’s personal information to accomplish one of the pre-enumerated deletion exceptions. Businesses are likely to face significant challenges with this broad deletion flow-down requirement, particularly as it pertains to third parties to whom personal information was sold or shared. Not only is the requirement likely unworkable in non-service provider or contractor relationships, it could severely undermine the value of data in a license agreement. Depending on how this provision is interpreted, we would expect substantial pushback from the market.
- Right to Nondiscrimination. The CPRA maintains the right to nondiscrimination in Cal. Civ. Code § 1798.125 but clarifies that the right “does not prohibit a business from offering loyalty, rewards, premium features, discounts, or club card programs consistent with” the CPRA. However, it does prohibit a business from requesting a consumer provide opt-in consent for a financial incentive program for at least 12 months after the consumer last refused to provide opt-in consent. The explicit exception for loyalty, rewards, premium features, discounts, or club card programs consistent with the CPRA is a welcome addition after businesses’ efforts to get an amendment to the CCPA passed last year to address this issue failed.
  - The CPRA defines “consent” in Cal. Civ. Code § 1798.140(h) as “any freely given, specific, informed and unambiguous indication of the consumer’s wishes . . . [signifying] agreement to the processing of personal information relating to him or her for a narrowly defined particular purpose.” This definition is closely aligned with the definition of consent found in the GDPR.
- New Regulatory Automated Decision-Making Technology Right. The CPRA adds an obligation to Cal. Civ. Code § 1798.185(a)(16) for the California Attorney General to adopt regulations “governing access and opt-out rights with respect to businesses’ use of automated decision-making technology, including profiling and requiring businesses’ response to access requests to include meaningful information about the logic involved . . . [and] a description of the likely outcome of the process with respect to the consumer.” Outside of the Washington Facial Recognition Law’s obligations for government agencies using facial recognition (a summary of which is available here), the proposed CPRA automated decision-making regulations would be a significant step toward governing the use of artificial intelligence and other automated decision-making platforms. The obligation to provide meaningful information about the logic involved in automated decision-making and the likely outcome of the process would potentially be difficult for most businesses today and would present new risks to businesses’ proprietary technologies.

Expands contracting requirements.

- Overarching Contract Requirements. The CPRA creates an overarching contract requirement in Cal. Civ. Code § 1798.100(d) for businesses that sell, share or disclose for a business purpose the personal information of a consumer to a third party, service provider or “contractor” to enter into an agreement that:
  - Specifies the information is sold or disclosed only for limited and specified purposes;
  - Obligates the contracting party to comply with the CPRA and provide the same level of privacy protection as required by the CPRA;
  - Requires the contracting party to notify the business if it can no longer meet its obligations under the CPRA; and
  - Grants the business rights to take “reasonable and appropriate steps” to help ensure the contracting party uses the personal information in a manner consistent with the CPRA or to stop and remediate unauthorized use of personal information.

Although the CCPA already imposes contract obligations on service providers and the newly relabeled “contractors,” imposing contracting obligations with third parties would significantly increase the scope and flow-down impact of the CPRA on business transactions.

- New “Contractor” Label and Contract Specifications. In Cal. Civ. Code § 1798.140(j), the CPRA relabels the former non-third-party designation found in Cal. Civ. Code § 1798.140(w)(2) as a “contractor” designation, distinct from a “service provider” designation, and adds contractual limitations on the ability to combine the personal information received from or on behalf of multiple businesses, a contractual obligation to allow the business to monitor the contractor’s compliance with the contract, and to pass down “contractor” restrictions to any other person engaged to assist in the processing of personal information on behalf of the business. This revision likely seeks to resolve the debate of whether the formerly non-third-party designation is a distinct designation from the “service provider” designation, but, due to broad revisions to both definitions, there remains substantial overlap between the two designations that is likely to continue to add to the confusion.
- New “Service Provider” Contract Specifications. In Cal. Civ. Code § 1798.140(ag), the CPRA revises the definition of a “service provider” adding a contractual obligation not to sell or share personal information, a contractual restriction not to retain, use or disclose personal information outside the direct business relationship between the service provider and business, and a contractual limitation on the ability to combine the personal information received from or on behalf of multiple businesses. The new definition also expressly provides that the contract may permit the business to monitor the service provider’s compliance with the contract, and the service provider is obligated to pass down “service provider” restrictions to any other person engaged to assist in the processing of personal information on behalf of the business. Overall, these revisions are likely to have limited impact on the business and service provider relationship but may require updates to contractual language to ensure compliance with the law.

