Georgia AG, FTC and US Chamber Institute for Legal Reform discuss “crazy quilt patchwork” of privacy laws in the US

Divonne SmoyerAlexis CoccoCourtney E. FisherBy Divonne Smoyer, Alexis Cocco and Courtney E. Fisher on Posted in Privacy & Data Protection, Regulatory

On March 2, 2020, Reed Smith and the International Association of Privacy Professionals (IAPP) presented a panel discussion on 2020 privacy laws and trends featuring Attorney General Christopher Carr of Georgia; Linda Holleran Kopp of the Bureau of Consumer Protection, Division of Privacy and Identity Protection of the Federal Trade Commission (FTC); and Oriana Senatore, Senior Vice President of Policy & Research at the U.S. Chamber Institute for Legal Reform (ILR).

A clear theme from the discussion was that federal legislation is the best path for privacy reform in the United States.  The current “patchwork quilt” of federal and state data privacy laws and enforcement by the FTC (and other agencies) as well as by states – now complicated exponentially by enforcement actions by cities and counties and the presence of private rights of action increasingly proposed for state privacy legislation – is not the way to best balance privacy consumer protection and business compliance.  Indeed, the evolving privacy landscape is now approaching a “crazy quilt patchwork.” Continue Reading

A legal outlook on the three most common barriers to upgrading archiving technology

Anthony DianaTherese CraparoBy Anthony Diana and Therese Craparo on Posted in Information Governance, Regulatory

Modern businesses have a more global reach than ever before. Technology has fundamentally changed the way employees work, communicate and collaborate. While global connectivity offers businesses opportunities, it also creates substantial challenges when it comes to archiving communications.

Earlier this month, we co-hosted a thought leadership event in New York City with Smarsh, a multinational “software as a service” (SaaS) company. The lively discussion focused on legal and compliance issues facing financial services organizations today. One specific topic kept coming up: many large financial service organizations are using outdated electronic communications archiving technology for managing compliance and e-discovery. What those firms are missing are the benefits possible with modern technologies – from agility, to productivity to predictability, among others. Firms resist upending the status quo and adopting new, advanced technology systems, mainly for these reasons:

Cost: Moving large quantities of historical data can be expensive and resource intensive.

Risk: A migration brings the risk of data loss and, subsequently, regulatory or discovery exposure.

Inertia: Not gaining alignment across key stakeholders pushes the problem down the road.

Click here to access the full article published by Smarsh discussing simple ways to overcome these common challenges, and stay competitive.

CCPA litigation is here: putative class action filed for alleged notice and collection violations

Sarah BrunoAlexis CoccoCasey PerrinoBy Sarah Bruno, Alexis Cocco and Casey Perrino on Posted in In the Courts, Privacy & Data Protection

Although the California Consumer Privacy Act (CCPA) specifically precludes private lawsuits except for those resulting from certain data breaches, that has not stopped at least one plaintiff from bringing a putative class action based on an alleged CCPA violation.

A proposed class action was filed on February 27, 2020, in the Southern District of California against Clearview AI (Burke v. Clearview AI, Inc., S.D. Cal., No. 3:20-cv-00370-BAS-MSB). The complaint alleges that Clearview’s facial recognition technology – which scrapes, without notice or consent, social media websites for images of consumers’ faces – violates, among other laws, both the CCPA and the Illinois Biometric Information Privacy Act (BIPA). According to the complaint, Clearview’s facial recognition software uses the billions of scraped images in its database to generate a type of biometric information, known as a “faceprint,” to match a face to other personally identifiable information; it then sells access to the faceprint database to law enforcement agencies and private companies. The complaint charges that Clearview improperly collected personal information without properly notifying consumers.

Continue Reading

The growth of Adtech and how it falls into privacy laws’ crosshairs

Sarah BrunoCasey PerrinoBy Sarah Bruno and Casey Perrino on Posted in Privacy & Data Protection, Regulatory

The onslaught of privacy regulations has impacted every industry and, while it seems that no industry can be flat footed – from auto manufacturers to ecommerce platforms – one in particular has had to remain especially nimble: the advertising technology (Adtech) industry.

