Updated Alert: Governor Brown Signs Amendments to the California Consumer Privacy Act of 2018

by Dorsey & Whitney LLP
Contact

Dorsey & Whitney LLP

1. Introduction

On June 28, 2018, the California Legislature unanimously passed, and the Governor immediately signed, a sweeping expansion of data privacy protections for residents of California.1 Assembly Bill No. 375, entitled the “California Consumer Privacy Act of 2018” (the “CCPA”), goes far beyond current U.S. privacy protections, and in many respects emulates elements contained in the European Union’s General Data Protection Regulation (the “GDPR”), including the ability of a consumer to require that personal information be deleted by a covered business.2

Because of an unavoidable deadline to adopt the CCPA, discussed below, numerous drafting errors and patent ambiguities were contained in the legislation as finally adopted. In anticipation of this issue, a clean-up bill to address many of these problems was adopted on the last day of the California legislative session for 2018. That clean-up bill—Senate Bill 1121—was signed by Governor Brown on September 23, 2018.3

This updated alert incorporates many of the significant changes made to the original version of the CCPA, and also contains a separate discussion of many of the changes made by S.B. 1121, as well as compliance concerns businesses should consider as the effective date for the CCPA approaches. 

2. Discussion

The numerous statutory provisions of the CCPA accomplish several stated goals, including: (a) the establishment of the rights of consumers in regard to their data; (b) providing a process whereby consumers can determine whether—and to what extent—a covered business is holding, selling and transferring their personal information; (c) requiring covered businesses to implement specific procedures to maintain consumer data and respond to consumer inquiries; (d) exempting (or partially exempting) certain business data collection and transfer practices  from the coverage of the CCPA; (e) imposing liability for non-compliance by means of enforcement actions authorized to be brought by the California Attorney General and private parties; and (f) authorizing the California Attorney General to issue interpretations and regulations to implement the CCPA.4

A. Background

The genesis of the CCPA was the explosion of data breach incidents in the past few years, as well as a wave of continuing revelations that many social media sites (considered by many to be now functioning as utilities) were monetizing consumer information using methodologies not well understood by consumers despite privacy disclosures, or allegedly being gathered in violation of contractual agreements between parties.

In response to these concerns, in late 2017, privacy advocates commenced qualifying a ballot initiative to adopt consumer privacy protections that business interests believed would have created burdensome privacy requirements, while also making subsequent amendment of any privacy rules adopted via the ballot initiative process extremely difficult to achieve.

Because a legislative alternative had to be adopted before the above-referenced privacy ballot initiative was certified, opponents of the ballot initiative hurriedly negotiated a legislative bill (i.e., A.B. 375) that ultimately was agreed to by privacy stakeholders. After the CCPA was adopted by the California Legislature and signed by the Governor, the ballot initiative was withdrawn.

As noted above, because of the deadline to avoid placing a privacy initiative on the ballot for the November 2018 elections, S.B. 1121 was employed as a legislative vehicle to correct many of the drafting flaws in A.B. 375. Further, several industry groups undertook an intensive lobbying effort to: (a) clarify the scope of certain exemptions from coverage; (b) extend the date from which the California Attorney General would be required to issue implementing regulations; and (c) delay the date from which the Attorney General could commence enforcement actions.

The result of these two legislative enactments adds a new Title 1.18.5 to the California Civil Code, whose coverage provisions include not only internet-based companies such as social media sites but practically all businesses that operate in today’s electronic environment using websites and other electronic means to capture consumer data obtained from California consumers.6 Since its adoption in late July, U.S. and international businesses located outside of California—but regularly interacting with California residents—have begun to realize that the CCPA may likely impact their operations with California residents despite not maintaining a physical presence in California.

B. Consumer’s Privacy Rights Under the CCPA

The CCPA establishes several privacy rights for California consumers (i.e., California residents):

  • The right to know what personal information is being collected;
  • The right to know whether personal information is sold or disclosed and to whom;
  • The right to say “no” to the sale of personal information; 
  • The right to access personal information; and 
  • The right to equal service and price, even if any privacy rights created by the CCPA are exercised.

These privacy rights are implemented by the provisions of the CCPA, and are summarized as follows:

The Right to Know What Personal Information Is Being Collected—Section 1798.100 of the CCPA allows a “consumer” to require a covered “business” to disclose to the consumer the categories and specific pieces of “personal information” that the business collects, maintains, sells or transfers.  