Modifies statutory exceptions.

- Personnel/Employee Exception. The CPRA extends the sunset provision for the personnel/employee exception in Cal. Civ. Code § 1798.140(m) from January 1, 2021 to January 1, 2023.
- B2B Exception. The CPRA extends the sunset provision for the B2B exception in Cal. Civ. Code § 1798.140(n) from January 1, 2021 to January 1, 2023.
- Financial Information Exception. In Cal. Civ. Code § 1798.145(e), the CPRA revised the financial information exception to apply to “personal information collected, processed, sold, or disclosed pursuant subject to the federal Gramm-Leach-Bliley Act . . . , or the California Financial Information Privacy Act, . . . or the Federal Farm Credit Act of 1971.” (emphasis added) By changing one word in the exception (from “pursuant to” to “subject to”), the CPRA may be seeking to narrow the interpretation of the financial information exception. Without further regulator guidance, it is difficult to predict the true impact this revision may have.
- New Household Data Exception. In Cal. Civ. Code § 1798.145(p), the CPRA creates an exception for household data from Cal. Civ. Code § 1798.105 (Right to Deletion), 1798.106 (Right to Correction), and 1798.110–115 (Right to Know). This revision helps businesses avoid difficult verification process decisions that often arise when multiple people are connected to the same personal information.
- Trade Secret Exception. The CPRA clarifies in Cal. Civ. Code §§ 1798.100(f) and 1798.185(a)(3) that a business is not required to disclose trade secrets as part of its obligation to provide notice at collection or in response to a verifiable consumer request. Although the CCPA maintained a similar requirement for trade secrets and intellectual property rights to be addressed in the regulations, the California Attorney General has to date ignored this direction and failed to provide any guidance on this matter.
- Deidentified Information Exception. The CPRA revises the definition of “deidentified” information in Cal. Civ. Code § 1798.140(m) to mean “information that cannot reasonably be used to infer information about, or otherwise be linked to, a particular consumer,” (emphasis added) provided the business that possesses the information:
  - takes reasonable measures to ensure the information cannot be associated with a consumer or household;
  - publicly commits to maintain and use the information in deidentified form and not attempt to reidentify the information absent an exception; and
  - contractually obligates any recipients of information to do the same.

By requiring businesses to publicly commit to deidentification practices, the CPRA creates heightened risks for claims of deceptive or unfair trade practices by businesses relying on the deidentified information exception.

- Public Information Exception. The CPRA expands the exception for publicly available information in Cal Civ. Code § 1798.140(v)(2) to also include:
  - lawfully obtained, truthful information that is a matter of public concern;
  - information that a business has a reasonable basis to believe is lawfully made available to the general public by the consumer or from widely distributed media; or
  - information made available by a person to whom the consumer has disclosed the information if the consumer has not restricted the information to a specific audience.

This revision brings true “public” information within the exception and would likely have a significant impact on the compliance posture of online consumer platforms, such as social media networks.

Imposes a “reasonable security” obligation. In Cal. Civ. Code § 1798.100(e), the CPRA requires a business to “implement reasonable security procedures and practices appropriate to the nature of the personal information to protect the personal information from unauthorized or illegal access, destruction, use, modification, or disclosure in accordance with Section 1798.81.5.” This revision may cause existing California reasonable security obligations to extend to all personal information, as defined in the CPRA, rather than the narrower subset defined in the security laws. Moreover, this addition fills the gap left by the CCPA’s failure to impose a duty to implement reasonable security, causing potential confusion as to when the consumer private right of action applies in the wake of a data breach.

