California Passes Landmark Consumer Privacy CCPA—What it Means for Businesses

Akin Gump Strauss Hauer & Feld LLP

Key Points

  • California recently passed the landmark California Consumer Privacy Act that goes into effect in 2020, which grants California residents new privacy rights.
  • The CCPA creates a private right of action for California residents and grants new enforcement power to the Attorney General with high damages recoverable.
  • Hastily passed by the Legislature after only a week of debate, the CCPA contains provisions that require further clarification and that may prompt additional revisions.

I. Background

On June 28, 2018, Governor Brown signed into law one of the strictest and farthest-reaching consumer privacy laws in the country, the California Consumer Privacy Act of 2018 (the “CCPA”). (See AB-375.) The CCPA is a response to a growing concern that consumers need stronger means to protect their personal information in light of, among other things, recent data breaches and related privacy incidents that have affected millions of Americans (e.g., Target, Equifax and Cambridge Analytica). The CCPA imposes a range of new requirements on businesses to further its goal of ensuring that consumers enjoy choice and transparency in the treatment of their personal information.

The hastily-passed CCPA is part of a deal brokered by the Legislature and Governor Brown to avert a costly fight over a proposed ballot initiative championed by privacy activists that would have put even more stringent measures before voters this November. Legislators and the proponents of the ballot initiative reached an agreement whereby the proponents would remove the initiative from the ballot if the CCPA was signed into law by the deadline for such removal.

The CCPA grants California residents the right: (1) to know what personal information is being collected about them; (2) to know whether their personal information is sold or otherwise disclosed and to whom; (3) to say no to the sale of their personal information; (4) to access their personal information and request deletion under certain circumstances; and (5) to receive equal service and price, even if they exercise their privacy rights.

It also creates a private right of action for California residents if their unencrypted or unredacted personal information is subject to certain security incidents as a result of a business’s failure to implement reasonable security. Plaintiffs may seek the greater of their actual damages or set damages of between $100 and $750 per consumer per incident. The CCPA also empowers the Attorney General to pursue cases against businesses for damages of up to $7,500 per violation for intentional violations.

There is already talk about amending the CCPA to revise and clarify certain provisions. Businesses should carefully monitor future amendments to the law and the adoption of corresponding regulations, which will likely affect the CCPA’s impact on day-to-day business.

II. Key Provisions

A. Whose Information is Regulated?

The CCPA places restrictions on certain businesses as a means of protecting consumers’ personal information. Importantly, “consumer” for the purposes of the CCPA means any natural person who is a resident of California as “resident” is defined in tax provisions. Thus, under this broad definition, “consumer” includes: (1) every individual who is in California for other than a temporary or transitory purpose, and (2) every individual who is domiciled in California who is outside of California for a temporary or transitory purpose. Given this definition, the CCPA may arguably apply to covered entities that process even a single California resident’s personal information no matter where that entity is located.

B. What Information is Regulated?

The CCPA expands the definition of “personal information” to include any information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked with a particular consumer or household. This includes information like a consumer’s name, postal address, social security number, education information, inferences drawn to create a profile about the consumer, consumer preferences, etc. The definition both encompasses and is broader than the definition of “personal information” used in California’s data breach statute. For example, it includes biometric information (e.g., imagery of the fingerprint, face, palm, etc.) collected without a consumer’s knowledge.

Businesses may find that they collect information that may be considered sensitive under the CCPA even though other regulations or statutes may not classify it as such. The CCPA, moreover, contemplates that the Attorney General will adopt regulations to revise various subcomponents of the definition of personal information that, depending on the regulation adopted, could further expand the definition beyond its already broad terms. Because of the breadth of this definition, businesses in California and beyond that previously did not consider themselves to be maintaining regulated personal information may find that this is no longer the case once the CCPA takes effect, even if their data practices have not changed.

Notably, certain categories of information are apparently excluded from the reach of the Act, including: (1) publicly available information, which appears to generally mean information that is lawfully made available from government records; (2) deidentified information, which means information that cannot reasonably identify, relate to, describe, etc. a particular consumer provided the businesses takes certain safeguards (e.g., protect against reidentification); and (3) aggregate consumer information, which means information that relates to a group or category of consumers from which individual consumer identities have been removed and that is not linked or reasonably linkable to a particular consumer or household. Information is not considered to be publicly available if it is used for a purpose other than the purpose for which it is maintained and made available in government records, or for which it is publicly maintained. The sections of the CCPA discussing deidentified and aggregate consumer information are somewhat opaque and businesses relying upon information in these categories should further explore the applicability of the CCPA to some uses of these types of information.   

