data privacyIn our prior blog post, we discussed how the Washington Privacy Act (WPA) had passed the state’s senate and would be taken up by the state’s House of Representatives. On March 22, 2019, the House Innovation, Technology & Economic Development Committee held a public hearing on the legislation. A recording of the almost two-hour hearing is available here.

Although the WPA passed nearly unanimously through the state senate, the house version of the legislation includes significant deviations from the senate bill. A great side-by-side comparison of the two bills prepared by Committee Staff member Yelena Baker is available here. Some of the more notable differences are:

  • Private Right of Action: The house version would allow private litigants to bring actions against controllers for violations of the WPA. The proposed language would require a consumer to first notify the controller of the alleged violation and provide it with 30 days to cure. In the absence of a cure, the consumer would have to notify the Attorney General’s office of the consumer’s intent to bring an action. If the AG’s office did not act in 30 days, the consumer could file suit. However, the consumer would not be able to recover its attorneys’ fees and costs in the lawsuit.
  • Covered Entities: The senate version would apply to legal entities that are doing business in Washington or that produce products or services that are intentionally targeted to Washington residents and that either control or process data of 100,000 or more Washington residents or that derive 50% of their gross revenue from the sale of personal data and that process or control personal data of 25,000 or more Washington residents. The house version would only require that entities be doing business in Washington or produce products or services that are intentionally targeted to Washington residents.
  • Definition of Personal Data:  The house version would not exclude “publicly available information” from the definition of personal data.

Numerous witnesses testified at the committee hearing. The general takeaway was that business advocates felt that the senate version of the WPA was preferable with many witnesses citing the inclusion of the private right of action in the senate version as being problematic. Privacy advocates were of the opinion that both bills were deficient but that the house version was better. There also was significant disagreement over whether the WPA would provide stronger consumer protections than the CCPA.

With CCPA compliance efforts ramping up, Husch Blackwell’s privacy and data security practice group compiled the most frequently asked client questions and answers into one resource – the California Consumer Privacy Act Guidebook. The CCPA Guidebook is a great resource for any entity that is trying to understand the CCPA and what it will require when it goes into effect on January 1, 2020. Among other topics, the CCPA Guidebook discusses:

  • What entities are subject to the CCPA and exceptions;
  • The CCPA’s definition of personal information;
  • What rights the CCPA provides and who holds those rights;
  • What is a verifiable request;
  • How does the right to access personal information work;
  • How does the right to be forgotten work; and
  • Relevant dates

You can download a copy of the CCPA Guidebook by clicking here.

Having escaped the bleak midwinter of the Midwest for a few brief days, I find myself sitting poolside in sunny Orlando experiencing a few tantalizing hours of near summer temps. As I watch the inflatables being splashed about gleefully by children (mine included) impervious to the water’s lingering chill, my thoughts naturally turn to privacy and security (which is not a euphemism for my ill-fitting swimsuit by the way).

Continue Reading Husch Blackwell’s Pete Enko asks, “Will State Laws Move the Privacy Ball in 2019?”

On Wednesday, Washington took a major step towards becoming the second state to enact broad privacy legislation when its state senate approved the Washington Privacy Act. The bill passed the senate with overwhelming bipartisan support on a vote of 46-1 (with 2 excused). It now moves to the House where a companion bill has been working its way through that chamber. You can read our analysis of the bill here.

Washington is one of numerous states currently considering privacy legislation in the wake of last year’s enactment of the California Consumer Privacy Act (CCPA). The CCPA’s enactment has even motivated Congress to consider federal privacy legislation. Although it is anyone’s guess how this legislation will play out over the next few months, Washington appears to be well-poised to become the next state to weigh in on how privacy law should develop in this country.

One of the myriad of issues arising from the California Consumer Privacy Act (CCPA) is the extent to which financial institutions subject to the Gramm-Leach-Bliley Act (GLBA) must comply with the CCPA’s requirements in light of Section 1798.145(e), which provides that the CCPA “shall not apply to personal information collected, processed, sold, or disclosed pursuant to [the GLBA], and implementing regulations.” Because the CCPA’s definition of “personal information” is broader than the GLBA’s definition of “nonpublic personal information,” financial institutions have been faced with the daunting task of not only data mapping but also classifying that data based on whether it is subject to the GLBA.  Continue Reading Analyzing How Financial Institutions are Treated in Proposed State Privacy Laws

Following the GDPR, the California Consumer Privacy Act (CCPA) and other newly introduced state privacy legislation, the Washington Senate has proposed its own GDPR-like consumer privacy act. Washington Senate Bill 5376, the Washington Privacy Act, as first proposed on January 22, 2019 and substituted February 24, 2019 applies “not only to technologies and products of today but to technologies and products of tomorrow.” If approved, it will go into effect July 31, 2021.

The Act will apply to legal entities that conduct business in Washington or produce products or services that intentionally target Washington residents. These entities must also either (1) control or process data of at least 100,000 consumers or (2) derive 50 percent gross revenue from the sale of personal information and process or control personal information of at least 25,000 consumers. Under the Act, personal data is any information that is linked or reasonably linkable to an identified or identifiable natural person.
Continue Reading Proposed Washington Privacy Act Seeks to Protect Consumer Data Privacy from Current and Future Technology Advancements

You can add Nevada to the growing list of the states that are considering privacy-related legislation in the wake of last year’s enactment of the California Consumer Privacy Act (CCPA). Nevada is one of three states that already require certain entities to provide online privacy notices to disclose the types of personal information that they collect from consumers. Senate Bill 220 would supplement that existing law by allowing consumers to submit notices to businesses directing them not to sell any personal information the business has collected or will collect about the consumer (i.e., an opt-out). An entity that receives such a notice would be forbidden from selling the consumer’s personal information. Continue Reading Proposed Nevada Privacy Legislation Would Create Private Right of Action

It should come as no surprise that educational institutions are among the top targets for hackers and purveyors of personally identifiable information. In 2017, only the financial and healthcare sectors had more data breaches. Yet despite the looming menace of increased cyber-attacks, federal regulation of student data remains woefully inadequate. The Family Educational Rights & Privacy Act (“FERPA”) was enacted back in 1974, when the Internet was still a gleam in ARPANET’s eye and Jeff Bezos was only ten years old, and it has not been amended since 2001. It certainly protects (or tries to protect) student data from unwarranted disclosure or use, but it and the regulations that implement it do not meaningfully protect student data from theft or destruction. More importantly, FERPA fails to address, except in a few narrow situations, what kinds of obligations third-party contractors have vis-à-vis the student data that they collect and use. However, because FERPA has no preemption provisions, its mandates are a floor, not a ceiling; this means that states can step in and enact more stringent rules and regulations.
Continue Reading Third-Party Contractors Get Schooled in Data Privacy – New York Style

On January 25, 2019, the Illinois Supreme Court released a unanimous decision holding that individuals do not need to plead or prove actual damages or harm to maintain a private right of action under the Illinois Biometric Information Privacy Act (740 ILCS 14/1) (the Act) when a private entity fails to comply with the Act’s procedural protections. The decision upholds privacy rights of individuals in their unique biological information as defined under the Act.

Learn details about the decision and what this means for businesses operating in Illinois in Husch Blackwell’s recent legal alert.