On March 6, SB 5376, the Washington Privacy Act, passed the Washington Senate in an overwhelming 46-1 vote (with two members excused). Prior to its passage, the Senate adopted important revisions and clarifications that would provide important relief for businesses from some of the more onerous provisions of the legislation. As we reported in our blog post discussing the recently introduced legislation, the Washington Privacy Act anticipates that businesses will accord consumers certain GDPR-style rights and conduct risk assessments to weigh the potential privacy and security implications of data-processing activities. The revised legislation places important limitations and clarifications on the envisioned requirements of both consumer rights and risk assessments. In short, data processed for “business purposes” will be exempt from deletion, and such processing activities are presumptively permissible. Importantly, the legislation as amended still does not permit a private right of action, and still requires the attorney general to provide notice of alleged noncompliance and give businesses an opportunity to cure before bringing an enforcement action.
In the absence of cookies-related guidance and enforcement by regulators against ordinary website publishers and operators, many e-commerce sites, online publishers and other website operators have taken a “wait and see” approach with respect to implementing GDPR-compliant cookies consent procedures. Recent cookies-related regulatory guidance, however, from the Dutch data protection authority, Autoriteit Persoonsgegevens (“Dutch DPA”), and the Bavarian data protection authority, Bayerisches Landesamt für Datenschutzaufsicht (“BayLDA”) sends a clear signal that companies should be taking a new approach with respect to cookies in 2019. In a previous post here, we discussed the UK Information Commissioner Office’s warning to the Washington Post for its practice of allowing free access to certain articles only if users consented to tracking cookies.
The Federal Trade Commission announced the creation of a new task force that is dedicated to monitoring competition in the U.S. technology industry. This Technology Task Force will coordinate and consult with 17 staff attorneys throughout the FTC who have experience in complex product and service markets, including the markets for online advertising, social networking, mobile operating systems and apps, and platform businesses. In addition to examining industry practices and conducting law enforcement investigations, these staff attorneys will be charged with investigating “technology-related sectors of the economy.” This mandate is intentionally overbroad and designed to grant wide-ranging authority to examine industry behavior, including the review of both prospective mergers and consummated technology mergers.
CrowdStrike, FireEye and IBM Security recently released their annual threat reports. These reports contain a wealth of information on recent trends in cybersecurity attacks and recommendations on the preventive measures companies can take to protect themselves. As attackers’ tactics, techniques and procedures continue to evolve, and as the attack surface of organizations continues to grow, it is increasingly important that companies stay up to date on these matters.
Over the past few weeks, California Republican lawmakers have introduced a new package of legislation called “Your Data, Your Way,” which would expand and strengthen consumer privacy rights beyond what is required by the new California Consumer Privacy Act (CCPA). The “Your Data, Your Way” package is comprised of bills that would impose new obligations on businesses, including providing consumers greater control over the use of their data, limiting companies’ storage and use of certain types of data, and notifying consumers within three days of discovering a data breach. The package consists of the following five bills:
AB 288 – Social Media Privacy:
Coined the “Own Your Own Data Act,” this bill proposes to require a social media company (defined as a company that provides electronic services or accounts, or electronic content, including, but not limited to, videos, still photographs, blogs, video blogs, podcasts, instant and text messages, email, online services or accounts, or internet website profiles or locations) to:
- Provide users that close their accounts the option to have the users’ personally identifiable information permanently removed from the company’s database and records and excluded from sale.
- Honor such a request within a reasonable time.
The bill would provide for actual damages, and in the case of willful violations, punitive damages, as well as reasonable attorney’s fees for the prevailing party. Injunctive relief is also available to aggrieved consumers.
The California attorney general (AG) has kicked off its process of promulgating regulations to interpret and implement California’s sweeping new privacy law. After a series of public hearings across the state, which we covered here and here, the AG closed the initial public comment period on March 8. Our clients have mostly sought to convey their comments through their respective trade organizations. About a dozen of our clients asked us to supplement those efforts with a set of aggregate comments, which we filed and are available here. Our U.S. Consumer Privacy and the CCPA attorneys follow CCPA and other state and federal privacy legislative and regulatory developments. Learn more here. Legislation is pending in approximately 15 states and at the federal level. For more information, contact the author.
March is now here and with it the Cybersecurity Regulation of the New York Department of Financial Services (NYDFS) is now in full force and effect, including requirements relating to Third Party Service Providers (e.g., vendors, suppliers, agents). To comply with the regulation, banks, insurance companies, and other financial institutions and individuals who are, or should be, licensed with NYDFS (Covered Entities) were required to address substantial data security compliance requirements over the past two years (detailed in our February 2017 and July 2017 posts). The March 1 deadline marked the end of the last transitional period for the regulation, and perhaps a new period marked by its enforcement.
Cybersecurity threats continued to plague the healthcare sector in 2018. Healthcare organizations notified twice as many individuals under HIPAA and other notification statutes in 2018 as compared with 2017. According to a new report from Malwarebytes Labs, 2019 State of Malware Report, trojan malware was the greatest threat to the healthcare sector in 2018. Specifically, trojans Emotet and Trickbot, originally used in banking incidents, were labeled the most common malware strains, while hijackers, rootkits and riskware rounded out the top threats to the sector.
It is the 25th anniversary of the federal Children’s Online Privacy Protection Act (COPPA), which has served us well, but states are looking to expand privacy protection for minors. Several years ago, California expanded its Online Privacy Protection Act to give minors the right to remove content they have posted on social media and certain other websites and to limit advertising of age-restricted products to them. Now Connecticut proposes to do the same with GA 6601. Last year, California’s new consumer privacy law restricted the sale of personal information of California residents under 16 years of age except with express opt-in consent (which must be exercised by the parent of children under 13). Now a California bill, AB 1665, proposes to limit websites and mobile apps from publishing a minor’s name, picture, or any reasonably identifiable information about the minor on a social media service (not defined), where the publisher is paid by a third party to do so, absent parental consent, which consent cannot be a condition of using the service. It is not clear what use cases the bill intends to address, but presumably paid publication of “likes” of brands would be covered. For more information on these laws and bills, join the author at the CARU conference on March 6 in Los Angeles.