The California Consumer Privacy Act of 2018 - Increased Consumer Privacy Protections and Significant Business Compliance Burdens

by Dorsey & Whitney LLP
Contact

Dorsey & Whitney LLP

1. Introduction

On June 28, 2018, the California Legislature unanimously passed, and the Governor immediately signed, a sweeping expansion of data privacy protections for residents of California.1  Assembly Bill No. 375, entitled the “California Consumer Privacy Act of 2018” (the “CCPA”) goes far beyond current U.S. privacy protections, and in many respects emulates elements contained in the European Union’s General Data Protection Regulation, including the ability of a consumer to require that personal information be deleted by a covered business.2

The numerous statutory provisions of the CCPA, which is effective on January 1, 2020, accomplish several stated goals, including: (a) the establishment of the rights of consumers in regard to their data; (b) providing a process whereby consumers can determine whether—and to what extent—a covered business is holding, selling and transferring their personal information; (c) requiring covered businesses to implement specific procedures to maintain consumer data and respond to consumer inquiries; (d) exempting (or partially exempting) certain business data collection and transfer practices from the coverage of the CCPA; (e) imposing liability for non-compliance by means of enforcement actions authorized to be brought by the California Attorney General and private parties; and (f) authorizing the California Attorney General to issue interpretations and regulations to implement the CCPA.3

This Alert summarizes many of the operative provisions of the CCPA, including important definitions, industry coverage considerations, and implementation concerns.

2. Discussion

A. Background

The genesis of the CCPA was the explosion of data breach incidents in the past few years, as well as a wave of continuing revelations that many social media sites (considered by many to be now functioning as utilities) were monetizing consumer information using methodologies not well understood by consumers despite privacy disclosures, or allegedly being gathered in violation of contractual agreements between parties.

In response to these concerns, privacy advocates introduced a ballot initiative to adopt consumer privacy protections that business interests believed would have created burdensome privacy requirements, while also making subsequent amendment of any privacy rules adopted via the ballot initiative process extremely difficult to achieve.4

Because a legislative alternative had to be adopted before the above-referenced privacy ballot initiative was certified, opponents of the ballot initiative hurriedly negotiated a legislative bill (i.e., AB 375) that ultimately was agreed to by privacy stakeholders. After the CCPA was adopted by the California Legislature and signed by the Governor, the ballot initiative was withdrawn.

The result of this accelerated legislative process adds a new section to the California Civil Code, the coverage provisions of which include not only internet-based companies such as social media sites but practically all businesses that operate in today’s electronic environment using websites and other electronic means to capture consumer data obtained from California consumers.5  Since its adoption a few weeks ago, U.S. and international businesses located outside of California—but regularly interacting with California residents—have begun to realize that the CCPA may likely impact their operations with California residents despite not maintaining a physical presence in California.

B. Consumer’s Privacy Rights Under the CCPA

The CCPA establishes several privacy rights for California consumers (i.e., California residents):

  • The right to know what personal information is being collected;
  • The right to know whether personal information is sold or disclosed and to whom;
  • The right to say “no” to the sale of personal information; 
  • The right to access personal information; and 
  • The right to equal service and price, even if any privacy rights created by the CCPA are exercised.

These privacy rights are implemented by the provisions of the CCPA, and are summarized as follows:

The Right to Know What Personal Information Is Being Collected—Section 1798.100 of the CCPA allows a “consumer” to require a covered “business” to disclose to the consumer the categories and specific pieces of “personal information” that the business collects, maintains, sells or transfers.  

The Right to Know Whether Personal Information Is Being Sold or Disclosed and to Whom—Section 1798.110 of the CCPA requires that, when responding to a “verifiable consumer request,”7  a covered business provide the following: (i) the categories of personal information it has collected; (ii) the categories of sources from which the personal information is collected; (iii) the business or commercial purpose for collecting or selling personal information; (iv) the categories of third parties with whom the business shares personal information; and (v) specific items of personal information the covered business has collected about that consumer.