Expands the breach private right of action, increases fines for children’s privacy violations, and creates new enforcement agency.

- Private Right of Action. The CPRA expands the private right of action in Cal. Civ. Code § 1798.150 to apply to “[a]ny consumer whose nonencrypted and nonredacted personal information, as defined in subparagraph (A) of paragraph (1) of subdivision (d) of Section 1798.81.5, or whose email address in combination with a password or security questions and answer that would permit access to the account, is subject to an unauthorized access and exfiltration, theft, or disclosure as a result of the business’s violation of the duty to implement and maintain reasonable security procedures and practices appropriate to the nature of the information.” (emphasis added) In addition, the CPRA clarifies the “implementation and maintenance of reasonable security procedures and practices pursuant to Section 1798.81.5 following a breach does not constitute a cure with respect to that breach,” such that the business could avoid a private suit. These revisions significantly increase litigation risk for businesses subject to a data breach, particularly given how frequently email addresses and passwords are exposed in security incidents.
- Fines for Children’s Privacy. The CPRA increases the fines in Cal. Civ. Code § 1798.155 to $7,500 for “violations involving the personal information of consumers whom the business, service provider, contractor or other person has actual knowledge is under 16 years of age.” As a result, ordinary CPRA violations relating to children’s personal information would be subject to three times the monetary fines currently available under the CCPA.
- New Administrative Enforcement Agency. In Cal. Civ. Code § 1798.199.10 et seq., the CPRA establishes the California Privacy Protection Agency, which is vested with full administrative power, authority and jurisdiction to implement and enforce the CPRA. In addition to administering, implementing and enforcing the CPRA, the California Privacy Protection Agency will also assume rulemaking responsibilities under the CCPA and CPRA, when ready. The creation of this new agency focused solely on consumer privacy would create a regulatory landscape in California similar to the data protection authority regime currently in place in the European Union and increase the resources available to undertake significant and numerous privacy-related investigations.
- New Call for Regulatory Requirements for Annual Risk Assessments and Cybersecurity Audits. The CPRA directs the California Attorney General to promulgate regulations to further clarity a number of compliance obligations under the law. Cal. Civ. Code § 178.185(a)(15) calls for regulations requiring businesses “whose processing of consumers’ personal information presents a significant risk to consumers’ privacy or security” to perform an annual cybersecurity audit and submit a risk assessment to the California Privacy Protection Agency on a regular basis. The risk assessment requirement evokes the GDPR concept of the data privacy impact assessment, but goes further by requiring such assessments to be submitted to a regulatory body.

Provides multiyear ramp-up period. If passed into law, the extensions of the personnel/employee exception and B2B exception, the creation of a “Consumer Privacy Fund,” the direction for the Attorney General to adopt regulations, and the establishment of the California Privacy Protection Agency becomes operative on the CPRA’s effective date. The remainder of the CPRA will become operative January 1, 2023, and with the exception of the right of access, shall only apply to personal information collected by a business on or after January 1, 2022. Until then, the provisions of the CCPA remain in full force and effect. As a result, the full impact of the CPRA is unlikely to be felt for a number of years.

Will the California Consumer Privacy Rights Act Become Law?

