By Angelica A. Zabanal
When the California Consumer Privacy Act (“CCPA”) was passed last year, it was generally acknowledged that the CCPA would need to be clarified prior to its January 1, 2020, implementation. A variety of CCPA amendments are now one step closer to full passage.
Last month, the California Senate Judiciary Committee passed seven amendment bills to the California Consumer Privacy Act (“CCPA”). The bills are now headed to the Committee on Appropriations for a vote. Any bills amended by the Senate will need to return to the Assembly for a vote and a possible reconciliation. Lawmakers have until September 13, 2019 to vote on these CCPA amendments, which are summarized in their current form below:
- B. 25 (regarding Employee Exception): Amends the CCPA so that it excludes the collection of personal information (“PI”) from job applicants, employees, business owners, directors, officers, medical staff, or contractors, who would not be considered as “consumers” under the CCPA. Now amended to weaken the employee exception with a sunset exemption on January 1, 2021 and negating the exemption as it pertains to the CCPA’s notice and data breach liability provisions;
- B. 846 (regarding Customer Loyalty Programs): Excludes application of certain prohibitions in the CCPA to loyalty or rewards programs. Now amended to prohibit a business from selling consumer PI that was collected as part of a loyalty, reward, discount, premium features, or club card program;
- B. 1202 (regarding Data Brokers): Requires data brokers to register with the California Attorney General. Now amended to exclude language that would have provided consumers the right to opt-out of the sale of their personal information by data brokers;
- B. 1564 (regarding Disclosure Methods): Requires businesses to provide consumers with two methods for the submission of privacy requests, including a toll-free telephone number at a minimum. Excludes smaller online companies from the toll-free number and allows these companies to provide an email address for submitting privacy requests;
- B. 1146 (regarding Warranty and Vehicle Repairs): Exempts vehicle information retained or shared for purposes of a warranty or recall-related vehicle repair. Now amended to provide a clearer description of vehicle recalls;
- B. 874 (regarding “Publicly Available” Information): Expands definition of “publicly available” to include information that is lawfully made available from federal, state, or local government records. Amends definition of “personal information” to exclude de-identified or aggregate consumer information. (Approved by the Judiciary Committee without amendments);
- B. 1355 (regarding Opt-In Clarification): Exempts de-identified or aggregate consumer information from the definition of PI. Also clarifies that consumers over 13 years of age but younger than 16 years of age are required to opt in. Furthermore, parents need to authorize consent only for consumers under 13 years of age. (Approved by the Judiciary Committee without amendments.)
Stay tuned for more updates from Duane Morris LLP regarding the advancement of these CCPA amendments and join us for our CCPA webinar series.
Duane Morris partner Sandra Jeskie was quoted in Legaltech News in an article titled “Amazon Risks Legal Gray Area by Indefinitely Holding Alexa Recordings.” Sandra discussed privacy policies and data retention with the Alexa device.
Please visit Legaltech News to read the full text (subscription required).
Are the robots going to take over the world?! There is no question that artificial intelligence is finding its way into our everyday lives. Some people love interacting with Alexa as part of their daily activities. Others worry about the loss of autonomy and privacy that accompanies the burgeoning AI world, and some dread that someday humans may become secondary to the artificial intelligence we have created. The AI train already is leaving the station, and before it gets too far down the tracks, what is the federal government doing in terms of potential regulation?
In a time of deep partisan divide in which Republicans and Democrats in Congress disagree on practically everything, a bipartisan group of legislators has reintroduced a bill to accelerate the adoption of artificial intelligence in the federal government. Continue reading The Federal Government Seeks to Get Hip to Artificial Intelligence
Privacy is like oxygen. It generally is not noticed by a consumer until it is gone. California lawmakers, however, are quite aware of privacy and have recently passed perhaps the most strict privacy law in the United States.
Only days ago, the California Consumer Privacy Act of 2018 (“the Act”) was signed into law by Governor Jerry Brown after it had been approved on a unanimous basis by the California State Assembly and the California Senate. The Act does not become operative until 2020, but when it goes it to effect, it will pack a punch. Indeed, the Act will provide great control to consumers with respect to their own personal data. Continue reading New California Law Seeks to Lead the U.S. in Online Privacy Protection
A scholarly law review article talks about the right to privacy in the face of new technology encroachments and speaks of “the right to be let alone.” When was this article written? This year? Last year? No, in 1890, and think of all the technological advancements that jeopardize the right to privacy since then!
The article by Samuel Warren and Louis Brandeis (who later became a renowned U.S. Supreme Court Justice) was titled “The Right to Privacy,” 4 Harvard Law Rev. 193 (1890). It was published in the wake of the development of the portable camera. Obviously, with movable cameras, people could be captured on film doing all sorts of things as never before. This raised a panoply of privacy concerns and heightened the need for the development of laws to address those issues. Continue reading Vanishing Privacy and the Right to Be Let Alone
You might like to think that you can move about in the world without being noticed. Perhaps you relish the idea of being able to disappear into a crowd while not being recognized. But such notions of anonymity are disappearing.
Of course, you probably have heard about GPS tracking that can be used to determine the specific geographic whereabouts of a person. And now facial recognition can be used to pinpoint the identity of a person in a crowd or frankly at any location where the technology is implemented. Continue reading Facial Recognition – You Can Run, but You Cannot Hide
Since the Supreme Court’s decision in Spokeo v. Robins, courts have begun to ratchet back prior decisions on the minimum standard to plead an injury sufficient to establish Article III standing. The recent Eighth Circuit opinion in Braitberg v. Charter Communications adds to the growing number of cases defendants will rely upon to get data breach cases dismissed at the pleadings stage. Braitberg addressed standing in the context of the retention, use, and protection of personally identifiable information. Although the case did not involve a data breach, its holding is however instructive when defending against such cases.