The Right to Prohibit the Sale of Personal Information and to Delete Information—Sections 1798.105 and 1798.120 of the CCPA create rights similar in kind to the EU’s GDPR to direct a covered business to cease selling personal information (i.e., the ability to “opt out”) and to delete personal information in the possession of the business.9  (The specific mandate to order a covered business holding personal information to delete the personal information is a radical departure from current U.S. privacy norms, and has been described in the EU as the “right to be forgotten.”)10  Certain exceptions to this right are included in the CCPA.

Right to Non-Discrimination in Access, Equal Service and Price—Section 1798.125 of the CCPA contains antidiscrimination provisions that prevent a covered business from discriminating against a consumer who exercises his/her privacy rights under the CCPA. These provisions prohibit a covered business from: (a) refusing to conduct business with the consumer; (b) charging different prices or imposing penalties; or (c) providing a different level of products or services. However, a covered business may offer a different price, rate, level of service or quality of product of service if the differences are “related to the value provided to the consumer by the consumer’s data.”11

C. Coverage and Definitions

There are three principal defined terms that are used to establish possible coverage under the CCPA (subject to exceptions and clarifications contained throughout the CCPA): (a) the term “consumer”; (b) the term “business”; and (c) the term “personal information.” For purposes of an initial inquiry by a business whether the CCPA might apply, the following question must be asked: If a covered business collects personal information of a consumer, the business should determine whether it must comply with the CCPA or whether an exception or partial exception applies. 

A consumer is a natural person who is a California resident however the individual is identified, including a unique identifier.12  It includes household information pertaining to the consumer, and hence can relate to areas such as utility bills for a family.13  

A business is a sole proprietorship or corporate entity of any type (including affiliated entities based upon a 50% ownership or control factor)14  that: (i) collects consumers’ personal information, whether alone or jointly with others; (ii) does business in the State of California, and (iii) satisfies one or more of the following thresholds:

  • The business has annual gross revenues in excess of $25,000,000;15  
  • Alone or in combination with others, the business annually buys, receives for the business’s commercial purposes, sells, or shares for commercial purposes, alone or in combination, the personal information of 50,000 or more consumers, households, or devices;16 or 
  • The business derives 50% or more of its annual revenues from selling consumers’ personal information.17  

Finally, the concept of personal information is defined in an extraordinarily broad manner, and means “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.”18  For purposes of clarity, the CCPA includes a list of non-exclusive examples of what constitutes personal information.19 

D. Compliance Procedures Required by Covered Businesses

To implement the new consumer privacy rights, the CCPA imposes several complex compliance and implementation requirements on covered businesses—which have to be completed within the next 18 months, and include:

Modification of Disclosures and Websites—Sections 1798.120(b) and 1798.135(a) of the CCPA require that informational disclosures be provided to consumers, including the functionality of websites to allow for the exercise of a consumer’s privacy rights. Among other things, businesses will need to revise and regularly update online privacy policies and/or California-specific consumers’ privacy rights to include the CCPA’s consumer rights.20 

Delivery of Information Requested by a Consumer—Within 45 days of the receipt of a verified request from a consumer, a covered business will be required to disclose and deliver the requested information, free of charge to the consumer.21  Businesses will be obliged to deliver the requested personal information twice a year (and impliedly may charge a fee if a request is made more than twice within that time frame).22

Training and Creation of a Response Team—In order to accomplish the foregoing, a covered business will have to train staff to receive verified requests, including accessing compliance systems, retrieving information and complying with any directives made by a consumer. 

Systems Design—While beyond the scope of this Alert, an implementation program might include the following components, many of which are essential elements of robust information governance policies and procedures: (a) mapping current data collection processes, data repositories and transfer protocols; (b) updating privacy policies; (c) developing and adopting policies, procedures and technologies to comply with the CCPA’s covered business obligations; (d) testing and verification; and (e) training and monitoring.