The State of California grants its citizens the right to propose laws and constitutional amendments (“initiatives”) without the support of the Governor or Legislature. As outlined by the California Attorney General and California Secretary of State, the steps for an initiative to become law can be summarized as follows:

Write the text of the initiative. This step can be completed solely by the initiative’s proponents, or the proponents may seek advice and assistance from private counsel or designated California government resources.
Submit the initiative to the Attorney General for title, summary and public review. This step requires the proponents to submit the initiative draft to the Attorney General for official title and summary, during which time the Attorney General’s Office posts the initiative on its website and facilitates a 30-day public review and amendment process.
Obtain sufficient signatures from registered California voters. This step provides proponents a maximum of 180 days to circulate initiative petitions and obtain signatures of registered California voters for initiative statutes equaling at least 5% of the total votes cast for the office of Governor at the last gubernatorial election (currently 623,212 votes). More votes are needed for constitutional amendments.
Verify the signature totals with county election officials. Once the requisite number of signatures has been collected, the initiative petitions are filed with the appropriate county elections official(s), who are responsible for verifying the submitted signatures by:
- Conducting a raw count of the signatures within eight working days; and
- If the raw count equals 100 percent or more of the total number of signatures needed, verifying a random sample of the signatures in each county within 30 working days, the results of which are submitted to the Secretary of State to determine the projected statewide total of valid signatures.
Qualify the initiative for the next California ballot. If the projected statewide total of valid signatures is greater than 110 percent of the required number of signatures, the Secretary of State will be able to certify that the initiative is eligible for the next statewide general election held at least 131 days later and will issue a certificate of qualification for the ballot. If the projected statewide total of valid signatures is between 95 percent and 110 percent of the required number of signatures, the Secretary of State will direct the county elections officials to verify every signature on the petition and only qualify the initiative if 100 percent of the required number of signatures are verified.
Obtain sufficient approval from California voters for the ballot initiative to become law. A ballot initiative that is approved by a majority vote at the statewide general election takes effect the fifth day after the Secretary of State certifies the election results, unless the initiative provides otherwise.

On May 4, 2020, the Californians for Consumer Privacy announced that it submitted well over 900,000 signatures to qualify the CPRA for the November 2020 ballot. Based on these self-reported numbers, it is likely the CPRA will have sufficient verified signatures to qualify for the next statewide California general election at least 131 days after verification. It is, however, difficult to predict the pace at which signatures may be verified, particularly as the United States faces an unprecedented health crisis due to the COVID- 19 pandemic, so it remains too early to make a determination as to whether the CPRA is likely to meet its deadline.

If a sufficient number of the CPRA petition signatures are verified and the CPRA is qualified for a ballot vote, the Californians for Consumer Privacy currently predict 88 percent of California voters would vote YES to support a ballot measure expanding privacy protections for personal information, like the CPRA. As a result, there appears to be sufficient support for the CPRA to become law whether on this year’s or next year’s ballot. However, it is possible the California legislature will try to negotiate the withdrawal of the CPRA from the ballot, if qualified, in exchange for substantially similar amendments to the CCPA in order to avoid amendments being passed into law without substantive legislative input. It is important to note this is exactly what occurred when the CCPA qualified for the California ballot in 2018.

Conclusion

In summary, the CPRA appears to have garnered sufficient statewide support to either become law on its own or to put sufficient pressure on California lawmakers to make substantially similar amendments to the CCPA through the legislative process. Although a number of the amendments proposed by the CPRA would increase burden on businesses, there are also several amendments that would be beneficial to businesses by reducing ambiguity in the law and introducing more balanced compliance obligations. However, the CPRA still leaves significant gaps in compliance details to be addressed through the rulemaking authority of the California Attorney General and the proposed California Privacy Protection Agency. As a result, it is likely the CPRA will impact businesses’ compliance with California privacy law, but the full extent of the impact will continue to evolve as this proposed ballot measure makes its way through the lawmaking process.

