On June 14, the California Privacy Protection Agency (CPPA), the first state agency in the country dedicated to privacy, held its first public meeting. In her opening remarks, Acting Chairwoman Jennifer M. Urban introduced each of the Board members: John Christopher Thompson, Angela Sierra, Lydia de la Torre, and Vinhcent Le. The meeting covered an extensive agenda, available here, which highlighted the processes and procedures required by the Board to perform its duties, including issuing final regulations under the California Privacy Rights Act of 2020 (CPRA), which will go into effect on January 1, 2023.

The Board discussed the urgent need to hire at least two executive leadership positions to meet its July 1, 2022 deadline to issue final regulations under the CPRA. The Board also approved several subcommittees, including a Regulations Subcommittee, which will be dedicated to developing the CPRA regulations.

During the meeting, the Administrative Procedures Act process that the Board will follow in developing the CPRA regulations was described. Any regulations drafted and proposed by this Board will be sent to the Office of Administrative Law (OAL) in the form of a notice package. Once published in the state’s register, a minimum forty-five-day public comment period will allow written comments to be submitted about the proposed regulations. After the public comment period, the Board will adopt the regulations as initially proposed or make additional modifications to the text. If modifications are made, there will be an additional public comment period of fifteen days. If the Board approves the changes, the final regulations will be sent to the OAL for final approval. Regulations approved by the OAL become effective on a quarterly basis; however, the Board can also request that the OAL make the effective date of any such regulations the date of filing with the Secretary of State.

The Board plans to meet on a monthly basis, and all such meetings will be open to the public. Although the Board has not yet set a specific date for its next meeting, the Board will provide at least ten calendar days of notice and release an agenda to the public in advance of each meeting.

In a long-awaited opinion, the Supreme Court recently resolved a circuit split regarding the proper interpretation of a statute implicated in many post-employment disputes. Since its enactment, federal courts of appeal have been divided over the proper interpretation of the phrase “exceeds authorized access” under the Computer Fraud and Abuse Act (“CFAA”), a primarily criminal statute that also includes a civil cause of action where an individual accesses a protected computer without authorization or exceeds authorized access. Some courts have held that the “exceeds authorized access” requirement only applies where the individual was authorized to access the computer itself but not the particular files or information that are the subject of the dispute. Continue Reading Supreme Court Limits the Scope of Computer Fraud and Abuse Act

Colorado has become the third state in the country to pass a comprehensive data privacy law, joining California and Virginia.  Assuming the governor signs—as he is widely expected to do—the Colorado Privacy Act (the “CPA”) will go into effect on July 1, 2023.

Similar to the California and Virginia laws, the CPA affords Colorado “consumers” certain privacy rights and imposes duties on the “controllers” and “processors” of those consumers’ personal data.  While the CPA generally follows the model set by the Virginia law, it contains important differences that will put Colorado at the forefront of consumer privacy.

Thresholds to Applicability

The CPA defines consumer to mean an individual who is a Colorado resident acting in an individual or household context, and does not include an individual acting in a commercial or employment context.  The definition of consumer therefore has a built-in exclusion for the employment and business-to-business contexts.

The CPA only applies to controllers—defined to mean any person that, alone or jointly with others, determines the purposes for and means of processing personal data—that conduct business in Colorado and meet at least one of two thresholds:  (1) controlling or processing the personal data of 100,000 or more consumers during a calendar year; and/or (2) deriving revenue from the sale of personal data and processing or controlling the personal data of 25,000 or more consumers.  Personal data processed by a “processor” on behalf of a controller counts towards those thresholds.

The CPA contains several substantive exclusions to applicability.  For example, unlike the California model’s limited exclusion, the CPA contains a full exclusion for financial institutions subject to the federal Gramm-Leach-Bliley Act.  The CPA also does not apply to certain types of health and patient information governed by HIPAA.

Consumer Rights Under the CPA

The law grants Colorado consumers specific rights over the way their personal data is processed by controllers.  Personal data means “information that is linked or reasonably linkable to an identified or identifiable individual.”  Publicly available or otherwise de-identified information, along with employment records, is not included within this definition.

The rights afforded to consumers include: (1) the right to opt out of certain processing of personal data; (2) the right to access personal data; (3) the right to correct inaccurate personal data; (4) the right to delete personal data; and (5) the right to data portability.

