Photo of Bob Bowman

Bob advises clients on a range of intellectual property issues and keeps them current on emerging technologies. Bob is a forward thinker who keeps up with the changing landscape of technical innovation and the law surrounding the Internet of Things, blockchain, smart contracts and data privacy.

On December 4, 2020 the President signed into law the IoT Cybersecurity Improvement Act of 2020, Pub. L. No. 116-207 (the “IoT Act”). The legislative purpose behind the new law is to ensure the highest level of cybersecurity at federal agencies by working collaboratively within government, industry and academia. Pub. L. No. 116-207 § 2.

The IoT Act mandates specific actions by the National Institute of Standards and Technology (NIST), the Office of Management and Budget (OMB) and the Department of Homeland Security (DHS) regarding: (i) standards and guidelines for IoT devices, (ii) determining whether federal agencies adhere to those standards, (iii)implementing guidelines to disclose security vulnerabilities to contractors and report the resolution of those vulnerabilities.

Conceptual image about how a laptop computer with internet open a virtual door to worldwide information sharing.Keypoint: 2020 promises to be another ground-breaking year in privacy and cybersecurity law in the United States.

2019 was an exciting year in privacy and cybersecurity law. In the United States, the California Consumer Privacy Act (CCPA) was the most significant story, but there also were developments in states such as New York and Nevada. Numerous other states also considered consumer privacy legislation, and federal lawmakers even jumped into the fray, proposing a variety of bills and regulations. Overseas, GDPR garnered the most headlines of course, but other countries, such as Brazil, also made news.

But 2019 was just the start. There is no doubt that privacy and cybersecurity law is undergoing a fundamental change in the United States. If nothing else, the legal landscape of privacy law in the United States promises to look very different by the end of the year.

Below we discuss what we anticipate will be the biggest stories in 2020 and beyond.

Saturday, November 2, will mark 60 days until the California Consumer Privacy Act (CCPA) goes into effect. While each organization will have its unique compliance challenges, as discussed below, there are a discrete set of tasks – at a minimum – that each organization needs to undertake in the next 60 days as the first steps toward compliance.

In addition, on November 13, members of Husch Blackwell’s privacy and cybersecurity practice group will present a webinar to discuss these tasks in greater detail.  For more information or to register, click here.

Keypoint: As of January 1, 2020, manufacturers of IoT devices will need to comply with new laws in California and Oregon.

It may be hard to believe but the California Consumer Privacy Act is not the only new law that will go into effect on January 1, 2020. Rather, new laws in California and Oregon that regulate IoT devices also will go into effect on that date. Below is an overview of those laws.

Keypoint: The long-awaited proposed AG regulations are here, and while they provide some much-needed clarity, they will leave businesses wanting more.

On October 10, 2019, the California Attorney General’s office published its long-awaited proposed CCPA regulations. The AG’s office also announced that it will hold public hearings on the regulations on December 2, 3, 4 and 5, 2019, and that the written comment period will end on December 6, 2019, at 5:00 p.m.

In the following blog post, we will analyze and discuss many of these proposed regulations. In addition, members of Husch Blackwell’s privacy and data security practice group will host a webinar on Tuesday, October 15, from 12:00-1:30 p.m. CT, to analyze the proposed regulations.  Click here to register.

We previously posted that Alastair Mactaggart, one of the co-authors of the California Consumer Privacy Act (CCPA), intended to submit a new ballot initiative to strengthen the privacy rights that already exist in the CCPA. The full text of the ballot measure – which is entitled the California Consumer Privacy Rights and Enforcement Act of 2020 – is now available on the California Attorney General’s website.  There also is an annotated version of the initiative available here.

While Mactaggart’s press release identified a few of the proposed changes, our initial review of the initiative is that it would bring about a substantial rewrite of the CCPA.  While there is a lot to unpack in this initiative, here are our initial highlights:

September 13 was the final day for the California legislature to pass bills amending the California Consumer Privacy Act (CCPA) prior to its January 1, 2020, effective date. After months of speculation and anticipation, we finally have clarity (subject to the Governor’s approval) on the CCPA’s provisions.

Although there were changes – and both business and privacy advocates are claiming victories – the CCPA did not undergo a dramatic change. For businesses, the most notable changes are the addition of limited exemptions for the personal information of employees and business to business contacts as well as changes to the definition of personal information. On the other hand, privacy advocates will point to what did not change, namely, the CCPA retained its core privacy rights.

Below we discuss the changes.

Key Point:  Although not as far-reaching as the CCPA, the Nevada legislation will require entities subject to the statute to revise their online privacy notices and create an internal process to ensure compliance with the new opt-out right.

As we previously reported, the Nevada legislature has been considering legislation to amend Nevada’s existing online privacy notice statutes, NRS 603A.300 to .360. On May 23, 2019, the Nevada Assembly unanimously passed that legislation. The Senate previously passed it in April. The legislation is now headed to the Governor’s office for signature.

The legislation amends Nevada’s law in two notable ways. First, entities subject to the statute will need to establish a designated request address through which consumers can submit verified requests directing the entity not to make any “sale” of covered information collected about consumers. That provision will be enforceable only by the Nevada Attorney General’s office which can seek an injunction or $5,000 penalty for “each violation.” Second, the legislation excludes financial institutions subject to the Gramm-Leach-Bliley Act, HIPAA covered entities, and certain motor vehicle manufacturers from having to comply with the online privacy notice statute.

The influence of the Internet of Things (IoT) will undoubtedly be transformational with a total potential economic impact estimated to be $3.9 trillion to $11.1 trillion a year by 2025. In the race into the IoT marketplace, there are both known and unknown legal hurdles that will affect those who offer of goods and services during the proliferation of the Internet of Things.

Posting a terms of use document on your website or mobile application defines the terms that govern your customers’ use of your website or mobile application and greatly reduces your exposure to liability when providing goods or services through a web-based application. A privacy policy describes to your consumers what information you collect, how you collect