The Right to Know Whether Personal Information Is Being Sold or Disclosed and to Whom—Section 1798.110 of the CCPA requires that, when responding to a “verifiable consumer request,”8 a covered business provide the following: (i) the categories of personal information it has collected; (ii) the categories of sources from which the personal information is collected; (iii) the business or commercial purpose for collecting or selling personal information; (iv) the categories of third parties with whom the business shares personal information; and (v) specific items of personal information the covered business has collected about that consumer.

The Right to Prohibit the Sale of Personal Information and to Delete Information—Sections 1798.105 and 1798.120 of the CCPA create rights similar in kind to the EU’s GDPR to direct a covered business to cease selling personal information (i.e., the ability to “opt-out”) and to delete personal information in the possession of the business and its service providers.10 (The specific mandate to order a covered business holding personal information to delete the personal information is a radical departure from current U.S. privacy norms, and has been described in the EU as the “right to be forgotten.”)11  Certain exceptions to this right are included in the CCPA.

The Right to Non-Discrimination in Access, Equal Service and Price—Section 1798.125 of the CCPA contains antidiscrimination provisions that prevent a covered business from discriminating against a consumer who exercises his/her privacy rights under the CCPA. These provisions prohibit a covered business from: (a) refusing to conduct business with the consumer; (b) charging different prices or imposing penalties; or (c) providing a different level of products or services. However, a covered business may offer a different price, rate, level of service or quality of product of service if the differences are “related to the value provided to the consumer by the consumer’s data.”12 

C. Coverage and Definitions

There are three principal defined terms that are used to establish possible coverage under the CCPA (subject to exceptions and clarifications contained throughout the CCPA): (a) the term “consumer”; (b) the term “business”; and (c) the term “personal information.” For purposes of an inquiry by a business whether the CCPA might apply, the following analysis must be undertaken: If a covered business collects personal information of a consumer, the business should determine whether it must comply with the CCPA or whether an exception or partial exception applies. 

A consumer is a natural person who is a California resident however the individual is identified, including a unique identifier.13 It includes household information pertaining to the consumer, and hence can relate to areas such as utility bills for a family.14  

A business is a sole proprietorship or corporate entity of any type operating for a profit for its owners (including affiliated entities based upon a 50% ownership or control factor)15 that: (i) collects consumers’ personal information, whether alone or jointly with others; (ii) does business in the State of California,16 and (iii) satisfies one or more of the following thresholds:

  • The business has annual gross revenues in excess of $25,000,000;17  
  • Alone or in combination with others, the business annually buys, receives for the business’ commercial purposes, sells, or shares for commercial purposes, alone or in combination, the personal information of 50,000 or more consumers, households, or devices;18 or 
  • The business derives 50 percent or more of its annual revenues from selling consumers’ personal information.19  

Finally, the concept of personal information is defined in an extraordinarily broad manner, and means “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.”20 For purposes of clarity, the CCPA includes a list of non-inclusive examples of what constitutes personal information.21

D. Compliance Procedures Required by Covered Businesses

To implement the new consumer privacy rights, the CCPA imposes several complex compliance and implementation requirements on covered businesses, and include:

Modification of Disclosures and Websites—Sections 1798.120(b) and 1798.135(a) of the CCPA require that informational disclosures be provided to consumers, including the functionality of websites to allow for the exercise of a consumer’s privacy rights. Among other things, businesses will need to revise and regularly update online privacy policies and/or California-specific consumers’ privacy rights to include the CCPA’s consumer rights.22 

Delivery of Information Requested by a Consumer—Within 45 days of the receipt of a verifiable consumer request from a consumer, a covered  business will be required to disclose and deliver the requested information, free of charge to the consumer.23 Businesses will be obliged to deliver the requested personal information twice a year (and impliedly may charge a fee if a request is made more than twice within that time frame).24 

Training and Creation of a Response Team—In order to accomplish the foregoing, a covered business will have to train staff to receive verifiable consumer  requests, including accessing compliance systems, retrieving information and complying with any directives made by a consumer. 

Systems Design—While beyond the scope of this Alert, an implementation program might include the following components, many of which are essential elements of robust information governance policies and procedures: (a) mapping current data collection processes, data repositories and transfer protocols; (b) updating privacy policies; (c) developing and adopting policies, procedures and technologies to comply with the CCPA’s covered business obligations; (d) testing and verification;  (e) training and monitoring; and (f) modifying contractual arrangements with affiliates, vendors and third parties.

