The Office of the Attorney General has released the long-anticipated proposed CCPA regulations. The proposed regulations outline procedures intended to facilitate consumers’ new rights under the CCPA and provide compliance guidance to businesses regarding:
- Notices businesses must provide to consumers under the CCPA;
- Handling consumer requests made pursuant to the CCPA;
- Verifying the identity of the consumer making those requests;
- Personal information of minors; and
- Nondiscrimination and offering of financial incentives.
Please see our Alert for a detailed discussion of the proposed regulations.
Governor Gavin Newsom signed five CCPA amendment bills into law on Friday, October 11, 2019. He also signed an amendment broadening the California breach notification law and a new law which creates a data broker registry for the sale of certain personal information. The event marked the culmination of the California Legislature’s efforts this year to clarify the terms and scope of the CCPA, which takes effect on January 1, 2020.
A summary of these laws and their impact may be found in our previous Alert.
Stay tuned to the Duane Morris TechLaw Blog for developments regarding the CCPA and its implementation.
The newest Nevada privacy law, SB 220, is about to become operative on October 1, 2019, and will require website operators to provide consumers with the right to opt out of the sale of their personal information. The definition of what constitutes a “sale” is fairly narrow and includes several broad exclusions. Therefore, this opt-out provision is likely to apply only in narrow circumstances. However, businesses that may be covered by this new law will need to complete the following items prior to October 1:
- Determine whether the law applies to your business.
- Confirm compliance with existing consumer notice requirements.
- Establish a designated request address where consumers may submit a verified request to opt out of the sale of their covered information.
- Develop policies, procedures and processes for verifying and responding to requests within 60 days.
Please see our Alert for a detailed discussion of this law and when it applies.
In early March, cybersecurity professionals around the world filled the San Francisco Moscone Convention Center’s sprawling exhibition halls to discuss and learn about everything infosec, from public key encryption to incident response, and from machine learning to domestic abuse.
Companies should not overthink [data privacy and personal information]. Instead, data privacy lawyers said businesses should pay attention to what information they collect and where they operate to best understand personal data protection and compliance.
As Duane Morris LLP intellectual property and cyber law partner Michelle Donovan said:
“What it comes down to, is, it doesn’t matter what the rules are in China if you’re not doing business in China. Companies need to figure out what jurisdictions apply, what information are they collecting, where do their data subjects reside, and based on that, figure out what law applies.”
To read the full text of this article, please visit the MalwareBytes website.
On November 21, 2018, the Pennsylvania Supreme Court ruled that the University of Pittsburgh Medical Center (UPMC) had a legal duty to exercise reasonable care to protect sensitive employee information against an unreasonable risk of harm when that information is stored on an internet-accessible computer system. Dittman v. UPMC, No. 43 WAP 2017 (Pa. Nov. 21, 2018). In doing so, the Court made clear that the criminal acts of third parties who may breach a computer system do not alleviate the legal duty on a business to protect such information. The Court further held that the economic loss doctrine (a doctrine that precludes tort cases where the loss is purely monetary) did not apply in this case because the legal duty to protect sensitive employee information exists independently from any contractual obligations between the parties.
Visit the Duane Morris LLP website to read the full Alert.
Last week the Future of Privacy Forum (FPF) issued “Best Practices for Consumer Wearables & Wellness Apps & Devices.” The Best Practices are built on the five core principles of privacy protection, which form the foundation for privacy laws in the U.S.: (1) Notice/Awareness; (2) Choice/Consent; (3) Access/Participation; (4) Integrity/Security; and (5) Enforcement/Redress. They also seek to add protections for data that may not be covered by specific sector legislation and to add guidance in areas where general privacy statutes are applicable.
While the Best Practices may appear easy to apply, in practice, they require businesses to develop a comprehensive approach to privacy and data security practices with the guidance of experienced counsel to avoid significant risks in this emerging area.
The Best Practices can be viewed at https://fpf.org/wp-content/uploads/2016/08/FPF-Best-Practices-for-Wearables-and-Wellness-Apps-and-Devices-Final.pdf