C. What Entities are Regulated?

The CCPA governs businesses (meaning for-profit entities) that (1) collect consumers’ personal information, or on whose behalf such information is collected, and that determine the purposes and means of processing that information, and that (2) meet one of three criteria: (a) have annual gross revenue above $25 million; (b) alone or in combination annually buy, receive for commercial purposes, sell, etc. the personal information of 50,000 or more consumers, households, or devices; or (c) derive 50 percent or more of its annual revenue from selling consumers’ personal information. Entities that either control or are controlled by such businesses are also covered by the Act. Commercial conduct that takes place wholly outside of California is not covered by the Act.

The CCPA also places restrictions on how a business should share consumers’ personal information with its service providers as well as with third parties. “Service provider” means a for-profit entity that processes information on behalf of a business and to which the business discloses consumers’ personal information for a business purpose pursuant to a written contract. Such contract must prohibit the service provider from, among other things, selling, retaining, using, or disclosing the personal information it receives for any commercial purpose other than the services specific in that contract. Any entity that is not a business or a service provider – as those terms are defined in the CCPA – is considered a third party.  The CCPA treats service providers and third parties differently in a number of ways, including that it: (1) limits a business’s liability for service provider misconduct if certain conditions are met (see infra Section L), but does not offer the same protection when a business sells, share, or discloses personal information to third parties; and (2) limits a business’s ability to sell, share, or disclose consumers’ personal information to third parties without providing consumers prior notice and the option to opt out of the sale (see infra Sections D and G(2)), but does not place the same requirements on sharing information with service providers.

The collection and use of consumers’ personal information by California state and local government entities is not covered by the Act. This omission has been soundly criticized by privacy advocates and marks a departure from other privacy-focused statutes. There is already discussion of passing additional legislation during the next session to apply similar controls to California government entities.

D. What Notices and Disclosures Must be Provided to Consumers?

Businesses are required to provide consumers certain notices and disclosures in materials posted on their websites and through other means. This includes notice of: (1) at or before the point of collection, the categories of personal information the business collects about consumers and the purposes for which they will be used; (2) consumers’ rights to request that the business delete their personal information; and (3) if the business intends to sell personal information to third parties, consumers’ right to opt out from that sale. In addition, businesses have to include in their online privacy policies, in California-specific descriptions of rights online, or in their websites generally information to help consumers understand and exercise their rights, including a description of consumers’ rights under the CCPA (e.g., to request information on what personal information has been collected, sold or disclosed about them, to have such information deleted, or to opt out of the sale of information, etc.), how to submit related requests, and lists of the categories of personal information the business has collected, sold and disclosed about consumers generally in the prior 12-month period.

E. What Information Must be Provided to Consumers Upon Request?

Consumers have a right to request and receive (if they provide a verifiable request) the following information from businesses: (1) the categories and specific pieces of personal information the business has collected about the consumer; (2) the categories of sources from which the personal information is collected; (3) the business purposes for which the personal information is collected; (4) the categories of third parties with whom the business shares consumers’ personal information; and (5) the categories of personal information that the business sold or disclosed about the consumer for a business purpose. Subject to certain potential extensions, businesses have to respond to consumers’ requests within 45 days. The response must cover the 12-month period prior to the consumer’s request and include the required information in a transferrable format if provided electronically. In effect, businesses should be prepared operationally by December 31, 2019 (the day before the CCPA takes effect) to practically respond to consumer requests, which requires tracking the collection of personal information, as well as tracking the sources of information and any third parties that receive the information.    

The CCPA does not specify whether businesses will be expected to provide information for the 12 months preceding the date the Act takes effect (January 1, 2020), or if the requirement to track and provide the various categories of covered information begins as of that date. Until this point is clarified, businesses may need to be prepared operationally as of January 1, 2019 (12 months before the CCPA takes effect) to track the various categories of information that they may need to practically respond to consumer requests as of January 1, 2020. This is yet another issue that should be clarified before the CCPA goes into force.

There are certain qualifiers that suggest the actual information that need be provided to consumers under the CCPA is more limited than may appear upon first reading. Businesses are only required to provide the “categories” of sources from which personal information is collected or the categories of third parties with which personal information is shared. It appears business could respond to consumer requests for information on these points with a general list, rather than with information specific to the particular consumer making the request. An exception to this is the requirement that businesses inform consumers of both the categories and specific pieces of personal information it has collected about the requesting consumer. Even then, the CCPA is not clear what is meant by “specific pieces” of information. It may be sufficient for a businesses to inform the consumer which of its general list of categories of personal information it actually collected about the consumer, rather than provide the consumer all of the personal information collected about the consumer in the prior 12-month period.

F. Are There Limits on a Business’s Obligation to Respond to Requests?

The CCPA includes a few protections for businesses in the form of limitations on the number of responses that have to be provided to consumers within a single year (two responses per year only are required), potential extensions of the time to respond to consumer requests (can be extended by an additional 90 days), and the possibility of refusing to CCPA on requests or charging a reasonable fee where requests are unfounded or excessive. With regard to the last point, businesses bear the burden of demonstrating that the requests were unfounded or excessive should they refuse to respond or charge a fee for this reason.

