
Although the California Consumer Privacy Act (CCPA) went into effect on January 1, 2020, the California Attorney General (AG) was not authorized to begin enforcement until July 1, 2020. With the pandemic and the delay in finalizing the regulations, it was unclear how or when AG enforcement would begin. That uncertainty can now be put to rest: California's Supervising Deputy AG, Stacey Schesser, has confirmed that initial compliance notice letters have been sent.

In a keynote presentation with the International Association of Privacy Professionals, Schesser offered an important window into the AG's planned and existing enforcement efforts. Most notably, on July 1, 2020, the AG sent out initial letters to allegedly noncompliant businesses. Although the letters themselves remain confidential, Schesser provided some insight into their substance:

  • They targeted multiple industries and business sectors.
  • They focused on businesses that operated online and were missing either key privacy disclosures or a "Do Not Sell" link (where the AG thought one was necessary).
  • The targets of the letters were identified based, at least in part, on consumer complaints, including complaints made using social media.

Continue Reading CCPA enforcement letters sent; Supervising Deputy Attorney General offers insight

On March 26, 2020, amendments to Washington, D.C.'s data breach notification law were enacted in bill number B23-0215. Put briefly, the amendments impose various prevention, response, and mitigation obligations on businesses regarding data breaches that affect D.C. residents. Below is a summary of the key changes of which businesses should be aware.
Continue Reading Amendments to D.C.’s data breach law create new data security and breach notification obligations for businesses

As businesses and individuals across the globe struggle to adapt to a new normal of remote work and social distancing due to the COVID-19 (a/k/a novel coronavirus) pandemic, they should also be aware of a number of U.S. data privacy and data security implications arising from these changes. In addition, businesses must be cognizant of

On March 10, 2020, Vermont Attorney General T.J. Donovan initiated an enforcement action based on Vermont’s new data broker law against Clearview AI, Inc.

Vermont’s data broker law, which became effective January 1, 2019, governs data brokers, which it defines as companies that collect and sell or license to third parties the personal information of a consumer with whom the business does not have a direct relationship. The law requires that data brokers (a) annually register with the Vermont Secretary of State, including completing certain necessary disclosures, and (b) maintain minimum data security standards. The law also prohibits any businesses or individuals – not just data brokers – from acquiring brokered personal information through fraudulent means or for the purpose of stalking, harassment, discrimination, or fraud.

According to the complaint, Clearview, which only registered as a Vermont data broker in January 2020, shortly before the publication of a New York Times article discussing many of the issues outlined in the complaint, uses "screen scraping" to amass a database of three billion photographs. Clearview then combines those photographs with facial recognition technology to create a commercial service that allows a customer to upload a photograph and "instantly identify the individual through facial recognition matching." While Clearview claims the technology exists to help law enforcement, the complaint alleges that Clearview has also provided its app to for-profit entities, investors, and foreign governments.

Continue Reading Vermont Attorney General brings first data broker enforcement action

A federal court in Missouri recently held that a restaurant’s promotional text messages did not violate the Telephone Consumer Protection Act (TCPA) because the messaging equipment used by the restaurant did not qualify as an automatic telephone dialing system (ATDS) as defined by the statute. The district court noted a split between the circuit courts

The public spoke and the California Attorney General (AG) listened. Nearly four months after releasing initial proposed CCPA regulations, the California AG has issued a revised draft addressing many of the comments and concerns of both industry and privacy attorneys. Although the structure and fundamental principles have not changed, the revisions will impact most CCPA

On October 10, 2019, California Attorney General Xavier Becerra issued proposed regulations implementing and interpreting the California Consumer Privacy Act (CCPA). The draft regulations address privacy policies, consumer notices, practices for handling consumer requests, ways to verify consumer requests, requirements regarding minors, and rules governing nondiscrimination practices. The regulations are currently in draft form, with

On May 7, 2019, Governor Jay Inslee of Washington signed HB 1071 into law, which strengthens the state’s data breach notification law. Washington joins the growing list of states that have recently amended their breach notification laws. Although Washington’s law was amended in 2015, the law was initially enacted nearly 14 years ago. This amendment, like those of other states, is designed to better align with the way in which consumers interact with technology today. As consumers share more information about themselves via the internet, states continue to place the onus on the companies and organizations collecting that information to guard against its loss or misuse.

