data privacyIn March we published an extensive analysis of proposed bills that would amend or supplement the California Consumer Privacy Act (CCPA). With a number of those bills having either passed the Assembly or been withdrawn , it is a good time to update our analysis.

In the below post, we identify and analyze these bills. In doing so, we first provide a summary of where the legislative process stands. We then analyze the most significant proposed changes and takeaways. Finally, we provide a table linking to each bill, identifying the issue to which it is directed, and providing an analysis of the bill’s proposed changes.

Over the next few months, Husch Blackwell’s privacy and data security blog will continue to track these bills. Register here to stay up-to-date.

Continue Reading An Updated Deep Dive into Proposed Amendments to the CCPA

Texas flagThe 86th Texas Legislature passed several bills related to cybersecurity during its regular session, which came to a close on May 27, 2019.

Texas Privacy Protection Advisory Council

HB 4390, which creates a Texas Privacy Protection Advisory Council to study privacy laws in Texas, other states, and relevant foreign jurisdictions, has been sent to the Governor for signature. Composed of members of the Texas House of Representatives, Texas Senate, and relevant industry members appointed by the Governor, the Council will be charged with recommending statutory changes regarding privacy and protection of information to the Legislature. The Council will expire on December 31, 2020.

Continue Reading 86th Texas Legislature Passes Bills Related to Cybersecurity

On May 15, 2019, President Trump issued Executive Order 13873 (“E.O. 13873”) and declared a national emergency in response to increasing actions by “foreign adversaries” to create and exploit “vulnerabilities in information and communications technology and services” supplied to the U.S.  E.O. 13873 broadly prohibits persons subject to U.S. jurisdiction from engaging in information and communications technology or services transactions with “foreign adversaries” that: (i) pose undue sabotage or subversion risks to U.S. information and communications technology or services, (ii) pose an undue risk to critical U.S. infrastructure or the U.S. digital economy, or (iii) otherwise pose an unacceptable risk to U.S. national security.  Within one hundred fifty (150) days of E.O. 13873, the Secretary of Commerce, in consultation with other executive agencies, will issue formal rules or regulations which will identify the specific “foreign adversaries” who are subject to E.O. 13873’s prohibitions, establish criteria for determining the types of transactions that are prohibited by E.O. 13873 and establish procedures for obtaining licensing to conduct transactions that would otherwise be prohibited by E.O. 13873 and its associated rules and regulations.

Continue Reading President Trump Declares National Emergency over Technology Threats

data privacyThose who have spent time critically thinking about the California Consumer Privacy Act (CCPA), can undoubtedly identify a number of ambiguities and uncertainties. Some of those may be resolved through the current legislative amendment process or the forthcoming Attorney General interpretive regulations. However, notwithstanding those efforts, there likely will be many unresolved issues when the CCPA becomes effective.

Continue Reading Are Credit Unions Covered by the CCPA?

data privacyKey Point:  Although not as far-reaching as the CCPA, the Nevada legislation will require entities subject to the statute to revise their online privacy notices and create an internal process to ensure compliance with the new opt-out right.

As we previously reported, the Nevada legislature has been considering legislation to amend Nevada’s existing online privacy notice statutes, NRS 603A.300 to .360. On May 23, 2019, the Nevada Assembly unanimously passed that legislation. The Senate previously passed it in April. The legislation is now headed to the Governor’s office for signature.

The legislation amends Nevada’s law in two notable ways. First, entities subject to the statute will need to establish a designated request address through which consumers can submit verified requests directing the entity not to make any “sale” of covered information collected about consumers. That provision will be enforceable only by the Nevada Attorney General’s office which can seek an injunction or $5,000 penalty for “each violation.” Second, the legislation excludes financial institutions subject to the Gramm-Leach-Bliley Act, HIPAA covered entities, and certain motor vehicle manufacturers from having to comply with the online privacy notice statute.

Continue Reading Nevada Legislature Passes Bill Allowing Residents to Opt-Out of Sales of Covered Information

data privacyKey Point: SB 561, which would have expanded the CCPA’s private right of action, has failed.

According to multiple reports, SB 561 failed to pass the California Senate on Thursday. The failure of SB 561 is a significant victory for businesses as the bill would have expanded the California Consumer Privacy Act’s (“CCPA”) private right of action to allow individual consumers to sue businesses for violations of the CCPA’s privacy-related rights. The current version of the CCPA only allows individual consumers to sue for certain types of data breaches and leaves enforcement of the CCPA’s privacy-related rights to the California Attorney General’s office. SB 561 was backed by the California Attorney General’s office and privacy-rights organizations. It was strongly opposed by business interests. You can read more about SB 561’s failure here and here. 

Continue Reading CCPA: Bill to Expand Private Right of Action Fails

data privacyOn June 5, Husch Blackwell’s privacy and data security practice group will host another webinar on the California Consumer Privacy Act (CCPA). In this webinar, we will:

  • Provide a brief overview of the CCPA and its requirements
  • Analyze the current proposed amendments and how they would modify the CCPA
  • Discuss the proposed amendments that have failed
  • Examine the Attorney General’s anticipated regulations
  • Provide an update on other proposed state privacy laws

 

Click here for more information and to register.

Texas flagAs we previously reported, the Texas legislature has been considering two bills directed at addressing consumer privacy. Those bills were proposed in the wake of last year’s enactment of the California Consumer Privacy Act.

On May 7, 2019, the Texas House voted overwhelmingly to pass one of those bills – HB 4390 – however, the version it passed was significantly amended and will no longer provide any privacy rights to Texas residents.

Continue Reading Texas Looks Unlikely to Pass CCPA-Like Consumer Privacy Legislation

data privacy[Update:  After publication of the below post, AB 1035 was amended to remove the below-referenced language. The fact that the California legislature considered defining what constitutes “reasonable security procedures and practices” for purposes of the CCPA’s private right of action but, at least as of now, did not proceed with such legislation leaves businesses subject to the CCPA with little to no legislative direction as to how they can demonstrate that they are undertaking reasonable security procedures and practices. It also exposes the CCPA to the argument that the subject language is void for vagueness. Given the substantial penalties businesses are exposed to under the CCPA’s private right of action, the failure of the legislature to address this issue is notable especially considering that Ohio implemented legislation last year that California could have used as a guide.]

Given the near ubiquitous coverage of proposed CCPA amendments, it may be hard to believe that any bill could fly under the radar, but that appears to be the case with AB 1035, which would amend the CCPA’s private right of action to link “reasonable security procedures and practices” to NIST standards.

Continue Reading CCPA: Proposed Bill Would Link Reasonable Security to NIST Standards

data privacyAs we first reported in February, the Nevada legislature has been considering legislation that would amend its online privacy notice statutes, NRS 603A.300 to 360. Among other things, Nevada’s existing law requires “operators” to provide a notice to consumers that (1) identifies the types of information the operator collects online, (2) describes the process (if any) for consumers to review or request changes to their information, (3) describes the process by which the operator notifies consumers of changes to the notice, and (4) discloses whether a third party may collect covered information about an individual’s online activities over time and across different Internet websites or online services.

Continue Reading Nevada Senate Passes Watered-Down Online Privacy Bill