G. What Rights Does a Consumer Have Beyond Requesting Information?

1. The Right to Delete Personal Information

A consumer has a right to request that a business delete his or her personal information from its records and direct any service providers to do the same. Businesses must comply with verifiable consumer requests. The CCPA does not specify how information is to be deleted or provide a specific means of testing the proper outcome.

There are nine exemptions to the deletion requirement that permit a business to avoid deleting a consumer’s personal information, including: (1) to complete the transaction or service for which the information was collected; (2) to detect security incidents, protect against malicious, deceptive/fraudulent, or illegal activity, or prosecute those responsible for that activity; (3) to debug or identify errors; (4) to exercise free speech; (5) to comply with certain sections of the California Electronic Communications Privacy Act; (6) to engage in certain types of research if the consumer has provided informed consent; (7) to enable solely internal uses that are reasonably aligned with the consumer’s expectations (based on his or her relationship with the business); (8) to comply with legal obligations; or (9) to use internally in a lawful manner consistent with the context in which the information was provided. The breadth of these exemptions suggests the right to delete may be fairly limited in certain circumstances, although even a limited deletion right could present material challenges for businesses.

Although akin to the GDPR’s “right to erasure,” California’s “right to delete” appears to be narrower in application. Under the GDPR, personal data must be erased immediately as long as the data are no longer needed for their original processing purpose, the impacted person has withdrawn his or her consent and there is no other reason for justification, the impacted person has objected and there is no preferential justified reason for the processing, or erasure is required to fulfill a statutory obligation under EU law or the right of the Member States. The GDPR, as with the Act, does not specify how data should be erased in individual cases. The key result is that it is no longer possible to see the data without disproportionate expense.

2. The Right to Opt Out of the Sale of Personal Information

Consumers must be provided the option to opt out of the sale of their personal information to third parties at any time. Once consumers have opted out, their information cannot be sold unless they later provide authorization. The CCPA restricts businesses from requesting reauthorization from a consumer for 12 months after the consumer opts out. The right to opt out only covers the sale of personal information to third parties.

To facilitate the opt-out process, businesses are required to provide a “Do Not Sell My Personal Information” link on their websites’ homepages that link to a form enabling consumers to opt out of the sale of their personal information and providing related information. Consumers must be permitted to opt out of the sale of their data without creating an account with the business. The CCPA also contemplates the eventual development of a standard “Do Not Sell My Personal Information” link that will have a similar appearance and function across different entities. Development of that common icon will take place sometime in the future.

There are special authorization or “opt-in” rights provided to minors. Businesses may not sell the personal information of a consumer if they have “actual knowledge” that the consumer is younger than 16 and have not received specific authorization. Children age 13 to 16 can provide authorization for the sale of their own personal information, while only the guardians of children under 13 can provide such authorization. Businesses that “willfully disregard” a child’s age will be considered to have “actual knowledge” of the child’s age. The CCPA does not provide guidance on what constitutes “willful disregard” in this context.

The CCPA does not appear to regulate the access that companies provide to advertisers regarding targeted individuals where that access is granted without providing specific information from individual users. In this manner, some large companies that maintain they do not sell consumers’ data (e.g., Facebook) appear to fall outside the reach of those portions of the CCPA that govern sale-specific issues. It remains to be seen if or how the Attorney General may seek to apply the CCPA to such a context. Unless the CCPA were revised to clarify its applicable to this use of consumer information, or the Attorney General were to issue a regulation or guidance related to the same, it is not clear how consumers would opt out of having their information shared with third-party advertisers.

H. Are There Limits Placed on the Collection of Information?

The CCPA does not appear to place limits on businesses’ ability to collect personal information on consumers, although, as noted above, it does require that businesses provide consumers certain notices and disclosures related to the collection of that information. In this way the CCPA may be a continuation of the status quo with some additional disclosure protections layered on top of the existing data-collection framework. The GDPR, in contrast, requires that companies obtain a data subject’s permission before they collect data on that data subject.

I. Can a Business Treat Consumers Differently if They Exercise Their Rights?

Businesses are generally prohibited from discriminating against consumers who choose to exercise their rights under the Act, including by opting out of the sale or disclosure of their personal information to third parties. This includes through actions like increasing fees, slowing services, etc. Businesses are allowed to differentiate among consumers in terms of prices charged or level of services provided if the difference is reasonably related to the value provided to the consumer by the consumer’s data. In addition, businesses may offer financial incentives for the collection, sale, or deletion of consumers’ data, if the business provides notice of the incentive to consumers.

