With only hours left in the 2018 legislative session, the California Legislature has amended the California Consumer Privacy Act of 2018 (CCPA) by passing SB-1121. The legislature was expected to amend the CCPA, which passed about one week after it was proposed, in a rush to avoid a different version of the act being finalized as a ballot initiative that would have appeared on the November ballot. We wrote about that process here and here. A summary of the CCPA as originally passed is here, and recommendations on how to start to prepare are here.
California’s new privacy law, the California Consumer Privacy Act of 2018 (CCPA or act), which goes into effect Jan. 1, 2020, grants California residents (referred to as consumers in the act but not limited to consumers) a wide range of rights in regard to their personal information, broadly defined. To enable compliance with the act, covered businesses will be required to implement data management practices that increase consumers’ transparency and choice. For example, the CCPA requires that a business that falls under the act track personal information collected about consumers and inform consumers of the categories of personal information collected as well as the business and commercial purposes for collection of each category of personal information. In addition, to comply with the CCPA, a business must provide access to and portability of consumer information and delete consumer personal information upon request. For more details on what the CCPA will require, what businesses and data will be covered, and how to prepare for the CCPA, see our prior posts here and here.
Biometric Information Privacy Act
AGCO Corp., Ceridian HCM Inc. and Hegewisch Development Corp. Latest Employers to Face Allegations of BIPA Violations
• Lawsuits against employers for alleged violations of Illinois’ Biometric Information Privacy Act (BIPA) show no signs of slowing, with three more employers, AGCO Corp., Ceridian HCM Inc. and Hegewisch Development Corp., all facing suits in recent weeks.
• The complaints are all very similar, with each alleging that the defendants collected fingerprint information without informing their employees in writing of the purpose for which, or the length of time, the fingerprints would be stored.
• Each suit seeks class certification and statutory damages of $5,000 per violation.
In response to controversies concerning consumers’ personal information, such as the Facebook/Cambridge Analytica controversy, and a California ballot initiative that qualified for the November ballot and proposed the California Consumer Privacy Act (“CCPA Initiative”), the California legislature introduced AB-375, which proposed an alternative version of the California Consumer Privacy Act of 2018. The authors of AB-375 worked out a compromise with the sponsors of the CCPA Initiative, and AB-375 was passed and signed by Governor Jerry Brown, becoming the California Consumer Privacy Act of 2018, codified at Title 18.1.5 of the California Civil Code (the “CCPA”). We have written about the CCPA here and here. The CCPA becomes effective January 1, 2020, though practically, businesses will need to start data mapping and recordkeeping on January 1, 2019, to be in compliance on the effective date. The legislature has already started a process of potentially amending the CCPA through SB-1121, which was originally intended as a different alternative to the CCPA Initiative (“Old SB-1121”). SB-1121 was amended on August 6, 2018, to refine the CCPA (“New SB-1121”). However, as Santa Clara University School of Law Professor Eric Goldman states in his recent article Recent Developments Regarding the California Consumer Privacy Act, New SB-1121 “represents less than 1% of the obviously needed changes to the bill.” Professor Goldman’s article does a good job of identifying errors and problems that he has collected through crowdsourcing and of summarizing proposed changes that have been submitted to the bill’s authors by leading industry groups led by the Association of National Advertisers (“ANA”) (the “ANA Coalition Proposal”), as well as by public interest groups, including the Electronic Frontier Foundation (“EFF”).
On August 24, New SB-1121 was further amended (the “8/24 Amendment”), adding some additional notable changes, such as expanding the carve-out of data regulated by federal and state privacy laws for healthcare entities and financial institutions, providing for immediate preemption of local laws, and delaying enforcement of the CCPA by the Attorney General until the earlier of six months from adoption of regulations or July 1, 2020. A copy of the current bill as of August 24 is here. Unfortunately, even with the August 24 additions, much remains to be fixed, and in this post we point out issues the legislature should address.
Comcast’s Xfinity Service Potentially Exposes Addresses and Partial SSNs of More Than 26.5 Million Customers
• According to security researcher Ryan Stevenson, alleged vulnerabilities in the system Comcast Xfinity uses to verify users’ identities could have allowed an attacker to learn those users’ home addresses and partial Social Security numbers.
• After being informed of the issues, Comcast patched the alleged vulnerabilities.
• According to a Comcast spokesperson, Comcast “quickly investigated these issues and within hours … blocked both vulnerabilities, eliminating the ability to conduct the actions described by these researchers. [Comcast has] no reason to believe these vulnerabilities were ever used against Comcast customers.”
The Department of Justice recently released its comprehensive assessment of cyber threats in the United States, titled “Report of the Attorney General’s Cyber-Digital Task Force.” The Report is the result of the establishment of the Attorney General’s Cyber-Digital Task Force by the Department in February 2018. Attorney General Jeff Sessions directed the Task Force to answer two questions:
- How is the Department responding to cyber threats?
- How can federal law enforcement more effectively accomplish its mission in this important and rapidly evolving area?
In late June, the California legislature signed into law Assembly Bill 375 (AB 375) as the California Consumer Privacy Act of 2018 (CCPA), a privacy law, unprecedented in the U.S., that grants California residents a broad range of European-like rights when it comes to their personal information (PI), effective Jan. 1, 2020. To be able to comply on the effective date, businesses will need to start record-keeping no later than Jan. 1, 2019, and likely will need to complete data mapping prior to that. Data inventorying and management vendors are scrambling to update their platforms to enable businesses to do so, and the cost of such solutions is projected to be significant – $50,000 to $100,000 a year. Given that processing an average of 138 credit cards a day, or having an average of 138 unique website visits a day, or a combination thereof and other data collection, is enough to draw a business under the scope of the law, all but the smallest businesses will need to comply. There are also certain obligations and liabilities for certain types of service providers processing the data of a regulated business, and other third parties.
Ohio will soon have a law in place that provides a “legal safe harbor” from tort claims related to a data breach, to entities that have implemented and comply with certain cybersecurity frameworks. It remains to be seen whether any entity will ever be in a position to take advantage of the affirmative defense this law offers. Below is a summary of the key provisions, followed by comments on why the safe harbor is likely the equivalent of a really small umbrella in a downpour.
The legal safe harbor comes from amendments to Ohio law from Senate Bill 220, which was signed into law by Ohio Governor John Kasich on August 3, 2018, and will take effect 90 days after it is provided to the Ohio Secretary of State.
Axioms are common in the privacy and security space. One that has been popping up with more frequency is “privacy and security is an enterprise risk that requires an enterprise-wide effort to appropriately address.” It is easy to say, hard to execute and absolutely necessary.
Federal Trade Commission
Federal Trade Commission Asks for Ability to Fine Companies for Privacy Violations
• Speaking before the U.S. House of Representatives’ Subcommittee on Digital Commerce and Consumer Protection, the commissioners of the Federal Trade Commission (FTC or Commission) said Congress needs to pass new laws to allow the FTC to fine companies that violate consumers’ privacy rights, as well as to allow the Commission greater flexibility to amend its own rules to address potential violations.
• At the same time, Chairman Joseph Simons recognized a “trade off between privacy and data security and competition,” noting that the Commission is “nervous that if [the FTC does] privacy in one way and go[es] too far [in] one direction, [it will] reduce competition.”