E.    Effective Date of the CCPA and Delayed Enforcement

As a result of a strong objection from the California Attorney General to a provision in A.B. 375 that would have required the Attorney General to issue implementing and interpretive regulations by January 1, 2020—which the Attorney deemed to be practically impossible—a somewhat complicated set of compliance and effective dates were adopted by S.B. 1121. 

Although the technical effective date of the CCPA remains January 1, 2020, because the Attorney General was given until July 1, 2020, to adopt regulations implementing the CCPA, no enforcement actions may be taken by the Attorney General until the earlier of six months after final regulations are adopted or July 1, 2020.25  

F.  Exemptions for Certain Business Data Collection and Data Transfer Activities

The CCPA contains numerous exemptions and partial exemptions of data use and functionality that will require close scrutiny by covered businesses. Each exemption is defined by the CCPA (and in many cases, was micro-managed in the legislative drafting process), and may assist (or hinder) a business in retaining the data or limiting its use on a go-forward basis if a consumer directs the business to cease using the data or to delete the same. Several of these categories include: (i) data used for purposes of a transaction with a consumer; (ii) sanitized data in a form not useable to identify a consumer; (iii) data used for public or peer-reviewed, historical or statistical research; (iv) publicly available personal information; (v) data used to comply with a consumer’s data inquiry and instructions; (vi) data used for security purposes; and (vii) data used for free speech purposes.26

In addition, Section 1798.145 of the CCPA clarifies that the obligations imposed by the CCPA on a covered business do not restrict the ability of the business to: (1) comply with state or federal laws; (2) respond to civil, criminal and administrative actions, investigations and proceedings; (3) use “deidentified” consumer data (which can be collected, used and sold to third parties); and  (4) collect data “if every aspect of the commercial conduct takes place wholly outside of California.”27

For health care providers and banking institutions, S.B. 1121 clarified that the CCPA does not apply to health care information subject to HIPPA and personal information that is subject to Title V of the Gramm-Leach-Bliley Act (“GLBA”), as well as corresponding California statutes.28 Further, the CCPA does not apply to the use of personal information obtained from or transferred to a credit reporting agency pursuant to the Fair Credit Reporting Act.29

G.  Enforcement by the California Attorney General and Private Parties

For actions commenced by the Attorney General, Section 1798.155 of the CCPA allows imposition of penalties for intentional violations of any provision of the CCPA of up to $7,500 per violation, or $2,500 for unintentional violations if a business fails to cure unintentional violations within 30 days of notice of alleged non-compliance.30  

For enforcement actions brought by private plaintiffs for data theft or data security breaches, Section 1798.150 of the CCPA allows statutory damages from $100 to $750 per incident (or actual damages, whichever is greater).31 While a notice must be provided to a covered business providing a covered business the opportunity to cure the alleged violation, S.B. 1121 removed the authority of the Attorney General to intervene in a case brought by a private party. 

H. Interpretative and Rule-Making Authority Given to the Attorney General

Perhaps in light of the complexity of the CCPA (and the haste in which it was drafted and adopted), Section 1798.155 of the CCPA specifically authorizes any business or third party to request guidance from the California Attorney General “on how to comply with” the CCPA. Further, Section 1789.185 directs the California Attorney General to issue regulations clarifying the requirements of the CCPA, as well as updating the nomenclature as technology advances beyond the scope of the technology in existence as of the date that the CCPA was adopted. As noted above, the Attorney General now has until July 1, 2020 to issue implementing regulations.32

I. Impact of S.B. 1121 on the CCPA 

Although the adoption of S.B. 1121 was helpful in correcting obvious drafting errors, S.B. 1121 did not alter the expanded scope of privacy rights as originally envisioned by A.B. 375. Compliance will be burdensome and complicated—it is a virtual certainty that in the coming year industry groups will lobby the California Legislature for expanded flexibility and exemptions from coverage.

Besides extending the effective date of the CCPA, S.B. 1121 modified the health care exemption as set forth in Section 1798.145(c), as well as the exemption for financial institutions as set forth in Section 1798.145(e). 

However, it is important to note that the exemptions do not technically exempt health care in regard to companies or financial institutions, but rather, personal information that is subject to existing federal and California laws and regulations. This means, for example, that a financial intermediary would be subject to the obligations under Title V of the Gramm-Leach-Bliley Act and the California Financial Information Privacy Act in regards to the capture, sale or transfer of consumer data. However, if data is transferred, it is not clear whether the business receiving the personal information is entitled to rely upon these partial exemptions.