Some commentators have remarked that by permitting differentiation among consumers linked to the value provided by the consumer’s data, the CCPA effectively permits businesses to charge more or offer lesser services to consumers who elect to exercise their rights to greater privacy. A few lawmakers expressed concern with the CCPA for this reason suggesting it was setting California on a path toward a “pay-for-privacy” regime. (Sacramento Bee (07/05/18), quoting Sen. Hannah Beth-Jackson.) Other commentators have suggested that this permits businesses to effectively market services where consumers would prefer to provide information rather than pay for a service.

J. Are Businesses Required to Implement Certain Security Measures?

To help minimize the risk of a consumer action, businesses must implement and maintain reasonable security procedures and practices that are appropriate to the nature of the personal information that is to protected. What constitutes “reasonable security” is not discussed in the Act. Indeed, California has not codified what is meant by “reasonable security” although it requires businesses that own, license or maintain personal information about California residents to provide reasonable security for that information both in the CCPA and in other state privacy-related statutes. (See Cal. Civ. Code § 1798.81.5(a).)

In the absence of codified standards, industry best practices suggest ensuring security policies and practices are in line with one of the several internationally-recognized information security frameworks. These include, among others, the Center for Internet Security’s (“CIS”) 20 Critical Security Controls, the National Institute of Standards and Technology’s (“NIST”) Cybersecurity Framework and related NIST standards (e.g., NIST SP 800-171), or the International Standards Organization’s (ISO) various series governing information security management (e.g., ISO/IEC 27001).  Adoption of these or equivalent information security frameworks and incorporation of the same into internal policies and practices would likely assist a business in establishing its good-faith effort to implement and maintain reasonable security measures. Guidance from the California Attorney General’s Office in its 2016 Data Breach Report, suggests that businesses that abide by CIS’s Critical Security Controls would likely meet the reasonable security requirement. (See CA 2016 Data Breach Report, p. v.)  The guidance does not rule out the ability for businesses to follow equivalent, industry-recognized information security frameworks to achieve the same goal. 

K. Are there Limits on the Re-Sale of Personal Information?

A third party that purchases consumers’ personal information from a business cannot in turn sell that information to another without providing the consumers explicit notice and the opportunity to opt out. The CCPA does not specify how that notice or opt-out option should be provided to consumers. Once the CCPA goes into force, businesses may want to take precautionary measures like automatically providing options to opt out of the sale of personal information prior to any collection to easily enable the sale of such information down the line, segregating all personal information from California residents and not selling the same, or seeking guidance from the Attorney General as to how best to comply prior to re-sale.

L. Are there Protections Against Liability for Service Provider Misconduct?

Businesses that share consumers’ personal information are not liable under the CCPA for service provider misconduct, if, at the time the business discloses the personal information, the business did not have actual knowledge, or reason to believe, that the service provider intended to violate the Act. Businesses also must have complied with the requirements of the CCPA in terms of having a proper written contract in place that prohibits the service provider from retaining, using or disclosing the personal information for any purpose other than for performing the services specified in the contract for the business that provided the personal information, or as otherwise permitted by the Act. A service provider is similarly free of liability for the obligations of a business from which it receives personal information.

To help preserve this limit on liability, businesses should ensure that their contracts with service providers include specific provisions prohibiting the service providers from using any consumers’ personal information provided in connection with the contract aside from carrying out the purposes of the contract or related administrative tasks. Businesses should also require service providers to represent that they are aware of and abide by the terms of the Act, as well as related regulations. Representations of this kind could assist businesses in establishing that they did not have actual knowledge or a reasonable basis for believing the service provider was planning to violate the CCPA at the time personal information was transferred to the service provider. It may be wise to have businesses reaffirm their awareness of and compliance with the CCPA and related regulations until both are fully adopted and in force.

M. Can Consumers Waive Applicability of Act?

The CCPA explicitly empowers courts to deem unenforceable any provision of a contract  or agreement that purports to waive or limit in any way a consumer’s rights under its terms. This includes any right to a remedy or specific means of enforcement. A consumer can still opt not to request information from a business or decline to take other actions under the Act.

III. Enforcement and Penalties

The CCPA contemplates two main avenues for enforcement of and recovery under the CCPA–private consumer rights of action (whether through individual or class actions), and actions brought by the Attorney General in the public interest. Both pose risks to businesses. Businesses also have the ability to seek guidance from the Attorney General on how to comply with the Act.

A. Consumer’s Private Right of Action

Any consumer whosenonencrypted ornonredacted personal information is subject to an unauthorized access andexfiltration, theft or disclosure as a result of a business’s failure to implement and maintain reasonable security procedures and practices may institute a private right of action for any of the following: (1) the greater of either the consumer’s actual damages or damages in an amount not less than $100 and not greater than $750 per consumer per incident1; (2) injunctive or declaratory relief; or (3) any other relief a court deems proper. A consumer is apparently not required to establish actual harm to pursue a private right of action.