Consumers can exercise these rights by submitting formal requests, and controllers must act on the request within 45 days.

Duties of Controllers and Processors

The duties of controllers include: (1) the duty of transparency; (2) the duty of purpose specification; (3) the duty of data minimization; (4) the duty to avoid secondary use; (5) the duty of care; (6) the duty to avoid unlawful discrimination; and (7) duties regarding “sensitive” data.

With respect to the duty of transparency, controllers will need to ensure that their privacy policies clearly and meaningfully disclose specific types of practices, as well as the manner in which consumers may exercise their rights.  The CPA does not require a “Do Not Sell My Information” page like the California law, but the Colorado Attorney General will be promulgating rules that detail the technical specifications for one or more universal opt-out mechanisms.

With respect to sensitive data, controllers must obtain consent to collect personal data revealing racial or ethnic origin, religious beliefs, a mental or physical health condition or diagnosis, sex life or sexual orientation, citizenship or citizenship status, genetic or biometric data that may be processed for the purpose of uniquely identifying an individual, and the personal information of a known child.  In the case of a child below thirteen years old, consent should be given by the child’s parent or legal guardian.

Processors are required to adhere to the instructions of the controller and assist the controller in meeting its obligations under the CPA.  Processors must also enter into a contract with the controller setting out various criteria relating to what personal data will be processed, how the data will be processed and retained, and audit/compliance rights.

Data Security and Data Protection Assessments

Both controllers and processors are required to implement appropriate technical and organizational measures to ensure a level of security proportionate to the risk.  For many companies, this type of data security requirement already exists for personally identifiable information under Colorado’s data security law.  However, personal data under the CPA is significantly broader than personally identifiable information under Colorado’s data security law.

The CPA also has the new requirement of performing “data protection assessments” for controllers whose processing presents a heightened risk of harm to a consumer.  Processing that presents a heightened risk of harm is defined to include processing for the purpose of targeted advertising and profiling, selling personal data, and processing sensitive data.  When performing the data protection assessment, controllers will have to weigh the benefits against the risks to the rights of the consumer, as well as potential safeguards that may mitigate those risks.  Controllers must make the data protection assessments available to the attorney general upon request.

Rulemaking and Enforcement

Unlike under the Virginia law, the Colorado attorney general has the authority to promulgate rules for the purpose of carrying out the CPA.  Whereas the authority to promulgate rules generally implies discretion, the attorney general is required to adopt rules relating to the technical specifications for universal opt-out mechanisms by no later than July 1, 2023.  The attorney general also has the discretion to adopt rules that govern the process of issuing opinion letters and interpretive guidance to develop an operational framework for businesses, including a good faith reliance defense for an action that may otherwise constitute a violation of the CPA; if adopted at all, such rules must be adopted by January 1, 2025.

The CPA expressly provides that it does not create a private right of action for a violation of the CPA.  Instead, the attorney general and district attorneys will have exclusive enforcement powers, with violations punishable by civil penalties set forth in C.R.S. § 6-1-112.  Under that statute, penalties can be up to $20,000 for each violation, and each consumer involved constitutes a separate violation. The maximum penalty is $500,000 for one related series of violations.

*          *          *

Colorado’s entry into the privacy law world will require significant changes for many businesses.  The attorney general’s rules will provide more guidance, but businesses should, at the very least, begin ensuring that they have a full grasp of their data collection, usage, and documented policies so that they can prepare to meet their compliance obligations.

Ballard Privacy & Data Security partners Phil Yannella, Kim Phan and Greg Szewczyk recently wrote an article on managing compliance with the growing patchwork of state privacy laws for the Media Law Resource Center (MLRC).  The article was made available at last week’s  Legal Frontiers in Digital Media virtual conference sponsored by the MLRC and will appear in an upcoming edition of “Legal Frontiers in Digital Media,” MLRC Bulletin (June 2021).  A copy of the article is available here: Continue Reading Managing Compliance with a Patchwork of State Privacy Laws

2021 has so far been a year of conflicting impulses in biometrics law: two proposed bills in New York and Maryland would impose substantial new requirements on private entities, but in Illinois a proposed amendment would rein in that state’s existing Biometric Information Privacy Act (BIPA). Continue Reading The State of Proposed Biometrics Laws

