September 13 was the final day for the California legislature to pass bills amending the California Consumer Privacy Act (CCPA) prior to its January 1, 2020, effective date. After months of speculation and anticipation, we finally have clarity (subject to the Governor’s approval) on the CCPA’s provisions.

Although there were changes – and both business and privacy advocates are claiming victories – the CCPA did not undergo a dramatic change. For businesses, the most notable changes are the addition of limited exemptions for the personal information of employees and business to business contacts as well as changes to the definition of personal information. On the other hand, privacy advocates will point to what did not change, namely, the CCPA retained its core privacy rights.

Below we discuss the changes.

Continue Reading Analyzing the California Legislature’s Changes to the California Consumer Privacy Act

Key Point: If signed by the Governor, the legislation will expand the types of personal information covered by the CCPA’s provision authorizing private litigants to seek statutory damages of between $100 and $750, per consumer per incident, for data breaches.

On September 6, the California legislature passed amendments to the state’s data breach notification statutes (Cal. Civ. Code §§ 1798.29 & 1798.82) and information security statute (Cal. Civ. Code § 1798.81.5). The bill was enrolled and presented to the Governor on September 11.

If signed by the Governor, the legislation will expand the types of personal information that are covered under those statutes to include (1) tax identification numbers, passport numbers, military identification numbers, or other unique identification numbers issued on a government document commonly used to verify the identity of a specific individual and (2) unique biometric data generated from measurements or technical analysis of human body characteristics, such as a fingerprint, retina, or iris image, used to authenticate a specific individual. Unique biometric data does not include a physical or digital photograph, unless stored for facial recognition purposes.

This is the first CCPA-related bill to pass the California legislature prior to the September 13 deadline.  Husch Blackwell will be hosting a webinar on September 16 to analyze what bills did and did not pass. For more information, click here.

The passage of this legislation implicates the CCPA through § 1798.150 of the CCPA, which provides that any “consumer whose nonencrypted or nonredacted personal information, as defined in [Cal Civ. Code § 1798.81.5(d)(1)(A)], is subject to an unauthorized access and exfiltration, theft, or disclosure as a result of a business’s violation of the duty to implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect the personal information may institute a civil action” to recover damages of between $100 and $750 per consumer per incident. By expanding the types of personal information included in Cal Civ. Code § 1798.81.5(d)(1)(A), the legislation expands the types of personal information subject to the CCPA’s statutory penalties.

It goes without saying that businesses that are operating in California and collecting these additional types of personal information should take steps to ensure that they are properly protected, including the use of encryption and redaction.

Friday, September 13 is the final day for the California legislature to pass bills amending the California Consumer Privacy Act (CCPA). Join us on Monday, September 16 for a first look at what bills passed and how any amendments will impact your CCPA compliance efforts. During this webinar, we will review and discuss the fate of numerous assembly bills (AB), including:

  • AB 25: employee information carve-out
  • AB 846: customer loyalty program carve-out
  • AB 873 and 874: changes to the definitions of “deidentified” and “personal information”
  • AB 1564: changes to methods for receiving verifiable consumer requests
  • AB 1130 and 1035: changes to California’s data breach notification statute

This is a must-attend webinar for anyone with organizational responsibility for CCPA compliance.

Click here for more information and to register.

Key Point: On October 1, 2019, the amendments to Nevada’s privacy policy statute will go into effect, requiring entities subject to the statute to revise their online privacy policies and create an internal process to ensure compliance with the new opt-out right.

As we initially discussed back in May, the Nevada legislature recently amended the state’s existing online privacy policy statute, N.R.S. 603A.300 to .360, to require “operators” (as that term is defined in the statute) to establish a designated request address through which consumers can submit verified requests directing operators not to make any “sale” of covered information collected about consumers. That provision will be enforceable by the Nevada Attorney General’s office, which can seek an injunction or a $5,000 penalty for “each violation.”