A consumer may only bring a private right of action where he or she meets two additional requirements. First, prior to initiating any action, the consumer must provide the business 30 days’ written notice identifying the specific provisions of the CCPA he or she alleges have been or are being violated. If the business cures the issue within 30 days, no consumer action is permitted. If not, the consumer may proceed with filing. If a business informs a consumer that an issue is cured and it is not, that consumer is entitled to initiate an action against the business that seeks damages for each breach of the written representation as well as any other violation of the CCPA that postdates receipt of the written representation. Consumers seeking to recover only their actual, monetary damages do not have to provide such notice and may proceed directly to filing and notifying the Attorney General.

Second, the consumer must notify the Attorney General within 30 days that the action has been filed. The Attorney General then has 30 days to take one of the following three actions: (1) notify the consumer of its intention to prosecute the action; (2) refrain from acting for 30 days, thus permitting the consumer to proceed; or (3) notify the consumer that he or she shall not proceed with the action. With regard to the first option, the Attorney General has six months in which to initiate its prosecution. If the Attorney General fails to CCPA within that period, the consumer may proceed with his or her action.

B. Attorney General Enforcement

The Attorney General has the sole right to pursue civil penalties against businesses in violation of the CCPA through a civil action in the public’s name. Businesses are in violation of the CCPA if they do not cure any alleged violation within 30 days of notification of the same. Penalties of up to $2,500 for general violations could be imposed, while penalties for intentional violations could be up to $7,500 for each violation. The term “violation” is not defined in the CCPA and it is not clear how penalties might be imposed. The private right of action, in contrast, limits the collection of its set damages to a per consumer per incident basis.

The CCPA created a new Consumer Privacy Fund (the “Fund”) within California’s General Fund into which 20 percent of the funds recovered will be deposited, while the remaining 80 percent will go to the jurisdiction that brought the action. The Fund is intended to offset any costs incurred by state courts or the Attorney General in bringing cases connected with the Act.

C. Ability to Seek Attorney General Guidance

Any business or third party may seek the opinion of the Attorney General for guidance on how to comply with the Act. This provision may be of particular importance with regard to gaining clarity on some of the more opaque sections of the CCPA before it goes into force in 2020. This may be a particularly useful tool in some cases for groups of businesses facing the same issue that may wish to submit a joint request for an opinion on as both a means of gaining guidance and as an advocacy tool to highlight a particularly unclear section of the CCPA, although the CCPA remains silent concerning how long the Attorney General has to respond to opinion requests.

IV. Conclusion and Proactive Steps to Take Now

Passage of the CCPA marks a watershed moment for privacy law in the United States. California’s size, population and the predominance of the state’s technology sector ensure that the Act’s requirements will have consequences far beyond the state’s borders. The best way to respond to these developing requirements is to implement strong security and privacy measures and to periodically review the same. We recommend that businesses take the following steps now to begin to protect themselves from the likely effects of the Act.

  • Determine if you collect, maintain or hold California residents’ personal information or if an entity you control or that controls you does so. Understanding if the CCPA actually applies to you is the first step in defense.
  • If you do not already have someone in your organization responsible for following and addressing requirements relating to personal information, consider establishing a role that makes sense for your organization.
  • Engage in a data mapping activity that provides information on who in your organization collects, uses and shares what personal information for what purposes, and that tells you where and how that data is stored and accessed. This effort will assist in compliance with a range of regulatory regimes (e.g., California, GDPR, etc.).
  • Incorporate an internationally-recognized framework like the CIS’s 20 Critical Security Controls, NIST’s Cybersecurity Framework, the ISO/IEC series 27001, or an equivalent in your information security policies and practices to help ensure your company is employing reasonable security measures. Consider implementing other industry-specific best practices that may meet special needs of your business.
  • Take steps now to encrypt or redact consumers’ personal information when collected, stored, and transmitted as a means of helping to mitigate some of the potential litigation burden that could arise if unencrypted or unredacted personal information is the affected by a security incident.
  • Draft strong written contracts with service providers and vendors with which you share consumers’ personal information to ensure those contracts meet the requirements of the CCPA and will afford you the strongest protection from liability.
  • Consider requesting guidance from the Attorney General before the CCPA goes into effect regarding its applicability if unclear. Official guidance could protect against consumer litigation, particularly on ambiguous sections of the Act.
  • Begin considering whether it is feasible to segregate personal information you collect, maintain or hold on California consumers to enable eventual easy compliance with the Act. Consider taking similar steps to those your organization may already have taken to comply with other regulatory regimes like the GDPR or Massachusetts’s Standards for the Protection of Personal Information of Residents of the Commonwealth (201 CMR 17.00).

1 In assessing what statutory damages may be imposed, the CCPA directs courts to consider factors including, but not limited to, the nature and seriousness of the misconduct, the number of violations, the persistence of the misconduct, the length of time over which the misconduct occurred, the willfulness of the defendant’s misconduct, and the defendant’s assets, liabilities, and net worth.

