privacy – Page 2 – Duane Morris TechLaw

April 20, 2023 by Duane Morris

Vietnam: New Decree on Personal Data Protection

On 17 April 2023, Decree No. 13/2023/ND-CP on personal data protection (PDPD) was officially issued by the Vietnamese Government. The long-awaited and controversial decree is set to be the first ever legal document with comprehensive regulations on both personal data and its protection in Vietnam. With an exception being the grace period of 2 years for SMEs, after 1 July 2023, the PDPD will be applicable to all entities located in Vietnam and/or outside Vietnam but directly con-ducting activities in relation to the processing of personal data in Vietnam.

To read the full text of this blog post by Duane Morris Vietnam partner Dr. Oliver Massmann, please visit the Duane Morris Vietnam Blog.

March 14, 2023 by Sheila Raftery Wiggins

Preservation of Ephemeral Messaging for Business Purposes

Ephemeral messaging is short-lived, yet the data preservation and regulatory obligations remain.

Ephemeral messaging apps – like WhatsApp and SnapChat – are a form of digital communication available for a limited time and then deleted. The two key characteristics of ephemeral messaging are: (1) automated deletion of message content for both the sender and the receiver and (2) end-to-end encryption which enhances privacy by making it more difficult for hackers and others to read the encrypted data while it is in transition between devices.

The three degrees of ephemerality in messaging apps are:

Pure which involves the permanent and automated deletion of messages;
Quasi which permits preservation of messages in certain circumstances; and
Non-ephemeral in which messages usually remain on a source (such as a server) and may not include end-to-end encryption.

The benefits of ephemeral messaging include:

Information governance: Data storage and records preservation/management are reduced by ephemeral messaging.
Legal compliance: Encryption and automatic deletion of personal data help reduce exposure if a data breach occurs.
Data security: Even if a mobile device is lost, the automatic deletion of data will likely protect against hackers.

The legal risks of ephemeral messaging include: (1) complying with subpoenas and (2) preservation of data when litigation is “reasonably anticipated”.

Subpoenas often define documents and communications broadly to capture all communications, including ephemeral messaging. Thus, the failure to preserve documents may result in an inability to fully comply with a subpoena and/or a criminal exposure, particularly if the subpoena was issued by the government.

Regarding the preservation of data, legal hold policies may need to be amended to address ephemeral messaging, including when a company is dealing with government regulators. See e.g., Federal Trade Commission v. Noland, et al., Case No. CV-20-00047-PHX-DWL (D. Ariz. 2021) (sanctioning defendants for installing and using ephemeral messaging after learning they were investigation targets).

Some regulators caution against the use of ephemeral messaging. For example:

The U.S. Securities and Exchange Commission (“SEC”) issued a guidance in 2018 that prohibits business use of apps which permit automatic destruction of messages.
The U.S. Department of Justice (“DOJ”) updated its Evaluation of Corporate Compliance Programs in March 2023 which discusses the factors that prosecutors should consider in conducting an investigation of a corporation including the adequacy and effectiveness of the corporation’s compliance program at the time of the offence as well as at the time of the charging decision.

Accordingly, establishing adequate and effective corporate compliance programs are important, including:

establishing a corporate compliance program which is monitored, updated, and works in practice, and
reviewing the company’s document-retention policies and procedures, including whether they address ephemeral messaging and mobile device data.

In sum, although ephemeral messaging is short-lived, the consequences – of failing to comply with data preservation and regulatory obligations – may be long lasting.

February 13, 2023March 3, 2023 by Duane Morris

Will Website Chat Feature Wiretapping Lawsuits Rise?

Entering the conversation, the United States District Court for the Central District of California recently denied a motion to dismiss claims alleging that a website’s chat features and use of session replay software violate the California Invasion of Privacy Act (CIPA). Notably, this court rejected a forum selection clause in the website’s terms of use and went on to hold that allegations that the plaintiff shared “personal information” in the chat were sufficient to maintain a claim.

Read the full Alert on the Duane Morris LLP website.

January 20, 2023March 3, 2023 by Duane Morris

30-Year-Old Video Tape Statute Fueling New Class Action Lawsuits

Perhaps you are old enough to recall when consumers used to have to go to video stores like Blockbuster Video to rent a movie. And perhaps you recall the excitement of scoring a copy of the always limited “new release.” It was during these “archaic” times that Congress passed the federal Video Privacy Protection Act in response to a newspaper publishing Robert Bork’s video rental history during his U.S. Supreme Court nomination.

Read the full Alert on the Duane Morris LLP website.

October 10, 2022March 3, 2023 by Duane Morris

Does Tracking User Activity on Websites Violate Electronic Interception Laws?