E.  Exemptions for Certain Business Data Collection and Data Transfer Activities

The CCPA contains numerous exemptions of data use and functionality that will require close scrutiny by covered businesses. Each exemption is defined by the CCPA (and in many cases, is micro-managed), and may assist (or hinder) the business in retaining the data or limiting its use on a go-forward basis if a consumer directs the business to cease using the data or to delete the same. Several of these categories include: (i) data used for purposes of a transaction with a consumer; (ii) data sanitized in a manner not useable to identify a consumer; (iii) data used for public or peer-reviewed, historical or statistical research; (iv) publicly available personal information; (v) data used to comply with a consumer’s data inquiry and instructions; (vi) data used for security purposes; and (vii) data used for free speech purposes.23 

In addition, Section 1798.145 of the CCPA clarifies that the obligations imposed by the CCPA on a covered business do not restrict the business’s ability to: (1) comply with state or federal laws; (2) respond to civil, criminal and administrative actions, investigations and proceedings; (3) use “deidentified” consumer data (which can be collected, used and sold to third parties; and  (4) collect data “if every aspect of the commercial conduct takes place wholly outside of California.”24

For health care providers and banking institutions, the CCPA does not apply to health care information subject to HIPPA and personal information that is subject to Title V of the Gramm-Leach-Bliley Act (“GLBA”).25  Further, the CCPA does not apply to the use of personal information obtained from or transferred to a credit reporting agency pursuant to the Fair Credit Reporting Act. 

F.  Enforcement by the California Attorney General and Private Parties

For actions commenced by the Attorney General, Section 1798.155 of the CCPA allows imposition of penalties for intentional violations of any provision of the CCPA of up to $7,500 per violation, or $2,500 for unintentional violations if a business fails to cure an unintentional violation within 30 days of notice pursuant to Section 17206 of the California Business and Professions Code.26  

For enforcement actions brought by private plaintiffs for data theft or data security breaches, Section 1798.150 of the CCPA allows statutory damages between $100 to $750 per incident (or actual damages, whichever is greater).27  In certain circumstances, the California Attorney General is authorized to intervene in a private party lawsuit and assume prosecution of the case.28  

G. Interpretative and Rule-Making Authority Given to the Attorney General

Perhaps in light of the complexity of the CCPA (and the haste in which it was drafted and adopted), Section 1798.155 of the CCPA specifically authorizes any business or third party to request guidance from the California Attorney General “on how to comply with” the CCPA. Further, Section 1789.185 directs the California Attorney General to issue regulations clarifying the requirements of the CCPA, as well as updating the nomenclature as technology advances beyond the scope of the technology in existence as of the date that the CCPA was adopted.

3. Observations and Recommendations

We note the following:

First, while the California Legislature will convene between now and the effective date of the legislation, and is expected to provide clarification on several confusing and sometimes internally contradictory provisions, few anticipate significant substantive changes.

Second, the scope of the CCPA potentially encompasses all retail and commercial activity that includes the collection of data relating to a resident of California and retained, sold or transferred by a covered business. At the earliest possible date, businesses must commence the process of evaluating coverage under the CCPA, as well as designing and implementing an effective compliance program.

Third, based upon several decades of experience in assisting companies to adopt compliance policies and procedures for newly adopted statutes and regulations, we are not optimistic that compliance with the CCPA is reasonably possible by January 1, 2020, without significant proactive diligence by covered businesses. As noted above, the CCPA was by necessity hastily drafted, contains patent ambiguities, and virtually every stakeholder agrees that it is in need of clarification and fine-tuning. While “clean-up” legislation and California Attorney General interpretations and regulations may be forthcoming, neither is expected to relieve businesses from a very, very significant undertaking to achieve compliance.29 

Specifically, it is probable that industry groups, including trade associations, will take a leadership role when determining coverage challenges presented by the CCPA for a particular industry, and will at some juncture provide training and suggested compliance approaches. Due to the probable delays that may occur before potential industry participants become fully informed of their CCPA obligations, delays in determining reasonable compliance processes are not likely to be commenced or implemented until late into the 18-month compliance period (i.e., between June 28, 2018 and January 1, 2020). 

Accordingly, we strongly recommend that businesses consider an effort to postpone the effective date of the CCPA by redress to the California Legislature. (It is unclear whether the California Attorney General’s regulation authority includes the ability to delay the effective date of the CCPA.)

