Amendments to the CCPA Ready for Governor’s Signature

By:  Michelle Hon Donovan, Brandi Taylor and Angelica Zabanal

Last Friday, September 13, 2019, marked the final day for the California Legislature to vote to pass amendments intended to clarify the terms and scope of the California Consumer Privacy Act (CCPA), which takes effect on January 1, 2020. The bills are now on Governor Gavin Newsom’s desk for approval, and the Governor will have until October 13, 2019, to sign or veto them.

Of the CCPA amendment bills that were in consideration, the following were passed:

  • AB 25, regarding employee exemption
  • AB 874, regarding the definition of PI (personal information)
  • AB 1146, regarding warranty and vehicle repairs
  • AB 1355, regarding the B2B exemption and other clarifying amendments
  • AB 1564, regarding toll-free telephone number exception

Also of note, AB 1130, a bill that does not specifically amend the CCPA, passed as well. This bill expands the categories of PI covered by California’s data breach notification laws, which will now include tax identification numbers, passport numbers, military identification numbers and unique identification numbers issued on a government document, as well as certain types of specified unique biometric data. This expansion is anticipated to impact liability under the CCPA’s private right of action.

While not an exhaustive list of the bills that stalled during the legislative process, the following bills of note failed to be passed by the legislature:

  • AB 873, regarding the definition of de-identified
  • AB 846, regarding customer loyalty programs
  • AB 981, regarding exemption for certain insurance transactions

While the approved amendments did not significantly overhaul the CCPA, several notable changes were made. Please see our Alert for a detailed discussion of these changes.

California Consumer Privacy Act (“CCPA”) Amendments One Step Closer to Passage

By Angelica A. Zabanal

When the California Consumer Privacy Act (“CCPA”) was passed last year, it was generally acknowledged that the CCPA would need to be clarified prior to its January 1, 2020, implementation. A variety of CCPA amendments are now one step closer to full passage.

Last month, the California Senate Judiciary Committee passed seven amendment bills to the California Consumer Privacy Act (“CCPA”).  The bills are now headed to the Committee on Appropriations for a vote. Any bills amended by the Senate will need to return to the Assembly for a vote and a possible reconciliation.  Lawmakers have until September 13, 2019 to vote on these CCPA amendments, which are summarized in their current form below:

  • A.B. 25 (regarding Employee Exception): Amends the CCPA so that it excludes the collection of personal information (“PI”) from job applicants, employees, business owners, directors, officers, medical staff, or contractors, who would not be considered as “consumers” under the CCPA. Now amended to weaken the employee exception with a sunset exemption on January 1, 2021 and negating the exemption as it pertains to the CCPA’s notice and data breach liability provisions;
  • A.B. 846 (regarding Customer Loyalty Programs): Excludes application of certain prohibitions in the CCPA to loyalty or rewards programs. Now amended to prohibit a business from selling consumer PI that was collected as part of a loyalty, reward, discount, premium features, or club card program;
  • A.B. 1202 (regarding Data Brokers): Requires data brokers to register with the California Attorney General. Now amended to exclude language that would have provided consumers the right to opt-out of the sale of their personal information by data brokers;
  • A.B. 1564 (regarding Disclosure Methods): Requires businesses to provide consumers with two methods for the submission of privacy requests, including a toll-free telephone number at a minimum. Excludes smaller online companies from the toll-free number and allows these companies to provide an email address for submitting privacy requests;
  • A.B. 1146 (regarding Warranty and Vehicle Repairs): Exempts vehicle information retained or shared for purposes of a warranty or recall-related vehicle repair. Now amended to provide a clearer description of vehicle recalls;
  • A.B. 874 (regarding “Publicly Available” Information): Expands definition of “publicly available” to include information that is lawfully made available from federal, state, or local government records. Amends definition of “personal information” to exclude de-identified or aggregate consumer information. (Approved by the Judiciary Committee without amendments);
  • A.B. 1355 (regarding Opt-In Clarification): Exempts de-identified or aggregate consumer information from the definition of PI. Also clarifies that consumers over 13 years of age but younger than 16 years of age are required to opt in. Furthermore, parents need to authorize consent only for consumers under 13 years of age. (Approved by the Judiciary Committee without amendments.)

Stay tuned for more updates from Duane Morris LLP regarding the advancement of these CCPA amendments and join us for our CCPA webinar series.

What Trends Are Shaping Blockchain In The Legal Industry? 7 Experts Share Their Insights

Daniel Tarr

Nobody should feel smarter than their lawyer. Whether you’re on death row or in a corporate boardroom, legal counsel should provide you with peace of mind. This becomes impossible with one sniff of incompetence or uselessness.

The need for relevancy will drive blockchain adoption in the legal industry. As customers learn how blockchain (and smart contracts in particular) improve security, they may seek out lawyers who understand it too.

[…]

“The biggest trend that will shape blockchain use and adoption in the legal industry is the increased use of artificial intelligence in the legal industry.  The rise of AI solutions and products to assist in contract drafting, litigation, and other legal services will require the use of secure tracking and storage systems that can be directly integrated with the AI solutions. Blockchain is well positioned to fulfill that requirement.”

To read the full text of this article quoting Duane Morris attorney Daniel Tarr, please visit the Disruptor Daily website.

 

Executive Order Addresses Foreign Threats to U.S. Information and Communications Technology and Services Systems

On May 15, 2019, President Donald Trump signed Executive Order 13873, “Securing the Information and Communications Technology and Services Supply Chain” (Federal Register Vol. 84, No. 96, pages 22689-92).

