CJEU Declares Privacy Shield Invalid but Upholds Validity of Model Clauses (Sort Of)

A sense of déjà vu descended over the international data transfer landscape on July 16, 2020. In a landmark ruling, the Court of Justice of the European Union (CJEU) announced that Privacy Shield, one of the main mechanisms used by companies to transfer personal data from the EU to the United States, is invalid.

To read the full text of this Duane Morris Alert, please visit the firm website.

The First Amendment Protects Radio Hosts Covering Online Attacks Against A Sports Referee

The University of North Carolina (UNC) NCAA men’s basketball team ended the 2017 season for the University of Kentucky (UK) in a controversial game. Indeed, many UK fans blamed their team’s loss on supposed bad calls by a referee, John Higgins.

The wrath of the UK fans was so intense that Higgins received criticisms at his private job. On top of that, two Kentucky Sports Radio (KSR) hosts, Drew Franklin and Matt Jones (the hosts), vented negative comments about Higgins’ officiating. In so doing, the hosts conveyed online attacks that had been posted about Higgins. While reporting about the online attacks, the hosts at times repeated the attacks word for word, while minimally suggesting that fans not promulgate further attacks.

Higgins believed that the attacks and the reporting harmed him personally and his business. He filed suit against KSR and the hosts, alleging various causes of action. The federal district court dismissed the lawsuit based on the First Amendment, and Higgins appealed to the Sixth Circuit. In a recent decision in Higgins v. Kentucky Sports Radio, the Sixth Circuit agreed that the district court correctly dismissed the case on First Amendment grounds.

Attorney General Submits Final CCPA Regulations for Approval

On June 1, 2020 the California Attorney General (AG) submitted the final text of the CCPA regulations to the California Office of Administrative Law (OAL) for approval. The final regulations appear to be unchanged from the latest draft published on March 11, 2020.

Generally, the OAL has 30 days to review and determine whether to approve the regulations. But currently, an executive order has granted an additional 60 days to finalize proposed regulations in light of the challenges agencies are facing due to COVID-19. Additionally, any regulation that is filed June 1 or later would not typically be effective until October 1. However, an agency can request an earlier effective date if it can demonstrate good cause, which is what the AG has done here. The AG has requested the OAL approve the regulations within 30 days and that an exception be made such that the regulations will be effective upon filing with the Secretary of State.

FTC Clamps Down On Unreliable Coronavirus Marketing Claims

The coronavirus pandemic has caused illnesses, deaths, isolation and tremendous economic disruptions. Not surprisingly, many people are feeling desperate for solutions, and unfortunately, they can fall prey to misleading coronavirus marketing claims.

The Federal Trade Commission (FTC) is seeking to prevent these marketing practices. Indeed, the FTC recently sent ten warning letters to multi-level marketing companies (MLMs) telling them to remove and address claims that the MLMs or their participants are making regarding the supposed ability of products to prevent or treat the coronavirus or about the alleged ability of people to recoup lost income.

COVID-19 Responses in the Telecommunications Industry

In response to the COVID-19 pandemic, legislators and telecommunications regulators have focused primarily on promoting telemedicine, remote learning and better availability of broadband service in general, as well as ensuring that low-income customers will be able to keep their telephone and broadband service during the crisis.

To read the full text of this Duane Morris Alert, please visit the firm website.

Top Tips: Keeping Data Safe When Working Remotely

By John M. Benjamin and Edward Pickard

The coronavirus pandemic has had a severe impact on businesses right across the globe and with a third of the world now in lockdown, thousands of businesses have moved most of their workforce to remote working. Although working from home allows a business to continue operating, it brings significant security risks, placing a greater need to maintain compliance with relevant data security requirements.

Maintaining the security of company data is the responsibility of both the employer and employee and continuing to maintain appropriate security measures is critical at this time. Below are some key points for employees and businesses to keep data secure when working remotely.

How to Heed Privacy Law in the Midst of a Pandemic

As countries grapple with the global threat of COVID-19, some are leveraging user location data and tracking apps to model potential contamination paths. China has tapped into its facial recognition tools to track the virus and has deployed drones that tell people to wear masks. Singapore has launched an app called TraceTogether which uses Bluetooth to determine who could be at risk of infection. And the United Kingdom is reportedly in talks with telecom providers on how to best use location data to stem the crisis.

But the coronavirus turning the world upside down does not mean companies can throw out the General Data Protection Regulation and the California Consumer Privacy Act, as well as other privacy protections.

To read an excerpt from this article, which quotes Duane Morris partner Sandra Jeskie, please visit the firm website.