In Braitberg, plaintiff alleged that he was required to provide personally identifiable information to purchase cable services and that the cable provider improperly retained his information long after he cancelled the services in violation of the Cable Communications Policy Act (“CCPA”).
Prior to Spokeo, such claims would have been sufficient to establish Article III standing because the Eighth Circuit permitted the actual injury requirement to be satisfied solely by pleading that there was an invasion of a legal right that Congress created. The Supreme Court in Spokeo held that Article III standing requires a “concrete injury” even in the context of a statutory violation.
With the benefit of Spokeo’s guidance, the Eighth Circuit acknowledged that Spokeo superseded its prior precedent. Accordingly, the panel affirmed the district court’s dismissal of the complaint for lack of Article III standing and failure to state a claim. In doing so, the panel rejected arguments that CCPA created standing to sue where the defendant merely retained the data in violation of the statute with no other injury. It further rejected an economic argument that retention of the data deprived plaintiff of the full value of the services received from the company.
This decision is important for two reasons. First, the Eighth Circuit further narrowed the scope of allegations that will give rise to Article III standing in a post-Spokeo world. Second, in denying the economic argument, the court cut off an alternative avenue by which plaintiffs have successfully alleged harm.
Ransomware attacks are on the rise and expected to reach epidemic proportions. The most publicized attack took place this year at the Hollywood Presbyterian Medical Center when it was forced to declare an “internal emergency” after a ransomware attack locked down its systems. Businesses that are viewed as offering a combination of valuable data and weak security may be seen as attractive to attackers. Some attackers have strictly financial motivations while others may simply be in it for “the data.”
According to Cisco’s Midyear Cybersecurity Report, email and malicious advertising are the primary ways ransomware infiltrates a system. Businesses often pay the ransom but even when paid, files may be lost or altered in ways that could be devastating to the business.
Cisco reports that companies entering into M&A deals often do not conduct enough due diligence on the risk posture of the acquired business and realize their shortcomings after the deal is done, when it is too late to remediate problems or when it’s harder to do so because the networks are intertwined.
What can you do? Robust security is clearly the first step to prevent attacks and that begins with the creation of a comprehensive privacy and security roadmap that addresses high risk areas, compliance gaps and specific tactics for incident preparedness. It is important to involve experienced counsel at the outset to not only advise on the array of federal and state privacy and cybersecurity laws and help develop the policy but also to direct any security investigation so that consultants can report potential vulnerabilities to outside counsel to protect potentially negative findings from discovery in future litigation.
On September 7th, the Federal Trade Commission will begin its series of seminars on new and emerging technologies with a workshop on ransomware.
Last week the Future of Privacy Forum (FRF) issued “Best Practices for Consumer Wearables & Wellness Apps & Devices. The Best Practices are built on the five core principles of privacy protection, which form the foundation for privacy laws in the U.S.: (1) Notice/Awareness; (2) Choice/Consent; (3) Access/Participation; (4) Integrity/Security; and (5) Enforcement/Redress. They also seek to add protections for data that may not be covered by specific sector legislation and to add guidance in areas where general privacy statues are applicable.
While the Best Practices may appear easy to apply, in practice, they require businesses to develop a comprehensive approach to privacy and data security practices with the guidance of experienced counsel to avoid significant risks in this emerging area.
The Best Practices can be viewed at https://fpf.org/wp-content/uploads/2016/08/FPF-Best-Practices-for-Wearables-and-Wellness-Apps-and-Devices-Final.pdf
Following the July 12, 2016, adoption by the European Commission of the EU-U.S. Privacy Shield (the “Privacy Shield”), companies engaging in trans-Atlantic data sharing can now register for the Privacy Shield. It replaces the prior Safe Harbor Program, which was invalidated by the European Court of Justice on October 6, 2015, when it ruled that the data of European citizens was not safe when stored on U.S. computer servers given the U.S. government’s ability to access information through its intelligence services.
The new Privacy Shield provides transparency in how companies use personal data, robust U.S. government oversight and increased cooperation with EU data protection authorities (the “DPA”). It includes more rigorous monitoring and enforcement by the U.S. Department of Commerce (the “Department”) and the Federal Trade Commission (“FTC”). Because the Privacy Shield is enforceable as U.S. law against a registered company, it is essential to ensure its compliance before registering.
Key provisions of the Privacy Shield include:
- Informing Individuals About Data Processing: The Privacy Shield requires more heightened notice standards than under the Safe Harbor, including additional requirements for participants’ privacy policies.
- Providing Free and Accessible Dispute Resolution: The Privacy Shield outlines several dispute resolution mechanisms and specific timelines for handling disputes.
- Cooperating with the Department of Commerce: Participants should promptly respond to Department inquiries and requests for information relating to the Privacy Shield.
- Ensuring Accountability for Data Transferred to Third Parties: Participants must enter into written agreements with third parties to ensure that data is processed for limited and specified purposes consistent with the consent provided by the individual, that the third party will provide the same level of protection and that the third party will provide notification if it can no longer meet its obligation.
- Transparency Related to Enforcement Actions: The Privacy Shield seeks to create greater transparency for enforcement actions by making public any Privacy Shield-related sections of any compliance or assessment reports submitted to the FTC as a result of an FTC or court order based on non-compliance.
- Potential Additions in the Future: The Privacy Shield is designed to be updated with time to address evolving issues and accommodate the General Data Protection Regulation (effective in 2018).
The requirements of the Privacy Shield are different than its predecessor Safe Harbor. It may be prudent for companies engaging in the cross-border transfer of data to consult legal counsel experienced with the Privacy Shield to ensure compliance.