Importantly, the exemption for financial institutions does not exempt a financial institution from a private party lawsuit or class action for a data breach that is authorized by Section 1798.150.33  

3. Observations and Recommendations

We note the following:

First, while the California Legislature will convene between now and the effective date of the legislation—and is expected to provide additional clarification on several confusing and sometimes internally contradictory provisions—few industry participants anticipate significant substantive changes to the increased privacy protections contained in the CCPA, due to the fact that there may remain an overhanging threat by privacy adherents to restart the ballot referendum that was abandoned as a result the compromise that has become the CCPA.

Second, the scope of the CCPA potentially encompasses all retail and commercial activity that includes the collection of data relating to a resident of California and retained, sold or transferred by a covered business. At the earliest possible date, businesses, including non-California businesses, must immediately commence the process of evaluating coverage under the CCPA, as well as designing and implementing an effective compliance program. 

Third, because of the compromise nature of the provisions of the CCPA, data breaches may immediately result in the filing of private party litigation demanding statutory damages from the business whose data was the subject of the breach. Because the only defense to statutory damages is a showing that the business maintained adequate security measures, security policies and procedures will have to be constantly updated and verified. 

Finally, the adoption of the CCPA has created a call for a national policy on privacy that would preempt state laws such as the CCPA. Considering that the GDPR required several years to negotiate (and several additional years to implement), adopting a national privacy standard may at best be a long term strategy. (Whether a national privacy policy ultimately resembles the new EU privacy protections of the GDPR, which are already experiencing significant growing pains, remains to be seen.) In any event, while a national privacy law is now under active consideration, preemption of state laws favored by businesses msay be difficult due to the extremely narrow GOP majority. This might mean, for example, the adoption of a national privacy standard that reflects some or all of the provisions of the CCPA or the EU’s GDPR. 

*       *       *

This Alert is intended to be a high-level summary of several significant provisions of the CCPA, and is not intended to be a comprehensive recitation of all of the CCPA’s requirements applicable to individual industries and businesses.


1 https://leginfo.legislature.ca.gov/faces/billTextClient.xhtml?bill_id=201720180AB375.
2 See https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=uriserv:OJ.L_.2016.119.01.0001.01.ENG&toc=OJ:L:2016:119:TOC.
3 https://leginfo.legislature.ca.gov/faces/billNavClient.xhtml?bill_id=201720180SB1121