Authors

Shannon Yavorsky Partner, Cyber, Privacy & Data Innovation, Technology Transactions

San Francisco; London

See my bio

D:+1 415 773 5731
E: [email protected]

Practice:

Technology & Innovation Sector
Cyber, Privacy & Data Innovation
Technology Transactions
Global Compliance & Regulatory
Behördliche Untersuchungen und Vollstreckungsmaßnahmen
Environmental, Social & Corporate Governance (ESG)
Strategic Advisory & Government Enforcement (SAGE)

vCard

See full bio

Shannon Yavorsky Partner

San Francisco; London

She advises public and private companies across several sectors, including life sciences and health technology, financial services, private equity, insurance, social media and technology on a range of EU and U.S. federal and state privacy laws. Shannon’s strategic counseling advice includes, but is not limited to:

Advertising and payment card processing self-regulatory frameworks
Controlling the Assault of Non-Solicited Pornography And Marketing Act (CAN-SPAM)
Electronic Communications Privacy Act (ECPA)
EU Artificial Intelligence Act
EU e-Privacy Directive
EU General Data Protection Regulation (GDPR)
Fair Credit Reporting Act (FCRA)
Gramm–Leach–Bliley Act (GLBA)
Health Insurance Portability and Accountability Act (HIPAA)
National Institute of Standards and Technology (NIST) Artificial Intelligence Risk Management Framework
Telephone Consumer Protection Act (TCPA)
U.S. state breach notification laws
U.S. state privacy laws in California, Colorado, Connecticut, Utah and Virginia (CCPA, CPRA, CPA, CTDPA, UCPA, VCDPA)

Shannon also helps clients undertake comprehensive privacy, cybersecurity and artificial intelligence risk assessments, evaluates privacy, security and artificial intelligence risks in corporate transactions and drafts and negotiates data-related contracts. She advises clients on cross-border data transfers, data breaches and developing global privacy and artificial intelligence compliance programs.

Heather Egan Partner, Cyber, Privacy & Data Innovation, Global Compliance & Regulatory

Boston

See my bio

D:+1 617 880 1830
E: [email protected]

Practice:

Technology & Innovation Sector
Finance Sector
Energy & Infrastructure Sector
Cyber, Privacy & Data Innovation
Global Compliance & Regulatory
Behördliche Untersuchungen und Vollstreckungsmaßnahmen
Technology & Innovation
Fintech
Environmental, Social & Corporate Governance (ESG)
Strategic Advisory & Government Enforcement (SAGE)

vCard

See full bio

Heather Egan Partner

Boston

Heather partners with clients to reduce the risk of privacy and security incidents. In the event of an incident, she helps companies respond, successfully guiding them through investigation, remediation, notification and any ensuing government inquiries. She provides comprehensive crisis management support and companies rely on her to manage their response to catastrophes, investigations and government probes involving conduct by employees, contractors and third parties.

To help clients navigate complicated global regulatory compliance challenges, she leads comprehensive cybersecurity and privacy assessments worldwide, vets risks in corporate transactions, conducts internal investigations stemming from data incidents, and drafts and negotiates contracts concerning data-related vendors and arrangements. She regularly counsels businesses on how to mitigate risks associated with the collection, use, retention, disclosure, transfer and disposal of personal data. Outside of the U.S., she manages teams of talented counsel around the world to deliver seamless advice for clients that operate across many jurisdictional lines, developing comprehensive privacy and cybersecurity programs that address competing regulatory regimes.

Emily S. Tabatabai Partner, Cyber, Privacy & Data Innovation, Technology Companies Group

Washington, D.C.; Houston

See my bio

D:+1 202 339 8698
E: [email protected]

Practice:

Technology & Innovation Sector
Cyber, Privacy & Data Innovation
Technology Companies Group
Internet of Things
Strategic Advisory & Government Enforcement (SAGE)

vCard

See full bio

Emily S. Tabatabai Partner

Washington, D.C.; Houston

Emily provides strategic counseling and advice on privacy, consumer protection and online safety matters to clients across industries, including retail, ecommerce, mobile apps, gaming, social media, advertising technology (adtech), financial services, education, business services and technology. She also represents clients subject to regulatory investigations, including before the FTC and States Attorneys General, Congressional committees and other regulatory agencies and groups.