Fourth, as both U.S. and international businesses begin to understand the scope of the CCPA, the reality of dealing with compliance dictates of the CCPA, the GDPR and the laws of other U.S state jurisdictions may bring new urgency to considering a federal privacy law that preempts laws such as the CCPA. Whether that resembles the new EU privacy protections of the GDPR, which are already experiencing significant growing pains, or some other improved but less proscriptive approach, remains to be seen. In any event, California is widely regarded as the bellwether of state innovation, and other states are sure to follow many if not most of the privacy protections now contained in the CCPA.


1 https://leginfo.legislature.ca.gov/faces/billTextClient.xhtml?bill_id=201720180AB375.
2 See https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=uriserv:OJ.L_.2016.119.01.0001.01.ENG&toc=OJ:L:2016:119:TOC.
3 The CCPA is an extension (or elaboration) on a Californian’s constitutional right to privacy, as set forth at Article 1, Section 1 of the California Constitution.

See https://oag.ca.gov/system/files/initiatives/pdfs/17-0027%20%28Consumer%20Privacy%29_1.pdf.
5 The CCPA is set forth at Sections 1798.100 through 1798.198 of the California Civil Code.
6 Section 2 of A.B 375. 
7 Section 1798.149(y) of the CCPA.
8 Section 1798.110 of the CCPA. It appears that a business collecting personal information that is sold or transferred to a third party, in the absence of a contractual right, cannot order that receiving party to restrict the use of any data transferred.
9 While adult consumers must opt-out of the sale of their personal information, a covered business must obtain the affirmative authorization for the sale of personal information for minors under the age of sixteen. Section 1798.120(d) of the CCPA.
10 Section 1798.120 of the CCPA, which references the definition set forth at Section 17014 of Title 18 of the California Code of Regulations.
11 We note that the language of these provisions is internally inconsistent (or at least, ambiguous) and will likely require interpretation by the California Attorney General, discussed below.
12 Section 1798.140(g) of the CCPA.
13 Importantly, unlike virtually all “consumer” protection statutes, the use of the term “consumer” should be viewed as data information pertaining to a resident of California that may also include non-consumer purposes such as a resident’s business operations that can be associated to an individual. (Whether this definitional approach includes individuals operating as a sole proprietorship or in a broader context as an employee of a corporate entity is unclear.)
14 Section 1798.140(c)(2) of the CPPA.
15 Section 1798.140(c)(1)(A) of the CCPA. It is unclear whether this threshold is to be computed on a global basis or solely in regard to business associated with California residents.
16 Section 1798.140(c)(1)(B) of the CCPA. It should be noted that even modestly successful websites may exceed this threshold. (Further, if a business is hosted on another website through connectivity or a hosting arrangement the transmission of data through a sharing arrangement may implicate coverage under the CCPA.)
17 Section 1798.140(c)(1)(C) of the CCPA.
18 Section 1798.140(o)(1) of the CCPA.
19 Sections 1798.140(o)(1)(A) through (o)(1)(K) of the CCPA. The non-exclusive list includes data items such as: (a) name, address, unique personal identifiers, social security number, driver’s license, passport number, biometric information, etc.; (b) categories of personal information specifically identified under California law, including protected classifications; (c) commercial or consumer consuming histories or tendencies; (d) internet usage and browsing history; (e) employment and educational history; and (f) inferences drawn from any of the personal information collected to create a profile about a consumer.
20 The CCPA imposes heightened obligations on businesses that sell consumers’ personal information.  For example, covered businesses will be required to provide a conspicuous link, titled “Do Not Sell My Personal Information,” on their Internet homepage and in their online privacy policy, which consumers can use to opt-out of the sale of their information.   Many companies that specialize in big data, however, do not actually sell consumers’ personal information, meaning they would not be subject to these heightened requirements.  Google, for example, has advertisers describe their target market to Google, at which point Google uses its data to “place” advertisements accordingly.  (The same is true of Facebook.)
21 Section 1798.130(a)(2) of the CCPA.
22 Businesses may extend the deadline to comply with a consumer’s request by 90 days for complex or voluminous requests.
23 Sections 1798.105(d) and 1798.140(o)(2) of the CCPA.
24 Section 1798.145(a) of the CCPA.
25 It should be noted that industry groups such as health care companies and banking institutions may be required to separate data bases that are subject to HIPPA or Title V of GLBA from data bases that are subject to the CPPA. For example, in instances in which a company has affiliates not subject to a specific privacy law other than the CCPA—or are otherwise providing products or services that are not subject to other privacy laws such as HIPPA or GLBA—a bifurcation of data might be required.
26 The CCPA creates a new “Consumer Privacy Fund” to fund enforcement, with a percentage of proceeds the collection of penalties being allocated for that purpose.
27 While beyond the scope of this Alert, it should be noted that it is unclear whether the measurement of damages would be based upon a single data breach or the number of data breaches measured (and multiplied by) each affected consumer. (If the latter interpretation is correct, this multiplier effect significantly increases the liability for the failure to maintain adequate security for a consumer’s personal information.)
28 It should be noted that, for purposes of liability for a data security breach brought by a private party, Section 1798.150(a)(1) adopts a narrower definition of “personal information,” which is set forth at Section 1798.81.5 of the California Civil Code.
29 Because the CCPA did not address the current morass of separate privacy laws in effect in California, it will be necessary to comply with the California law that provides the greatest protection for a consumer’s personal information. Section 1798.176 of the CCPA. (A useful summary of California privacy laws may be found at https://oag.ca.gov/privacy/privacy-laws.)

