The Federal Trade Commission (FTC) recently announced a compliance sweep of companies claiming to be in compliance with the U.S.-EU Privacy Shield and U.S.-Swiss Privacy Shield Frameworks. The two Privacy Shield programs enable companies to self-certify that they have adopted a set of data protection practices that bring their businesses in line with European data protection law. Because the U.S. lacks a generally applicable federal data protection law, and because its data protection standards are less stringent than those in the EU, the U.S. is considered an “inadequate” jurisdiction under European law, and transfers of personal data to the U.S. are generally barred. However, a company that adopts data protection practices consistent with the requirements of European law may self-certify its compliance with the U.S.-EU and U.S.-Swiss Privacy Shield frameworks to the U.S. Department of Commerce. Adherents to the Privacy Shield frameworks can then represent their data protection practices as “adequate” under EU law, permitting the lawful transfer of personal data about EU data subjects to the U.S. under the European Union’s General Data Protection Regulation and the Swiss Data Protection Act.
Texas is one of the many states that appeared to be following in the footsteps of California’s enactment of a broad consumer privacy law (the California Consumer Privacy Act), which has far-ranging implications for businesses and consumers. Two comprehensive data privacy bills, HB 4390 and HB 4518, were filed and heard at the last legislative session. HB 4518, also known as the Texas Consumer Privacy Act, proposed overarching consumer protection legislation that closely resembled the California Consumer Privacy Act. HB 4518 stalled in the Texas House of Representatives in favor of HB 4390. HB 4390, also known as the Texas Privacy Protection Act, was introduced as comprehensive data privacy legislation but was significantly less detailed than HB 4518. HB 4390 went through several rounds of revisions in both the Texas House and Senate until it was whittled down to its final version, which revises the notification requirements of the Texas Identity Theft Enforcement and Protection Act and creates the Texas Privacy Protection Advisory Council to develop recommendations for future data privacy legislation. HB 4390 has passed both the Texas House and Senate and is awaiting the governor’s signature to be enacted.
Over the past several weeks, the California State Assembly has voted in favor of advancing to the California Senate bills that would narrow the reach of the California Consumer Privacy Act (CCPA). Senate bills did not fare as well and have died. Two of the CCPA amendment bills moving forward have the potential to greatly benefit businesses by providing exemptions for employee data and loyalty programs. These bills will become law if passed by the California Senate and ultimately signed by the governor.
As we have previously reported, California legislators have introduced numerous bills to amend the CCPA since it first passed. The “house of origin” deadline – the last day for each house to pass bills introduced in that house – was May 31, 2019. Most significantly, AB 25 proceeded forward, clarifying that the definition of a consumer does not include employees, and SB 561 died, ending (for now) the notion of an expanded private right of action. We will continue to monitor the bills that are proceeding. A summary of what has happened with the CCPA amendment bills follows below. In addition, we note the status of several bills that are not CCPA amendments but address privacy issues.
Last week, Nevada Governor Steve Sisolak signed new privacy legislation into law in Nevada. Senate Bill 220 (SB 220) amends Chapter 603A of the Nevada Revised Statutes to give consumers a new right to opt out of the sale of their data. The law takes effect Oct. 1, 2019, three months before the more comprehensive California Consumer Privacy Act (CCPA). Accordingly, the Nevada law will be the first law in the United States granting consumers the right to opt out of data sales.
The California Consumer Privacy Act (CCPA), effective Jan. 1, 2020, will require more privacy transparency and choice for consumers than they have ever had under U.S. law, but its approach to giving consumers the right to opt out of a sale of their personal information threatens to disrupt the third-party digital advertising ecosystem. Most consumers are aware that adtech has evolved to enable tracking technologies to monitor online usage across time and sites in order to build interest profiles tied to pseudonymous identifiers, thereby permitting advertisers to serve ads tailored to likely interests. Consumers benefit from getting more relevant ads, which advertisers will pay more to place, which in turn generates more revenue for publishers, thereby fostering free, ad-supported content that also benefits consumers. Win-win, right? Not so fast, some say; tracking and targeting are intrusive, or at least creepy, and consumers should have a choice about who can learn what about them and use that information to advertise to them. In response to that consumer concern, the U.S. advertising industry developed a transparency and choice paradigm that relies on notices and opt-outs. In addition, users of online services can employ techniques such as ad blockers and limiting cookies. Google recently announced that it will ban device fingerprinting for ad personalization, citing lack of user transparency and control, and will enable users to block third-party cookies, a typical adtech tool, while permitting first-party cookies, a typical publisher tool. However, the CCPA is poised to upset this approach to consumer choice through its “do-not-sell” right, which provides an opt-out choice for consumers age 16 and older but requires opt-in consent from youth between 13 and 16, and parental consent for children under 13.
Financial institutions that are subject to the Gramm-Leach-Bliley Act (GLBA) can find practical tips that address their unique data security challenges in the 2019 Data Security Incident Report (DSIR). Money remains a strong motivating force for many threat actors. According to the 2019 report, finance and insurance remain among the sectors most heavily impacted by data security incidents, with 19% of data at risk involving a financial account. Phishing (responsible for 37% of all incidents, according to our DSIR) and credential stuffing are among the primary ways attackers obtain the keys to a consumer’s financial kingdom: the username and password to an individual’s financial accounts. Armed with these credentials, threat actors can purchase goods or wire, transfer or otherwise move funds out of those accounts with remarkable speed and efficiency. Although multifactor authentication has become increasingly standard for money movement and other higher-risk financial account activity at major financial institutions, as reflected in GLBA regulatory guidance on authentication in an internet banking environment, threat actors have proven increasingly cunning. They often take over the email accounts, or spoof the mobile devices, to which financial institutions send one-time PIN codes, rendering these multifactor safeguards ineffective.
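As an added example (not from the DSIR or from this post), here is a small Python detector for the credential-stuffing pattern the paragraph describes: a single source address cycling through many different usernames with a high failure rate, plus the accounts that did authenticate from that address inside the burst, which are the likely account takeovers. The log format, thresholds and sample log lines are all constructed for illustration and are not any institution’s real format.

```python
"""Credential-stuffing detector over authentication log lines.

Added example; the log format, thresholds and sample lines below are
assumptions constructed for illustration, not a real product's format.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed log format (constructed), one authentication event per line:
#   <ISO-8601 UTC time> ip=<source address> user=<username> result=<OK|FAIL>
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+ip=(?P<ip>\S+)\s+user=(?P<user>\S+)\s+result=(?P<result>OK|FAIL)$"
)

# Constructed sample log: one attacker IP cycling through usernames (mostly
# failures, one success), one user mistyping their own password, and one
# shared office NAT address where many distinct users log in successfully.
SAMPLE_LOG = [
    "2019-05-14T10:00:01Z ip=203.0.113.7 user=alice result=FAIL",
    "2019-05-14T10:00:02Z ip=203.0.113.7 user=bob result=FAIL",
    "2019-05-14T10:00:03Z ip=203.0.113.7 user=carol result=FAIL",
    "2019-05-14T10:00:04Z ip=203.0.113.7 user=dave result=FAIL",
    "2019-05-14T10:00:05Z ip=203.0.113.7 user=erin result=OK",
    "2019-05-14T10:00:06Z ip=203.0.113.7 user=frank result=FAIL",
    "2019-05-14T10:00:07Z ip=203.0.113.7 user=grace result=FAIL",
    "2019-05-14T10:01:00Z ip=198.51.100.4 user=alice result=FAIL",
    "2019-05-14T10:01:10Z ip=198.51.100.4 user=alice result=FAIL",
    "2019-05-14T10:01:20Z ip=198.51.100.4 user=alice result=OK",
    "2019-05-14T10:02:00Z ip=192.0.2.9 user=heidi result=OK",
    "2019-05-14T10:02:05Z ip=192.0.2.9 user=ivan result=OK",
    "2019-05-14T10:02:10Z ip=192.0.2.9 user=judy result=FAIL",
    "2019-05-14T10:02:15Z ip=192.0.2.9 user=judy result=OK",
    "2019-05-14T10:02:20Z ip=192.0.2.9 user=mallory result=OK",
    "2019-05-14T10:02:25Z ip=192.0.2.9 user=niaj result=OK",
    "this line is malformed and is skipped by the parser",
]


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
        "ip": m["ip"],
        "user": m["user"],
        "ok": m["result"] == "OK",
    }


def detect_credential_stuffing(lines, window=timedelta(minutes=10),
                               min_distinct_users=5, min_fail_ratio=0.8):
    """Return {ip: alert} for every source IP that, within some sliding
    window, tried at least `min_distinct_users` different usernames with a
    failure ratio of at least `min_fail_ratio`. The alert records the largest
    such window and lists 'compromised': usernames that authenticated
    successfully from that IP inside it (candidate account takeovers).
    A single user failing repeatedly, or a shared NAT address where most
    logins succeed, is deliberately not flagged."""
    events = [e for e in map(parse_line, lines) if e]
    events.sort(key=lambda e: e["ts"])
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)

    alerts = {}
    for ip, evs in by_ip.items():
        start = 0
        for end in range(len(evs)):
            # Shrink the window from the left until evs[start..end] fits.
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            chunk = evs[start:end + 1]
            users = {e["user"] for e in chunk}
            fails = sum(1 for e in chunk if not e["ok"])
            ratio = fails / len(chunk)
            if len(users) >= min_distinct_users and ratio >= min_fail_ratio:
                prev = alerts.get(ip)
                if prev is None or len(chunk) > prev["attempts"]:
                    alerts[ip] = {
                        "attempts": len(chunk),
                        "distinct_users": len(users),
                        "fail_ratio": ratio,
                        "compromised": sorted(e["user"] for e in chunk if e["ok"]),
                    }
    return alerts


if __name__ == "__main__":
    for ip, alert in detect_credential_stuffing(SAMPLE_LOG).items():
        print(ip, alert)
```

The failure-ratio condition is what separates an attacker from a shared office or carrier-grade NAT address: both show many distinct usernames, but legitimate users mostly succeed. Accounts in the `compromised` list are the ones to step up to a second factor that does not ride on the same email or phone channel an attacker may already control.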
There is always significant negotiation around caps on liability when negotiating a contract with a technology vendor. If the vendor will have access to the personal information of its customers’ end users (regardless of whether those end users are employees or customers), the treatment of caps on liability takes on heightened importance. In fact, limitations of liability are a key indicator of the allocation of risk between the parties. Both parties seek to insulate themselves from liability and minimize the financial harm in the event of a data security incident. Vendors have become increasingly reluctant to accept unlimited liability for harms caused by security incidents, going to great lengths to narrowly tailor the situations in which they will bear risk. Customers, in turn, have become increasingly reluctant to have a data security incident treated as an ordinary contract breach subject to ordinary contract damages. The resulting compromise, in many instances, is the “super cap.” The super cap is a number greater than the general cap on liability but less than unlimited liability. It can take many forms; for example, a multiple of fees paid, a multiple of the fees paid in the preceding 12 months, a number tied to insurance coverage or a flat dollar amount.
After passing the Senate nearly unanimously, the Washington Privacy Act (SB 5376) has stalled in the House of Representatives. The bill failed to achieve passage out of committee by the April 17 deadline for consideration of bills originating in the opposite house, and was returned to the Senate on April 28. As a result, SB 5376 is unlikely to pass this year.
SB 5376 gained early support from Washington’s technology industry, which helped it achieve easy passage in the Senate. Upon reaching the House, however, the bill met with strong resistance from civil liberties groups. The ACLU of Washington had announced that it would make privacy legislation a focus of the group’s 2019 legislative agenda, sponsoring legislation to place limitations on the use of automated decision-making systems employed by public agencies (see HB 1655 and SB 5527). After its own legislation failed to gain traction, the ACLU opposed SB 5376, arguing that exemptions in the bill would create loopholes that would render the legislation’s privacy protections toothless. Opponents also took issue with the fact that the bill lacked a private right of action, leaving enforcement authority exclusively with the Attorney General’s Office. Additionally, detractors worried that the bill’s protections relating to facial recognition technology were insufficient, noting that the use of facial recognition could lead to law enforcement inequities because such technologies can produce disparate results when applied to different racial and ethnic groups. Just a day before SB 5376 died in committee, the ACLU, the Electronic Frontier Foundation and four other civil liberties groups issued a joint statement opposing the legislation.
On April 26, 2019, the U.S. Department of Health & Human Services (HHS) announced that the annual penalty cap for three of the four tiers of HIPAA violations would be reduced significantly to match what HHS called a “better reading” of inconsistent language in the Health Information Technology for Economic and Clinical Health Act’s (HITECH) penalty scheme.
Last Tuesday, the California Assembly’s Committee on Privacy and Consumer Protection (Assembly Privacy Committee), which has jurisdiction over matters related to privacy, the protection of personal information and information technology, held a committee hearing in which it voted in favor of advancing eight industry-backed bills that would amend the California Consumer Privacy Act (CCPA), set to take effect on Jan. 1, 2020. To the benefit of businesses, the bills, which now move on to the Assembly’s Appropriations Committee, would clarify the text and limit the scope of the unprecedented, sweeping privacy law, which grants consumers a great degree of transparency and choice with respect to their personal information, a term defined broadly under the act. If the bills survive the Assembly’s Appropriations Committee, they will come before the full Assembly before advancing to the California Senate, and would ultimately become law if signed by the governor. Also of note, two CCPA amendment bills, discussed further below, have been withdrawn from committee consideration.