On May 12, 2021, President Joe Biden issued an Executive Order to implement new policies aimed at strengthening the nation’s cybersecurity. The Executive Order was issued in response to the recent SolarWinds, Microsoft Exchange, and Colonial Pipeline cybersecurity incidents, which were, according to the White House, “a sobering reminder that U.S. public and private sector entities increasingly face sophisticated malicious cyber activity from both nation-state actors and cyber criminals.” Continue Reading President Biden’s Cybersecurity Executive Order Has Implications for the Private Sector

On April 29, 2021, the Federal Trade Commission (FTC) hosted a virtual workshop, entitled “Bringing Dark Patterns to Light,” to examine “dark patterns.” In her opening remarks, Acting FTC Chairwoman Rebecca Kelly Slaughter broadly described “dark patterns” as “user interface designs that manipulate consumers into taking unintended actions that may not be in their interest.” Chairwoman Slaughter highlighted several examples of dark patterns, including confusing cancellation procedures that force users to navigate multiple screens, online applications that hide the material terms of a product or service through the use of inconspicuous drop-down links and auto-scroll features, and the addition of products to users’ shopping carts without their knowledge or consent. Continue Reading FTC Workshop Signals Increased Regulatory Focus on Dark Patterns

In a thoughtful opinion that diverges from how other circuit courts have addressed the issue, the Second Circuit recently issued a ruling clarifying the circumstances when data breach plaintiffs can rely on fear of identity theft to establish Article III standing. Continue Reading Second Circuit Ruling Clarifies When Data Breach Plaintiffs Have Adequately Plead Article III Standing

In a unanimous decision, the U.S. Supreme Court limited the reach of the Telephone Consumer Protection Act (“TCPA”) by narrowing what technology qualifies as an Automatic Telephone Dialing System (“ATDS”).  Among other restrictions, the TCPA prohibits calls to phone numbers using an ATDS without prior express consent.  The TCPA defines an ATDS as “equipment which has the capacity (A) to store or produce telephone numbers to be called, using a random or sequential number generator; and (B) to dial such numbers.”

In Facebook v. Duguid, the Court held that the key phrase “using a random or sequential number generator” modifies both “to store” and “to…produce.”  Therefore, automatic dialing technology only qualifies as an ATDS if it has the capacity to store numbers “using a random or sequential number generator” or to produce numbers “using a random or sequential number generator.”

Although the Court repeatedly mentioned “capacity,” it likewise highlighted current use.  Practically, then, “equipment that merely stores and dials telephone numbers” (as Justice Sotomayor, writing for the Court, described the devices that would be an autodialer under the plaintiff’s interpretation) no longer necessarily runs afoul of the TCPA’s ATDS prohibitions.  Importantly, as the Court makes clear, the ruling does not affect the TCPA’s prohibition on calls that use “an artificial or prerecorded voice,” such as prerecorded voice messages.

While this ruling will likely curb litigation, clients should remember that they can still face stiff statutory penalties for violations of other TCPA provisions unaffected by the ruling as well as other federal and state statutes that restrict communication.  The Supreme Court’s opinion can be found here.

We will soon be releasing a podcast discussing the ruling and will publish a separate blog post to announce the release.

Sixth Post in an Extended Series on Legislative Changes to BSA/AML Regulatory Regime

As we have blogged, the Anti-Money Laundering Act of 2020 (“AMLA”) contains major changes to the Bank Secrecy Act (“BSA”), coupled with other changes relating to money laundering, anti-money laundering (“AML”), counter-terrorism financing (“CTF”), and protecting the U.S. financial system against illicit foreign actors.

A recurring theme of the changes offered by AMLA is information sharing. AMLA mandates that the Department of Treasury’s supervision priorities must include “appropriate frameworks for information sharing among financial institutions, their agents and service providers, their regulatory authorities, associations of financial institutions, the Department of the Treasury, and law enforcement authorities.” The increased emphasis on information sharing is accompanied by provisions requiring confidentiality and data security protocols.