Written by:

Akin Gump Strauss Hauer & Feld LLP

Akin Gump Strauss Hauer & Feld LLP on:

Readers' Choice 2017
Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide

JD Supra Privacy Policy

Updated: May 25, 2018:

JD Supra is a legal publishing service that connects experts and their content with broader audiences of professionals, journalists and associations.

This Privacy Policy describes how JD Supra, LLC ("JD Supra" or "we," "us," or "our") collects, uses and shares personal data collected from visitors to our website (located at (our "Website") who view only publicly-available content as well as subscribers to our services (such as our email digests or author tools)(our "Services"). By using our Website and registering for one of our Services, you are agreeing to the terms of this Privacy Policy.

Please note that if you subscribe to one of our Services, you can make choices about how we collect, use and share your information through our Privacy Center under the "My Account" dashboard (available if you are logged into your JD Supra account).

Collection of Information

Registration Information. When you register with JD Supra for our Website and Services, either as an author or as a subscriber, you will be asked to provide identifying information to create your JD Supra account ("Registration Data"), such as your:

  • Email
  • First Name
  • Last Name
  • Company Name
  • Company Industry
  • Title
  • Country

Other Information: We also collect other information you may voluntarily provide. This may include content you provide for publication. We may also receive your communications with others through our Website and Services (such as contacting an author through our Website) or communications directly with us (such as through email, feedback or other forms or social media). If you are a subscribed user, we will also collect your user preferences, such as the types of articles you would like to read.

Information from third parties (such as, from your employer or LinkedIn): We may also receive information about you from third party sources. For example, your employer may provide your information to us, such as in connection with an article submitted by your employer for publication. If you choose to use LinkedIn to subscribe to our Website and Services, we also collect information related to your LinkedIn account and profile.

Your interactions with our Website and Services: As is true of most websites, we gather certain information automatically. This information includes IP addresses, browser type, Internet service provider (ISP), referring/exit pages, operating system, date/time stamp and clickstream data. We use this information to analyze trends, to administer the Website and our Services, to improve the content and performance of our Website and Services, and to track users' movements around the site. We may also link this automatically-collected data to personal information, for example, to inform authors about who has read their articles. Some of this data is collected through information sent by your web browser. We also use cookies and other tracking technologies to collect this information. To learn more about cookies and other tracking technologies that JD Supra may use on our Website and Services please see our "Cookies Guide" page.

How do we use this information?

We use the information and data we collect principally in order to provide our Website and Services. More specifically, we may use your personal information to:

  • Operate our Website and Services and publish content;
  • Distribute content to you in accordance with your preferences as well as to provide other notifications to you (for example, updates about our policies and terms);
  • Measure readership and usage of the Website and Services;
  • Communicate with you regarding your questions and requests;
  • Authenticate users and to provide for the safety and security of our Website and Services;
  • Conduct research and similar activities to improve our Website and Services; and
  • Comply with our legal and regulatory responsibilities and to enforce our rights.

How is your information shared?

  • Content and other public information (such as an author profile) is shared on our Website and Services, including via email digests and social media feeds, and is accessible to the general public.
  • If you choose to use our Website and Services to communicate directly with a company or individual, such communication may be shared accordingly.
  • Readership information is provided to publishing law firms and authors of content to give them insight into their readership and to help them to improve their content.
  • Our Website may offer you the opportunity to share information through our Website, such as through Facebook's "Like" or Twitter's "Tweet" button. We offer this functionality to help generate interest in our Website and content and to permit you to recommend content to your contacts. You should be aware that sharing through such functionality may result in information being collected by the applicable social media network and possibly being made publicly available (for example, through a search engine). Any such information collection would be subject to such third party social media network's privacy policy.
  • Your information may also be shared to parties who support our business, such as professional advisors as well as web-hosting providers, analytics providers and other information technology providers.
  • Any court, governmental authority, law enforcement agency or other third party where we believe disclosure is necessary to comply with a legal or regulatory obligation, or otherwise to protect our rights, the rights of any third party or individuals' personal safety, or to detect, prevent, or otherwise address fraud, security or safety issues.
  • To our affiliated entities and in connection with the sale, assignment or other transfer of our company or our business.

How We Protect Your Information

JD Supra takes reasonable and appropriate precautions to insure that user information is protected from loss, misuse and unauthorized access, disclosure, alteration and destruction. We restrict access to user information to those individuals who reasonably need access to perform their job functions, such as our third party email service, customer service personnel and technical staff. You should keep in mind that no Internet transmission is ever 100% secure or error-free. Where you use log-in credentials (usernames, passwords) on our Website, please remember that it is your responsibility to safeguard them. If you believe that your log-in credentials have been compromised, please contact us at

Children's Information

Our Website and Services are not directed at children under the age of 16 and we do not knowingly collect personal information from children under the age of 16 through our Website and/or Services. If you have reason to believe that a child under the age of 16 has provided personal information to us, please contact us, and we will endeavor to delete that information from our databases.