 The Adtech industry has struggled with privacy regulations, including the CCPA, but it has taken the reins of the challenge. Some players have added language to their agreements to ensure they are considered service providers, while others are focused on the definition of personal information and developing systems to ensure the data they receive or share falls outside of it. While the effectiveness of these solutions and whether they are compliant with the CCPA will likely be tested in the coming year, they give companies in the Adtech ecosystem a few attractive options for compliance with the requirement to allow consumers to opt out of the sale of their personal information.

For the full article, please read here.

California legislature proposes ‘urgency statute’ to revise CCPA’s health care and research exemptions

Kimberly GoldAlexis CoccoBy Kimberly Gold and Alexis Cocco on Posted in Privacy & Data Protection, Regulatory

As currently drafted, the California Consumer Privacy Act (“CCPA”) leaves many questions unresolved regarding how the law applies to data collected and used in the health care and life sciences industries, particularly in the research context. Clinical research sponsors and other industry participants have raised concerns about how the CCPA may impede care delivery and research efforts and, as a result, limit medical advancement.

Proposed CCPA amendment AB 713 would harmonize the CCPA with the de-identification standards set forth in the Health Insurance Portability and Accountability Act and its implementing regulations, expand the CCPA’s exemptions for research data, and provide other important clarifications for health care providers and their vendors, research sponsors and other organizations engaged in health care delivery or research. With this proposal, California legislators have acknowledged the need to clarify the scope of the CCPA for health care and research data, declaring the bill an “urgency statute,” meaning it would take effect immediately upon signature by the California governor.

For the full article, please visit The Privacy Advisor.

Wisconsin representative proposes “groundbreaking” data privacy law modeled after GDPR, including statutory penalties up to $20 million or 4 percent of total annual revenue

Mark QuistAlexis CoccoPaul ConnellBy Mark Quist, Alexis Cocco and Paul Connell on Posted in Privacy & Data Protection, Regulatory

A trio of consumer data privacy bills modeled after Europe’s General Data Protection Regulation (GDPR) has been introduced in the Wisconsin State Assembly. The three bills, collectively dubbed the Wisconsin Data Privacy Act (WDPA), were sponsored by Republican State Representative Shannon Zimmerman, who is seeking to make Wisconsin “the most consumer-friendly state in our nation on data privacy.” Collectively, Assembly Bills 870, 871, and 872 seek to grant Wisconsin residents a host of rights related to companies’ collection and processing of their personal data and would impose a number of related regulatory obligations on companies that process personal data.

Consumer rights

  • A right to request information about what personal data a company has processed;
  • A requirement that companies obtain opt-in consent before collecting or making any use of the consumer’s personal data;
  • A right to request that a company stop any processing of the consumer’s personal data and give notice to cease processing personal data to every entity the company has shared the consumer’s data with (unless this is impossible or involves unreasonable efforts); and
  • A right to request deletion of the consumer’s personal data.

Continue Reading

First decision on qualification of Bitcoins made by German tax court

Martin BuenningBy Martin Buenning on Posted in Privacy & Data Protection, Regulatory

On July 20, 2019 the German tax court for the federal states of Berlin and Brandenburg published the first decision of a German tax court on the qualification of “bitcoins” in a provisional legal protection procedure.

The court confirmed that a bitcoin qualifies as an “asset” for German taxation and (tax) accounting purposes.

At the same time, the court concluded that a bitcoin is not a security or financial asset because it does not represent a claim for (re)payment of money.

The capital gain derived by a private individual is taxable if realized within one year after the acquisition (that is, a disposition after one year would not be taxable).

The German Generally Accepted Accounting Principles (GAAP) applicable to intangible assets apply to bitcoins if held as a business asset.

Read more about the decision in our recent client alert.

