If Signed by Governor, California Bill AB-602 Will Provide Private Right of Action for Victims of Sexually Explicit ‘Deepfakes’

AB-602, passed by the California State Senate on September 12, 2019, will, if approved by the governor, create a private right of action against persons who create or disclose another’s sexually explicit content through use of “deepfake” technology. Specifically, the cause of action may be brought against a person who creates and intentionally discloses sexually explicit material where the person knows, or reasonably should know, that such creation or disclosure was not consented to by the depicted individual, or where such person did not create but intentionally discloses such material knowing that the depicted individual did not consent to its creation.

Sponsors of the bill envision it applying in two distinct scenarios: (1) where a person’s face is superimposed on another’s body in such a way as to suggest that person is engaging in a sexually explicit way, and (2) where a mainstream filmmaker digitally alters a scene to make it look as though the actor engaged in sexually explicit activity when, in fact, he or she did not.

Issues AB-602 Seeks to Resolve

Deepfake (a portmanteau of deep learning and fake)[1] is used for many purposes, including political commentary and parody.[2] However, it is often used nefariously to depict individuals engaging in sexual acts in which they did not actually engage.[3] It is these sexually explicit depictions that AB-602 seeks to prevent.[4]

Once sexually explicit deepfakes are proliferated online, a person’s reputation becomes irreparably damaged and the person may suffer deep shame, humiliation and emotional damage. Additionally, such proliferation can result in long-lasting economic harm by tainting the depicted person’s professional image to such a degree that he or she becomes unemployable.[5] Thus, AB-602 was introduced to provide victims of such deepfakes with a cause of action that provides sufficient redress. Continue Reading

AB-1790 Seeks to Add Transparency to the Marketplace/Marketplace Seller Relationship

Seeking to increase transparency and, consequently, fairness in the marketplace/marketplace seller commercial relationship, the California State Senate approved AB-1790 Marketplaces: marketplace seller on Sept. 12, 2019. AB-1790 aims to achieve this transparency by imposing certain obligations on a marketplace. These obligations will in turn provide a marketplace seller with more insight into the terms and conditions of its commercial relationship with that marketplace. AB-1790 defines “marketplace” as a physical or electronic place that sells or offers for sale services or personal property for delivery in California and has an agreement with the marketplace seller to make such sales through the marketplace. Commonly known marketplaces include Amazon, eBay, and online destinations of brick-and-mortar stores like Walmart and Target. A “marketplace seller” under AB-1790 is a person residing in California who has an agreement with a marketplace and makes sales through the marketplace. The governor has until Oct. 13, 2019, to sign or veto AB-1790.

Marketplace Requirements

AB-1790 requires a marketplace to ensure that its terms and conditions regarding its commercial relationships with marketplace sellers (1) are plainly and intelligibly drafted; (2) are easily available online for marketplace sellers at all stages of their commercial relationship, including at the relationship’s outset; and (3) identify the dispute resolution process and grounds for terminating the marketplace/marketplace seller commercial relationship.

AB-1790 also requires the marketplace to describe the possibilities and effects of a marketplace seller paying the marketplace to influence search results or otherwise obtain preferential placements within the marketplace. While AB-1790 does not require the marketplace to disclose the price of that ranking or preferential treatment, it must describe how a marketplace seller may obtain a written price. Continue Reading

AB-1130 Expands the Definition of Personal Information for Data Breaches

In what appears to be yearly tradition, the California State Senate has again amended its Data Breach Notification Law. [Civ. Code § 1798.29.] On Sept. 11, 2019, the California State Senate voted in favor of AB-1130 Personal information: data breaches, which expands the existing definition of “personal information” under California’s Data Breach Notification Law. Assuming the governor signs AB-1130 before the Oct. 13, 2019 deadline, personal information under California’s Data Breach Notification Law will now include (1) unique biometric data, and (2) government-issued identification numbers, such as passport numbers.

Closing a Gap

AB-1130 seeks to close openings within California’s Data Breach Notification Law. The current law requires any agency, person, or business that owns or licenses computerized data that includes personal information to disclose a breach of the security of the system to any California resident whose unencrypted personal information was or is reasonably believed to have been acquired by an unauthorized person. [Civ. Code. §§ 1798.29(a), (c); 1798.82(a), (c).] The current definition of “personal information” does not extend to passport numbers or unique biometric data, a gap that was highlighted in the wake of several high-profile data breaches. Continue Reading

IAB Previews Solution for Interest-Based Advertising and CCPA ‘Do Not Sell’ Right

On September 17, 2019, numerous stakeholders in the digital advertising industry, including publishers, advertisers/brands, AdTech companies, and law firms (including numerous representatives from BakerHostetler) convened at the Interactive Advertising Bureau’s (IAB) headquarters in New York for a preview of its CCPA Industry Compliance Framework.