A new wave of class action lawsuits filed in California, Pennsylvania and Florida target companies that use technologies to track user activity on their websites, alleging such practices, when done without obtaining a user’s consent, violate electronic interception provisions of various state laws. The two technologies at issue are: 1) session replay software and 2) coding tools embedded in chat features. Session replay software tracks a user’s interactions with the website—their clicking, scrolling, swiping, hovering and typing—and creates a stylized recording of those interactions and inputs. Coding tools create and store transcripts of the conversations users have in a website’s chat feature. The plaintiffs in this new string of class actions allege that recording their interactions with a website and sending that recording to a third party for analysis without their consent is an illegal invasion of their privacy.

Read the full Alert on the Duane Morris LLP website.

July 17, 2020 by Duane Morris

CJEU Declares Privacy Shield Invalid but Upholds Validity of Model Clauses (Sort Of)

A sense of déjà vu descended over the international data transfer landscape on July 16, 2020. In a landmark ruling, the Court of Justice of the European Union (CJEU) announced that Privacy Shield, one of the main mechanisms used by companies to transfer personal data from the EU to the United States, is invalid.

To read the full text of this Duane Morris Alert, please visit the firm website.

October 23, 2019October 23, 2019 by Eric J. Sinrod

Oregon Senator Proposes Robust Federal Privacy Legislation

Frustrated by privacy lapses by US companies, Democrat Senator Ron Wyden of Oregon has introduced proposed federal legislation referred to as the Mind Your Own Business Act (the Act). If enacted, this law could put serious teeth into efforts to protect consumer data.

Serious Penalties for Noncompliance

Indeed, the Act could cause certain executives to find themselves in prison for as many as twenty years if their companies are found to have lied to legal authorities about improper use of consumers’ personal information. On top of that, the Act could lead to such companies incurring special tax penalties corresponding to executives’ salaries.

If this were not enough, the Act would empower the Federal Trade Commission with the ability to fine companies for violating this law up to four percent of corporate annual revenues. For some companies, this could amount to fines in the billions of dollars. Continue reading “Oregon Senator Proposes Robust Federal Privacy Legislation”

July 23, 2019July 23, 2019 by Duane Morris

California Consumer Privacy Act (“CCPA”) Amendments One Step Closer to Passage

By Angelica A. Zabanal

When the California Consumer Privacy Act (“CCPA”) was passed last year, it was generally acknowledged that the CCPA would need to be clarified prior to its January 1, 2020, implementation. A variety of CCPA amendments are now one step closer to full passage.

Last month, the California Senate Judiciary Committee passed seven amendment bills to the California Consumer Privacy Act (“CCPA”). The bills are now headed to the Committee on Appropriations for a vote. Any bills amended by the Senate will need to return to the Assembly for a vote and a possible reconciliation. Lawmakers have until September 13, 2019 to vote on these CCPA amendments, which are summarized in their current form below:

B. 25 (regarding Employee Exception): Amends the CCPA so that it excludes the collection of personal information (“PI”) from job applicants, employees, business owners, directors, officers, medical staff, or contractors, who would not be considered as “consumers” under the CCPA. Now amended to weaken the employee exception with a sunset exemption on January 1, 2021 and negating the exemption as it pertains to the CCPA’s notice and data breach liability provisions;
B. 846 (regarding Customer Loyalty Programs): Excludes application of certain prohibitions in the CCPA to loyalty or rewards programs. Now amended to prohibit a business from selling consumer PI that was collected as part of a loyalty, reward, discount, premium features, or club card program;
B. 1202 (regarding Data Brokers): Requires data brokers to register with the California Attorney General. Now amended to exclude language that would have provided consumers the right to opt-out of the sale of their personal information by data brokers;
B. 1564 (regarding Disclosure Methods): Requires businesses to provide consumers with two methods for the submission of privacy requests, including a toll-free telephone number at a minimum. Excludes smaller online companies from the toll-free number and allows these companies to provide an email address for submitting privacy requests;
B. 1146 (regarding Warranty and Vehicle Repairs): Exempts vehicle information retained or shared for purposes of a warranty or recall-related vehicle repair. Now amended to provide a clearer description of vehicle recalls;
B. 874 (regarding “Publicly Available” Information): Expands definition of “publicly available” to include information that is lawfully made available from federal, state, or local government records. Amends definition of “personal information” to exclude de-identified or aggregate consumer information. (Approved by the Judiciary Committee without amendments);
B. 1355 (regarding Opt-In Clarification): Exempts de-identified or aggregate consumer information from the definition of PI. Also clarifies that consumers over 13 years of age but younger than 16 years of age are required to opt in. Furthermore, parents need to authorize consent only for consumers under 13 years of age. (Approved by the Judiciary Committee without amendments.)

Stay tuned for more updates from Duane Morris LLP regarding the advancement of these CCPA amendments and join us for our CCPA webinar series.

July 18, 2019July 23, 2019 by Duane Morris

Sandra Jeskie Discusses Alexa in Legaltech News

Duane Morris partner Sandra Jeskie was quoted in Legaltech News in an article titled “Amazon Risks Legal Gray Area by Indefinitely Holding Alexa Recordings.” Sandra discussed privacy policies and data retention with the Alexa device.

Please visit Legaltech News to read the full text (subscription required).