New key features of FTC data security orders highlighted by Consumer Protection Bureau Director

Gerard StegmaierCourtney E. FisherBy Gerard Stegmaier and Courtney E. Fisher on Posted in Data & Cyber Security, Regulatory

On January 6, 2020, the Director of the Federal Trade Commission’s (FTC’s) Bureau of Consumer Protection, Andrew Smith, published a blog post highlighting recent changes to the Commission’s enforcement orders relating to data security. Industry leaders, law practitioners, Congress, and even the courts have been critical of aspects of the Commission’s data security orders.  In the post, titled New and improved FTC data security orders: Better guidance for companies, better protection for consumers, Smith acknowledges that, upon arriving at the FTC, strengthening the FTC’s orders in data security matters was among Chairman Joseph J. Simons and his first priorities.  Smith’s blog post is a useful roadmap to help understand the practices the Commission requires of companies under its orders.  Lawyers often look to these orders to distill advice for clients in a challenging area where the public shaming of companies after data security incidents is rampant.

The FTC began working towards specific improved data security orders in 2019, and Smith cites seven different 2019 data security orders in an effort to lay out some of these improvements.  The improvements, he notes, resulted in part from a December 2018 FTC hearing addressing areas of improvement for data security orders, as well as a 2018 Eleventh Circuit Court of Appeals decision.

As a result, Smith highlights three major changes that “improve data security practices and provide greater deterrence” for companies and enhance enforceability.  These changes fall into the following three categories:

(1) The orders are more specific.

(2) The orders increase third-party assessor accountability.

(3) The orders elevate data security considerations to the C-Suite and Board level via executive certifications modeled after similar certifications in securities and other laws.

Continue Reading

Circuit split on automatic telephone dialing systems under the TCPA reinforces importance of obtaining prior express written consent

Kimberly GoldSamuel F. CullariAlexis CoccoRaagini ShahBy Kimberly Gold, Samuel F. Cullari, Alexis Cocco and Raagini Shah on Posted in In the Courts, Regulatory

A federal court in Missouri recently held that a restaurant’s promotional text messages did not violate the Telephone Consumer Protection Act (TCPA) because the messaging equipment used by the restaurant did not qualify as an automatic telephone dialing system (ATDS) as defined by the statute. The district court noted a split between the circuit courts on this issue, highlighting the uncertainty regarding whether the equipment at issue must have the capacity for sequential or random number generation to fall within the definition of an ATDS, thus requiring prior express written consent.

The TCPA requires that prior express written consent be obtained for all telemarketing calls and text messages made using an ATDS or a prerecorded voice to a wireless number. In Beal v. Outfield Brew House, Case No. 2:18-cv-4028-MDH (W.D. Mo. Feb. 20, 2020), the defendant, Outfield Brew House, LLC (Brew House), collected phone numbers from customers who provided their contact information on paper cards (which contained some TCPA disclosure language). Brew House did not maintain copies of the signed paper cards, but rather entered the customer contact information from the cards into a spreadsheet and shredded the cards. Brew House employees then uploaded that information into its text messaging system. To send text messages, a Brew House employee would log into a text messaging system, select a subset of customers to whom promotional texts would be sent, and manually press a button to send a text message to those customers. The plaintiff, a customer who had received promotional text messages from Brew House, filed a putative class action alleging that Brew House violated the TCPA by sending text messages to customers using an ATDS without their prior express written consent. Brew House moved for summary judgment, which the district court granted.

At issue in the case was whether Brew House’s text messaging equipment could be considered an ATDS when it could not produce numbers to be called using a random or sequential number generator. The district court noted the split between the circuit courts on this issue; both the Third Circuit and the Eleventh Circuit have held that a phone or messaging system that does not randomly or sequentially generate phone numbers and then dial those numbers could not be considered an ATDS under the TCPA. The Ninth Circuit, on the other hand, has held that an ATDS is not limited to devices with the capacity to call numbers produced by a random or sequential number generator, but also includes devices with any capacity to dial stored numbers automatically. The district court in Beal declined to follow the Ninth Circuit’s reasoning and instead adopted the narrower definition of an ATDS embraced by the Third and Eleventh Circuits.

