On July 26, 2019, Connecticut Governor Ned Lamont signed into the law the state’s new Insurance Data Security Law, which imposes new information security, risk management, and reporting requirements for carriers, producers, and other businesses licensed by the Connecticut Insurance Department (“CID”).  In doing so, Connecticut joins New York, South Carolina, Ohio, Michigan, and Mississippi

Just two days after the Federal Trade Commission (“FTC”) announced a historic settlement of privacy and security claims against Equifax, the FTC today announced that Facebook has agreed to pay $5 billion in civil fines, arising from its violation of a 2012 consent order with the FTC. According to the FTC, this is the largest fine ever levied by a U.S. regulatory agency against a company for a privacy or data security violation by a factor of 20—and one of the largest penalties ever assessed by the U.S. government.

Continue Reading

The Denmark Data Protection Authority (DPA) ruled on April 11, 2019 that affirmative consent is required when companies record customer telephone calls. Because voice recordings constitute personal data under the European Union’s (EU) General Data Protection Regulation (GDPR), international companies that communicate via telephone with EU customers will need to take steps to ensure GDPR compliance.

In this case, Denmark’s largest telecommunications company, TDC A/S, provided disclosures to its customers that calls may be recorded for training purposes, but the company offered no mechanism for customers to opt-in or opt-out of the recording. During one such call, the customer requested that the call not be recorded, but the service agent said there was no way to turn off the recording. The Denmark DPA rejected the company’s arguments that its recording practices served a legitimate interest, such as the improvement of its customer service, and concluded that the company’s telephone recording practices violated the GDPR.
Continue Reading

Recently, legislators in Texas introduced two bills relating to consumer privacy and data protection: H.B. No. 4518, the Texas Consumer Privacy Act (“Texas CPA”) and H.B. No. 4390, the Texas Privacy Protection Act (“TPPA”). These bills bear a strong resemblance to the California Consumer Privacy Act (the “California CPA”), and would lay the groundwork for extensive administrative schemes protecting consumers’ rights to their personal information.

Texas CPA

The Texas CPA bears strong similarity to California CPA. The Texas CPA, which, if adopted, would take effect September 1, 2020, applies to companies that do business and collect consumer data and:

  • Derive at least 50% of their annual revenue selling consumers’ personal information; or
  • Exceed $25 million in gross annual revenue (with that amount subject to adjustment by the Texas Attorney General every two years); or
  • Buy, sell, or receive the personal information of at least 50,000 consumers, households, or devices for commercial purposes
  • The Texas CPA would also apply to entities owned by companies that would be subject to the law. Similar to the California CPA, the Texas CPA contains express provisions governing rulemaking, implementation, and enforcement of the law. Notably, the legislation highlights various consumer rights, including (but not limited to):
  • A consumer’s right to disclosure, from the business, of the personal information the business collected.
  • A consumer’s right to deletion of the personal information that the business collected (with some limited, specific exceptions).
  • A consumer’s right to opt out of the sale of his or her personal information.


Continue Reading

On March 20, 2019, the Supreme Court refused to address the adequacy of a $8.5 million Google privacy class action settlement and instead remanded to a lower court to determine whether the class action plaintiffs had standing to assert a claim under the Stored Communications Act (“SCA”).  The Court’s holding serves as a reminder that

New proposed legislation in California, backed by state Attorney General (AG) Xavier Becerra, would amend the new California Consumer Privacy Act (CCPA) to make it easier for private plaintiffs and public officials to sue for violations while further increasing regulatory uncertainty and compliance costs for businesses.  Specifically, SB 561 would expand the CCPA’s private right of action, remove the Act’s public enforcement “cure” provision, and eliminate the ability of affected companies to seek compliance guidance from the AG.

The CCPA is a sweeping new privacy law which goes into effect in January 2020.  It gives California residents substantial control over personal data held by certain California businesses, requiring disclosure of what personal information the business collects, how that information is used or sold, and allowing consumers to control or delete that information upon request.  It currently allows private plaintiffs to seek statutory damages of up to $750 per violation for certain violations, and it allows the AG to seek civil penalties of up to $2,500 for most violations, and up to $7,500 for violations found to be intentional.
Continue Reading

For good reason, there has been much discussion about the new privacy rights created by the California Consumer Privacy Act of 2018 (CCPA), which becomes effective January 1, 2020. Perhaps one of the most significant provisions of the CCPA, though, will be one that has been somewhat overlooked: Section 1798.150, which provides for statutory damages of between $100 and $750 per consumer per incident for certain data breaches. Indeed, had California enacted Section 1798.150 alone, it would have garnered scores of articles on how its statutory damages remedy will likely lead to an explosion in “bet-the-company” private class action litigation over data breaches. The fact that it was enacted as just one provision in a first-in-the-nation privacy law has resulted in commentators spending less time analyzing its impact on businesses.

We will try to remedy this by taking a look at this provision and analyzing how it will apply to businesses covered by the CCPA. We begin by discussing existing California laws that are referenced in the CCPA’s private right of action. We then track the private right of action through its various forms, starting with the ballot measure and ending with its current version as reflected in Senate Bill 1121. Finally, we discuss how the private right of action likely will be used by private litigants and what steps businesses should take to avoid costly litigation.
Continue Reading

The U.S. Supreme Court’s grant this week of the petition for certiorari in a case involving the Telephone Communication Protection Act (TCPA) prohibition on unsolicited fax advertisements could have significant implications for the Federal Communication Commission’s (FCC) anticipated ruling on what constitutes an automatic telephone dialing system (ATDS) under the TCPA.

The petitioner in PDR Network v. Carlton & Harris Chiropractic sent a fax in 2013 to a West Virginia chiropractor offering a free copy of the Physicians’ Desk Reference. The chiropractor declined the offer and sued PDR in West Virginia federal court, alleging that PDR had violated the TCPA by sending it an unsolicited fax advertisement. PDR moved to dismiss, arguing that the fax was not an “unsolicited advertisement” because it offered the desk reference for free rather than for purchase. The chiropractor disagreed, arguing that the fax was an “unsolicited advertisement” because a 2006 FCC rule interpreted the term to include “facsimile messages that promote goods or services even at no cost.”
Continue Reading

Less than three months after California passed the California Consumer Privacy Act of 2018 (CCPA), Governor Jerry Brown signed SB 1121 this week, making a number of technical and substantive changes to the law.

Of particular note: SB 1121 modifies the financial institution carve-out language in CCPA section 1798.145(e). While the change is a welcome development for entities subject to regulation under the Gramm-Leach-Bliley Act (GLBA), it does not grant full exemption from the CCPA. Therefore, GLBA-regulated entities that collect information online will need to analyze the CCPA’s requirements and how they apply to a specific business.
Continue Reading