The California Attorney General’s Office released its long-awaited proposed CCPA Regulations this afternoon.  The proposed Regulations are 24 pages long, and address a number of important technical compliance issues including how businesses should:

  • provide just-in-time notice to consumers of personal information collected;
  • provide notice to consumers of the right to opt out of the sale of personal information;
  • provide notice to consumers of financial incentives;
  • provide a CCPA compliant privacy policy;
  • provide methods for consumers to submit requests to know and requests to delete their personal information;
  • respond to consumer requests to know and requests to delete their personal information;
  • respond to consumer requests to access or delete household information;
  • respond to requests to opt-out;
  • respond to requests to opt-in after consumers exercise their right to opt out of the sale of personal information; and
  • verify consumer requests.

The AG’s office also released a 47 page Initial Statement of Reasons.

Ballard’s Privacy & Data Security lawyers are carefully reviewing the proposed Regulations. We will post our thoughts on the effect of the proposed Regulations, what they mean from a compliance standpoint, what issues the proposed Regulations fail to address, and what’s next for the CCPA in the coming days.

The perplexing question of what U.S. companies must do to comply with EU “cookie” law became slightly more clear with the recent decision of the European Court of Justice (CJEU) in Planet49 GmbH, but numerous questions still remain. A main source of confusion about cookies is the interplay between two EU privacy laws, the ePrivacy Directive and the GDPR. The former governs, among other things, the placement of cookies and marketing pixels on the browsers of website visitors and the latter governs the subsequent processing of personal data, which in many cases includes cookies. Some cookies, in other words, are subject to the ePrivacy Directive but not the GDPR. Another complication is that the ePrivacy Directive does not have an extra-territorial effect whereas the GDPR does have such an effect.

Many privacy professionals had hoped that the CJEU’s ruling in Planet49 would provide some much-needed clarity to a muddled legal picture. And it does, sort of.

Background

The case involved participation in a lottery organized by Planet49 GmbH, an online gaming company. To enter the lottery, internet users were prompted to enter their personal information, then presented with two checkboxes. The first required the user to agree to be contacted by other businesses for promotional offers. The second checkbox, which contained a pre-ticked box, required the user to consent to cookies. In order to participate in the lottery, the first checkbox needed to be ticked.

The first question referred to the CJEU concerned whether the use of a pre-ticked box was sufficient to obtain valid consent for placing cookies on a user’s device. The second question referred to the CJEU was whether service providers need to give users information specifically about the duration of the operation of the cookies and access by third parties.

How Planet49 Establishes Some Clear Guidelines

The CJEU’s recent ruling in Planet49 helps to clarify some of the rules governing the placement of cookies. First, the CJEU ruled that Planet49’s use of pre-ticked boxes is not a sufficient basis to establish consent. The writing had been on the wall for the use of pre-ticked boxes even before the GDPR became effective, so this part of the ruling is not surprising.

What makes the ruling significant is the Court’s finding that consent requires some action on the part of the user. Although the ruling technically addresses consent under the ePrivacy Directive, the CJEU’s ruling suggests that inferring consent from passive activities, such as the continued browsing of a website, might not meet the GDPR’s more exacting “affirmative consent” standard. This finding aligns with recent guidance from the ICO, CNIL and the German Data Protection Authority (DPA), who have all issued guidance aligning consent under the ePrivacy Directive with the GDPR standard and have explicitly stated that the continued browsing of a website alone does not constitute consent. The CJEU did not go quite this far, but the days may be numbered for cookie banners that infer consent from continued browsing.

Second, the ruling makes clear that data controllers must gather consent for the placement of all non-essential cookies on a user’s device. This includes analytic cookies, which are commonly used by most companies with a website.

Lastly, the CJEU ruling requires that data controllers disclose the duration for cookie retention as well as the sharing of cookies with third parties in order to satisfy the ePrivacy Directive’s requirement that consent be “freely given specific and informed indication of the user’s wishes.” The ruling does not state what the maximum retention period for a cookie should be, but some EU regulators have suggested retention periods in recent guidance.
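The three points above translate into concrete behaviour for a consent banner: nothing non-essential is set until the user acts, passive signals such as dismissing the banner or continuing to browse change nothing, and each consent choice sits beside a disclosure of retention period and third-party recipients. The following is an added example illustrating that logic, not code from the original post or from any party to the case; the cookie names, categories, retention periods and vendor names in the registry are constructed for illustration.

```javascript
// Added example (not from the original post): a cookie-consent gate that
// applies the Planet49 points. Cookie names, categories, durations and
// third-party recipients below are constructed for illustration.

// Registry of cookies the site would set. Essential cookies need no consent;
// every non-essential entry states its retention period and the third
// parties that receive it, so the disclosure can be shown before consent.
const COOKIE_REGISTRY = {
  session_id:   { category: 'essential',   retentionDays: 0,   thirdParties: [] },
  analytics_id: { category: 'analytics',   retentionDays: 395, thirdParties: ['example-analytics-vendor'] },
  ad_id:        { category: 'advertising', retentionDays: 180, thirdParties: ['example-ad-network'] },
};

const NON_ESSENTIAL = ['analytics', 'advertising'];

// All categories start unconsented: the equivalent of unticked boxes.
function createConsentState() {
  const state = {};
  for (const c of NON_ESSENTIAL) state[c] = false;
  return state;
}

// Signals that do NOT count as consent under the ruling's reasoning:
// passive activity, closing the banner, or a box that was ticked by default.
const PASSIVE_SIGNALS = new Set(['page_view', 'scroll', 'banner_dismissed', 'pre_ticked_default']);

// Apply a user interaction to the consent state. Only an explicit accept
// carrying an explicit list of categories grants anything; withdrawal clears all.
function applySignal(state, signal) {
  const next = { ...state };
  if (PASSIVE_SIGNALS.has(signal.type)) return next;
  if (signal.type === 'accept_clicked') {
    for (const c of signal.categories || []) {
      if (c in next) next[c] = true;
    }
    return next;
  }
  if (signal.type === 'withdraw_clicked') {
    for (const c of NON_ESSENTIAL) next[c] = false;
    return next;
  }
  throw new Error(`unknown signal type: ${signal.type}`);
}

// May this cookie be set given the current consent state?
function canSetCookie(state, name) {
  const entry = COOKIE_REGISTRY[name];
  if (!entry) throw new Error(`unregistered cookie: ${name}`);
  if (entry.category === 'essential') return true;
  return state[entry.category] === true;
}

// Disclosure text shown beside each consent checkbox: the ruling requires
// the retention period and any third-party access to be stated.
function disclosureFor(name) {
  const e = COOKIE_REGISTRY[name];
  const recipients = e.thirdParties.length ? e.thirdParties.join(', ') : 'none';
  return `${name} (${e.category}): retained ${e.retentionDays} days; shared with: ${recipients}`;
}

// Check a registry before offering it for consent: every non-essential cookie
// must carry a positive retention period and an explicit third-party list.
function validateRegistry(registry) {
  const problems = [];
  for (const [name, e] of Object.entries(registry)) {
    if (e.category === 'essential') continue;
    if (!Number.isInteger(e.retentionDays) || e.retentionDays <= 0) problems.push(`${name}: missing retention period`);
    if (!Array.isArray(e.thirdParties)) problems.push(`${name}: third-party recipients not stated`);
  }
  return problems;
}

// Walk through a visit: browsing and dismissing the banner grant nothing;
// only the explicit click on "accept" for a named category opens that gate.
function demo() {
  let state = createConsentState();
  state = applySignal(state, { type: 'page_view' });
  state = applySignal(state, { type: 'banner_dismissed' });
  const beforeAccept = canSetCookie(state, 'analytics_id');
  state = applySignal(state, { type: 'accept_clicked', categories: ['analytics'] });
  const afterAccept = canSetCookie(state, 'analytics_id');
  const adsStillBlocked = canSetCookie(state, 'ad_id');
  return { beforeAccept, afterAccept, adsStillBlocked, problems: validateRegistry(COOKIE_REGISTRY) };
}
```

The gate is deliberately one-directional: a passive signal can never flip a category to `true`, so a banner built on this model cannot infer consent from continued browsing even by accident, and a registry entry that lacks a retention period fails `validateRegistry` before it is ever presented to a user.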

What the CJEU Ruling Doesn’t Resolve

For U.S. companies with physical operations in the EU, the CJEU ruling does not address a number of thorny issues. In particular, one open question is what, if any, user actions short of physically clicking an “Accept” button might constitute a valid cookie consent. While continued browsing might not be sufficiently active to establish consent, would clicking out of a cookie banner?

The CJEU ruling also does not address the question of whether the use of cookie walls (whereby access to a website requires that website visitors agree to the use of cookies) is permissible under the ePrivacy Directive or GDPR. There is a split among EU data regulators on this, with CNIL and the German DPA holding that cookie walls are not permissible whereas the ICO has held that cookie walls may, under certain circumstances, be valid.

The subsequent processing of tracking cookies for the placement of targeted ads is another issue that remains muddled in the wake of the CJEU opinion. The ICO has taken the position that a data controller cannot rely on legitimate interests as a basis for subsequent processing of cookies, particularly tracking cookies. The CNIL and the German DPA have not gone so far as the ICO and appear to leave open the possibility that legitimate interests may be permissible for subsequent processing of cookies.

For U.S. companies that don’t have an establishment in the EU, compliance is even more complicated insofar as these companies may be subject to the GDPR but not the ePrivacy Directive. The GDPR only governs the processing of cookies or other online identifiers that gather or contain personal information whereas the ePrivacy Directive covers the placement of any cookie or file on a user’s browser. Thus, for U.S. companies that don’t maintain an EU establishment, it remains unclear whether the guidance of EU data regulators regarding analytic cookies, for example, applies.

Conclusion

The bottom line is that for U.S. companies doing business in Europe, the CJEU’s recent ruling provides some important guardrails useful for fashioning cookie banners and policies, but numerous questions remain unresolved. Until an ePrivacy Regulation is released, U.S. companies will likely follow the proverbial herd, trying their best to hide in a crowd of other companies also struggling to understand where the lines lay.

Remarks Focus on Account Takeovers, BEC Schemes, Beneficial Ownership, Technological Innovation and SARs

FinCEN Director Kenneth A. Blanco delivered prepared remarks on September 24 at the 2019 Federal Identity (FedID) Forum and Exposition in Tampa, Florida.

Director Blanco summarized the topics of his remarks by stating the following:

  1. First, I would like to tell you a little about FinCEN. Who we are, what we do, and why I am here to speak with you today.
  2. Second, I will speak to how illicit actors are leveraging identity. Specifically, I will highlight some of the trends FinCEN is seeing in how criminals exploit and compromise identities.
  3. Third, I will discuss how we use identity to protect our national security and keep our communities and families safe from harm.

As to the “who” and “what” of FinCEN, Director Blanco emphasized the agency’s role as “Administrator of the Bank Secrecy Act” and “THE Financial Intelligence Unit” of the United States. Director Blanco went on to describe current developments in how “identity” – described by Director Blanco as “who we are legally” – is employed in the financial sector and government. Such developments are “critically important,” in part because “the features that make identity information valuable to companies also make these data stores high value targets for criminals and other bad actors, including terrorists and rogue states.”

Director Blanco next addressed the abuse of personally identifiable information by means of “account takeover,” which involves the targeting of customer accounts to gain unauthorized access to funds. He noted that FinCEN receives approximately 5,000 account takeover reports each month (totaling about $350 million), but that this figure merely reflects “attempts” and not actual losses. Director Blanco further noted that, “Criminals often acquire these leaked credentials through hacks, social engineering, or by purchasing them on darknet fora to facilitate the account takeover. Depository institutions, such as banks, are the most common targets given their high numbers of customer accounts, but institutions like insurance companies, money services businesses, and casinos, and of course their customers, are also affected.” Director Blanco then called for improving “cyber hygiene” by, among other things, implementing strong authentication solutions (such as multi-factor authorization and authentication procedures for processing payments or allowing access to sensitive information).  He reminded the audience that FinCEN held in July 2019 a FinCEN Exchange on business email compromise (BEC) fraud schemes targeting U.S. financial institutions and their customers, and that FinCEN had issued a July 16, 2019 Advisory on BEC fraud.

Separately, Director Blanco warned of bad actors who exploit weaknesses posed by the ubiquity of Social Security numbers (“SSN”). A FinCEN analysis of Suspicious Activity Reports (“SARs”) filed since January 2003 found more than 600,000 SSNs affiliated with identity theft reported from financial institutions, many of which were associated with more than one name. “That is mind-boggling, and it points to something wrong with how identity is being verified and authenticated across much of the financial system.”

Director Blanco then discussed the use of identity as a means to counter illicit activity. In doing so, he emphasized that beneficial ownership information is a critical issue whose “importance to our national security cannot be understated.” Notably, Director Blanco criticized the lack of an ability to collect identity information as a “dangerous and widening gap in our national security apparatus.” Although he praised the agency’s promulgation of the customer due diligence rule (a topic on which we have written extensively, see, e.g., here, here and here), he called for a separate rule to collect beneficial ownership information at the corporate formation stage. “To be sure, it is not that shell companies should not exist—it is just that the authorities should be able to know who owns and controls them when there is a legitimate law enforcement need, subject to appropriate information access safeguards. But currently, there is no federal standard requiring those who establish shell companies in the [U.S.] to provide basic, but critical information at company formation.”

Finally, Director Blanco stated that FinCEN has strongly supported “responsible innovation” in the financial sector in regards to using technological advances to comply with BSA regulations. “Innovative indicators that reveal customers’ digital footprints and activities are extremely helpful to financial institutions in the conduct of their day-to-day business, including helping them understand customer activity and monitoring for suspicious activity.” He observed that FinCEN changed the SAR form in 2018 in order to allow for the reporting of up to 99 technical indicators, such as IP addresses, MD5 hashes, PGP keys, and device identifiers.


Over the past several years, state legislatures have become more aggressive in passing laws to protect consumers’ digital rights. The promulgation of state data security and privacy laws, such as the California Consumer Privacy Act, is a prime example of this trend. Another less publicized example of state oversight of online activities is legislation regulating automatic renewals, which have become very common and present new and little appreciated regulatory and litigation risks. Here’s a quick primer on these laws.

As background, automatic renewals refer to the business practice of subscribing a customer to receive a product or service and billing customers periodically for products and services without needing to obtain their express consent before each charge. Automatic renewals can benefit both customers and businesses; customers enjoy having their favorite products or services delivered to them automatically and businesses benefit from steady delivery of their products and services. On the other hand, regulators remain concerned that these automatic renewals can be misused by online retailers, publications and service providers, who may not always provide consumers with adequate disclosures or provide an easy mechanism to cancel their subscriptions before being charged again.

On the federal level, internet-based automatic renewals are regulated by the Federal Trade Commission (FTC) under the Restore Online Shoppers’ Confidence Act (ROSCA). This law requires clear disclosures of material terms, informed consent before obtaining financial information to process a purchase, and a simple mechanism to cancel the charges. Violations of ROSCA are categorized as unfair or deceptive acts or practices under the Federal Trade Commission Act. The FTC has become more aggressive in policing ROSCA, recently settling charges against Hardwire Interactive Inc. for $3,000,000.

On the state level, 26 states have implemented some form of automatic renewal laws. States that recently adopted these laws include California in 2018, and Vermont, Virginia, Washington, D.C. and North Dakota, in 2019. The North Dakota law is the most recent and provides a private cause of action for consumers injured by illegal renewals. Virginia also provides a private right of action for injured consumers.

In California, the law requires disclosures to customers for automatic renewals, free gifts, and trials as well as to offer a way for customers to cancel their subscriptions online. Vermont’s automatic renewal law requires that in addition to accepting the contract, the customer must also take affirmative action to opt into automatic renewal provisions of the contract. In Virginia, businesses must obtain a customer’s affirmative consent to the automatic renewal terms prior to charging the customer. In D.C., customers need to opt into the subscription after the end of their free trial, requiring the business to go back to the customer and ask for their consent.

These laws require businesses to restructure the way their current automatic renewal processes work. Businesses must take into account the additional consent requirements and update their systems so that customers are not automatically billed until the business receives all the opt ins required to process the transaction. Also, because most businesses conduct business in more than one state, the automatic renewal process needs to be compliant for every state in which the business operates.

The state laws also provide regulatory penalties for non-compliance. In October 2018, Spark Networks, the parent company of dating websites JDate and Christian Mingle, settled an enforcement claim brought by the California Attorney General for $1,500,000 for automatic renewal violations. In addition to fines, some states give customers additional rights regarding automatic renewals conducted in violation of the law. In California, if the business sends a product without following the requirements of the law, the customer may keep the product as an unconditional gift.

We are in the midst of a period of increased regulatory scrutiny of businesses’ online activities. If your business uses automatic renewals to deliver products and services to customers, you should consider reviewing your practices to ensure compliance with these new laws.

On September 13, 2019—the last day of the legislative session—California lawmakers approved five amendments intended to clarify the scope of the California Consumer Privacy Act (the “CCPA”), but rejected several industry-backed proposals that would have exempted personal information used for targeted advertising and loyalty programs.

Five amendments passed:  AB 25, 874, 1146, 1355, and 1564.  As we have noted in prior posts, the version of AB 25 that ultimately made it through the legislature had changed from a more business-friendly exclusion for certain employment-related information to a compromise bill, whereby employers must still inform employees of the types of information they are collecting and the reason for doing so.  AB 25 also subjects employers to the private right of action with statutory damages in the event of a data breach, albeit only as to “personal information” as defined in California’s data breach notification law.  AB 25 has a one-year sunset provision, after which employee personal information will be treated the same as consumer personal information without further legislative action or regulatory guidance.

AB 1355 is also particularly important as it excludes from consumer personal information: (1) consumer information that is deidentified or aggregated; and (2) personal information gathered in the context of a business-to-business transaction.  While the latter exclusion has a one-year sunset provision, this exclusion provides a significant boon to businesses that engage primarily in B2B transactions, but were nonetheless previously concerned that they may hold significant amounts of personal information under the CCPA’s broad definition.

Notably, the legislature did not pass AB 846, which would have allowed companies to collect personal information to offer loyalty programs without worrying that the practice was discriminatory under the law.  The legislature also rejected proposals backed by the California Chamber of Commerce and the Internet Association—which includes Google, Facebook, and Amazon in its members—which would have increased exclusions relating to targeted advertising and fraud detection, as well as expanded the definition of “deidentified.”

Although this year’s legislative session is complete, there is still a chance that the Attorney General’s forthcoming regulations could alter the CCPA’s scope and application.  The proposed regulations are expected to be issued later this month or in October, followed by a comment period prior to finalization.

However, assuming the Governor signs passed amendments, companies now know the version of the CCPA which will go into effect on January 1, 2020, and should prepare accordingly.

Delaware (July 31, 2019) and New Hampshire (August 2, 2019) have become the latest states to add to the insurance cybersecurity landscape by enacting information security laws.  These laws come on the heels of Connecticut’s law enacted a few days earlier.  Notably, while Connecticut followed the New York Department of Financial Services’ 2017 Cybersecurity Regulations model, Delaware and New Hampshire followed South Carolina, Ohio, Michigan, and Mississippi in adopting a version of the model law put forth in 2018 by the National Association of Insurance Commissioners (“NAIC”).  Although the New York and NAIC frameworks are similar—both require written information security programs and impose a 72-hour breach notification deadline—the legislation as enacted by each state varies, resulting in a patchwork compliance framework for insurance companies that practice across multiple states.

New Hampshire’s Insurance Data Security Law and Delaware’s Insurance Data Security Act apply to any individual or non-governmental entity that is required to be licensed, authorized, or registered pursuant to New Hampshire’s insurance laws (each a “Licensee”), and are intended to protect “nonpublic information,” defined, generally, as any information that can be used to identify a consumer, including health care information.  Excluded from covered Licensees are those entities with fewer than 20 employees (New Hampshire) and 15 employees (Delaware), an increase from the 10 employee exception found in the NAIC model law.

Under both laws, a Licensee is required to have a written information security program in which administrative, technical, and physical safeguards are implemented based on the results of a risk assessment.  A written incident response plan and a schedule for retention/process for destruction of nonpublic information must also be components of the information security program.  Written certification to the respective state commissioner that the Licensee is in compliance with these requirements must be submitted annually (though New Hampshire and Delaware have different submission deadlines).  Compliance with such requirements is viewed in the context of the Licensee’s size and complexity, the nature and scope of its activities, including its use of third-party service providers, and the sensitivity of the nonpublic information it possesses or uses.  The commissioner is authorized to “examine and investigate” any Licensee and to take “action that is necessary or appropriate” if the commissioner “has reason to believe” a Licensee is in violation of the law.  Notably, the New Hampshire law contains a safe harbor provision which deems compliant those Licensees who are in compliance with the NYDFS Cybersecurity Regulations.

Should a “cybersecurity event” occur (defined generally as unauthorized access to nonpublic information or the information system), both laws require notification to the commissioner within three business days (relaxed from NAIC’s rigid 72 hour deadline) from the determination that such an event has occurred.  If the nonpublic information was encrypted, or the impacted nonpublic information was not used or has been returned or destroyed, such circumstances do not rise to a “cybersecurity event.”  Under certain circumstances in which notice to the affected consumers is required, Delaware imposes a 60-day deadline and, further, requires the Licensee to provide free credit monitoring services to the consumer for a period of one year.  The medium by which consumers must be notified is also detailed in Delaware’s law.

The Delaware law’s compliance deadline is July 31, 2020, and the New Hampshire law’s compliance deadline is January 1, 2021.  Both laws allow an additional year to ensure that third-party service providers are compliant.  

These recent laws serve as yet another reminder that insurance licensees need to closely monitor the changing legal landscape and be ready to adapt their practices to ensure compliance.

On July 26, 2019, Connecticut Governor Ned Lamont signed into law the state’s new Insurance Data Security Law, which imposes new information security, risk management, and reporting requirements for carriers, producers, and other businesses licensed by the Connecticut Insurance Department (“CID”).  In doing so, Connecticut joins New York, South Carolina, Ohio, Michigan, and Mississippi as states that have enacted information security laws for insurance companies.  However, whereas the recent trend has been to follow the 2018 Model Act published by the National Association of Insurance Commissioners (“NAIC”), Connecticut largely followed the New York Department of Financial Services’ 2017 Cybersecurity Regulations.

The Connecticut law will require companies to maintain an information security program that is commensurate with the size and complexity of the licensee’s operations; perform regular risk assessments; and designate a responsible individual to oversee the information security program.  The law also requires oversight by the licensee’s board of directors and annual certification of compliance to the CID.  Licensees will also have to report cybersecurity incidents to the CID within three business days.  The law is effective October 1, 2019, but gives licensees until October 1, 2020 to implement their security programs.

While the Connecticut law does not break new substantive ground, it is significant for two reasons.  First, Connecticut’s law demonstrates that states have not uniformly adopted the NAIC model over the NYDFS model.  And, while the NYDFS and NAIC models are similar, there are important differences in the details.  Second, regardless of which model is chosen, Connecticut’s law highlights the fact that insurance companies operating across multiple states will have different obligations, especially with respect to breach notification.  Accordingly, insurance licensees should ensure that they are staying abreast of developments and prepared to comply with the changing patchwork of laws and regulations.

Just two days after the Federal Trade Commission (“FTC”) announced a historic settlement of privacy and security claims against Equifax, the FTC today announced that Facebook has agreed to pay $5 billion in civil fines, arising from its violation of a 2012 consent order with the FTC. According to the FTC, this is the largest fine ever levied by a U.S. regulatory agency against a company for a privacy or data security violation by a factor of 20—and one of the largest penalties ever assessed by the U.S. government.


Equifax has agreed to pay $575 million to settle consumer as well as state and federal regulatory claims for its 2017 data breach. This is the largest data breach settlement to date.

New York’s proposed data privacy law failed to materialize in the latest legislative session and is now presumed dead.  New York was one of a number of states that proposed sweeping privacy legislation after the enactment of the California Consumer Privacy Act (CCPA). The proposed New York law, in fact, was broader than the CCPA in many ways. The law would have applied to non-profits as well as for-profits, and included a private right of action for data breaches of $10,000 per consumer.  The proposed law also would have designated businesses that collect personal information of New York consumers as “information fiduciaries” and imposed on such companies a “duty to exercise loyalty and care” in how the business uses personal information, as the Electronic Frontier Foundation put it.

Concerns about the overly prescriptive nature of the proposed law as well as its potential impact on small and medium-sized companies appear to have derailed the bill in the New York senate. A number of other states, including Massachusetts and Connecticut, are still considering their own privacy laws, but for the time being at least, the CCPA remains the only comprehensive US state privacy law on the books.