Links to Other Websites

Our Website and Services may contain links to other websites. The operators of such other websites may collect information about you, including through cookies or other technologies. If you are using our Website or Services and click a link to another site, you will leave our Website and this Policy will not apply to your use of and activity on those other sites. We encourage you to read the legal notices posted on those sites, including their privacy policies. We are not responsible for the data collection and use practices of such other sites. This Policy applies solely to the information collected in connection with your use of our Website and Services and does not apply to any practices conducted offline or in connection with any other websites.

Information for EU and Swiss Residents

JD Supra's principal place of business is in the United States. By subscribing to our website, you expressly consent to your information being processed in the United States.

  • Our Legal Basis for Processing: Generally, we rely on our legitimate interests in order to process your personal information. For example, we rely on this legal ground if we use your personal information to manage your Registration Data and administer our relationship with you; to deliver our Website and Services; understand and improve our Website and Services; report reader analytics to our authors; to personalize your experience on our Website and Services; and where necessary to protect or defend our or another's rights or property, or to detect, prevent, or otherwise address fraud, security, safety or privacy issues. Please see Article 6(1)(f) of the E.U. General Data Protection Regulation ("GDPR") In addition, there may be other situations where other grounds for processing may exist, such as where processing is a result of legal requirements (GDPR Article 6(1)(c)) or for reasons of public interest (GDPR Article 6(1)(e)). Please see the "Your Rights" section of this Privacy Policy immediately below for more information about how you may request that we limit or refrain from processing your personal information.
  • Your Rights
    • Right of Access/Portability: You can ask to review details about the information we hold about you and how that information has been used and disclosed. Note that we may request to verify your identification before fulfilling your request. You can also request that your personal information is provided to you in a commonly used electronic format so that you can share it with other organizations.
    • Right to Correct Information: You may ask that we make corrections to any information we hold, if you believe such correction to be necessary.
    • Right to Restrict Our Processing or Erasure of Information: You also have the right in certain circumstances to ask us to restrict processing of your personal information or to erase your personal information. Where you have consented to our use of your personal information, you can withdraw your consent at any time.

You can make a request to exercise any of these rights by emailing us at or by writing to us at:

Privacy Officer
JD Supra, LLC
10 Liberty Ship Way, Suite 300
Sausalito, California 94965

You can also manage your profile and subscriptions through our Privacy Center under the "My Account" dashboard.

We will make all practical efforts to respect your wishes. There may be times, however, where we are not able to fulfill your request, for example, if applicable law prohibits our compliance. Please note that JD Supra does not use "automatic decision making" or "profiling" as those terms are defined in the GDPR.

  • Timeframe for retaining your personal information: We will retain your personal information in a form that identifies you only for as long as it serves the purpose(s) for which it was initially collected as stated in this Privacy Policy, or subsequently authorized. We may continue processing your personal information for longer periods, but only for the time and to the extent such processing reasonably serves the purposes of archiving in the public interest, journalism, literature and art, scientific or historical research and statistical analysis, and subject to the protection of this Privacy Policy. For example, if you are an author, your personal information may continue to be published in connection with your article indefinitely. When we have no ongoing legitimate business need to process your personal information, we will either delete or anonymize it, or, if this is not possible (for example, because your personal information has been stored in backup archives), then we will securely store your personal information and isolate it from any further processing until deletion is possible.
  • Onward Transfer to Third Parties: As noted in the "How We Share Your Data" Section above, JD Supra may share your information with third parties. When JD Supra discloses your personal information to third parties, we have ensured that such third parties have either certified under the EU-U.S. or Swiss Privacy Shield Framework and will process all personal data received from EU member states/Switzerland in reliance on the applicable Privacy Shield Framework or that they have been subjected to strict contractual provisions in their contract with us to guarantee an adequate level of data protection for your data.

California Privacy Rights

Pursuant to Section 1798.83 of the California Civil Code, our customers who are California residents have the right to request certain information regarding our disclosure of personal information to third parties for their direct marketing purposes.

You can make a request for this information by emailing us at or by writing to us at:

Privacy Officer
JD Supra, LLC
10 Liberty Ship Way, Suite 300
Sausalito, California 94965

Some browsers have incorporated a Do Not Track (DNT) feature. These features, when turned on, send a signal that you prefer that the website you are visiting not collect and use data regarding your online searching and browsing activities. As there is not yet a common understanding on how to interpret the DNT signal, we currently do not respond to DNT signals on our site.