4 The CCPA is an extension (or elaboration) on a Californian’s constitutional right to privacy, as set forth at Article 1, Section 1 of the California Constitution.
See https://oag.ca.gov/system/files/initiatives/pdfs/17-0027%20%28Consumer%20Privacy%29_1.pdf
6 The CCPA is set forth at Sections 1798.100 through 1798.198 of the California Civil Code.
7 Section 2 of A.B 375. 
8 Section 1798.140(y) of the CCPA.
9 Section 1798.110 of the CCPA. It appears that a business collecting personal information that is sold or transferred to a third party, in the absence of a contractual right, may not be able to restrict the use of any data transferred to the receiving party.
10 While adult consumers must opt-out of the sale of their personal information, a covered business must obtain the affirmative authorization for the sale of personal information for minors under the age of sixteen. Section 1798.120(d) of the CCPA.
11 Section 1798.120 of the CCPA, which references the definition set forth at Section 17014 of Title 18 of the California Code of Regulations.
12 Section 1798.125(b)(1) of the CCPA also authorizes a covered business to provide financial incentives, including payments to a consumer, for the collection, sale or deletion of personal information. 
13 Section 1798.140(g) of the CCPA.
14 Importantly, unlike virtually all “consumer” protection statutes, the use of the term “consumer” should be viewed as data information pertaining to a resident of California that may also include non-consumer purposes such as a resident’s business operations that can be associated to an individual. (Whether this definitional approach includes individuals operating as a sole proprietorship or in a broader context as an employee of a corporate entity is unclear.)
15 Section 1798.140(c)(2) of the CPPA.
16 California takes a very expansive view of the concept of what constitutes “doing business” in California, and merely engaging in an internet transaction with a California resident is clearly intended to include non-California businesses within coverage of the CCPA.
17 Section 1798.140(c)(1)(A) of the CCPA. It is unclear whether this threshold is to be computed on a global basis or solely in regard to business associated with California residents.
18 Section 1798.140(c)(1)(B) of the CCPA. It should be noted that even modestly successful websites may exceed this threshold. (Further, if a business is hosted on another website through connectivity or a hosting arrangement the transmission of data through a sharing arrangement may implicate coverage under the CCPA.)
19 Section 1798.140(c)(1)(C) of the CCPA.
20 Section 1798.140(o)(1) of the CCPA.
21 Sections 1798.140(o)(1)(A) through (o)(1)(K) of the CCPA. The non-inclusive list includes data items as: (a) name, address, unique personal identifiers, social security number, driver’s license, passport number, biometric information, etc.; (b) categories of personal information specifically identified under California law, including protected classifications; (c) commercial or consumer consuming histories or tendencies; (d) internet usage and browsing history; (e) employment and educational history; and (f) inferences drawn from any of the personal information collected to create a profile about a consumer. Importantly, S.B. 1121 amended the definition of “personal information” to make clear that identifiers such as IP addresses, geolocation data, or purchasing history are “personal information” only if they can be “reasonably linked, directly or indirectly, with a particular consumer or household.”
22 The CCPA imposes heightened obligations on businesses that sell consumers’ personal information.  For example, covered businesses will be required to provide a conspicuous link, titled “Do Not Sell My Personal Information,” on their Internet homepages and in their online privacy policy, which consumers can use to opt-out of the sale of their information.   Many companies that specialize in big data, however, do not actually sell consumers’ personal information, meaning they arguably would not be subject to these heightened requirements.  (Google, for example, has advertisers describe their target market to Google, at which point Google uses its data to “place” advertisements accordingly. The same is true of Facebook.)
23 Section 1798.130(a)(2) of the CCPA.
24 Businesses may extend the deadline to comply with a consumer’s request by 90 days for complex or voluminous requests.
25 Because regulations issued by the Attorney General will likely impact violations of the CCPA that would give rise to a private cause of action, private party civil damage actions would appear to be subject to this enforcement delay as well.
26 Sections 1798.105(d) and 1798.140(o)(2) of the CCPA.
27 Section 1798.145(a) of the CCPA.
28 These two significant exemptions apply to personal information that is subject to these alternative privacy requirements, but not the entities themselves. This may mean, for example, that industry groups such as health care companies and financial intermediaries  may be required to separate data bases that are subject to HIPPA or Title V of GLBA from data bases that are subject to the CCPA.
29 These exemptions were clarified by S.B. 1121 and are discussed below.
30 The CCPA creates a new “Consumer Privacy Fund” to fund enforcement, with the proceeds from settlement and the collection of penalties being required to be deposited into that fund.
31 While beyond the scope of this Alert, it should be noted that it is unclear whether measurement of damages would be based upon a single data breach or the number of data breaches measured (and multiplied by) each affected consumer. (If the latter interpretation is correct, this multiplier effect significantly increases the liability for the failure to maintain adequate security for a consumer’s personal information.)
32 Due to the highly technical nature of data capture, use and transfer, the California Attorney General may face a rule-making process that will strain governmental expertise.
33 For purposes of liability for a data security breach brought by a private party, Section 1798.150(a)(1) adopts a narrower definition of “personal information,” which is set forth at Section 1798.81.5 of the California Civil Code.

 

Written by:

Dorsey & Whitney LLP
Contact
more
less

Dorsey & Whitney LLP on:

Readers' Choice 2017
Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide

JD Supra Privacy Policy

Updated: May 25, 2018:

JD Supra is a legal publishing service that connects experts and their content with broader audiences of professionals, journalists and associations.

This Privacy Policy describes how JD Supra, LLC ("JD Supra" or "we," "us," or "our") collects, uses and shares personal data collected from visitors to our website (located at www.jdsupra.com) (our "Website") who view only publicly-available content as well as subscribers to our services (such as our email digests or author tools)(our "Services"). By using our Website and registering for one of our Services, you are agreeing to the terms of this Privacy Policy.

Please note that if you subscribe to one of our Services, you can make choices about how we collect, use and share your information through our Privacy Center under the "My Account" dashboard (available if you are logged into your JD Supra account).

Collection of Information

Registration Information. When you register with JD Supra for our Website and Services, either as an author or as a subscriber, you will be asked to provide identifying information to create your JD Supra account ("Registration Data"), such as your:

  • Email
  • First Name
  • Last Name
  • Company Name
  • Company Industry
  • Title
  • Country

Other Information: We also collect other information you may voluntarily provide. This may include content you provide for publication. We may also receive your communications with others through our Website and Services (such as contacting an author through our Website) or communications directly with us (such as through email, feedback or other forms or social media). If you are a subscribed user, we will also collect your user preferences, such as the types of articles you would like to read.

