Photo of Mark Quist

Maryland and California look to join the list of states that not only regulate biometric data but provide consumers with the opportunity to seek hefty statutory damages and attorney’s fees from offending businesses. Similar to Illinois’ oft-litigated Biometric Information Privacy Act (“BIPA”), both bills would also (i) require written consent prior to the collection of biometric information; (ii) impose BIPA-like security measures, and (iii) mandate specific retention criteria, as described below.
Continue Reading Maryland and California Propose Biometric Privacy Legislation that Would Include Illinois-Like Private Rights of Action

Two Chinese information security laws, the Data Security Law (“DSL”) and the Personal Information Protection Law (“PIPL”), are creating difficulties for parties involved in litigation in the United States seeking discovery materials stored in China.

Both the DSL and the PIPL require data processors to obtain approval from the Chinese government before transferring any data stored in China to a foreign court or law enforcement authority, or otherwise face significant penalties such as fines in the millions of dollars.

Litigants in the U.S. should be aware that the DSL and PIPL may impose significant costs and delays in the discovery process, and may be used to avoid turning over certain materials.

Continue Reading Chinese data security laws increasingly create roadblocks for litigants seeking discovery in U.S. courts

Beginning in May 2022, employers in New York state will be required to make certain disclosures to their workers if they engage in electronic monitoring of employee communications. On November 8, a bill signed into law by Governor Kathy Hochul requires that all employers provide written notice to newly-hired employees if they intend to monitor

The Federal Trade Commission (FTC or Commission) has issued a final rule clarifying its data security requirements for certain covered financial institutions. The new rule, which amends the Safeguards Rule originally promulgated in 2002 under the Gramm-Leach-Bliley Act (GLBA), outlines specific criteria to be incorporated as part of GLBA-covered financial institutions’ information security programs. The primary changes include:

  • A requirement to designate a single qualified individual responsible for overseeing the information security program and periodically reporting to the board (or other governing body)
  • Identification of specific security risk assessment criteria and a requirement that such assessments be documented in writing
  • Specific required safeguards, including access controls, encryption, data disposal procedures, continuous monitoring, and penetration testing
  • Service provider selection criteria and a related requirement to periodically assess service providers based on perceived risk
  • Expansion of the definition of “financial institution” to clarify that it includes entities providing “finder” services incidental to financial activities

The updated rule takes effect 30 days after publication in the Federal Register, but some of the more significant new requirements will not take effect for another year.

Continue Reading FTC significantly amends GLBA Safeguards Rule

California’s new enforcement agency, the Consumer Privacy Protection Agency (CPPA), recently held a meeting of its Board of Directors (Board), where they discussed the possible need to extend the July 1, 2022 CPRA rulemaking deadline and estimated that the updated privacy law, which takes effect in 2023, may require doubling the existing body of CCPA regulations. Key rulemaking topics discussed at the board meeting included rules covering new topics such as rules related to automated decision-making and the CPRA’s new data protection assessment and auditing requirements.

CPPA executive director and staff to be appointed

With a little over nine months until the CPRA regulations are supposed to be finalized, the CPPA is still working on making key staff and leadership appointments. The Board recently held an all-day closed session to review and discuss the applications for the executive director post, indicating it may be close to making a decision on that leadership post. In the preceding open session, members discussed the Chief Privacy Auditor role and the requirements for that new position. As for staff, the Board noted that the Attorney General’s (AG) office already has 10 people dedicated to CCPA-related work and discussed hiring five retired state employees that are attorneys for part-time positions.

Extension of the July 1, 2022 rules deadline

With the CPRA rulemaking deadline looming on July 1, 2022, Board members expressed concern about the CPPA’s ability to draft, revise, and finalize a large number of new rules in the time that remains. Based on this concern, the Board discussed asking the legislature for an extension, enacting temporary “emergency” regulations, or adding grace periods for compliance with the new rules. Emergency rules would allow the CPPA to introduce new rules on an expedited basis while extending the final rulemaking beyond the July 1, 2022 deadline. 
Continue Reading California privacy update: New state enforcement agency leadership discuss extending CPRA rulemaking deadline and doubling the number of current CCPA regulations