 

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Dorsey & Whitney LLP | Attorney Advertising

Written by:

Dorsey & Whitney LLP
Contact
more
less

Dorsey & Whitney LLP on:

Readers' Choice 2017
Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide

JD Supra Privacy Policy

Updated: May 25, 2018:

JD Supra is a legal publishing service that connects experts and their content with broader audiences of professionals, journalists and associations.

This Privacy Policy describes how JD Supra, LLC ("JD Supra" or "we," "us," or "our") collects, uses and shares personal data collected from visitors to our website (located at www.jdsupra.com) (our "Website") who view only publicly-available content as well as subscribers to our services (such as our email digests or author tools)(our "Services"). By using our Website and registering for one of our Services, you are agreeing to the terms of this Privacy Policy.

Please note that if you subscribe to one of our Services, you can make choices about how we collect, use and share your information through our Privacy Center under the "My Account" dashboard (available if you are logged into your JD Supra account).

Collection of Information

Registration Information. When you register with JD Supra for our Website and Services, either as an author or as a subscriber, you will be asked to provide identifying information to create your JD Supra account ("Registration Data"), such as your:

  • Email
  • First Name
  • Last Name
  • Company Name
  • Company Industry
  • Title
  • Country

Other Information: We also collect other information you may voluntarily provide. This may include content you provide for publication. We may also receive your communications with others through our Website and Services (such as contacting an author through our Website) or communications directly with us (such as through email, feedback or other forms or social media). If you are a subscribed user, we will also collect your user preferences, such as the types of articles you would like to read.

Information from third parties (such as, from your employer or LinkedIn): We may also receive information about you from third party sources. For example, your employer may provide your information to us, such as in connection with an article submitted by your employer for publication. If you choose to use LinkedIn to subscribe to our Website and Services, we also collect information related to your LinkedIn account and profile.

Your interactions with our Website and Services: As is true of most websites, we gather certain information automatically. This information includes IP addresses, browser type, Internet service provider (ISP), referring/exit pages, operating system, date/time stamp and clickstream data. We use this information to analyze trends, to administer the Website and our Services, to improve the content and performance of our Website and Services, and to track users' movements around the site. We may also link this automatically-collected data to personal information, for example, to inform authors about who has read their articles. Some of this data is collected through information sent by your web browser. We also use cookies and other tracking technologies to collect this information. To learn more about cookies and other tracking technologies that JD Supra may use on our Website and Services please see our "Cookies Guide" page.

How do we use this information?

