Archive May 2020

Is California ready for CCPA 2.0?

The organization known as Californians for Consumer Privacy announced yesterday that it had secured enough signatures to qualify the California Privacy Rights Act (“CPRA”) for the state’s November 2020 ballot. The CPRA seeks to do the following:

  1. Sensitive Personal Information.  The law will add a new category of information known as “sensitive personal information” and provide new rights for California consumers, allowing them to stop businesses from using their sensitive personal information.
  2. Definitions.  The CPRA may further aim to clarify that sensitive personal information includes the person’s health, financial information, and geolocation data collected without consent.
  3. Right of Correction.  The law will give Californians the right to ask businesses to correct any personal information that is inaccurate.
  4. Data Breach Liability.  The law seeks to revise and clarify the CCPA as it relates to data breach liability.  Specifically, it states that any breaches in which a consumer’s email is compromised along with (1) their password or (2) a security question and answer—which would essentially provide hackers with unfettered access to the consumer’s account—can result in liability for the company.
  5. Children’s privacy.  The law seeks to enhance children’s privacy rights and to triple the CCPA’s fines for collecting and selling private information of minors under 16 years of age.
  6. New Enforcement Arm.  The CPRA seeks to establish a new enforcement authority to help protect consumers’ rights, called “the California Privacy Protection Agency.”
  7. Increased Transparency.  With the help of this new agency and redefined legal requirements, the goal is to increase transparency and to give consumers greater control over their data.


The Swedish Data Protection Authority issues fine against the National Government Service Centre

The Swedish Data Protection Authority imposes an administrative fine of 200,000 Swedish kronor (approximately 18,700 euro) on the National Government Service Centre for failing to notify affected parties as well as the Data Protection Authority about a personal data breach in due time.

It is not so common for a public organization to have to pay a fine. The fine is more symbolic than anything else, as the amount is small and the money will go from one pocket of the Swedish administration to another.