On March 15, 2022, the Federal Trade Commission (“FTC”) issued a proposed settlement with online custom merchandise platform CafePress in connection with the company’s alleged: (1) failure to implement reasonable security measures to secure consumers’ Personal Information; and (2) attempt to cover up a significant 2019 data breach. The proposed settlement would require CafePress to implement a comprehensive data security program and pay $500,000 in redress to victims of the data breaches. The FTC’s Complaint alleges that CafePress misrepresented its security practices and unfairly failed to implement reasonable security measures to protect the Personal Information of consumers and merchants stored on the company’s systems. Although similar in content to previous FTC orders, the current order addresses a myriad of unique provisions and provides a glimpse into the FTC’s future enforcement of cybersecurity issues.

Maryland and California look to join the list of states that not only regulate biometric data but provide consumers with the opportunity to seek hefty statutory damages and attorney’s fees from offending businesses. Similar to Illinois’ oft-litigated Biometric Information Privacy Act (“BIPA”), both bills would also (i) require written consent prior to the collection of biometric information; (ii) impose BIPA-like security measures; and (iii) mandate specific retention criteria, as described below.

After many months and several rounds of revisions, the Office of the California Attorney General has finally submitted the final proposed regulations package under the California Consumer Privacy Act (CCPA) to the California Office of Administrative Law (OAL).

The complete package, which includes the Final Text of Proposed Regulations and the Final Statement of Reasons, was submitted on June 1, 2020.  A comparison between the most recent second modified regulations – which were released on March 27, 2020 – and the Final Text of Proposed Regulations reveals very few changes.  In fact, the changes were entirely grammatical, with no substantive revisions.  This means that the last round of revisions, summarized here, will be implemented.

On March 26, 2020, amendments to Washington, D.C.’s data breach notification law were enacted in bill number B23-0215.  Put briefly, the amendments impose various prevention, response, and mitigation obligations on businesses regarding data breaches that affect D.C. residents.  Below is a summary of the key changes of which businesses should be aware.

Last week, on March 11, the California Department of Justice, Office of the Attorney General (AG) released its second set of revisions to its draft regulations under the California Consumer Privacy Act (CCPA). This second set of proposed revisions is based in part on comments received in response to an initial set of proposed revisions released by the AG last month (see February 10 Reed Smith client alert here). Written comments to this second set of proposed revisions must be submitted by March 27, 2020.

This set of proposed revisions was not extensive. Highlights appear below.

The onslaught of privacy regulations has impacted every industry and, while it seems that no industry can be flat-footed – from auto manufacturers to ecommerce platforms – one in particular has had to remain especially nimble: the advertising technology (Adtech) industry.

 The Adtech industry has struggled with privacy regulations, including the CCPA, but it

After soliciting public comments since last November, the Chinese Ministry of Public Security (MPS) published the finalized Guideline for Internet Personal Information Security Protection (Guideline) on April 10, 2019. The Guideline applies to Personal Information Holders, defined as entities or individuals that “control and process personal information” through their provision of services using the Internet,

On May 7, 2019, Governor Jay Inslee of Washington signed HB 1071 into law, which strengthens the state’s data breach notification law. Washington joins the growing list of states that have recently amended their breach notification laws. Although Washington’s law was amended in 2015, the law was initially enacted nearly 14 years ago. This amendment, like those of other states, is designed to better align with the way in which consumers interact with technology today. As consumers share more information about themselves via the internet, states continue to place the onus on the companies and organizations collecting that information to guard against its loss or misuse.

Washington’s amendment expands upon the breach notification law in the following key ways:

  • First, it shortens the period between the discovery of a breach of consumers’ personal information (as defined by the law) and the time in which notification of the breach must be provided to those consumers from 45 days to 30 days. This change also applies to notifications to the attorney general, who now must be notified within 30 days after the breach was discovered, also down from 45 days (the requirement to notify the attorney general still only applies if notification must be provided to more than 500 Washington residents).
  • Second, the notification to the attorney general must now also include:
    • A list of the types of personal information implicated in the breach;
    • The timeframe of exposure, if known, including the date of the breach and the date of its discovery;
    • A summary of steps taken to contain the breach; and
    • A sample copy of the breach notification letter without any personally identifiable information.

In the event that more information becomes known as the investigation into the breach progresses, updates must be provided to the attorney general under the amended law.

BREAKING: California Attorney General Xavier Becerra (AG) announced a proposed series of amendments to the California Consumer Privacy Act (CCPA) that would:

  • Expand consumers’ private right of action to include all alleged violations of their rights under the CCPA;
  • Eliminate businesses’ 30-day opportunity to “cure” alleged violations prior to being subject to civil enforcement by

Massachusetts state Senator Cynthia Creem has introduced a consumer data privacy bill, SD 341, that would give Massachusetts consumers the right to sue in the event their personal information or biometric data is improperly collected or distributed or for any other potential violation of the new law. Under SD 341, and similar to Illinois’s Biometric Information Privacy Act (BIPA), consumers may not be required to demonstrate or have suffered monetary or property losses in order to seek damages for an alleged violation. Any violation of the proposed new law could be grounds for a valid private action.

The proposed bill is the latest signal that state legislatures are going to be increasingly active in regulating data protection issues. California’s new California Consumer Privacy Act (CCPA) is considered an expansion of privacy-related regulation beyond any existing federal or state law. Although the CCPA will not go into effect until January 2020, businesses are busy implementing compliance policies and procedures, including making plans now to ensure they can adequately and accurately respond to consumers’ requests regarding the type and nature of personal information they may possess on California residents. The Massachusetts bill appears to have many of the same characteristics as the CCPA, but its private right of action provision would be a boon for the plaintiff’s bar. Like Illinois’ BIPA and the Telephone Consumer Protection Act (TCPA), which have spawned scores of class action lawsuits, SD 341 does not require proof of actual damages. It states that “a violation of this chapter shall constitute an injury in fact to the consumer who has suffered the violation, and the consumer need not suffer a loss of money or property as a result of the violation in order to bring an action for a violation of this chapter.” A prevailing plaintiff can receive the greater of $750 “per consumer incident” or actual damages and can also receive attorneys’ fees.