We use the information and data we collect principally in order to provide our Website and Services. More specifically, we may use your personal information to:

  • Operate our Website and Services and publish content;
  • Distribute content to you in accordance with your preferences as well as to provide other notifications to you (for example, updates about our policies and terms);
  • Measure readership and usage of the Website and Services;
  • Communicate with you regarding your questions and requests;
  • Authenticate users and to provide for the safety and security of our Website and Services;
  • Conduct research and similar activities to improve our Website and Services; and
  • Comply with our legal and regulatory responsibilities and to enforce our rights.

How is your information shared?

  • Content and other public information (such as an author profile) is shared on our Website and Services, including via email digests and social media feeds, and is accessible to the general public.
  • If you choose to use our Website and Services to communicate directly with a company or individual, such communication may be shared accordingly.
  • Readership information is provided to publishing law firms and authors of content to give them insight into their readership and to help them to improve their content.
  • Our Website may offer you the opportunity to share information through our Website, such as through Facebook's "Like" or Twitter's "Tweet" button. We offer this functionality to help generate interest in our Website and content and to permit you to recommend content to your contacts. You should be aware that sharing through such functionality may result in information being collected by the applicable social media network and possibly being made publicly available (for example, through a search engine). Any such information collection would be subject to such third party social media network's privacy policy.
  • Your information may also be shared to parties who support our business, such as professional advisors as well as web-hosting providers, analytics providers and other information technology providers.
  • Any court, governmental authority, law enforcement agency or other third party where we believe disclosure is necessary to comply with a legal or regulatory obligation, or otherwise to protect our rights, the rights of any third party or individuals' personal safety, or to detect, prevent, or otherwise address fraud, security or safety issues.
  • To our affiliated entities and in connection with the sale, assignment or other transfer of our company or our business.

How We Protect Your Information

JD Supra takes reasonable and appropriate precautions to insure that user information is protected from loss, misuse and unauthorized access, disclosure, alteration and destruction. We restrict access to user information to those individuals who reasonably need access to perform their job functions, such as our third party email service, customer service personnel and technical staff. You should keep in mind that no Internet transmission is ever 100% secure or error-free. Where you use log-in credentials (usernames, passwords) on our Website, please remember that it is your responsibility to safeguard them. If you believe that your log-in credentials have been compromised, please contact us at privacy@jdsupra.com.

Children's Information

Our Website and Services are not directed at children under the age of 16 and we do not knowingly collect personal information from children under the age of 16 through our Website and/or Services. If you have reason to believe that a child under the age of 16 has provided personal information to us, please contact us, and we will endeavor to delete that information from our databases.

Links to Other Websites

Our Website and Services may contain links to other websites. The operators of such other websites may collect information about you, including through cookies or other technologies. If you are using our Website or Services and click a link to another site, you will leave our Website and this Policy will not apply to your use of and activity on those other sites. We encourage you to read the legal notices posted on those sites, including their privacy policies. We are not responsible for the data collection and use practices of such other sites. This Policy applies solely to the information collected in connection with your use of our Website and Services and does not apply to any practices conducted offline or in connection with any other websites.

Information for EU and Swiss Residents

JD Supra's principal place of business is in the United States. By subscribing to our website, you expressly consent to your information being processed in the United States.

  • Our Legal Basis for Processing: Generally, we rely on our legitimate interests in order to process your personal information. For example, we rely on this legal ground if we use your personal information to manage your Registration Data and administer our relationship with you; to deliver our Website and Services; understand and improve our Website and Services; report reader analytics to our authors; to personalize your experience on our Website and Services; and where necessary to protect or defend our or another's rights or property, or to detect, prevent, or otherwise address fraud, security, safety or privacy issues. Please see Article 6(1)(f) of the E.U. General Data Protection Regulation ("GDPR") In addition, there may be other situations where other grounds for processing may exist, such as where processing is a result of legal requirements (GDPR Article 6(1)(c)) or for reasons of public interest (GDPR Article 6(1)(e)). Please see the "Your Rights" section of this Privacy Policy immediately below for more information about how you may request that we limit or refrain from processing your personal information.
  • Your Rights
    • Right of Access/Portability: You can ask to review details about the information we hold about you and how that information has been used and disclosed. Note that we may request to verify your identification before fulfilling your request. You can also request that your personal information is provided to you in a commonly used electronic format so that you can share it with other organizations.
    • Right to Correct Information: You may ask that we make corrections to any information we hold, if you believe such correction to be necessary.
    • Right to Restrict Our Processing or Erasure of Information: You also have the right in certain circumstances to ask us to restrict processing of your personal information or to erase your personal information. Where you have consented to our use of your personal information, you can withdraw your consent at any time.