The Financial Crimes Enforcement Network (“FinCEN”) is already beginning to address AMLA’s focus on the sharing and protection of information, as it explained in its recent detailed Report on FinCEN’s Innovation Hours Program, which focuses on fostering technological innovation in AML/CTF compliance.  In this post, we explore AMLA’s expansion of information sharing, corresponding privacy and data security protections, and the tensions that lie therein.

Information Sharing Provisions

AMLA is replete with new avenues for information sharing. We address those provisions here, which fall into three categories: (1) the information-sharing provisions of the Corporate Transparency Act (“CTA”), (2) expansions to information sharing via public-private partnerships, and (3) expansions to information sharing within financial institutions, specifically between a domestic and foreign branch.

Information Sharing under the CTA

Arguably, the most important information-sharing provisions are in the CTA. The CTA establishes a beneficial ownership (“BO”) database housed within the Department of Treasury. This database will include a BO’s full name, date of birth, current address, and a unique identifying number from an acceptable identification document (or an acceptable FinCEN identifier). In a previous blog post in this series, we discussed how the new BO database may relieve financial institutions of some customer due diligence obligations and could allow regulators to spend more time on investigation of substance, rather than determining an entity’s BOs. Although the BO database will be stored at the Department of Treasury, the CTA provides for interagency, state, cross-border, and public-private sharing of BO information to assist in law enforcement and prosecution efforts. If requested, access will be given to regulators and law enforcement only to the information needed and only to those individuals that require access. Financial institutions may also satisfy customer due diligence requirements by requesting information from the BO database, but only if given consent by the reporting company.

Although we discuss AMLA’s privacy and data security provisions in detail below, the CTA’s privacy and data security provisions are important enough to highlight here. While the privacy and data security regulations described by the CTA are not likely to be published until later in 2021, their general contents are explained by AMLA.

The CTA requires each requesting agency to establish and maintain a secure system to store BO information, establish privacy and data security protocols, and certify compliance with the Secretary of Treasury on a semi-annual basis. The regulations will also limit access to the BO database information in two ways. First, the BO database information will only be available to requesting agencies upon written request describing the reasons for the request. Second, access to the BO database information is limited to personnel who must go through appropriate training, use identity verification to obtain access to the BO database information, and must also be authorized—by agreement with the Secretary of Treasury—to access that information.

Finally, the CTA requires regulations enforcing strict compliance with minimum data security protocols and access requirements. The regulations will require recordkeeping by the requesting agency showing what information was requested (and by whom), audits by the requesting agency and the Secretary of Treasury, and any other additional safeguards deemed necessary by the Secretary of Treasury. Violations of these regulations may lead to criminal or civil penalties.

Public-Private Partnerships

AMLA also codifies public-private partnerships for information sharing in three ways. First, AMLA creates the “Office of the Domestic Liaison,” which reports to FinCEN’s Director. The Office of the Domestic Liaison will contain a Chief Domestic Liaison and regional Domestic Liaisons. The Domestic Liaisons will be a conduit between the federal functional regulators and BSA officers at financial institutions. Importantly, the Domestic Liaisons will receive confidential feedback from financial institutions on BSA examinations and will help coordinate public-private information sharing matters. Having individuals dedicated to facilitating and strengthening these public-private partnerships may help foster more, and more useful, information sharing.

Second, AMLA acknowledges the FinCEN Exchange, a “public-private information sharing partnership among law enforcement agencies, national security agencies, financial institutions, and FinCEN” that has existed since December 2017. AMLA codifies this ad hoc program into the statutory scheme. Although AMLA does not provide details, it appears the FinCEN Exchange will continue to share information on “broader typologies” and “high priority issues” for AML/CTF issues with financial institutions.

Third, AMLA instructs the Secretary of the Treasury to “convene a supervisory team of relevant Federal agencies, private sector experts in banking, national security, and law enforcement, and other stakeholders to examine strategies to increase cooperation between the public and private sectors.” This supervisory team may use its diverse perspectives to offer insights into future avenues for information sharing within public-private partnerships.

Information Sharing within Financial Groups

AMLA also contains a pilot program allowing financial institutions to share information related to suspicious activity reports (“SARs”), as well as the fact that a SAR has been filed, with foreign branches. This would allow financial institutions to more effectively combat cross-border money laundering or terrorist financing. While the animating regulations must still be developed, the contours of the pilot program are relatively clear. The pilot program will allow information sharing with foreign branches, but will impose penalties on foreign branches for public disclosure of the information shared. The pilot program will also not permit financial institutions to share information with foreign branches in China, Russia, or jurisdictions that are state sponsors of terrorism or are subject to sanctions.

