Photo of Sarah Bruno

Washington State legislators continue in their effort to pass only the second comprehensive privacy legislation in the U.S., the Washington Privacy Act (WPA).  Introduced on January 11, 2021, the WPA is currently making its way through committee hearings.  The debate continues, with the Washington State Senate Ways & Means Committee recently holding a public hearing to discuss the enforcement provision proposed in the WPA.  Currently, $1.4 million is proposed to the Washington State Attorney General’s office for enforcement of the WPA.  Some are calling for an increased budget, others for private right of action.
Continue Reading Washington State weighs enforcement mechanism for its comprehensive privacy bill

Many online platforms are using verification tools to address the broader concern of trustworthiness and credibility on the Internet. With a general move toward a “verified internet,” these online platforms are looking at new verification measures, including facial recognition and other biometric technology. The online adult video platform Pornhub announced last week that it will be introducing biometric technology to verify users who upload videos. In a statement, Pornhub explained that verification will be done by Yoti, a digital identity verification company, “by providing a current photo and government-approved identification document.”

Yoti advertises that it is a “privacy driven” verification solution. The company is a conduit between consumers and the platform owners, like Pornhub. Essentially, a consumer will provide Yoti with their biometric identifier, such as a video or voice recording, plus their government identification. Yoti will then verify that data for the platform owner, such as Pornhub. Pornhub will not see that information, but will rely on the verification to allow the consumer to access their site.
Continue Reading Use of biometric technology is latest trend toward a verified internet

Before the dust has even settled on many California Consumer Privacy Act (CCPA) compliance projects, California voters have welcomed the future of privacy by overwhelmingly approving Proposition 24: The California Privacy Rights Act (CPRA).  Building off of the CCPA framework, the CPRA expands the rights of California consumers, adds new responsibilities for both business and service providers, and creates a new state agency, the California Privacy Protection Agency (the Agency), to take over enforcement from the state Attorney General.  Here are the notable changes:

First, every business will be happy to know that the B2B and employee information sunsets have been extended until January 1, 2023 (after being extended by another year until 2022 by the legislature).
Continue Reading CPRA: The next frontier in (California) privacy

On September 9, Senator Reuven Carlyle (D-WA) presented an updated draft of the Washington Privacy Act (WPA), suggesting that the WPA will be up for consideration in Washington State’s 2021 legislative session. The next legislative session is scheduled to convene on January 11, 2021, at which point the fate of the WPA will again be

In August 2018, Brazil passed its General Data Protection Law (LGPD), which could become effective as soon as September 16, 2020. Now is the time for organizations that collect personal data of individuals in Brazil or process personal data in Brazil to assess their processing activities and consider how to comply with the new law,

Recently in a landmark decision, United States PTO v. Booking.com B.V. the U.S. Supreme Court clarified certain trademark rights for “.com.” There, the High Court ruled 8-1 that Booking.com, a popular online travel reservation agency, could register its company name – BOOKING.COM – as a trademark. In doing so, the Supreme Court struck down the

Hollywood movie star Reese Witherspoon and her clothing line, Draper James, LLC, have found themselves the subjects of a public relations debacle, and now, a class action after running a promotion for teachers gone horribly wrong.

In April, Draper James ran an Instagram promotion to recognize and thank teachers for their work during the COVID-19 pandemic. The April 2, 2020 promotion post stated: “Dear Teachers: We want to say thank you. During quarantine we see you working harder than ever to educate our children. To show our gratitude, Draper James would like to give teachers a free dress.”

The Instagram post went on to provide further details of the promotion, including that to “apply”, teachers needed to fill out a form  with their name and work email addresses, a photo of their school IDs, the grade level and subjects they teach, as well as their school name and state. In exchange for providing what the teachers alleged to be “sensitive personal, employment information,” teachers thought they would receive a free dress from the brand. While the Instagram post did caveat in a parenthetical that the offer was “valid while supplies last – winners will be notified on Tuesday April 7th” the post did not disclose that only 250 teachers would receive a free dress. The lawsuit claims that the “vague illusory comment” was insufficient to place a reasonable consumer on notice that that this was a sweepstakes or that the brand would “only be making an unreasonably limited number of products available under this offer.”
Continue Reading Legally blown: Reese Witherspoon and her fashion line face breach of contract and privacy class action over ‘free dress’ giveaway

It is natural for businesses to be concerned about the security of their premises and to explore new technologies that can help mitigate health and safety risks related to that security. As retailers get back to business in the United States, the laws implicating biometrics and the increase in use cases for biometric technologies have

After many months and several rounds of revisions, the Office of the California Attorney General has finally submitted the final proposed regulations package under the California Consumer Privacy Act (CCPA) to the California Office of Administrative Law (OAL).

The complete package, which includes the Final Text of Proposed Regulations and the Final Statement of Reasons, was submitted on June 1, 2020.  A comparison between the most recent second modified regulations – which were released on March 27, 2020 – and the Final Text of Proposed Regulations reveals very few changes.  In fact, the changes were entirely grammatical, with no substantive revisions.  This means that the last round of revisions, summarized here, will be implemented.

Continue Reading The wait is over: Final CCPA regulations have been submitted

In a world where we have been ordered to stay home and shelter in place to combat the spread of COVID-10 our children are now learning remotely. While it is fortunate that technology allows students to continue the school year at home, remote learning presents an obstacle where children’s privacy is concerned.

In the United States, the Children’s Online Privacy Protection Act (COPPA) governs the collection of personal information from children under the age of 13. It generally requires the provider of a website or online service directed at children to obtain “verifiable parental consent” before collecting any personal information from children. “Verifiable parental consent” can be obtained in a number of ways—for example, through a signed consent form that is returned via mail or electronic scan, or the use of a credit card or other online payment system that provides notification of each separate transaction to the account holder—but whatever method is used must be reasonably designed to ensure that the person giving the consent is the child’s parent or legal guardian.
Continue Reading Remember to consent in the time of COVID-19