Access/Correct/Update/Delete Personal Information

For non-EU/Swiss residents, if you would like to know what personal information we have about you, you can send an e-mail to We will be in contact with you (by mail or otherwise) to verify your identity and provide you the information you request. We will respond within 30 days to your request for access to your personal information. In some cases, we may not be able to remove your personal information, in which case we will let you know if we are unable to do so and why. If you would like to correct or update your personal information, you can manage your profile and subscriptions through our Privacy Center under the "My Account" dashboard. If you would like to delete your account or remove your information from our Website and Services, send an e-mail to

Changes in Our Privacy Policy

We reserve the right to change this Privacy Policy at any time. Please refer to the date at the top of this page to determine when this Policy was last revised. Any changes to our Privacy Policy will become effective upon posting of the revised policy on the Website. By continuing to use our Website and Services following such changes, you will be deemed to have agreed to such changes.

Contacting JD Supra

If you have any questions about this Privacy Policy, the practices of this site, your dealings with our Website or Services, or if you would like to change any of the information you have provided to us, please contact us at:

JD Supra Cookie Guide

As with many websites, JD Supra's website (located at (our "Website") and our services (such as our email article digests)(our "Services") use a standard technology called a "cookie" and other similar technologies (such as, pixels and web beacons), which are small data files that are transferred to your computer when you use our Website and Services. These technologies automatically identify your browser whenever you interact with our Website and Services.

How We Use Cookies and Other Tracking Technologies

We use cookies and other tracking technologies to:

  1. Improve the user experience on our Website and Services;
  2. Store the authorization token that users receive when they login to the private areas of our Website. This token is specific to a user's login session and requires a valid username and password to obtain. It is required to access the user's profile information, subscriptions, and analytics;
  3. Track anonymous site usage; and
  4. Permit connectivity with social media networks to permit content sharing.

There are different types of cookies and other technologies used our Website, notably:

  • "Session cookies" - These cookies only last as long as your online session, and disappear from your computer or device when you close your browser (like Internet Explorer, Google Chrome or Safari).
  • "Persistent cookies" - These cookies stay on your computer or device after your browser has been closed and last for a time specified in the cookie. We use persistent cookies when we need to know who you are for more than one browsing session. For example, we use them to remember your preferences for the next time you visit.
  • "Web Beacons/Pixels" - Some of our web pages and emails may also contain small electronic images known as web beacons, clear GIFs or single-pixel GIFs. These images are placed on a web page or email and typically work in conjunction with cookies to collect data. We use these images to identify our users and user behavior, such as counting the number of users who have visited a web page or acted upon one of our email digests.

JD Supra Cookies. We place our own cookies on your computer to track certain information about you while you are using our Website and Services. For example, we place a session cookie on your computer each time you visit our Website. We use these cookies to allow you to log-in to your subscriber account. In addition, through these cookies we are able to collect information about how you use the Website, including what browser you may be using, your IP address, and the URL address you came from upon visiting our Website and the URL you next visit (even if those URLs are not on our Website). We also utilize email web beacons to monitor whether our emails are being delivered and read. We also use these tools to help deliver reader analytics to our authors to give them insight into their readership and help them to improve their content, so that it is most useful for our users.

Analytics/Performance Cookies. JD Supra also uses the following analytic tools to help us analyze the performance of our Website and Services as well as how visitors use our Website and Services:

  • HubSpot - For more information about HubSpot cookies, please visit
  • New Relic - For more information on New Relic cookies, please visit
  • Google Analytics - For more information on Google Analytics cookies, visit To opt-out of being tracked by Google Analytics across all websites visit This will allow you to download and install a Google Analytics cookie-free web browser.

Facebook, Twitter and other Social Network Cookies. Our content pages allow you to share content appearing on our Website and Services to your social media accounts through the "Like," "Tweet," or similar buttons displayed on such pages. To accomplish this Service, we embed code that such third party social networks provide and that we do not control. These buttons know that you are logged in to your social network account and therefore such social networks could also know that you are viewing the JD Supra Website.

Controlling and Deleting Cookies

If you would like to change how a browser uses cookies, including blocking or deleting cookies from the JD Supra Website and Services you can do so by changing the settings in your web browser. To control cookies, most browsers allow you to either accept or reject all cookies, only accept certain types of cookies, or prompt you every time a site wishes to save a cookie. It's also easy to delete cookies that are already saved on your device by a browser.

The processes for controlling and deleting cookies vary depending on which browser you use. To find out how to do so with a particular browser, you can use your browser's "Help" function or alternatively, you can visit which explains, step-by-step, how to control and delete cookies in most browsers.

Updates to This Policy

We may update this cookie policy and our Privacy Policy from time-to-time, particularly as technology changes. You can always check this page for the latest version. We may also notify you of changes to our privacy policy by email.

Contacting JD Supra

If you have any questions about how we use cookies and other tracking technologies, please contact us at:

- hide

This website uses cookies to improve user experience, track anonymous site usage, store authorization tokens and permit sharing on social media networks. By continuing to browse this website you accept the use of cookies. Click here to read more about how we use cookies.