Reed Smith IP, Tech & Data attorneys Divonne Smoyer and Alexis Cocco conducted an in-depth Q&A with Maryland Attorney General Brian Frosh. During the interview, he discusses his priorities for data privacy and security for Maryland, including his hopes for future legislation in both Maryland and federally. AG Frosh is currently in his second term

Last week, the California Assembly’s Committee on Privacy and Consumer Protection, which exercises jurisdiction over privacy and personal information protection matters, approved several amendment bills intended to clarify and narrow the scope of the California Consumer Privacy Act (CCPA or the Act). In January 2020, the CCPA will impose landmark burdens and obligations on businesses

Massachusetts state Senator Cynthia Creem has introduced a consumer data privacy bill, SD 341, that would give Massachusetts consumers the right to sue in the event their personal information or biometric data is improperly collected or distributed or for any other potential violation of the new law. Under SD 341, and similar to Illinois’s Biometric Information Privacy Act (BIPA), consumers may not be required to demonstrate or have suffered monetary or property losses in order to seek damages for an alleged violation. Any violation of the proposed new law could be grounds for a valid private action.

The proposed bill is the latest signal that state legislatures are going to be increasingly active in regulating data protection issues. California’s new California Consumer Privacy Act (CCPA) is considered an expansion of privacy-related regulation beyond any existing federal or state law. Although the CCPA will not go into effect until January 2020, businesses are busy implementing compliance policies and procedures, including making plans now to ensure they can adequately and accurately respond to consumers’ requests regarding the type and nature of personal information they may possess on California residents. The Massachusetts bill appears to have many of the same characteristics as the CCPA, but its private right of action provision would be a boon for the plaintiff’s bar. Like Illinois’ BIPA and the Telephone Consumer Protection Act (TCPA), which have spawned scores of class action lawsuits, SD 341 does not require proof of actual damages. It states that “a violation of this chapter shall constitute an injury in fact to the consumer who has suffered the violation, and the consumer need not suffer a loss of money or property as a result of the violation in order to bring an action for a violation of this chapter.” A prevailing plaintiff can receive the greater of $750 “per consumer incident” or actual damages and can also receive attorneys’ fees.

Companies that employ algorithms, machine learning and artificial intelligence (AI) in their day-to-day business may face increased attention from federal antitrust and consumer protection regulators in the future. On November 13–14, the Federal Trade Commission (FTC) addressed this topic in its hearings on “Competition and Consumer Protection in the 21st Century.” The panelists, an assembly

Since California enacted its Automatic Purchase Renewals Law (APRL) in 2010, the plaintiffs’ class action bar has been active in suing companies with subscription-based services for their alleged failures to comply with the APRL requirements. The lawsuits stem from the alleged failure to comply with the disclosure, consent, and acknowledgment requirements applicable to many types of subscriptions. Non-compliance has resulted in million-dollar class action settlements and government civil penalties. This summer, the APRL got tougher.

The APRL applies to companies that charge payment cards of California consumers as part of using “automatic renewals” or providing “continuous services.” An “automatic renewal” is an arrangement to automatically renew and charge for a subscription at the end of its term. A “continuous service” is an arrangement where the subscription continues and charges are initiated until the consumer cancels the service.

Generally, and even before the amendment, the APRL requirements include:

  • Presenting the terms of the automatic renewal offer or continuous service in a clear and conspicuous manner where or when the offer is made.
  • Obtaining the consumer’s affirmative consent before charging a consumer for the automatic renewal or continuous service.
  • Providing an acknowledgment of key terms, including cancellation instructions, to the consumer.
  • Implementing a method to cancel (as described in the acknowledgment) by toll-free phone, email, mail, or other “cost-effective, timely, and easy-to-use” method, and permitting consumers to cancel prior to charging at the end of a free trial.
  • Notifying the consumer in a clear and conspicuous manner prior to any material changes to the original terms.


Check out this month’s edition of The Privacy Advisor, a publication of the International Association of Privacy Professionals (IAPP), for Divonne Smoyer and Kimberly Chow’s Q&A with Indiana Attorney General Curtis Hill. AG Hill has prioritized rolling back federal overreach and safeguarding consumers from fraud and scams, along with continuing to take a hard

The German Federal Cartel Office (“FCO”) has launched a sector inquiry into “online price comparison websites.” This sector inquiry is the first specific proceeding in which the FCO applies its new competencies in the area of consumer protection given to it by the 9th amendment to the German Act against Restraints of Competition (“ARC”). Another sector inquiry concerning consumer protection issues in everyday digital life might follow next year.

Background

Sector inquiries are not targeted against individual companies. Their purpose is to thoroughly examine the conditions on a general market in order to identify potential infringements of legal provisions. The FCO will summarise the results of its investigation in a report. If infringements by individual companies are detected in the course of the sector inquiry, this might subsequently lead to the initiation of proceedings against individual companies. In the past, this was only possible in relation to infringements of competition law.

By the amendment to the ARC, which entered into force on 9 June 2017, the FCO has also been given such competencies in the area of consumer protection and has set up a new division for this specific purpose. The new competencies should be seen as a supplement and back-up to the well-established system of privately enforced consumer protection. Currently, the FCO has only investigative powers; it has not yet been granted decision-making and enforcement powers in relation to consumer protection issues.

Its new investigation powers allow the FCO to launch a sector inquiry whenever there are indications of a severe violation of consumer protection laws or the legal requirements for general terms and conditions that affect a large group of customers.

The FCO has identified the so-called “digital economy” as an area where one infringement by one company could harm millions of customers. Therefore, it decided to focus on this area for its first sector inquiry by its new division for consumer protection.

Affirming a lower court decision this blog discussed here, the Superior Court of Pennsylvania held January 12 that dismissal of a proposed data breach class action was proper, because the University of Pittsburgh Medical Center lacked a legal duty to protect employee information stolen by a third party. The 2-1 majority’s finding that UPMC had no duty of care to protect the compromised information was based upon a thorough analysis of factors the Pennsylvania Supreme Court has established for determining the existence of a duty.  The dissent analyzed the same factors but argued that on balance, they weighed in favor of finding a duty.

In a press release dated 17 May 2016, the Federation of German Consumer Organizations (Verbraucherzentrale Bundesverband – vzbv) announced that on 8 April 2016, the Court of Appeal Berlin (Kammergericht Berlin; “Court”) issued a judgment against WhatsApp Inc., prohibiting WhatsApp from using English Terms & Conditions on its website for contracts with consumers in Germany, unless German T&Cs are provided as well (“Judgment”). However, the Judgment is not yet binding.

Georgia Attorney General Sam Olens has come out in support of federal data breach preemption as a more realistic way to ask companies to comply with regulatory requirements in the wake of a breach or data loss incident.  His statement comes on the heels of California Attorney General Kamala Harris’ report that the burden on companies to comply with the patchwork of state data breach laws is too heavy, and that state laws should be harmonized to lessen that burden.

Speaking at the National Association of Attorneys General summit May 3, Olens asserted, “I frankly think it’s absurd that there are 30 or 40 different state laws on cybersecurity and breach.”

Rather than requiring companies that have been hacked to report to 30 different AGs with 30 different forms, Olens said, there should be a standard form that both the federal government and the states use.  He pointed out that treating hacked companies as the bad guys right off the bat and imposing the immense burden of such rigorous and varying compliance is counterproductive.