Notably, a close read of the legislation shows that operators must provide an opt-out right even if they are not currently selling information. Specifically, the legislation states that, after receiving a verified request, operators “shall not make any sale of any covered information the operator has collected or will collect about the consumer.” Therefore, operators cannot rely on the fact that they do not presently sell covered information and will need to take steps to log these requests in case anything changes in the future.

To comply with these changes, entities subject to the statute should revise their online privacy policies by the October 1, 2019, deadline.

Our detailed examination of Nevada’s existing statutory requirements and the changes effective October 1 is available here.

In 2010, Mark Zuckerberg famously stated that privacy was no longer a “social norm.”  Today, the Facebook founder is no doubt viewing social norms around privacy a bit differently, as are U.S. regulators and consumers.

On Wednesday, the Federal Trade Commission (FTC) confirmed that it agreed to a settlement with Facebook, Inc. stemming from Facebook’s alleged privacy violations in the Cambridge Analytica scandal.  In the settlement order (Order), Facebook agreed to pay a record-breaking $5 billion penalty to resolve the FTC’s claims that Facebook violated a prior FTC order by repeatedly using deceptive disclosures and settings to undermine users’ privacy preferences and allowing Facebook to share users’ personal information without prior consent with third party applications.

Continue Reading The FTC-Facebook Settlement Signals Major Shift in US Privacy Regulation

Key Point: The SHIELD Act increases the statutory penalties for knowing and reckless violations of the State’s data breach notification law. It also authorizes the NY Attorney General to pursue injunctive relief and monetary penalties against persons and businesses who fail to implement reasonable safeguards to protect New York residents’ private information.

On July 25, 2019, New York Governor Andrew Cuomo signed two bills related to data privacy and identity theft. In our June 24 post, we summarized the contents of the Stop Hacks and Improve Electronic Data Security Act (SHIELD Act). The second signing was the Identity Theft Prevention and Mitigation Services bill. Highlights of the laws’ requirements and effective dates are described below.

Continue Reading New York Expands the Data Security Requirements and Increases the Data Breach Penalties for Entities Holding New Yorkers’ Private Information

Key Point: If signed by the Governor, the legislation will require entities doing business in New York to implement and maintain reasonable safeguards to protect the security, confidentiality and integrity of private information.

As it closed its session, the New York legislature passed the Stop Hacks and Improve Electronic Data Security Act (SHIELD Act). The bill, which the New York Attorney General’s (“AG”) office strongly supports, is now at the governor’s office for review. New York AG Letitia James stated New York will join the “increasing number of states that require reasonable data security protections, while being careful to avoid excessive costs to small business and without imposing duplicate obligations under federal or state data security regulations.”

If Governor Cuomo signs the bill, New York will build upon its existing data breach notification law, and add a new requirement for data custodians in the private and public sectors to adopt reasonable measures to safeguard sensitive data of New York residents.

Continue Reading New York Poised to Expand Data Security Requirements for Entities Doing Business in the State

On July 11, Husch Blackwell’s privacy and data security practice group will host a webinar analyzing the Gramm-Leach-Bliley Act (GLBA) exemption in the California Consumer Privacy Act (CCPA). In this webinar, we will discuss the following topics:

  • History of the CCPA’s GLBA exemption
  • Analysis of the GLBA’s definition of nonpublic personal information and relevant definitions from implementing regulations
  • Hypothetical examples
  • Personal information sharing issues (both inter- and intra-company)
  • Identification of the exemption’s limitations

Click here for more information and to register.

Key Point: The Illinois data breach notification statute will now require entities to notify the Illinois Attorney General if a breach affects 500 or more Illinois residents.

The Illinois General Assembly recently voted to approve an amendment to the state’s Personal Information Protection Act (“PIPA”) (815 ILCS 530/1 et seq.) with regard to companies’ and organizations’ obligations when a data breach occurs. Illinois Governor J.B. Pritzker is expected to sign the amendment into law.

Continue Reading Illinois Legislature Passes Amendment to State’s Data Breach Notification Statute