Having escaped the bleak midwinter of the Midwest for a few brief days, I find myself sitting poolside in sunny Orlando experiencing a few tantalizing hours of near summer temps. As I watch the inflatables being splashed about gleefully by children (mine included) impervious to the water’s lingering chill, my thoughts naturally turn to privacy and security (which is not a euphemism for my ill-fitting swimsuit by the way).
On Wednesday, Washington took a major step towards becoming the second state to enact broad privacy legislation when its state senate approved the Washington Privacy Act. The bill passed the senate with overwhelming bipartisan support on a vote of 46-1 (with 2 excused). It now moves to the House where a companion bill has been working its way through that chamber. You can read our analysis of the bill here.
Washington is one of numerous states currently considering privacy legislation in the wake of last year’s enactment of the California Consumer Privacy Act (CCPA). The CCPA’s enactment has even motivated Congress to consider federal privacy legislation. Although it is anyone’s guess how this legislation will play out over the next few months, Washington appears to be well-poised to become the next state to weigh in on how privacy law should develop in this country.
One of the myriad of issues arising from the California Consumer Privacy Act (CCPA) is the extent to which financial institutions subject to the Gramm-Leach-Bliley Act (GLBA) must comply with the CCPA’s requirements in light of Section 1798.145(e), which provides that the CCPA “shall not apply to personal information collected, processed, sold, or disclosed pursuant to [the GLBA], and implementing regulations.” Because the CCPA’s definition of “personal information” is broader than the GLBA’s definition of “nonpublic personal information,” financial institutions have been faced with the daunting task of not only data mapping but also classifying that data based on whether it is subject to the GLBA. Continue Reading Analyzing How Financial Institutions are Treated in Proposed State Privacy Laws
Following the GDPR, the California Consumer Privacy Act (CCPA) and other newly introduced state privacy legislation, the Washington Senate has proposed its own GDPR-like consumer privacy act. Washington Senate Bill 5376, the Washington Privacy Act, as first proposed on January 22, 2019 and substituted February 24, 2019 applies “not only to technologies and products of today but to technologies and products of tomorrow.” If approved, it will go into effect July 31, 2021.
The Act will apply to legal entities that conduct business in Washington or produce products or services that intentionally target Washington residents. These entities must also either (1) control or process data of at least 100,000 consumers or (2) derive 50 percent gross revenue from the sale of personal information and process or control personal information of at least 25,000 consumers. Under the Act, personal data is any information that is linked or reasonably linkable to an identified or identifiable natural person.
Continue Reading Proposed Washington Privacy Act Seeks to Protect Consumer Data Privacy from Current and Future Technology Advancements
You can add Nevada to the growing list of the states that are considering privacy-related legislation in the wake of last year’s enactment of the California Consumer Privacy Act (CCPA). Nevada is one of three states that already require certain entities to provide online privacy notices to disclose the types of personal information that they collect from consumers. Senate Bill 220 would supplement that existing law by allowing consumers to submit notices to businesses directing them not to sell any personal information the business has collected or will collect about the consumer (i.e., an opt-out). An entity that receives such a notice would be forbidden from selling the consumer’s personal information. Continue Reading Proposed Nevada Privacy Legislation Would Create Private Right of Action
It should come as no surprise that educational institutions are among the top targets for hackers and purveyors of personally identifiable information. In 2017, only the financial and healthcare sectors had more data breaches. Yet despite the looming menace of increased cyber-attacks, federal regulation of student data remains woefully inadequate. The Family Educational Rights & Privacy Act (“FERPA”) was enacted back in 1974, when the Internet was still a gleam in ARPANET’s eye and Jeff Bezos was only ten years old, and it has not been amended since 2001. It certainly protects (or tries to protect) student data from unwarranted disclosure or use, but it and the regulations that implement it do not meaningfully protect student data from theft or destruction. More importantly, FERPA fails to address, except in a few narrow situations, what kinds of obligations third-party contractors have vis-à-vis the student data that they collect and use. However, because FERPA has no preemption provisions, its mandates are a floor, not a ceiling; this means that states can step in and enact more stringent rules and regulations.
Continue Reading Third-Party Contractors Get Schooled in Data Privacy – New York Style
As we move into the second month of 2019, we’d like to give an overview of the trends we see developing in the cybersecurity and data privacy area for the year. We’ll be sure to elaborate on these areas with more details as they unfold.
On January 25, 2019, the Illinois Supreme Court released a unanimous decision holding that individuals do not need to plead or prove actual damages or harm to maintain a private right of action under the Illinois Biometric Information Privacy Act (740 ILCS 14/1) (the Act) when a private entity fails to comply with the Act’s procedural protections. The decision upholds privacy rights of individuals in their unique biological information as defined under the Act.
Learn details about the decision and what this means for businesses operating in Illinois in Husch Blackwell’s recent legal alert.
What if your next idea—which could be the next big idea—involves a web-based collection, compilation, or a sliver of “big data” that is so ingenious that customers and investors will line up to get their hands on it? The idea most likely comes with an e-commerce angle, such as a unique feature complete with pricing information indexed for your customers’ convenience. A meaningful portion of your solution’s value will likely stem from this carefully selected catalog of prices. So, how do you protect it?
Our Kris Kappel and Liam Reilly provide the answers in a post on our Technology, Manufacturing & Transportation Industry Insider blog. Find out more!
US relations with the European Union took another hit last week, when the European Parliament voted to suspend Privacy Shield, the agreement between the US and the EU that allows companies to transfer the personal information of EU citizens out of the EU to US companies that have promised to adhere to the General Data Protection Regulation (“GDPR”). Between the Facebook-Cambridge Analytica scandal, the passage of the CLOUD Act and the Russian hack (sorry – alleged Russian hack) of the 2016 election, the EP felt that Privacy Shield did not provide an adequate level of protection for EU citizens. The US has until September 1 to become compliant.