You can make a request to exercise any of these rights by emailing us at privacy@jdsupra.com or by writing to us at:

Privacy Officer
JD Supra, LLC
10 Liberty Ship Way, Suite 300
Sausalito, California 94965

You can also manage your profile and subscriptions through our Privacy Center under the "My Account" dashboard.

We will make all practical efforts to respect your wishes. There may be times, however, where we are not able to fulfill your request, for example, if applicable law prohibits our compliance. Please note that JD Supra does not use "automatic decision making" or "profiling" as those terms are defined in the GDPR.

  • Timeframe for retaining your personal information: We will retain your personal information in a form that identifies you only for as long as it serves the purpose(s) for which it was initially collected as stated in this Privacy Policy, or subsequently authorized. We may continue processing your personal information for longer periods, but only for the time and to the extent such processing reasonably serves the purposes of archiving in the public interest, journalism, literature and art, scientific or historical research and statistical analysis, and subject to the protection of this Privacy Policy. For example, if you are an author, your personal information may continue to be published in connection with your article indefinitely. When we have no ongoing legitimate business need to process your personal information, we will either delete or anonymize it, or, if this is not possible (for example, because your personal information has been stored in backup archives), then we will securely store your personal information and isolate it from any further processing until deletion is possible.
  • Onward Transfer to Third Parties: As noted in the "How We Share Your Data" Section above, JD Supra may share your information with third parties. When JD Supra discloses your personal information to third parties, we have ensured that such third parties have either certified under the EU-U.S. or Swiss Privacy Shield Framework and will process all personal data received from EU member states/Switzerland in reliance on the applicable Privacy Shield Framework or that they have been subjected to strict contractual provisions in their contract with us to guarantee an adequate level of data protection for your data.

California Privacy Rights

Pursuant to Section 1798.83 of the California Civil Code, our customers who are California residents have the right to request certain information regarding our disclosure of personal information to third parties for their direct marketing purposes.

You can make a request for this information by emailing us at privacy@jdsupra.com or by writing to us at:

Privacy Officer
JD Supra, LLC
10 Liberty Ship Way, Suite 300
Sausalito, California 94965

Some browsers have incorporated a Do Not Track (DNT) feature. These features, when turned on, send a signal that you prefer that the website you are visiting not collect and use data regarding your online searching and browsing activities. As there is not yet a common understanding on how to interpret the DNT signal, we currently do not respond to DNT signals on our site.

Access/Correct/Update/Delete Personal Information

For non-EU/Swiss residents, if you would like to know what personal information we have about you, you can send an e-mail to privacy@jdsupra.com. We will be in contact with you (by mail or otherwise) to verify your identity and provide you the information you request. We will respond within 30 days to your request for access to your personal information. In some cases, we may not be able to remove your personal information, in which case we will let you know if we are unable to do so and why. If you would like to correct or update your personal information, you can manage your profile and subscriptions through our Privacy Center under the "My Account" dashboard. If you would like to delete your account or remove your information from our Website and Services, send an e-mail to privacy@jdsupra.com.

Changes in Our Privacy Policy

We reserve the right to change this Privacy Policy at any time. Please refer to the date at the top of this page to determine when this Policy was last revised. Any changes to our Privacy Policy will become effective upon posting of the revised policy on the Website. By continuing to use our Website and Services following such changes, you will be deemed to have agreed to such changes.

Contacting JD Supra

If you have any questions about this Privacy Policy, the practices of this site, your dealings with our Website or Services, or if you would like to change any of the information you have provided to us, please contact us at: privacy@jdsupra.com.

