On August 14, 2020, the California Office of Administrative Law (“OAL”) approved the final implementing regulations pursuant to the California Consumer Privacy Act of 2018 (“CCPA”). This final and approved version of the CCPA regulations went into effect immediately and contains a last round of revisions to language that has been refined across several iterative drafts. While the majority of the changes are grammatical in nature and will have no effect on CCPA compliance requirements, there were a few substantive changes that could impact certain businesses. READ MORE
Victoria ("Tori") Downey is an Associate in Orrick's internationally recognized Cyber, Privacy & Data Innovation practice group. Her practice focuses on the intersection of privacy, security and data management.
Tori partners with clients to navigate through the patchwork of global laws impacting privacy and cybersecurity. She also helps clients reduce the risk of privacy and security incidents.
Prior to joining Orrick, Tori served as an in-house data privacy & security law clerk at a pharmaceutical company in Boston, at a large non-profit corporation in New York City, and at an international oil and gas company in Beijing. She also worked on data privacy matters in the Office of the General Counsel of Northeastern University. Having worked across and within a broad array of industries, she brings an in-house perspective to her client matters.
Posts by: Tori Downey
Today, we are all facing a public health crisis unlike any other we have seen in our lifetime. In addition to serious consequences to global health, the COVID-19 pandemic has created significant disruption in the legal system and privacy law initiatives have not been immune to the virus’s impact. With many state legislatures nearing or at the end of legislative sessions taken over by pandemic priorities, state privacy bill initiatives across the country are grinding to a halt. However, some lawmakers are pushing forward with targeted proposals to protect individual privacy in the face of COVID-19 and some states, particularly California, continue public and private efforts to bolster privacy in their jurisdiction. Below is a summary of the 2020 privacy legislative efforts to date and the impact COVID-19 has had on their progress. READ MORE
On March 11, 2020, the California Attorney General, Xavier Becerra, (“California AG”) released a second set of modifications to the proposed regulations pursuant to the California Consumer Privacy Act of 2018 (“CCPA”). These recent modifications reflect some minor changes and clarifications from the first set of modifications to the proposed regulations (published on February 10, 2020).
On February 7 and again on February 10, 2020, the California Attorney General Xavier Becerra released an updated draft of proposed regulations pursuant to the California Consumer Privacy Act of 2018 (“CCPA”). The updated drafts feature significant changes, clarifications and reversals of policy from the original proposal.
The updated draft regulations—available here (clean) and here (redline to the original October 2019 Draft)—reflect input gathered during the public comment period and series of public hearings which concluded on December 6, 2019. The first draft of the proposed regulations, the public comments and the transcripts and audio of the public hearings are available on the Attorney General’s CCPA webpage. The Attorney General also updated the online cache of documents and other information relied upon in preparing the revised draft regulations here.
The EDPB’s new Guidelines on Article 6(1)(b) may severely limit e-commerce business’ ability to enhance data processing by unilaterally defining contractual services.
On October 8, 2019, the European Data Protection Board (“EDPB”) released the “Guidelines 2/2019 on the processing of personal data under Article 6(1)(b) GDPR in the context of the provision of online services to data subjects” (the “Guidelines”) after public consultation. The text of the Guidelines is available here. Largely in line with previous guidance, the EDPB takes the view that companies cannot expand legal justifications for data processing operations based on broader definitions of their services. The legal justification of a processing for performing a contract does not cover processing operations, which, reasonably, the individuals would not expect when entering into the contract. Businesses should thus carefully review the legal justifications for the processing operations and be prepared to consider limitations on certain data processing should individuals object. READ MORE
On October 10, 2019, the California Attorney General added to the complexity of the California Consumer Privacy Act of 2018 (“CCPA”) by releasing long-awaited proposed regulations that provide guidance on various elements of the CCPA. The text of the proposed regulations is available here and the California Attorney General has made other documents and information relating to the proposed regulations available here. The comment period for the proposed regulations will close on December 6, 2019. Interested parties may review and provide written comments addressing the proposed regulations prior to that date or attend one of four scheduled public hearings on the proposed regulations to be held on December 2-5, 2019. READ MORE