On October 1, 2022, the Colorado Attorney General’s Office announced that it had submitted the first draft of its Rules implementing the Colorado Privacy Act.

The draft Colorado Rules run only 38 pages long—in notable contrast to the draft California regulations that run 66 pages (albeit in redline).  Moreover, the draft Colorado Rules address several important issues that were notably absent from the draft California regulations, including regulations on profiling, data protection assessments (also known as data protection impact assessments and privacy risk assessments under other laws), and the universal opt-out mechanism.

We will be doing deep dives into the Rules, but at first review, it appears that the draft Colorado Rules follow the principle-guided rule making approach Attorney General Weiser discussed at the Colorado Privacy Summit as opposed to a hyper-prescriptive model. 

In addition to the draft Rules, the Colorado Attorney General also released a Notice of Proposed Rulemaking.  Similar to the Pre-Rulemaking considerations, the Attorney General invited comments generally, but especially on specifically listed topics, including the definitions, the consumer personal data rights, the universal opt-out mechanism, controller obligations, loyalty programs, consent, data protection assessments, and profiling. 

The draft Rules will be published in the Colorado Register and available for comment on October 10, 2022.


With the CPRA set to become effective in a little more than three months, Ballard Spahr partners Phil Yannella and Greg Szewczyk discuss CPRA rule-making, the recent Sephora settlement, and outline key compliance steps that businesses should address before the January 1, 2023 deadline.

Colorado Attorney General Philip Weiser gave his first public comments since April last Thursday at Ballard Spahr LLP’s 2022 Annual Colorado Privacy Summit.  In an hour-long fireside chat with Ballard Spahr’s Co-Chair of Privacy and Data Security Greg Szewczyk, AG Weiser discussed the rulemaking process under the Colorado Privacy Act.  A recording of the interview is available here.   

The forthcoming Colorado regulations are particularly important because of the four non-California states with privacy laws going into effect in 2023—all of which follow the same general model—Colorado is the only state with implementing regulations.  Accordingly, AG Weiser’s approach is likely to have widespread influence across the nation. 

AG Weiser laid out his philosophy of “accessible, transparent, and thoughtful” rulemaking.  First, he noted that public participation—particularly participation sooner than later—is key to harmonizing the law with business and technology.  The Colorado AG emphasized that regulators give serious consideration to stakeholder input; he hopes that such a rulemaking process will make stakeholders “proud” of democracy at work. 

Second, AG Weiser discussed transparency by laying the groundwork for enforcement efforts.  He stated that the majority of the enforcement focus will be on organizations that are willfully non-compliant, rather than playing a game of “gotcha” with organizations aiming for compliance in good faith.

Next, adding to the thoughtfulness of the process, AG Weiser seeks to harmonize compliance with the patchwork of other state privacy laws.  Instead of importing the California rules, AG Weiser’s office aims to “show the world there’s another way” without contradicting those preexisting frameworks.

Beyond the Colorado Privacy Act and its regulations, AG Weiser highlighted the importance of other consumer protection laws in Colorado such as the auto-renewal law.  With the proposed regulations lurking on the horizon sometime “soon,” this fireside chat gives viewers a helpful lens for approaching compliance with the Colorado Privacy Act.

The August 31 closing of the California legislative session likely marked the end of hopes for an extension of the limited exemptions for employee and business-to-business (B2B) data that have existed for the California Consumer Privacy Act (“CCPA”) since its inception.  As a result, when the California Privacy Rights Act (CPRA) goes into effect on January 1, 2023, employee and B2B data will be treated the same as consumer data. 

Specifically, with the expiration of these exemptions, covered businesses will be obligated to provide their California employees, contractors, job applicants, and business contacts with the full array of disclosures and rights available to California consumers under the CPRA.  Extending CPRA rights to employees in particular is likely to pose a significant policy and operational lift for many businesses.

For example, in addition to the disclosures already required under the CCPA, employers will now have to provide employees with the rights of access, correction, portability, and deletion of their personal information.  Given the nature of the information that businesses may hold about their employees—including internal performance reviews, work evaluations, and human resources or disciplinary reports—effectuating these rights may be logistically difficult in a way that standard consumer requests are not.  Businesses will have to review the scope of these rights carefully to identify what information may be subject to employee review and what information may fall under an exemption. 

The sunsetting of these exemptions is likely to have a particularly large impact on businesses without direct-to-consumer sales and companies in federally regulated industries (such as financial institutions), as those types of businesses often had relatively little data subject to the CCPA. 

With only four months until 2023, businesses have already been focusing significant efforts on complying with the CPRA and the four other privacy laws going into effect next year.  The lapsing of the CPRA’s B2B and employee exemptions will make these months feel even shorter.

Businesses operating in New York City should be aware of a local law addressing the use of automated employment screening and decision-making tools coming into effect on January 1, 2023.  This law applies broadly to employers and employment agencies operating in New York City that target New York City residents using what it refers to as Automated Employment Decision Tools.

Generally, this law prohibits employers from using Automated Employment Decision Tools to screen candidates or employees for employment decisions unless: (1) the tool has been subject to a bias audit conducted no more than one year prior to the use of such tool; and (2) a summary of the results of the bias audit, as well as the distribution date of the tool at issue, have been made publicly available on the website of the employer prior to using the tool. A “bias audit” is defined as “an impartial evaluation by an independent auditor,” which includes “the testing of an automated employment decision tool to assess the tool’s disparate impact on persons of any component 1 category required to be reported by employers pursuant to” 42 U.S.C. § 2000e-8(c) and 29 C.F.R. § 1602.7.  The law does not, however, define “independent auditor.” 

Additionally, employers or agencies that use an automated employment decision tool to screen candidates or employees must notify each individual (1) that an automated employment decision tool will be used in connection with the assessment at least 10 business days before use of the tool, and allow the candidate to request an alternative selection method; (2) of the characteristics or other metrics the tool will use to assess the candidate / employee, and (3) of the types of information collected by the tool, the sources of the data, and information regarding the employer’s data retention policy.

The bias audit required under this law must be an impartial evaluation conducted by an independent auditor.  As most employers implementing automated employment screening tools rely on third party service providers, employers should begin coordinating now to ensure compliance come January 1, 2023.  Failure to comply can result in penalties of $500 per violation for the first infraction and up to $1,500 per subsequent infraction.  

In the latest episode in our monthly webcast series, Privacy and Data Security practice co-leaders Phil Yannella and Greg Szewczyk give a comprehensive rundown of the American Data Privacy and Protection Act (ADPPA), including: The status of the bill, key components, the private right of action, and the bill’s differences from state laws. Phil and Greg also comment on the likelihood of the ADPPA becoming law.

In a class action with potentially significant impact on data sharing disclosures that companies routinely provide in online privacy policies, the Third Circuit recently ruled that NaviStone, a third party marketing service, was not a “direct party” under the Pennsylvania Wiretapping and Electronic Surveillance Control Act (WESCA) and thus was potentially subject to liquidated damages under that statute for intercepting communications between the plaintiff and the website she had visited.  The interplay between the Third Circuit’s ruling and the potential impact on privacy policy disclosures require some technical background, which we have done our best to summarize.

The plaintiff in Popa v. Harriet Carter Gifts had visited the Harriet Carter Gifts website and begun the process for completing an online purchase of cat stairs.  As occurs during many website interactions, Harriet Carter Gifts sent HTML code to the plaintiff’s browser that caused the plaintiff’s browser to simultaneously send a GET request to NaviStone.  When it received the GET request, NaviStone sent code to plaintiff’s browser that enabled the installation of a cookie which both identified the browser and tracked plaintiff’s activity on the Harriet Carter website.  This communication stream also enabled NaviStone to facilitate targeted advertising to plaintiff.  The lawsuit alleged that the HTML code re-routing electronic communications to NaviStone constituted an illegal interception under Pennsylvania’s wiretap law.  The district court granted summary judgment against plaintiff, but the Third Circuit reversed.
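The mechanism described above (first-party HTML that makes the visitor’s browser contact a third party) is exactly what a business auditing its own privacy-policy disclosures needs to inventory. The following is an added example, not code from the post, the court record, or any party to the case: it parses a page’s HTML with the standard library and lists every script, image, iframe, stylesheet or form target that would cause the browser to send a request to a host outside the site’s own domain. The page URL, the host names and the sample HTML are all constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Constructed sample page (hypothetical hosts; not taken from the case).
# It embeds a first-party CDN script, a third-party tracking script loaded
# protocol-relative ("//host/..."), and a 1x1 third-party tracking pixel.
PAGE_URL = "https://www.example-shop.test/cat-stairs"
SAMPLE_HTML = """
<html><head>
<link rel="stylesheet" href="/static/site.css">
<script src="https://cdn.example-shop.test/app.js"></script>
<script src="//tracker.example-marketing.test/collect.js"></script>
</head><body>
<img src="/images/cat-stairs.jpg">
<img src="https://tracker.example-marketing.test/pixel.gif?sid=123" width="1" height="1">
<form action="/checkout"><input name="qty"></form>
</body></html>
"""


def site_domain(host):
    """Naive registrable domain: last two labels (example.test, example.com).
    Simplification: does not handle multi-label suffixes such as co.uk."""
    labels = host.lower().split(".")
    return ".".join(labels[-2:])


class ThirdPartyResourceScanner(HTMLParser):
    """Collects references that make the browser issue a request automatically
    (or, for <form>, on submit). Plain <a href> links are deliberately excluded
    because the browser does not fetch them without a click."""

    FETCH_ATTRS = {
        "script": "src",
        "img": "src",
        "iframe": "src",
        "link": "href",
        "form": "action",
    }

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.own_domain = site_domain(urlparse(page_url).hostname)
        self.hits = []  # (tag, host, absolute_url)

    def handle_starttag(self, tag, attrs):
        attr_name = self.FETCH_ATTRS.get(tag)
        if attr_name is None:
            return
        value = dict(attrs).get(attr_name)
        if not value:
            return
        # urljoin resolves relative paths and protocol-relative "//host" forms
        absolute = urljoin(self.page_url, value)
        host = urlparse(absolute).hostname
        if host and site_domain(host) != self.own_domain:
            self.hits.append((tag, host, absolute))


def third_party_resources(html, page_url):
    """Return every (tag, host, url) that points off the page's own domain."""
    scanner = ThirdPartyResourceScanner(page_url)
    scanner.feed(html)
    scanner.close()
    return scanner.hits


def third_party_hosts(html, page_url):
    """Sorted, de-duplicated list of external hosts the page causes contact with."""
    return sorted({host for _, host, _ in third_party_resources(html, page_url)})


if __name__ == "__main__":
    for tag, host, url in third_party_resources(SAMPLE_HTML, PAGE_URL):
        print(f"<{tag}> -> {host}: {url}")
    print("External hosts to reconcile with the privacy policy:",
          third_party_hosts(SAMPLE_HTML, PAGE_URL))
```

Running the block on the constructed page flags only the tracker host (twice, once for the script and once for the pixel) and treats the CDN subdomain as first-party. In practice a static scan of this kind understates the real picture, since scripts loaded by the page can themselves trigger further third-party requests; it is a starting inventory, to be confirmed against the browser’s network log, not a substitute for it.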

The Third Circuit’s analysis focused on whether NaviStone was a “direct party” to the communications between Harriet Carter and plaintiff, which is an exception recognized by the Federal Wiretap Law as well as the wiretap laws of other states.  Pennsylvania had previously adopted a similar exemption, but did so in the context of law enforcement investigations where police officers had masqueraded as intended recipients of communications.  The Third Circuit ruled that this was the only scenario under which WESCA recognized a direct party exception.  Critical to the Court’s determination that Pennsylvania’s direct party exception was limited to law enforcement was a 2012 amendment to the law that expressly revised the law’s definition of “intercept” to exclude monitoring by law enforcement masquerading as third parties.  Under rules of statutory construction, the Court held that this express limitation foreclosed broader exceptions, thus limiting the scope of the direct party exception.  In other words, only law enforcement officers, under the expressly identified scenarios set forth in WESCA, can avail themselves of the direct party exception.

The Third Circuit’s analysis did not end there, however.  The Court also considered – and rejected – NaviStone’s contention that the interception occurred in Virginia, where the defendant was located, finding instead that the interception occurred at the point where the communication was re-routed to NaviStone, which occurred on plaintiff’s browser.  This ruling thus disposed of NaviStone’s argument that WESCA could not regulate commerce that occurred wholly outside the Commonwealth.   

In response to NaviStone’s “parade of horribles” argument, the Third Circuit noted that its ruling does not necessarily foreclose websites’ usage of cookies or third party marketing companies.  In particular, the Court noted that WESCA provides an all-party consent exception whereby an interception is permissible if all parties to the communication consent.   Which leads to perhaps the key question: did plaintiff consent to NaviStone’s interception of her electronic communications?

NaviStone argued that the Harriet Carter privacy policy disclosed the sharing of personal information with third parties and thus plaintiff impliedly consented to the interception of her communications by NaviStone.  Pennsylvania, like many states, recognizes that prior consent to wiretapping “can be demonstrated when the person being recorded knew or should have known[] that the conversation is being recorded.”  Plaintiff argued that she had neither read the privacy policy nor agreed to its terms.  The Third Circuit ultimately declined to rule on this, remanding the issue to the District Court for further consideration.

The District Court’s pending ruling on whether prior consent can be implied through privacy policy disclosures may have a significant impact on future wiretap cases.  Thousands of U.S. websites are configured with third party code, such as NaviStone’s, to enable digital advertising.  Thirty-eight (38) states, in addition to the District of Columbia, have a wiretap law, and many such laws contain liquidated damages provisions of  $1,000 (or more) per violation.   Eleven (11) states require all-party consent to the recording of conversations. Whether all-party consent can be inferred through the posting of a privacy policy that discloses third party sharing of electronic communications will therefore be a closely watched issue by plaintiff’s attorneys, digital marketers and other third parties that obtain personally identifiable information through cookies and third party data sharing.  Any ruling that does not clearly embrace a broad reading of prior consent may lead to increased wiretap litigation in states with wiretap laws like Pennsylvania.

The CFPB recently published a circular confirming that covered persons and service providers under the Consumer Financial Protection Act (CFPA) may violate the CFPA’s prohibition against unfair acts or practices when they fail to adequately safeguard consumer information. However, the lack of clear substantive standards creates uncertainty as to what the CFPB would deem to be adequate data security practices.

Pursuant to the Gramm-Leach-Bliley Act, the FTC and federal banking agencies have promulgated rules and interagency guidelines requiring financial institutions to establish appropriate administrative, technical, and physical safeguards to protect the security and confidentiality of customer information. Such safeguards include restricted access to customer information, encryption of information, and periodic reports on the information security program to the board of directors, among other requirements. In the August 11, 2022 circular, the CFPB stated that failure to comply with these specific requirements may also be an unfair act or practice under the CFPA in certain circumstances, but “[w]hile these requirements often overlap, they are not coextensive.” This leaves open the question of what exact security measures companies would need to implement in order to avoid an unfairness violation under the CFPA.


In an active week for federal regulators, the Federal Trade Commission (FTC) joined the CFPB in announcing important initiatives that may change privacy and data security practices in major ways.

On August 11, the FTC released its Advanced Notice of Proposed Rulemaking, seeking public input on a host of questions relating to what it describes as “commercial surveillance”—or “the business of collecting, analyzing, and profiting from information about people”—in order to determine whether to issue a  new rule “to protect people’s privacy and information in the commercial surveillance economy.”    The FTC’s questions are grouped into several categories, including harm to consumers, harm to children, automated systems, discrimination, consumer consent, and notice, transparency, and disclosure.  The dozens of specific questions range from broad to narrow, but they generally relate to the large amounts of data collected about consumers when they are connected to the internet.  As the FTC explains, its concerns range from data security to bias/discrimination to the inability of consumers to avoid this type of collection and processing.  The FTC also points to concerns about dark patterns, which coerce consumers into sharing personal data.

The FTC’s announcement does not come as a surprise, as Chair Lina Khan has been hinting for months that action would be forthcoming.  However, the formal announcement drew quick blowback from some.  For example, Senator Marsha Blackburn (R-Tenn.), a member of the Senate Commerce Committee, stated that the proposal “is doomed to become another cautionary tale of how the left uses the regulatory state to tear down and rebuild the economy according to their own vision.”  Similarly, FTC Commissioner Christine Wilson warned in her dissent that the FTC’s efforts could derail the ongoing efforts to pass the bipartisan American Data Privacy Protection Act (ADPPA).

The deadline for submitting comments will be 60 days after the notice is published in the Federal Register in the coming days.  The public will also have an opportunity to share their input on these topics at a virtual public forum on September 8, 2022.  But as Commissioner Wilson’s warning may indicate, the announcement alone could have impacts on the negotiations relating to the ADPPA even before the comment period ends.  In any event, companies should consider themselves on notice that the FTC plans to continue its focus on analytical tools, online collections, and use or sale of profiles derived from that information.

On July 29, 2022, the New York Department of Financial Services (“NYDFS”) released Draft Amendments to its Cyber Security Regulations.  The Amendments, if adopted, would further regulatory trends and impose important new requirements on covered entities.

The Amendments contain three significant changes relating to ransomware.  First, the Amendment specifically adds “the deployment of ransomware within a material part of the covered entity’s information system” as a cybersecurity event requiring notice to the superintendent within 72 hours.  Under the current regulations, 72-hour notice would only be required if the ransomware required notice to another governmental body or had a reasonable likelihood of materially harming any material part of normal operations.  Second, the Amendment would also require covered entities to notify the superintendent within 24 hours of making an extortion payment.  And finally, the Amendment would require covered entities to provide within 30 days a written description of the reasons payment was necessary, a description of alternatives to payment considered, all diligence performed to find alternatives to payment, and all diligence performed to ensure compliance with applicable rules and regulations including those of the Office of Foreign Assets Control.  If passed, this third component would represent a significant new obligation for covered entities, potentially changing the manner in which companies document ransomware responses.

In addition to the ransomware changes, the Amendments would also require, among other things: (1) multi-factor authentication for all privileged accounts, as well as for remote access to the network and enterprise and third-party applications from which nonpublic information is accessible; (2) increased expectations for board expertise; (3) significant restrictions on privileged accounts; and (4) annual independent cybersecurity audits for larger entities.  The Amendments have a short comment period ending on August 8, 2022, followed by the publishing of the official proposed amendments, after which a 60-day comment period will occur.

Given the comment periods that will occur, it is premature to speculate as to the final form of the Amendments.  However, based on the draft Amendments, it is safe to say that the NYDFS seems to be following the trend towards increased regulatory scrutiny.  Covered entities should start assessing how significant the changes would be to comply.