Emily provides proactive compliance guidance, and regulatory investigation defense, on a variety of privacy and consumer protection laws, including:

U.S. state privacy laws in California, Colorado, Connecticut, Utah and Virginia (CCPA, CPRA, CPA, CTDPA, UCPA, VCDPA)
Children’s Online Privacy Protection Act (COPPA)
Online safety laws for kids and teens, including California Age-Appropriate Design Code Act (AADC), Utah Social Media Regulation Act and others
Section 5 of the Federal Trade Commission Act (FTC Act) and state unfair and deceptive acts and practices (UDAP) laws
Family Educational Rights and Privacy Act (FERPA)
California’s Student Online Personal Information Protection Act (SOPIPA), New York’s Education Law 2-d and other state student data privacy laws
Illinois’ Biometric Information Privacy Act (BIPA) and other biometric privacy laws
Washington My Health My Data Act and other state health privacy laws
Fair Credit Reporting Act (FCRA)
Gramm-Leach-Bliley Act (GLBA)
Telephone Consumer Protection Act (TCPA)
Telemarketing Sales Rule (TSR)
Restore Online Shoppers’ Confidence Act (ROSCA)

Emily is a frequent speaker on data privacy matters, with a particular focus on children’s privacy (COPPA), student data privacy and EdTech and online safety laws for kids and teens. She has been featured as an “Up and Coming” Privacy & Data Security attorney by Chambers USA and Chambers Global. Clients tell Chambers, “She’s been an excellent partner. She has a very good understanding of the practical realities of implementing privacy policies for large companies.” Citing her expertise in the field of educational privacy, student data and EdTech matters, Chambers reports that clients regard her as “very knowledgeable and truly an expert in this space,” with some saying, “On the student data side, she is unmatched,” and The Legal 500 notes that Emily “is the first port of call for child- and student-directed service providers for compliance advice with COPPA, SOPIPA and CalOPPA regulations.”

Emily also has an active consumer protection practice, focused on marketing and promotional issues. She counsels clients on advertisements and endorsements, retail sales and e-commerce, advertising substantiation, SMS and telemarketing, social media and online advertising.

Nicholas Farnsworth Senior Associate, Cyber, Privacy & Data Innovation, Artificial Intelligence & Machine Learning

Boston

See my bio

M:+1 978 430 8003
E: [email protected]

Practice:

Technology & Innovation Sector
Cyber, Privacy & Data Innovation
Artificial Intelligence & Machine Learning
Technology Transactions
Automotive Technology & Mobility
Strategic Advisory & Government Enforcement (SAGE)

vCard

See full bio

Nicholas Farnsworth Senior Associate

Boston

Nick provides compliance guidance on both proposed and effective laws on a federal and state level in the U.S., including:

Controlling the Assault of Non-Solicited Pornography And Marketing Act (CAN-SPAM)
Children’s Online Privacy Protection Act (COPPA)
Illinois Biometric Information Privacy Act (BIPA) and other biometric privacy laws
Fair Credit Reporting Act (FCRA)
Gramm-Leach-Bliley Act (GLBA)
Section 5 of the Federal Trade Commission Act (FTC) Act
Telephone Consumer Protection Act (TCPA)
U.S. state breach notification laws
U.S. state privacy laws in California, Colorado, Connecticut, Utah and Virginia (CCPA, CPRA, CPA, CTDPA, UCPA, VCDPA)

He also counsels clients on the impact of international laws from a U.S. perspective, including the General Data Protection Regulation (GDPR) and the ePrivacy Directive. In addition, Nick devotes a portion of his practice to innovative client solutions and community engagement. His pro bono practice has included representing clients in immigration and innocence matters and assisting small businesses with their legal needs. To make the CCPA more accessible, Nick was a member of the team that developed Orrick’s CCPA Readiness Assessment Tool, which provides companies an opportunity to test their preparedness for compliance with the CCPA as a first step to constructing their strategic compliance roadmap.

Nick has obtained the Certified Information Privacy Professional - United States (CIPP/US), Certified Information Privacy Technologist (CIPT) and Privacy Law Specialist (PLS) designations from the International Association of Privacy Professionals.