Information from third parties (such as, from your employer or LinkedIn): We may also receive information about you from third party sources. For example, your employer may provide your information to us, such as in connection with an article submitted by your employer for publication. If you choose to use LinkedIn to subscribe to our Website and Services, we also collect information related to your LinkedIn account and profile.

Your interactions with our Website and Services: As is true of most websites, we gather certain information automatically. This information includes IP addresses, browser type, Internet service provider (ISP), referring/exit pages, operating system, date/time stamp and clickstream data. We use this information to analyze trends, to administer the Website and our Services, to improve the content and performance of our Website and Services, and to track users' movements around the site. We may also link this automatically-collected data to personal information, for example, to inform authors about who has read their articles. Some of this data is collected through information sent by your web browser. We also use cookies and other tracking technologies to collect this information. To learn more about cookies and other tracking technologies that JD Supra may use on our Website and Services please see our "Cookies Guide" page.

How do we use this information?

We use the information and data we collect principally in order to provide our Website and Services. More specifically, we may use your personal information to:

  • Operate our Website and Services and publish content;
  • Distribute content to you in accordance with your preferences as well as to provide other notifications to you (for example, updates about our policies and terms);
  • Measure readership and usage of the Website and Services;
  • Communicate with you regarding your questions and requests;
  • Authenticate users and to provide for the safety and security of our Website and Services;
  • Conduct research and similar activities to improve our Website and Services; and
  • Comply with our legal and regulatory responsibilities and to enforce our rights.

How is your information shared?

  • Content and other public information (such as an author profile) is shared on our Website and Services, including via email digests and social media feeds, and is accessible to the general public.
  • If you choose to use our Website and Services to communicate directly with a company or individual, such communication may be shared accordingly.
  • Readership information is provided to publishing law firms and authors of content to give them insight into their readership and to help them to improve their content.
  • Our Website may offer you the opportunity to share information through our Website, such as through Facebook's "Like" or Twitter's "Tweet" button. We offer this functionality to help generate interest in our Website and content and to permit you to recommend content to your contacts. You should be aware that sharing through such functionality may result in information being collected by the applicable social media network and possibly being made publicly available (for example, through a search engine). Any such information collection would be subject to such third party social media network's privacy policy.
  • Your information may also be shared to parties who support our business, such as professional advisors as well as web-hosting providers, analytics providers and other information technology providers.
  • Any court, governmental authority, law enforcement agency or other third party where we believe disclosure is necessary to comply with a legal or regulatory obligation, or otherwise to protect our rights, the rights of any third party or individuals' personal safety, or to detect, prevent, or otherwise address fraud, security or safety issues.
  • To our affiliated entities and in connection with the sale, assignment or other transfer of our company or our business.

How We Protect Your Information

JD Supra takes reasonable and appropriate precautions to insure that user information is protected from loss, misuse and unauthorized access, disclosure, alteration and destruction. We restrict access to user information to those individuals who reasonably need access to perform their job functions, such as our third party email service, customer service personnel and technical staff. You should keep in mind that no Internet transmission is ever 100% secure or error-free. Where you use log-in credentials (usernames, passwords) on our Website, please remember that it is your responsibility to safeguard them. If you believe that your log-in credentials have been compromised, please contact us at privacy@jdsupra.com.

Children's Information

Our Website and Services are not directed at children under the age of 16 and we do not knowingly collect personal information from children under the age of 16 through our Website and/or Services. If you have reason to believe that a child under the age of 16 has provided personal information to us, please contact us, and we will endeavor to delete that information from our databases.

Links to Other Websites

Our Website and Services may contain links to other websites. The operators of such other websites may collect information about you, including through cookies or other technologies. If you are using our Website or Services and click a link to another site, you will leave our Website and this Policy will not apply to your use of and activity on those other sites. We encourage you to read the legal notices posted on those sites, including their privacy policies. We are not responsible for the data collection and use practices of such other sites. This Policy applies solely to the information collected in connection with your use of our Website and Services and does not apply to any practices conducted offline or in connection with any other websites.

Information for EU and Swiss Residents

JD Supra's principal place of business is in the United States. By subscribing to our website, you expressly consent to your information being processed in the United States.

