Privacy

Following the GDPR, the California Consumer Privacy Act (CCPA) and other newly introduced state privacy legislation, the Washington Senate has proposed its own GDPR-like consumer privacy act. Washington Senate Bill 5376, the Washington Privacy Act, as first proposed on January 22, 2019 and substituted February 24, 2019 applies “not only to technologies and products of today but to technologies and products of tomorrow.” If approved, it will go into effect July 31, 2021.

The Act will apply to legal entities that conduct business in Washington or produce products or services that intentionally target Washington residents. These entities must also either (1) control or process data of at least 100,000 consumers or (2) derive 50 percent gross revenue from the sale of personal information and process or control personal information of at least 25,000 consumers. Under the Act, personal data is any information that is linked or reasonably linkable to an identified or identifiable natural person.

You can add Nevada to the growing list of the states that are considering privacy-related legislation in the wake of last year’s enactment of the California Consumer Privacy Act (CCPA). Nevada is one of three states that already require certain entities to provide online privacy notices to disclose the types of personal information that they collect from consumers. Senate Bill 220 would supplement that existing law by allowing consumers to submit notices to businesses directing them not to sell any personal information the business has collected or will collect about the consumer (i.e., an opt-out). An entity that receives such a notice would be forbidden from selling the consumer’s personal information.

It should come as no surprise that educational institutions are among the top targets for hackers and purveyors of personally identifiable information. In 2017, only the financial and healthcare sectors had more data breaches. Yet despite the looming menace of increased cyber-attacks, federal regulation of student data remains woefully inadequate. The Family Educational Rights & Privacy Act (“FERPA”) was enacted back in 1974, when the Internet was still a gleam in ARPANET’s eye and Jeff Bezos was only ten years old, and it has not been amended since 2001. It certainly protects (or tries to protect) student data from unwarranted disclosure or use, but it and the regulations that implement it do not meaningfully protect student data from theft or destruction. More importantly, FERPA fails to address, except in a few narrow situations, what kinds of obligations third-party contractors have vis-à-vis the student data that they collect and use. However, because FERPA has no preemption provisions, its mandates are a floor, not a ceiling; this means that states can step in and enact more stringent rules and regulations.

What if your next idea—which could be the next big idea—involves a web-based collection, compilation, or a sliver of “big data” that is so ingenious that customers and investors will line up to get their hands on it? The idea most likely comes with an e-commerce angle, such as a unique feature complete with pricing

US relations with the European Union took another hit last week, when the European Parliament voted to suspend Privacy Shield, the agreement between the US and the EU that allows companies to transfer the personal information of EU citizens out of the EU to US companies that have promised to adhere to the General Data Protection Regulation (“GDPR”). Between the Facebook-Cambridge Analytica scandal, the passage of the CLOUD Act and the Russian hack (sorry – alleged Russian hack) of the 2016 election, the EP felt that Privacy Shield did not provide an adequate level of protection for EU citizens. The US has until September 1 to become compliant.

Colorado’s Protections for Consumer Data Privacy law (“new law”) takes effect on September 1, 2018 and requires that businesses holding personal information for Colorado residents destroy the data they don’t need, protect the data they decide to keep, and disclose any security breaches involving that data within 30 days of its occurrence. The new law amends existing obligations and adds new obligations applicable to businesses holding information about Colorado residents.

On February 27, 2018, the Supreme Court heard arguments in United States v. Microsoft Corp., a case that will decide whether a digital communications provider has to comply with a U.S. search warrant for user data that is stored outside of the U.S. U.S. v. Microsoft could have major consequences for digital privacy and international data sharing, especially for the cloud-computing industry.