The Internet Can Help When It Comes To The Coronavirus

Modern life of planes, trains and automobiles brings people together in close physical proximity like never before. Once upon a time, and actually not that long ago in human history, most people never saw anyone else outside of their own village or tribe. Those days are gone, and now we frequently are exposed to people from other cities, states, and countries. That is all well and good for the most part in terms of business and pleasure, except, of course, when it comes to the transmission of communicable diseases.

Just a couple months ago, most Americans had not even heard of the coronavirus which began in China and then started to spread. Now we are bombarded 24/7 with news, facts and fiction about the virus on television, radio, news sites, social media, podcasts and in everyday conversation. We are told that the coronavirus is highly contagious, is spreading exponentially, is a pandemic, could be with us for quite some time, and poses grave health dangers for at-risk segments of populations.

Proposed Modifications to CCPA Regulations – Service Providers, Authorized Agents, Minors, Nondiscrimination and Calculating the Value of Consumer Data

Note: This blog post is the last of three expanding on the information contained in an Alert on the Duane Morris LLP website.

On February 10, 2020, California’s Office of the Attorney General proposed a modified version of the California Consumer Privacy Act (CCPA) regulations first published on October 11, 2019. The initial proposed regulations were summarized in our previous Alert. The deadline for providing comments on the modified proposed regulations is February 25, 2020.

The proposed changes to the requirements for service providers, authorized agents, minors, nondiscrimination and calculating the value of consumer data as set forth in the modified regulations are summarized below.

Section 999.314 – Service Providers

  • Removes language from the prior version that would have prohibited a service provider from using personal information received from a person or entity it services or from a consumer’s direct interaction with the service provider for the purpose of providing services to another person or entity. Clarifies the permitted service provider uses of personal information obtained in the course of providing services to include only the following:
    • Performing the services specified in the written contract;
    • Retaining and employing another service provider as a subcontractor;
    • For its own internal purposes to build or improve the quality of its services, so long as that use does not include building or modifying household or consumer profiles, or cleaning or augmenting data acquired from another source;
    • Detecting security incidents or protecting against fraudulent or illegal activities; or
    • Any other purpose enumerated in the CCPA.
  • Clarifies that a service provider is prohibited from selling data on behalf of a business when the consumer has opted out of the sale of their personal information with the business.
  • Clarifies that if a service provider receives a request to know or delete, the service provider must either act on behalf of the business in responding to the request or inform the consumer that the request cannot be acted upon because it was sent to a service provider.

Section 999.317 – Training and Record Keeping Requirements

  • Increases the threshold for triggering certain data analytics and reporting requirements regarding consumer requests received by the business to those businesses that alone or in combination buy, receive for a commercial purpose, sell or share for commercial purposes the personal information of over 10 million (as opposed to 4 million) consumers in a calendar year (as opposed to annually).

Section 999.326 – Authorized Agent

  • When a consumer uses an authorized agent to submit requests to delete and/or know on the consumer’s behalf, clarifies that the business may require the consumer to (1) provide the agent with written and signed permission to do so, (2) verify their own identity directly with the business and (3) directly confirm with the business that they provided the authorized agent permission to submit the request.
  • Requires authorized agents to implement reasonable security procedures and practices and restrict use of any personal information except to fulfill the consumer’s request, for verification or for fraud prevention.

Section 999.330 – Minors Under 13 Years of Age

  • Requires a business to establish, document and comply with a reasonable method for determining whether the person submitting a request regarding the personal information of a child under the age of 13 is the parent or guardian of that child. The regulations provide several examples of “reasonable methods,” but add language so that the list is not exclusive.

Section 999.336 – Nondiscrimination

  • Clarifies that a business is prohibited from offering a financial incentive or price or service difference if the business is unable to calculate a good-faith estimate of the value of the consumer’s data or cannot show the financial incentive or price or service difference is reasonably related to that value.
  • Confirms that a denial of a consumer’s request to know, delete or opt out for reasons permitted under the CCPA is not discriminatory. Also confirms that a price or service difference that is the direct result of compliance with federal law is not discriminatory.
  • Updates the illustrative examples of discriminatory and nondiscriminatory practices under the CCPA.

Section 999.337 – Calculating the Value of Consumer Data

  • Revenue or profit generated by the business from separate tiers, categories or classes of consumers or typical consumers whose data provides differing value is no longer an explicitly recognized consideration for determining the value of consumer data. However, there is still a catchall for determining the value of consumer data, which includes any practical and reasonably reliable method of calculation used in good faith.
  • For the purposes of calculating the value of consumer data, the business can consider the value of the data of “all natural persons” and not just consumers.