In preparation for the California Privacy Rights Act (CPRA), effective January 1, 2023, the California AG Rob Bonta has been actively enforcing the California Consumer Privacy Act (CCPA) and providing updated guidance for consumers and businesses. The AG recently held a press conference to discuss enforcement proceedings brought by his office over the last year

The protection afforded by attorney-client privilege brings about a candid conversation between lawyers and clients. Privilege can attach to communications covering a variety of topics, from responding to a data subject access request (DSAR) to handling a security incident or managing complex and time consuming investigations on a multinational scale. Different privilege rules may apply

A trio of consumer data privacy bills modeled after Europe’s General Data Protection Regulation (GDPR) has been introduced in the Wisconsin State Assembly. The three bills, collectively dubbed the Wisconsin Data Privacy Act (WDPA), were sponsored by Republican State Representative Shannon Zimmerman, who is seeking to make Wisconsin “the most consumer-friendly state in our nation on data privacy.” Collectively, Assembly Bills 870, 871, and 872 seek to grant Wisconsin residents a host of rights related to companies’ collection and processing of their personal data and would impose a number of related regulatory obligations on companies that process personal data.

Consumer rights

  • A right to request information about what personal data a company has processed;
  • A requirement that companies obtain opt-in consent before collecting or making any use of the consumer’s personal data;
  • A right to request that a company stop any processing of the consumer’s personal data and give notice to cease processing personal data to every entity the company has shared the consumer’s data with (unless this is impossible or involves unreasonable efforts); and
  • A right to request deletion of the consumer’s personal data.


Continue Reading Wisconsin representative proposes “groundbreaking” data privacy law modeled after GDPR, including statutory penalties up to $20 million or 4 percent of total annual revenue

The recently announced multistate settlement between credit reporting company Equifax Inc. and the Attorneys General of 48 states, Puerto Rico, and the District of Columbia (the AGs) demonstrates the increasingly active role of state regulators in policing the privacy and security practices of businesses that handle consumers’ personal information. The multistate settlement is part of a comprehensive agreement between Equifax, the AGs, and other state and federal regulators, under which Equifax will pay at least $575 million and up to $700 million to resolve investigations and litigation arising out of a 2017 data breach alleged to have affected over 147 million consumers.
Continue Reading Equifax agrees to enhanced security and privacy measures and will pay states and the Consumer Financial Protection Bureau at least $575 million to resolve multistate investigation of 2017 data breach.

The Federal Trade Commission (FTC) announced a joint state-and-federal initiative, “Operation Call It Quits,” which targets illegal telemarketing practices that violate the FTC’s Telemarketing Sales Rule (TSR).

The TSR, which applies to interstate telephonic marketing communications intended to “induce the purchase of goods or services or a charitable contribution,” makes it illegal to engage in “abusive” acts and practices like failing to transmit caller identification information, calling telephone numbers listed on the National Do Not Call Registry, and using certain types of prerecorded messages or “robocalls.” The TSR also makes it illegal to engage in “deceptive” acts and practices while on a telemarketing call, like processing billing information without authorization, failing to fully disclose certain information before a customer consents to pay for goods or services, and misrepresenting material details of a sale. As part of this latest sweep of TSR enforcement, the FTC announced four newly filed actions:

  • In the first action, the FTC filed suit in the U.S. District Court for the Middle District of Florida against corporate and individual defendants alleged to have made illegal robocalls to “financially distressed consumers” with offers of “bogus credit card interest rate reduction services.”
  • In the second action, the FTC filed suit in the U.S. District Court for the Central District of California against individual and corporate defendants accused of using illegal robocalls to sell “fraudulent money-making opportunities.”
  • The third action, filed on the FTC’s behalf by the U.S. Department of Justice (DOJ) in the Middle District of Florida, targeted the “informational technology (IT) guy” alleged to have developed and operated computer-based “autodialer” technology used to make millions of illegal robocalls.
  • The fourth action, filed by the DOJ on the FTC’s behalf in the U.S. District Court for the Central District of California, alleges that a business and its individual owners sought to develop marketing leads for home solar energy companies by making millions of illegal robocalls and engaging in other abusive practices, including making more than 1,000 calls to a single telephone number in one year.


Continue Reading FTC and state law enforcement officials step up efforts against illegal telemarketing