JD Supra Cookie Guide

As with many websites, JD Supra's website (located at www.jdsupra.com) (our "Website") and our services (such as our email article digests)(our "Services") use a standard technology called a "cookie" and other similar technologies (such as, pixels and web beacons), which are small data files that are transferred to your computer when you use our Website and Services. These technologies automatically identify your browser whenever you interact with our Website and Services.

How We Use Cookies and Other Tracking Technologies

We use cookies and other tracking technologies to:

  1. Improve the user experience on our Website and Services;
  2. Store the authorization token that users receive when they login to the private areas of our Website. This token is specific to a user's login session and requires a valid username and password to obtain. It is required to access the user's profile information, subscriptions, and analytics;
  3. Track anonymous site usage; and
  4. Permit connectivity with social media networks to permit content sharing.

There are different types of cookies and other technologies used our Website, notably:

  • "Session cookies" - These cookies only last as long as your online session, and disappear from your computer or device when you close your browser (like Internet Explorer, Google Chrome or Safari).
  • "Persistent cookies" - These cookies stay on your computer or device after your browser has been closed and last for a time specified in the cookie. We use persistent cookies when we need to know who you are for more than one browsing session. For example, we use them to remember your preferences for the next time you visit.
  • "Web Beacons/Pixels" - Some of our web pages and emails may also contain small electronic images known as web beacons, clear GIFs or single-pixel GIFs. These images are placed on a web page or email and typically work in conjunction with cookies to collect data. We use these images to identify our users and user behavior, such as counting the number of users who have visited a web page or acted upon one of our email digests.

JD Supra Cookies. We place our own cookies on your computer to track certain information about you while you are using our Website and Services. For example, we place a session cookie on your computer each time you visit our Website. We use these cookies to allow you to log-in to your subscriber account. In addition, through these cookies we are able to collect information about how you use the Website, including what browser you may be using, your IP address, and the URL address you came from upon visiting our Website and the URL you next visit (even if those URLs are not on our Website). We also utilize email web beacons to monitor whether our emails are being delivered and read. We also use these tools to help deliver reader analytics to our authors to give them insight into their readership and help them to improve their content, so that it is most useful for our users.

Analytics/Performance Cookies. JD Supra also uses the following analytic tools to help us analyze the performance of our Website and Services as well as how visitors use our Website and Services:

  • HubSpot - For more information about HubSpot cookies, please visit legal.hubspot.com/privacy-policy.
  • New Relic - For more information on New Relic cookies, please visit www.newrelic.com/privacy.
  • Google Analytics - For more information on Google Analytics cookies, visit www.google.com/policies. To opt-out of being tracked by Google Analytics across all websites visit http://tools.google.com/dlpage/gaoptout. This will allow you to download and install a Google Analytics cookie-free web browser.

Facebook, Twitter and other Social Network Cookies. Our content pages allow you to share content appearing on our Website and Services to your social media accounts through the "Like," "Tweet," or similar buttons displayed on such pages. To accomplish this Service, we embed code that such third party social networks provide and that we do not control. These buttons know that you are logged in to your social network account and therefore such social networks could also know that you are viewing the JD Supra Website.

Controlling and Deleting Cookies

If you would like to change how a browser uses cookies, including blocking or deleting cookies from the JD Supra Website and Services you can do so by changing the settings in your web browser. To control cookies, most browsers allow you to either accept or reject all cookies, only accept certain types of cookies, or prompt you every time a site wishes to save a cookie. It's also easy to delete cookies that are already saved on your device by a browser.

The processes for controlling and deleting cookies vary depending on which browser you use. To find out how to do so with a particular browser, you can use your browser's "Help" function or alternatively, you can visit http://www.aboutcookies.org which explains, step-by-step, how to control and delete cookies in most browsers.

Updates to This Policy

We may update this cookie policy and our Privacy Policy from time-to-time, particularly as technology changes. You can always check this page for the latest version. We may also notify you of changes to our privacy policy by email.

Contacting JD Supra

If you have any questions about how we use cookies and other tracking technologies, please contact us at: privacy@jdsupra.com.

- hide

This website uses cookies to improve user experience, track anonymous site usage, store authorization tokens and permit sharing on social media networks. By continuing to browse this website you accept the use of cookies. Click here to read more about how we use cookies.