
Patricia O'Connell
Senior Communications Manager

Kirk Nahra Discusses California Privacy Law’s Impact on Corporate Compliance Programs

LegalTech News
July 13, 2018

Kirk J. Nahra, chair of Wiley Rein’s Privacy & Cybersecurity Practice, was quoted extensively in a July 11 LegalTech News article, addressing the impact of the California Data Privacy Protection Act on corporate compliance programs. The new law applies to companies based in California with more than $25 million in annual revenue that buy, sell, or process personal information of the state’s residents or that make more than half their annual revenue from such activities, according to the article.

Mr. Nahra noted that while the law is “analogous to the EU’s General Data Protection Regulation [GDPR],” its requirements are more reactive than directive. “GDPR has more upfront rules on what you can or cannot do. The California law is very much along the lines of, you have to tell people what you are doing, and they have to tell you in certain situations not to do it.”

LegalTech News reported that the law impacts only California residents, so companies will have to decide whether to overhaul all of their data-collection operations, or just make operational adjustments for their California clients.

“In the same way that most U.S. companies, though not all, have chosen not to implement GDPR all over the world, we’re going to have the same issue with California and the broader U.S.,” Mr. Nahra said.

He also pointed to uncertainty among stakeholders as to whether the law applies only to consumers’ personal data, or covers company employee data as well. “There is an ongoing debate among my peers right now about if data on employees is covered or not,” he said. Under the broader interpretation, many more enterprises would be impacted by the regulation.

Mr. Nahra also discussed the law’s caveat that while businesses may offer financial incentives to consumers for the collection, sale, or deletion of personal data, those incentives may not be unjust or unreasonable.

In-house legal departments will have to determine what constitutes “unjust, unreasonable, coercive, or usurious in nature,” because barring any specific regulatory guidance, such restrictions can be fluid, Mr. Nahra said.

To read the full article, please click here (subscription required).