On June 24, the eve of the July 1 enforcement date for the California Consumer Privacy Act (CCPA), the California Secretary of State certified the California Privacy Rights Act (CPRA), the latest brainchild of privacy activist (and CCPA spiritual father) Alastair Mactaggart, to appear on the November 2020 ballot after it gained the requisite number of signatures. Mactaggart’s organization Californians for Consumer Privacy, along with other prominent consumer privacy advocates, had repeatedly expressed frustration with the California legislature’s efforts to amend the CCPA in 2019 at the behest of the business community, and they responded with an even more robust comprehensive privacy law that will align California closely with the European Union’s General Data Protection Regulation (GDPR). Pre-pandemic polling has shown the CPRA to be overwhelmingly popular (with support ranging as high as 90 percent), and it is heavily favored to be approved by the voters this fall.
A new federal COVID-19 data privacy bill with bipartisan
support, the Exposure Notification Privacy Act, would have a substantially narrower
scope of application than two previous partisan draft COVID-19 privacy laws. The bipartisan bill specifically regulates “automated
exposure notification services,” defined as any website or other online or
mobile system “specifically to be used for . . . the purpose of digitally
notifying, in an automated manner, an individual who may have become exposed to
an infectious disease[.]” This
definition of an “automated exposure notification service” is clearly meant to
encompass the rapidly proliferating universe of COVID-19 contact tracing and
notification systems which are increasingly being used to send alerts to
individuals who have come into close physical proximity with someone later
confirmed as COVID-19 positive (although it bears noting that the bill would
regulate any contact tracing system for any infectious disease, not just
COVID-19). Accordingly, this new
bipartisan bill markedly diverges from the approaches of two previous “dueling”
partisan COVID-19 data privacy bills, both of which would have protected
individuals’ COVID-19-related health information in a variety of circumstances,
not only in the context of automated contact tracing. For our comparison of the previously
introduced Democrat- and Republican-sponsored bills, please click
Responding to widespread calls for uniform rules and
restrictions regarding the collection and use of individuals’ COVID-19-related
health information, Congressional Republicans and Democrats have each recently introduced
their own versions of federal COVID-19 data privacy bills. Although both parties’ bills share the same
big-picture goal of protecting individuals’ COVID-19 information, the Democrats
and Republicans have each taken slightly different approaches, resulting in
some crucial distinctions between the dueling bills.
On May 4, 2020, the European Data Protection Board
adopted updated guidelines on what does and does not constitute consent under
the General Data Protection Regulation (GDPR) in certain situations. Consent is one of the lawful bases to process
personal information under GDPR. To be
valid, consent must be freely given, specific, informed, and unambiguous. Consent is freely given only where a data
subject has a genuine choice.
First, the Board made is clear that consent cannot be
freely given where the choice for the data subject is between using the
services of one controller and using the services of a different controller. Therefore, if a controller gives data
subjects the choice of “consent or don’t use my services,” it cannot point to
choice in the marketplace generally as a means to prove that data subjects
using its service have provided valid consent.
Such an argument, according to the Board, would require that controllers
monitor developments in the market to ensure such choice still existed among
its competitors. It would also
constantly raise the question of whether the competitors’ services were
genuinely equivalent to controller’s services.
With schools across the nation closing their physical locations and moving to an online learning environment, it is important for school officials to understand their obligations under the Children’s Online Privacy Protection Act (COPPA). COPPA regulates the collection of personal information from children, who are defined as individuals under the age of 13. Generally speaking, the law prohibits operators of commercial websites or online services from collecting personal information from children without first obtaining verifiable parental consent. A more detailed description of the law’s requirement is located here.
When it comes to online learning, there are a few things to keep in mind. First, COPPA applies to operators of commercial websites and online services. It does not apply to non-profit organizations or educational institutions directly. It, however, does apply to third-party technology companies through which many schools deliver on-line learning. Importantly, when an operator provides a website or online service solely for the educational purpose of the school, and not for a commercial purpose, the school can provide the verifiable consent that is normally required from parents. In this scenario, the school essentially stands in the shoes of parents for purposes of consent.
Despite the global pandemic, the California Attorney General will begin enforcing the California Consumer Privacy Act on July 1 as planned, so even in this new work-from-home environment, businesses must continue to work towards compliance and resolve any open issues. One question we’ve been asked is whether the CCPA provides a complete exemption for financial institutions. We address that question below.