Throughout the course of 2019, IAB has solicited input from a broad swath of digital advertising industry stakeholders to develop the industry’s approach to addressing consumer Do Not Sell requests arising out of the multiparty, downstream sharing of consumer behavioral data to effectuate interest-based advertising. IAB’s efforts began by addressing what level of industry cooperation is required in ad buying transactions to cause compliance with the CCPA, and developing policy parameters around a technical solution to pass “signals” relating to the sale of personal information (or restrictions thereof).

The downstream sharing of this behavioral data involved in digital advertising is implicated by Section 1798.115(d) of the CCPA, which requires that a third party cannot onward sell (i.e., sell data that has been sold to it) unless the consumer has received explicit notice and is provided the opportunity to opt-out pursuant to Section 1798.120. In short, the IAB framework addresses the fact that various participants in the interest-based advertising ecosystem must onward sell personal information, but do not have the ability to obtain the explicit notice required by .115(b), which is only afforded to website and mobile application publishers (a website operator with advertising on its site or app). Continue Reading

CCPA Exceptions: What Qualifies as Activity ‘Wholly Outside’ of California?

Much has been said about the scope of the California Consumer Privacy Act (CCPA) and the far-reaching implications the law will have on businesses throughout the United States. Although it is true that the territorial reach of the law is broad, it is not without limits. The CCPA explicitly includes a geographic exception that may be important in determining the applicability of the law to personal information processed by businesses that do not have a physical presence (including employees) in California.

CCPA Section 1798.145(a)(6) states that the obligations imposed by the law “shall not restrict a business’s ability to … [c]ollect or sell a consumer’s personal information if every aspect of that commercial conduct takes place wholly outside of California.” The statute provides that commercial conduct will be considered “wholly outside of California” where:

  1. The business collects information while the consumer is outside of California;
  2. No part of the sale of the consumer’s “personal information” occurs in California; and
  3. No “personal information” collected while the consumer is in California is sold.

The exception includes a provision to prevent a potential “traveling Californian” loophole: Businesses may not store personal information about a California resident while the consumer is in California (such as on their mobile device), and then later “collect” that personal information when the consumer and stored personal information are outside of California. Continue Reading

CCPA Amendments – Where They Stand Today

A little more than 100 days prior to the effective date of the California Consumer Privacy Act (CCPA), six amendments (A.B. 25, A.B. 874, AB 1146, A.B. 1202, A.B. 1355 and A.B. 1564) to the act were approved by California lawmakers at the close of the legislative session, which ended on Friday, Sept. 13. The governor must sign or veto these bills by Oct. 13. Most notably, if they become law, the bills would delay implementation of most of the CCPA’s data subject rights to human resources data and business-to-business transaction communications data for one year. A bill that would have clarified that certain data collection and use in connection with loyalty programs was permissible (A.B. 846) was pulled by the author, but may be brought back up in the next legislative session if the regulations implementing the act, a first draft of which is expected from the California Attorney General’s (Cal AG) office in late September or early October, do not address the issue. The proposed amendments also would require a business that collects and sells consumer personal information (PI), but does not have a direct relationship with those consumers, to register with the state as a data broker. In addition, the bills address the scope of personal information that is covered by the act, the meaning of certain consumer rights and how those rights are to be administered, and what training is required of personnel that will handle privacy inquiries and requests.

Data Broker Registry

AB 1202 would require “businesses” that knowingly collect and sell consumer personal information, that lack a direct relationship with those consumers, to register with the Cal AG, whose office would then publish the names and contact information of the registrants on the Cal AG’s website. A prior version of the bill would have also required data brokers to give consumers certain precollection notice of the categories of personal information collected and the purposes for the collection, which could have been satisfied by posting such notice on the data broker’s website, but those provisions were struck prior to passage. The intent of the law is to provide consumers with a way to identify businesses that may be collecting and selling their information that they may not know how to contact to determine if they have collected their personal information and to exercise their do-not-sell and other consumer privacy rights (e.g., to obtain a copy of the personal information and/or request its deletion). Continue Reading

Just How Far Does California’s New IoT Security Law Reach?

Group of people standing in line and looking at their smart phonesOn January 1, 2020, California’s new Internet of Things (IoT) Security Law goes into effect. The law is the first IoT-specific security law in the United States and, simply put, requires all IoT devices sold in California to be equipped with reasonable security measures.

There has been a significant amount of discussion regarding exactly what types of devices are covered by the new regulations and what “reasonable security measures” entail.

Who is covered?