  • Our Legal Basis for Processing: Generally, we rely on our legitimate interests in order to process your personal information. For example, we rely on this legal ground if we use your personal information to manage your Registration Data and administer our relationship with you; to deliver our Website and Services; understand and improve our Website and Services; report reader analytics to our authors; to personalize your experience on our Website and Services; and where necessary to protect or defend our or another's rights or property, or to detect, prevent, or otherwise address fraud, security, safety or privacy issues. Please see Article 6(1)(f) of the E.U. General Data Protection Regulation ("GDPR") In addition, there may be other situations where other grounds for processing may exist, such as where processing is a result of legal requirements (GDPR Article 6(1)(c)) or for reasons of public interest (GDPR Article 6(1)(e)). Please see the "Your Rights" section of this Privacy Policy immediately below for more information about how you may request that we limit or refrain from processing your personal information.
  • Your Rights
    • Right of Access/Portability: You can ask to review details about the information we hold about you and how that information has been used and disclosed. Note that we may request to verify your identification before fulfilling your request. You can also request that your personal information is provided to you in a commonly used electronic format so that you can share it with other organizations.
    • Right to Correct Information: You may ask that we make corrections to any information we hold, if you believe such correction to be necessary.
    • Right to Restrict Our Processing or Erasure of Information: You also have the right in certain circumstances to ask us to restrict processing of your personal information or to erase your personal information. Where you have consented to our use of your personal information, you can withdraw your consent at any time.

You can make a request to exercise any of these rights by emailing us at privacy@jdsupra.com or by writing to us at:

Privacy Officer
JD Supra, LLC
10 Liberty Ship Way, Suite 300
Sausalito, California 94965

You can also manage your profile and subscriptions through our Privacy Center under the "My Account" dashboard.

We will make all practical efforts to respect your wishes. There may be times, however, where we are not able to fulfill your request, for example, if applicable law prohibits our compliance. Please note that JD Supra does not use "automatic decision making" or "profiling" as those terms are defined in the GDPR.

  • Timeframe for retaining your personal information: We will retain your personal information in a form that identifies you only for as long as it serves the purpose(s) for which it was initially collected as stated in this Privacy Policy, or subsequently authorized. We may continue processing your personal information for longer periods, but only for the time and to the extent such processing reasonably serves the purposes of archiving in the public interest, journalism, literature and art, scientific or historical research and statistical analysis, and subject to the protection of this Privacy Policy. For example, if you are an author, your personal information may continue to be published in connection with your article indefinitely. When we have no ongoing legitimate business need to process your personal information, we will either delete or anonymize it, or, if this is not possible (for example, because your personal information has been stored in backup archives), then we will securely store your personal information and isolate it from any further processing until deletion is possible.
  • Onward Transfer to Third Parties: As noted in the "How We Share Your Data" Section above, JD Supra may share your information with third parties. When JD Supra discloses your personal information to third parties, we have ensured that such third parties have either certified under the EU-U.S. or Swiss Privacy Shield Framework and will process all personal data received from EU member states/Switzerland in reliance on the applicable Privacy Shield Framework or that they have been subjected to strict contractual provisions in their contract with us to guarantee an adequate level of data protection for your data.

California Privacy Rights

Pursuant to Section 1798.83 of the California Civil Code, our customers who are California residents have the right to request certain information regarding our disclosure of personal information to third parties for their direct marketing purposes.

You can make a request for this information by emailing us at privacy@jdsupra.com or by writing to us at:

Privacy Officer
JD Supra, LLC
10 Liberty Ship Way, Suite 300
Sausalito, California 94965

Some browsers have incorporated a Do Not Track (DNT) feature. These features, when turned on, send a signal that you prefer that the website you are visiting not collect and use data regarding your online searching and browsing activities. As there is not yet a common understanding on how to interpret the DNT signal, we currently do not respond to DNT signals on our site.

Access/Correct/Update/Delete Personal Information

For non-EU/Swiss residents, if you would like to know what personal information we have about you, you can send an e-mail to privacy@jdsupra.com. We will be in contact with you (by mail or otherwise) to verify your identity and provide you the information you request. We will respond within 30 days to your request for access to your personal information. In some cases, we may not be able to remove your personal information, in which case we will let you know if we are unable to do so and why. If you would like to correct or update your personal information, you can manage your profile and subscriptions through our Privacy Center under the "My Account" dashboard. If you would like to delete your account or remove your information from our Website and Services, send an e-mail to privacy@jdsupra.com.

Changes in Our Privacy Policy

We reserve the right to change this Privacy Policy at any time. Please refer to the date at the top of this page to determine when this Policy was last revised. Any changes to our Privacy Policy will become effective upon posting of the revised policy on the Website. By continuing to use our Website and Services following such changes, you will be deemed to have agreed to such changes.