Supported by various laws and regulations, the president determined that the United States’ information communication technology systems are increasingly under threat from “foreign adversaries,” defined as “any foreign government or foreign non-government person engaged in a long-term pattern or serious instances of conduct significantly adverse to the national security of the United States or security and safety of United States persons.” These systems and services are targets for “malicious cyber-enabled actions, including economic and industrial espionage” as they “store and communicate vast amounts of sensitive information, facilitate the digital economy, and support critical infrastructure and vital emergency services.”

To read the full text of this Duane Morris Alert, please visit the firm website.

The California Consumer Privacy Act of 2018 Webinar Series

Duane Morris will present The California Consumer Privacy Act of 2018 Webinar Series: Strategies for the New Era of Strict Consumer Privacy Protections. The first program, “Understanding the New California Consumer Privacy Act: Why The CCPA Applies to You and Practical Steps You Can Take Now to Comply,” will be held on Thursday, May 23, 2019, from 1:00 p.m. to 2:00 p.m. (Pacific).

For more information or to register, please visit the event website.

What Is Personal Information? In Legal Terms, It Depends

In early March, cybersecurity professionals around the world filled the San Francisco Moscone Convention Center’s sprawling exhibition halls to discuss and learn about everything infosec, from public key encryption to incident response, and from machine learning to domestic abuse.

[…]

Companies should not overthink [data privacy and personal information]. Instead, data privacy lawyers said businesses should pay attention to what information they collect and where they operate to best understand personal data protection and compliance.

As Duane Morris LLP intellectual property and cyber law partner Michelle Donovan said:

“What it comes down to, is, it doesn’t matter what the rules are in China if you’re not doing business in China. Companies need to figure out what jurisdictions apply, what information are they collecting, where do their data subjects reside, and based on that, figure out what law applies.”

To read the full text of this article, please visit the MalwareBytes website.

Emerging Product Liability Concerns for Medical 3D Printing

Duane Morris partner Sean Burke authored the Medical Device and Diagnostic Industry article, “Emerging Product Liability Concerns for Medical 3D Printing.”

Mr. Burke writes:

Additive manufacturing, commonly known as 3-dimensional (3D) printing, has been billed as the new industrial revolution. It is a lofty prediction; but we are seeing this prognostication materialize. Everyday consumer products ranging from children’s toys to running shoes are being 3D printed, sometimes right in consumer stores or at home. More and more manufacturers have begun or are exploring additive manufacturing options for their products. 3D-printed products even won an Oscar, when Ruth Carter won Best Costume Design for her work in the movie Black Panther, where portions of Carter’s costumes were 3D printed. From everyday consumer products, to its appearance on the red carpet, 3D printing has arrived.

Recognizing the potential advantages, endless possibilities, and unique manufacturing capabilities offered by 3D printing, more and more medical device manufacturers are entering this new field of technology. However, industry standards and regulations lag behind the pace of innovation. The unique aspects and potential availability of additive manufacturing raise novel products liability issues that may impact traditional product liability litigation doctrines. This article examines the current status of additive manufacturing as well as potential issues and uncertainties it raises for the future of product-liability litigation.

To read the full article, visit the Medical Device and Diagnostic Industry website.

Pa. Supreme Court Rules Employers Have Legal Duty to Protect Employees’ Personal Information from Data Breaches

On November 21, 2018, the Pennsylvania Supreme Court ruled that the University of Pittsburgh Medical Center (UPMC) had a legal duty to exercise reasonable care to protect sensitive employee information against an unreasonable risk of harm when that information is stored on an internet-accessible computer system. Dittman v. UPMC, No. 43 WAP 2017 (Pa. Nov. 21, 2018). In doing so, the Court made clear that the criminal acts of third parties who may breach a computer system do not alleviate the legal duty on a business to protect such information. The Court further held that the economic loss doctrine (a doctrine that precludes tort cases where the loss is purely monetary) did not apply in this case because the legal duty to protect sensitive employee information exists independently from any contractual obligations between the parties.

Visit the Duane Morris LLP website to read the full Alert.

Ransomware: A Growing Threat

Ransomware, a method of electronically attacking corporations and individuals by holding their data hostage, has gained massive popularity amongst hackers in the last several years. Ransomware is the first form of malware to present the threats of both the destruction of important data and the economic harm the loss of that data can create. Ransomware attacks will continue to increase in scope and severity in years to come, necessitating continuous vigilance.

In essence, ransomware acts by taking data that is of value to an entity but not deleting it. The ransomware acts as a figurative glass wall, allowing the owner of the data to physically possess that data but not access it. This is accomplished by implanting a virus on the owner’s hard drive, usually by means of an infected link in an email or other innocuous-looking document. Once the link is clicked, the ransomware works by encrypting the entire storage system. The hackers then threaten to destroy the data unless a ransom is paid.

2017 saw some of the worst ransomware attacks to date, escalating exponentially in size and gravity over previous years. According to a study by the Kaspersky Lab, over 479 million attacks occurred from online sources during the first quarter of 2017, up by over 250 percent from years past. These attacks ranged across countries and industries, and plagued corporations of all sizes.

To read the full text of this article by Duane Morris attorneys Anjali Kulkarni and Joseph M. Burton, please visit The Bar Association of San Francisco website.

© 2009- Duane Morris LLP. Duane Morris is a registered service mark of Duane Morris LLP.

The opinions expressed on this blog are those of the author and are not to be construed as legal advice.