Any “manufacturers” of connected devices that sell their products in California will be required to incorporate reasonable security features into their devices. It does not matter where the product is made. It is also important to note that “manufacturers” include not only those companies that perform the manufacturing themselves, but also companies that “contract with” others to manufacture devices on their behalf. The law does contain several exclusions, including security vulnerabilities caused by user installation of third-party software and devices already regulated by certain healthcare statutes. However, since the interconnectivity of third-party software may be the source of a security breach, the question arises whether to consider how a covered device interacts with such third-party software. Continue Reading

Less Than a Month to Go Until Nevada Privacy Law Effective Date

As discussed in our previous blog post on the topic, Nevada’s amendments to its privacy law are set to go into effect Oct. 1, 2019. Less comprehensive in scope than the much-heralded CCPA, the Nevada privacy law amendment has received significantly less attention than its California counterpart. Even so, the new Nevada privacy law presents its own compliance challenges that companies shouldn’t overlook in the CCPA compliance scramble.

To see a countdown clock and find resources on how to prepare for Nevada’s SB 220 and the CCPA, see our U.S. Consumer Privacy Resource Center.

Inconsistencies and Compliance Challenges

The amended Nevada privacy law establishes a requirement that “operators” of internet websites or online services set up a procedure whereby Nevada residents are given the opportunity to opt out of data sales. Specifically, organizations must establish a “designated request address”—which can be a toll-free phone number, email address, or internet website—where Nevada residents may submit requests to opt out of data sales. Companies must cease the sale of a Nevada resident’s data upon receipt of a “verified request,” defined as a “request submitted by a consumer … for which an operator can reasonably verify the authenticity of the request and the identity of the consumer using commercially reasonable means.”

Continue Reading

Risk Management Strategies to Reduce Risk Associated with Telehealth

The use of technology to provide healthcare has existed for decades; however, recent advances in technology and changes in reimbursement have increased the prevalence of telehealth for diagnosing and treating patients. Telehealth is an emerging and promising method of providing healthcare in areas where healthcare may be limited or unavailable. Telehealth provides quality, cost-effective healthcare and can reach individuals in remote or underserved locations. It has also been shown to increase patient satisfaction.

The Health Resources and Services Administration of the U.S. Department of Health & Human Services defines telehealth as “the use of electronic information and telecommunications technologies to support and promote long-distance clinical health care, patient and professional health-related education, public health and health administration, and may include non-clinical services.” The Centers for Medicare & Medicaid Services and all 50 states have regulations governing the use of and reimbursement for telehealth services, and commercial payers are increasingly covering these services. Reimbursement policies for telehealth services vary and may limit or restrict the type of facilities and providers who may seek reimbursement, setting geographical limitations on reimbursement for certain medical conditions. Because of the surge in the use of telehealth, healthcare providers need to be aware of the risks associated with the use of this technology and implement mitigation strategies to reduce these risks.

Continue Reading

Summer Is Over – It’s CCPA and NV Crunch Time

It is less than 120 days until California’s ground-shifting new privacy regimen – the California Consumer Privacy Act (CCPA) – goes into effect. There is only a week left for the Legislature to pass the handful of amendment bills that still survive, and we should have the attorney general’s proposed regulations published for public comment within weeks. Furthermore, the digital advertising industry has decided on a way to address the CCPA and future laws that may give consumers the ability to opt out of data disclosures that are not necessary to provide core services to the consumer. Hopefully, many unanswered questions will be at least partially answered in the next two months. In the meantime, here are some previews.

Last Thursday night I co-hosted an event for Attorney General Xavier Becerra in Los Angeles. There was a lively conversation with the AG; these are some of the highlights:

  • The AG’s office has been, as we know, consulting with stakeholders to help develop the regs. However, the AG reported that they have also consulted with EU data protection authorities to get the benefit of their experiences.
  • The upcoming regulatory public comment period will be meaningful, and the AG is particularly interested in hearing about compliance challenges, inadvertent consequences and constructive suggestions for refinements. He encourages written comments with specific recommendations for edits or additional regulations.
  • The AG is particularly concerned with the lack of meaningful transparency and choice for consumers regarding their personal information (PI) and will likely be concentrating on pre-collection notice and the breadth of opt-out, both in the regulations and in enforcement priorities.
  • Previously an advocate against the right to cure, the AG expressed doubt that many types of violations could be capable of cure given that consumers’ rights would have been injured and the resulting damage already done. That said, he indicated that a good faith effort to interpret and comply would be met with a better response than outright noncompliance.
  • While promising not to be in the “gotcha” business, and seeking to work with industry to develop sound approaches to interpretation of the title, the AG indicated that his office’s mandate is enforcement and consumer protection, and the first cases brought will be “must wins” so that examples can be made for industry, both as to the substantive issues involved and the risk of noncompliance.

Continue Reading

LexBlog