Washington’s amendment expands upon the breach notification law in the following key ways:

  • First, it shortens the period between discovery of a breach of consumers' personal information (as defined by the law) and the deadline for notifying those consumers from 45 days to 30 days. The same change applies to notification of the attorney general, who must now be notified within 30 days after the breach was discovered, also down from 45 days (the requirement to notify the attorney general still applies only if notification must be provided to more than 500 Washington residents).
  • Second, the notification to the attorney general must now also include:
    • A list of the types of personal information implicated in the breach;
    • The timeframe of exposure, if known, including the date of the breach and the date of its discovery;
    • A summary of steps taken to contain the breach; and
    • A sample copy of the breach notification letter without any personally identifiable information.

In the event that more information becomes known as the investigation into the breach progresses, updates must be provided to the attorney general under the amended law.
Continue Reading Washington becomes the latest state to amend its data breach notification law

On November 13, 2018, the U.S. Department of Commerce’s National Telecommunications and Information Administration (NTIA) released comments it received from over 200 government, non-profit, academic, and private sector organizations on developing the Administration’s approach to consumer privacy.[1]

Since September, the NTIA has sought public comments to specifically address a number of questions that focused on the outcomes, goals, risks, and implementation of its proposed high-level framework for consumer privacy protection. The Administration's framework articulated a set of organizational practices focused on data transparency, minimization of collection, the storage, use, and sharing of data, security, and risk management, in addition to broader goals to reconcile a disparate regulatory patchwork and ensure that resources for privacy protections and enforcement are properly allocated.

If a few of these concepts sound familiar, it's because they loosely mirror elements of existing privacy frameworks established at the industry, state, and international levels, and the sources and arbiters of those frameworks took this opportunity to urge the Administration to follow these examples more closely.

As the Executive Branch agency principally responsible by law for advising the president on information policy issues, the NTIA issued its request for comment to inform the Administration's approach to consumer privacy. As such, the Administration's consideration of and reaction to the comments received is likely to affect future discussions and proposals in the ongoing debate regarding federal privacy legislation. As expected, many of the comments are framed against the backdrop of recent, related changes in law, with particular focus on the EU's General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA). Here, we summarize some of the significant comments and proposals received by the NTIA.

Continue Reading Public comment for private matters: NTIA receives over 200 comments on proposed approach to protecting consumer privacy informed by GDPR, CCPA & more

On September 27, 2018, as part of the Department of Justice's (DOJ) cybersecurity roundtable discussion, the DOJ's Cybersecurity Unit issued Best Practices for Victim Response and Reporting of Cyber Incidents (the Best Practices), including a Cyber Incident Preparedness Checklist. As noted by the DOJ, the Best Practices do not have the force of law, and they are "not intended to have any regulatory effect." Regardless, the Best Practices provide insight into the DOJ's cybersecurity concerns and its expectations regarding the level of effort organizations should devote to cybersecurity.

The newly published Best Practices are an update to the Best Practices issued in April 2015. Notable items in the updated Best Practices are:

  • Integration of CISA to the Best Practices: The Best Practices incorporate the Cybersecurity Information Sharing Act of 2015 (CISA), which “provides private entities with broad authority to conduct cybersecurity monitoring of their own networks, or a third party’s networks with appropriate consent.” CISA provides an exception to other potentially conflicting laws, such as the Wiretap Act and the Pen Register/Trap and Trace Act, as long as the CISA requirements are met. Under CISA, private entities are permitted to monitor information or an information system for a “cybersecurity purpose,” which means a “purpose of protecting an information system or information that is stored on, processed by, or transiting an information system from a cybersecurity threat or security vulnerability.” CISA is also meant to promote sharing information about cybersecurity threats by affording protections to private entities against certain liabilities (as long as CISA requirements are met).
  • Descriptions of basic cybersecurity procedures: The Best Practices describe several protocols as basic cybersecurity procedures. Specifically, they recommend: (i) a reasonable patch management program to address software vulnerabilities; (ii) access controls and network segmentation to limit the data at risk; and (iii) maintenance of copies of server logs

Continue Reading DOJ issues updated best practices on cyber incidents; incorporates CISA