Privacy and Data Security Provisions

Along with information sharing, AMLA provides additional provisions on privacy and data security. Most notably, AMLA creates the role of Bank Secrecy Act Information Security Officers (“BSA ISOs”), each of whom will serve within the federal functional regulators, FinCEN, and the IRS. The BSA ISOs will be central to marrying the new information-sharing provisions to data security protocols. To perform this function, the BSA ISOs will help create data security regulations and internal protocols, be consulted on information-sharing policies and data security concerns, and may help develop new technologies to strengthen future data security.

They will also be given a seat at the table on the Subcommittee on Information Security and Confidentiality, an AMLA-created subcommittee within the Bank Secrecy Act Advisory Group. AMLA instructs that the Subcommittee will “advise the Secretary of the Treasury regarding the information security and confidentiality implications of regulations, guidance, [and] information[-]sharing programs.” In addition to the BSA ISOs, the Subcommittee will also include the heads of the federal functional regulators and representatives from financial institutions, law enforcement, and FinCEN. The Report on FinCEN’s Innovation Hours Program details that FinCEN’s BSA ISO and the Subcommittee will work closely with the Bank Secrecy Act Advisory Group on Innovation and Technology to “support responsible AML/CFT innovation.” The combination of voices hopefully will provide the necessary BSA expertise, technological know-how, and industry experience to advise the Secretary of Treasury into the future.

The information-sharing provisions discussed above also contain their own requirements. Whether information sharing is interagency, between federal and state or federal and foreign authorities, or between public and private actors, the privacy and data security provisions remain the same:

  • AMLA requires the collecting agency to, by regulation or otherwise, establish protocols for privacy and data security;
  • AMLA requires the collecting agency to impose its protocols for privacy and data security on those receiving the information;
  • AMLA restricts sharing to the narrowest possible group of individuals on the narrowest possible amount of information and generally restricts its use to AML/CTF functions; and
  • AMLA suggests the collecting agency should revisit its privacy and data security protocols often, by requiring annual or biannual reports or by requiring the protocols to be created by regulation (as opposed to baking them into the statutory scheme).

Key Takeaways

AMLA provides more avenues for information to be shared between agencies, states, foreign law enforcement, and financial institutions. As the opportunities for information sharing expand and personal, confidential information continues to spread, concerns over privacy and data security multiply—especially when that information has national security implications.

AMLA acknowledges the centrality of information sharing as a regulatory response to increasingly complex, cross-border and interagency schemes. Allowing more—and more seamless—information sharing may give regulators and law enforcement the ability to use that information to more effectively fuel their investigations and track down wrongdoers. Information sharing will also give financial institutions insight into regulatory focus and industry trends, theoretically allowing the financial institutions to better track and triage AML/CTF priorities.

But increased information sharing is necessarily in tension with privacy and data security concerns. With more people given access to sensitive information, there are more chances for inadvertent disclosure or nefarious actors to gain access. Moreover, to the extent a small subset of agencies or vendors may serve as a hub for information-sharing purposes, lessons from the SolarWinds hack apply (which we blogged about). A data security weakness in one is a weakness for all. Finally, sharing across borders brings its own set of challenges, including translating protocols linguistically and technologically and ensuring maintenance of proper systems and data security protocols.

Pursuit of increased information—and increased information sharing—almost always leads to heightened privacy and data security concerns. But these concerns need not lead to barriers. AMLA contains a number of provisions that require the creation of protocols and procedures, mandate continuing maintenance, narrowly restrict access, and solicit ideas from a variety of perspectives. These are sensible solutions on paper, but only time will tell whether this legislative vision will create both robust information sharing and adequate privacy and data protection.

If you would like to remain updated on these issues, please click here to subscribe to Money Laundering Watch. Please click here to find out about Ballard Spahr’s Anti-Money Laundering Team. Please also visit CyberAdviser, our blog focused on the latest news and developments in privacy and cybersecurity law, produced by the members of our Privacy and Data Security Group.