Photo of Alexis Cocco

Before the dust has even settled on many California Consumer Privacy Act (CCPA) compliance projects, California voters have welcomed the future of privacy by overwhelmingly approving Proposition 24: The California Privacy Rights Act (CPRA).  Building off of the CCPA framework, the CPRA expands the rights of California consumers, adds new responsibilities for both businesses and service providers, and creates a new state agency, the California Privacy Protection Agency (the Agency), to take over enforcement from the state Attorney General.  Here are the notable changes:

First, every business will be happy to know that the B2B and employee information sunsets have been extended until January 1, 2023 (after being extended by another year until 2022 by the legislature).
Continue Reading CPRA: The next frontier in (California) privacy

In a recent Q&A with Nevada Attorney General (AG) Aaron Ford, the first-term AG discusses Nevada’s new data privacy law (Senate Bill 220), which provides consumers with a right to opt out of the sale of their data. AG Ford also outlines his perspective on federal privacy law and his office’s data breach enforcement

In a recent Q&A with Illinois Attorney General Kwame Raoul, the first-term AG discusses potential changes to data breach laws in Illinois and whether his state could implement a privacy statute similar to the California Consumer Privacy Act (CCPA), the effectiveness of federal data breach legislation, and reasonable steps that businesses could take to

Although the California Consumer Privacy Act (CCPA) went into effect on January 1, 2020, the California Attorney General (AG) was not authorized to begin enforcement until July 1, 2020.  With the pandemic and the delay in finalizing the regulations, it was unclear how or when AG enforcement would begin.  Any such confusion can be dispelled, because California’s Supervising Deputy AG, Stacey Schesser, has confirmed that initial compliance notice letters have been sent.

In a keynote presentation with the International Association of Privacy Professionals, Schesser offered an important window into the AG’s planned – and existing – enforcement efforts.  Most notably, as mentioned above, on July 1, 2020, the AG sent out initial letters to allegedly noncompliant businesses.  Although the letters themselves remain confidential, Schesser provided some insight into their substance:

  • They targeted multiple industries and business sectors.
  • They focused on businesses that operated online and were missing either key privacy disclosures or a “Do Not Sell” link (where the AG thought one was necessary).
  • The targets of the letters were identified based, at least in part, on consumer complaints, including complaints made using social media.

Continue Reading CCPA enforcement letters sent; Supervising Deputy Attorney General offers insight

Hollywood movie star Reese Witherspoon and her clothing line, Draper James, LLC, have found themselves the subjects of a public relations debacle, and now, a class action after running a promotion for teachers gone horribly wrong.

In April, Draper James ran an Instagram promotion to recognize and thank teachers for their work during the COVID-19 pandemic. The April 2, 2020 promotion post stated: “Dear Teachers: We want to say thank you. During quarantine we see you working harder than ever to educate our children. To show our gratitude, Draper James would like to give teachers a free dress.”

The Instagram post went on to provide further details of the promotion, including that to “apply”, teachers needed to fill out a form with their name and work email addresses, a photo of their school IDs, the grade level and subjects they teach, as well as their school name and state. In exchange for providing what the teachers alleged to be “sensitive personal, employment information,” teachers thought they would receive a free dress from the brand. While the Instagram post did caveat in a parenthetical that the offer was “valid while supplies last – winners will be notified on Tuesday April 7th”, the post did not disclose that only 250 teachers would receive a free dress. The lawsuit claims that the “vague illusory comment” was insufficient to place a reasonable consumer on notice that this was a sweepstakes or that the brand would “only be making an unreasonably limited number of products available under this offer.”
Continue Reading Legally blown: Reese Witherspoon and her fashion line face breach of contract and privacy class action over ‘free dress’ giveaway

After many months and several rounds of revisions, the Office of the California Attorney General has finally submitted the final proposed regulations package under the California Consumer Privacy Act (CCPA) to the California Office of Administrative Law (OAL).

The complete package, which includes the Final Text of Proposed Regulations and the Final Statement of Reasons, was submitted on June 1, 2020.  A comparison between the most recent second modified regulations – which were released on March 27, 2020 – and the Final Text of Proposed Regulations reveals very few changes.  In fact, the changes were entirely grammatical, with no substantive revisions.  This means that the last round of revisions, summarized here, will be implemented.
Continue Reading The wait is over: Final CCPA regulations have been submitted

On March 26, 2020, amendments to Washington, D.C.’s data breach notification law were enacted in bill number B23-0215.  Put briefly, the amendments impose various prevention, response, and mitigation obligations on businesses regarding data breaches that affect D.C. residents.  Below is a summary of the key changes of which businesses should be aware.
Continue Reading Amendments to D.C.’s data breach law create new data security and breach notification obligations for businesses

On March 17, 2020, the federal government relaxed a number of telehealth-related regulatory requirements due to COVID-19. On April 3, 2020, California Governor Gavin Newsom issued Executive Order N-43-20 (the Order), which relaxes various telehealth reporting requirements, penalties, and enforcements otherwise imposed under state laws, including those associated with unauthorized access and disclosure of personal information through telehealth mediums.

As stated in the Order, which became effective immediately, telehealth services may help reduce the spread of COVID-19, and strict compliance with certain state telehealth requirements would otherwise “prevent, hinder, or delay appropriate actions to prevent and mitigate the effects of the COVID-19 pandemic.” The Order impacts certain health care facilities, health care providers, health care administrators, clinics, home health agencies, and hospice providers, generally in instances where non-compliance occurs during the “good faith provision of telehealth services.”
Continue Reading California relaxes key telehealth regulatory requirements during COVID-19 emergency

The Telephone Consumer Protection Act (the TCPA) restricts telemarketing and the use of automated telephone equipment for phone calls, faxes, and text messages. The TCPA provides a private right of action and significant statutory penalties, and therefore is an area of significant risk for any company that communicates with its customers, particularly by phone or text. In an effort to ease restrictions in light of the COVID-19 outbreak, the Federal Communications Commission (FCC) has issued guidance clarifying that informational calls that are directly related to the imminent health or safety risk arising out of the COVID-19 outbreak and made by certain types of callers are exempt from the TCPA requirements under the “emergency purposes exception.”

Under the TCPA, telemarketers are required to obtain prior express written consent before making calls to landline or wireless phones with prerecorded telemarketing messages and before using an automatic telephone dialing system (ATDS) to call or text any wireless phones with telemarketing messages.

Notably, the TCPA expressly excludes calls made for “emergency purposes” from the Act, including “calls made necessary in any situation affecting the health and safety of consumers.” This exception is intended for situations posing “significant risks to public health and safety” where the use of such calls could “speed the dissemination of information regarding” such risks or conditions.
Continue Reading FCC issues guidance on the TCPA’s “emergency purposes exception” based on the COVID-19 pandemic

As businesses and individuals across the globe struggle to adapt to a new normal of remote work and social distancing due to the COVID-19 (a/k/a novel coronavirus) pandemic, they should also be aware of a number of U.S. data privacy and data security implications arising from these changes. In addition, businesses must be cognizant of