The CCPA imposes new requirements on businesses that collect and maintain the personal information of California consumers. It is meant to apply broadly to nearly every type of business that meets certain thresholds, even those, such as financial institutions, that are already regulated by federal privacy law. The Gramm-Leach-Bliley Act regulates the collection and disclosure of much of the same type of personal information that is regulated by the CCPA, and imposes strict requirements on financial institutions to protect customer data and provide notice to customers about the information they collect and maintain. Under the GLBA, financial institutions are required to assess and implement controls for risks to customer information, with a focus on areas that are particularly important to information security, including employee training and management, information systems, and preventing and responding to attacks and system failures.
In the wake of the COVID-19 crisis, much of the workforce has shifted to working remotely, with many workers operating out of makeshift “offices” they created in their homes with little or no warning. Along with this remote work comes an increased cybersecurity threat. We recently issued a client alert to raise awareness about and help companies overcome these evolving challenges. The full alert can be found here. For the sake of brevity, however, we offer some quick tips below:
As data breaches are on the rise, the old adage rings true: it’s not a question of if, but when. More companies are experiencing crippling breaches and the statistics are alarming: According to IBM Security’s Cost of a Data Breach Report 2019, the average cost of a data breach is$3.9 million and the average cost per record lost is $150. There was a time when organizations argued (perhaps correctly) that they could not have anticipated being breached or, even if they were, the size and scope of the compromised data. Such arguments no longer hold water and, increasingly, regulators are examining the reasonableness of the data security practices that were in place at the time of the breach, which can lead to fines and penalties tacked on to an already costly situation.
Ann-Marie Luciano and Jawaria Gilani of our firm’s State Attorneys General Practice analyzed recent state Attorney General and FTC enforcement actions to identify eight data security best practices that companies can adopt to mitigate the likelihood of a breach. Their findings are summarized on the infographic that can be accessed here:
John and Jennifer Politi, purchasers of several Ring
products, have filed a putative class action lawsuit against Ring, LLC arising
out of Ring’s alleged failure to implement industry standard security features
into its products. The case has been
consolidated with a similar case that was filed in the U.S. District Court for
the Central District of California in December 2019.
The allegations in the class action complaint are
certainly disturbing. The Plaintiffs allege
that they purchased various Ring products, including a video doorbell and
outdoor and indoor video surveillance cameras.
They allege that Ring’s advertisements include statements that these
products bring the purchaser “peace of mind.”
They also allege that Ring represents to its customers that privacy and
security is “at the top of [Ring’s] priority list” and that Ring takes measures
“to help secure Ring devices from unauthorized access.”
On February 7, 2020, California
Attorney General Xavier Becerra published modified
regulations for the California Consumer Privacy Act after reviewing the
public comments received on the initial draft regulations. While the modified regulations provide some
much-needed clarity, they also leave some notable gaps. One of those gaps is the lack of clear
guidance on what it means for a piece of data to meet the definition of
“personal information” because it can be “reasonably linked” to a particular consumer
The question is an important
one. The Act applies only to those entities
that do business in California, collect consumers’ personal information,
determine the purposes and means of processing that information, and meet one
of three thresholds. One of those
thresholds is that the business “annually buys, receives for the business’s
commercial purposes, sells, or shares for commercial purposes, alone or in
combination, the personal information of 50,000 or more consumers, households,
Given the magnitude of internet
activity, that threshold may not be as high as it initially appears. Businesses routinely collect the IP addresses
of visitors to their websites and can tell when those IP addresses are
associated with a California user. If
those IP addresses meet the definition of “personal information” and the
business uses them for a commercial purpose, then, on average, only 140
Californians per day need to access the website for the business to meet the 50,000-consumer
threshold. Yet the business may collect further
personal information, such as a name and shipping address, from a much more limited
subset of those visitors. For example,
an e-commerce business may log hundreds of thousands of visits to its website
from unique California IP addresses, but complete very few sales to California
consumers. Consequently, whether the Act
applies to that business may turn on whether the IP address information meets
the definition of “personal information” under the Act.
In the new digital world, individuals and businesses are almost entirely dependent on computer technology and electronic communications to function on a daily basis. Although the power of modern technology is a source of opportunity and inspiration—it also poses huge challenges, from protecting privacy and securing proprietary data to adhering to fast-changing statutory and regulatory requirements. The Cyber Law Monitor blog covers privacy, data security, technology, and cyber space. It tracks major legal and policy developments and provides analysis of current events.
Subscribe For Updates
Thank you for registering. Please check your email to confirm your subscription.
This Blog/Website is made available by the lawyer or law firm publisher for educational purposes only as well as to give you general information and a general understanding of the law, not to provide specific legal advice. By using this blog site you understand that there is no attorney client relationship between you and the Blog/Website publisher. The Blog/Website should not be used as a substitute for competent legal advice from a licensed professional attorney in your state.