Comment

While Beal may be good news for businesses that contact customers using messaging or dialing systems, the case highlights the ongoing uncertainty regarding the definition of an ATDS in the federal courts. The risks associated with violating the TCPA are very high: class actions are prevalent because the TCPA provides for strict liability, a private right of action, and significant statutory damages ($500 per violation, or up to $1,500 per willful violation). Importantly though, obtaining the consumer’s prior express written consent provides a defense to TCPA actions, although circuits are also split regarding who bears the burden of proof on that issue. For this reason, companies should establish procedures to document, store, and track a person’s written consent to receive any calls or texts in order to limit their exposure under the TCPA, regardless of which definition a court may adopt.

To learn more about this topic, please join Reed Smith for a CLE webinar on February 26, 2020 for a discussion on the latest TCPA legal developments and regulatory and compliance risks.

#Ad #Germany – Update for influencers

Margarita TrukhinaRamona KimmichDr. Alexander HardinghausBy Margarita Trukhina, Ramona Kimmich and Dr. Alexander Hardinghaus on Posted in Cookies, Tracking & Online Behavioral Advertising, Regulatory, Social, Mobile, Analytics & Cloud (SMAC)

On February 13, 2020, the German Federal Ministry of Justice and Consumer Protection (BMJV) published a proposal to soften the regulatory requirements for influencers for labeling their posts as advertising (Proposal). Under the Proposal, statements posted on social media about products for which no consideration was given – either in the form of monetary compensation or other benefits – shall be excluded from labeling requirements. In the view of the BMJV such posts are intended solely to shape public opinion and are not made in the pursuit of commercial purposes (see the BMJV’s press release of February 13, 2020, available in German here).

Background

Recommendations from influencers are highly trusted by their followers. To ensure a sufficient level of transparency, the German regulators have provided regulatory guidance on the labeling of posts as advertising. However, in the past German courts have inconsistently interpreted the statutory labeling requirements applicable to advertising in the context of social media posts by influencers. This has resulted in various restrictive orders against German influencers (please find further details of German case law on this topic in our articles: “Update on transparency requirements for influencer marketing”, “Frankfurt Court of Appeals ruling on influencer marketing and manufacturer tags”, and “Update on transparency requirements for influencer marketing”). The Proposal’s key aim is to achieve legal certainty for influencers.

Planned changes under the Proposal

Pursuant to Section 5a(6) of the German Act against Unfair Competition (Gesetz gegen den unlauteren Wettbwerb – UWG), the failure to properly identify the purpose of a commercial activity may constitute an act of unfair competition. Under the Proposal the following commercial activities shall be excluded from Section 5a(6) UWG:

“As a general rule, a commercial activity is not to be deemed to have a commercial purpose if (a) it primarily serves informative purposes or the shaping of public opinion and (b)  no payment or similar consideration has been granted.”

However, according to the Proposal, the burden of proof shall remain with the influencer.

Comment

The BMJV’s intention to achieve a sufficient level of legal certainty and exclude certain content from the labeling requirements is a step in the right direction. Notably, the Proposal sets limits to the approach taken by German courts, which has led to almost every influencer post being labeled as advertisement.

However, under the Proposal various points remain uncertain. A main concern is that the Proposal gives no guidance on which scenarios should fall within the scope of “similar consideration.” While this question will not be of interest to successful celebrities and other leading influencers who receive considerable compensation for each single post, it will have a significant impact on rising stars who may receive products, including items of rather low value, for free instead of monetary compensation. The Proposal lacks clarification as to the circumstances under which non-monetary compensation shall trigger corresponding labeling requirements.

Influencers, brand ambassadors and organizations that cooperate with them should monitor further developments concerning the legal framework on labeling requirements.

LexBlog