Contacting JD Supra

If you have any questions about this Privacy Policy, the practices of this site, your dealings with our Website or Services, or if you would like to change any of the information you have provided to us, please contact us at: privacy@jdsupra.com.

JD Supra Cookie Guide

As with many websites, JD Supra's website (located at www.jdsupra.com) (our "Website") and our services (such as our email article digests)(our "Services") use a standard technology called a "cookie" and other similar technologies (such as, pixels and web beacons), which are small data files that are transferred to your computer when you use our Website and Services. These technologies automatically identify your browser whenever you interact with our Website and Services.

How We Use Cookies and Other Tracking Technologies

We use cookies and other tracking technologies to:

  1. Improve the user experience on our Website and Services;
  2. Store the authorization token that users receive when they login to the private areas of our Website. This token is specific to a user's login session and requires a valid username and password to obtain. It is required to access the user's profile information, subscriptions, and analytics;
  3. Track anonymous site usage; and
  4. Permit connectivity with social media networks to permit content sharing.

There are different types of cookies and other technologies used our Website, notably:

  • "Session cookies" - These cookies only last as long as your online session, and disappear from your computer or device when you close your browser (like Internet Explorer, Google Chrome or Safari).
  • "Persistent cookies" - These cookies stay on your computer or device after your browser has been closed and last for a time specified in the cookie. We use persistent cookies when we need to know who you are for more than one browsing session. For example, we use them to remember your preferences for the next time you visit.
  • "Web Beacons/Pixels" - Some of our web pages and emails may also contain small electronic images known as web beacons, clear GIFs or single-pixel GIFs. These images are placed on a web page or email and typically work in conjunction with cookies to collect data. We use these images to identify our users and user behavior, such as counting the number of users who have visited a web page or acted upon one of our email digests.

JD Supra Cookies. We place our own cookies on your computer to track certain information about you while you are using our Website and Services. For example, we place a session cookie on your computer each time you visit our Website. We use these cookies to allow you to log-in to your subscriber account. In addition, through these cookies we are able to collect information about how you use the Website, including what browser you may be using, your IP address, and the URL address you came from upon visiting our Website and the URL you next visit (even if those URLs are not on our Website). We also utilize email web beacons to monitor whether our emails are being delivered and read. We also use these tools to help deliver reader analytics to our authors to give them insight into their readership and help them to improve their content, so that it is most useful for our users.

Analytics/Performance Cookies. JD Supra also uses the following analytic tools to help us analyze the performance of our Website and Services as well as how visitors use our Website and Services:

  • HubSpot - For more information about HubSpot cookies, please visit legal.hubspot.com/privacy-policy.
  • New Relic - For more information on New Relic cookies, please visit www.newrelic.com/privacy.
  • Google Analytics - For more information on Google Analytics cookies, visit www.google.com/policies. To opt-out of being tracked by Google Analytics across all websites visit http://tools.google.com/dlpage/gaoptout. This will allow you to download and install a Google Analytics cookie-free web browser.

Facebook, Twitter and other Social Network Cookies. Our content pages allow you to share content appearing on our Website and Services to your social media accounts through the "Like," "Tweet," or similar buttons displayed on such pages. To accomplish this Service, we embed code that such third party social networks provide and that we do not control. These buttons know that you are logged in to your social network account and therefore such social networks could also know that you are viewing the JD Supra Website.

Controlling and Deleting Cookies

If you would like to change how a browser uses cookies, including blocking or deleting cookies from the JD Supra Website and Services you can do so by changing the settings in your web browser. To control cookies, most browsers allow you to either accept or reject all cookies, only accept certain types of cookies, or prompt you every time a site wishes to save a cookie. It's also easy to delete cookies that are already saved on your device by a browser.

The processes for controlling and deleting cookies vary depending on which browser you use. To find out how to do so with a particular browser, you can use your browser's "Help" function or alternatively, you can visit http://www.aboutcookies.org which explains, step-by-step, how to control and delete cookies in most browsers.

Updates to This Policy

We may update this cookie policy and our Privacy Policy from time-to-time, particularly as technology changes. You can always check this page for the latest version. We may also notify you of changes to our privacy policy by email.

Contacting JD Supra

If you have any questions about how we use cookies and other tracking technologies, please contact us at: privacy@jdsupra.com.

- hide

This website uses cookies to improve user experience, track anonymous site usage, store authorization tokens and permit sharing on social media networks. By continuing to browse this website you accept the use of cookies. Click here to read more about how we use cookies.