The Denmark Data Protection Authority (DPA) ruled on April 11, 2019 that affirmative consent is required when companies record customer telephone calls. Because voice recordings constitute personal data under the European Union’s (EU) General Data Protection Regulation (GDPR), international companies that communicate via telephone with EU customers will need to take steps to ensure GDPR compliance.

In this case, Denmark’s largest telecommunications company, TDC A/S, provided disclosures to its customers that calls may be recorded for training purposes, but the company offered no mechanism for customers to opt-in or opt-out of the recording. During one such call, the customer requested that the call not be recorded, but the service agent said there was no way to turn off the recording. The Denmark DPA rejected the company’s arguments that its recording practices served a legitimate interest, such as the improvement of its customer service, and concluded that the company’s telephone recording practices violated the GDPR.
Continue Reading

Recently, legislators in Texas introduced two bills relating to consumer privacy and data protection: H.B. No. 4518, the Texas Consumer Privacy Act (“Texas CPA”) and H.B. No. 4390, the Texas Privacy Protection Act (“TPPA”). These bills bear a strong resemblance to the California Consumer Privacy Act (the “California CPA”), and would lay the groundwork for extensive administrative schemes protecting consumers’ rights to their personal information.

Texas CPA

The Texas CPA bears strong similarity to California CPA. The Texas CPA, which, if adopted, would take effect September 1, 2020, applies to companies that do business and collect consumer data and:

  • Derive at least 50% of their annual revenue selling consumers’ personal information; or
  • Exceed $25 million in gross annual revenue (with that amount subject to adjustment by the Texas Attorney General every two years); or
  • Buy, sell, or receive the personal information of at least 50,000 consumers, households, or devices for commercial purposes
  • The Texas CPA would also apply to entities owned by companies that would be subject to the law. Similar to the California CPA, the Texas CPA contains express provisions governing rulemaking, implementation, and enforcement of the law. Notably, the legislation highlights various consumer rights, including (but not limited to):
  • A consumer’s right to disclosure, from the business, of the personal information the business collected.
  • A consumer’s right to deletion of the personal information that the business collected (with some limited, specific exceptions).
  • A consumer’s right to opt out of the sale of his or her personal information.


Continue Reading

On March 20, 2019, the Supreme Court refused to address the adequacy of a $8.5 million Google privacy class action settlement and instead remanded to a lower court to determine whether the class action plaintiffs had standing to assert a claim under the Stored Communications Act (“SCA”).  The Court’s holding serves as a reminder that

New proposed legislation in California, backed by state Attorney General (AG) Xavier Becerra, would amend the new California Consumer Privacy Act (CCPA) to make it easier for private plaintiffs and public officials to sue for violations while further increasing regulatory uncertainty and compliance costs for businesses.  Specifically, SB 561 would expand the CCPA’s private right of action, remove the Act’s public enforcement “cure” provision, and eliminate the ability of affected companies to seek compliance guidance from the AG.

The CCPA is a sweeping new privacy law which goes into effect in January 2020.  It gives California residents substantial control over personal data held by certain California businesses, requiring disclosure of what personal information the business collects, how that information is used or sold, and allowing consumers to control or delete that information upon request.  It currently allows private plaintiffs to seek statutory damages of up to $750 per violation for certain violations, and it allows the AG to seek civil penalties of up to $2,500 for most violations, and up to $7,500 for violations found to be intentional.
Continue Reading

For good reason, there has been much discussion about the new privacy rights created by the California Consumer Privacy Act of 2018 (CCPA), which becomes effective January 1, 2020. Perhaps one of the most significant provisions of the CCPA, though, will be one that has been somewhat overlooked: Section 1798.150, which provides for statutory damages of between $100 and $750 per consumer per incident for certain data breaches. Indeed, had California enacted Section 1798.150 alone, it would have garnered scores of articles on how its statutory damages remedy will likely lead to an explosion in “bet-the-company” private class action litigation over data breaches. The fact that it was enacted as just one provision in a first-in-the-nation privacy law has resulted in commentators spending less time analyzing its impact on businesses.

We will try to remedy this by taking a look at this provision and analyzing how it will apply to businesses covered by the CCPA. We begin by discussing existing California laws that are referenced in the CCPA’s private right of action. We then track the private right of action through its various forms, starting with the ballot measure and ending with its current version as reflected in Senate Bill 1121. Finally, we discuss how the private right of action likely will be used by private litigants and what steps businesses should take to avoid costly litigation.
Continue Reading

The U.S. Supreme Court’s grant this week of the petition for certiorari in a case involving the Telephone Communication Protection Act (TCPA) prohibition on unsolicited fax advertisements could have significant implications for the Federal Communication Commission’s (FCC) anticipated ruling on what constitutes an automatic telephone dialing system (ATDS) under the TCPA.

The petitioner in PDR Network v. Carlton & Harris Chiropractic sent a fax in 2013 to a West Virginia chiropractor offering a free copy of the Physicians’ Desk Reference. The chiropractor declined the offer and sued PDR in West Virginia federal court, alleging that PDR had violated the TCPA by sending it an unsolicited fax advertisement. PDR moved to dismiss, arguing that the fax was not an “unsolicited advertisement” because it offered the desk reference for free rather than for purchase. The chiropractor disagreed, arguing that the fax was an “unsolicited advertisement” because a 2006 FCC rule interpreted the term to include “facsimile messages that promote goods or services even at no cost.”
Continue Reading

Less than three months after California passed the California Consumer Privacy Act of 2018 (CCPA), Governor Jerry Brown signed SB 1121 this week, making a number of technical and substantive changes to the law.

Of particular note: SB 1121 modifies the financial institution carve-out language in CCPA section 1798.145(e). While the change is a welcome development for entities subject to regulation under the Gramm-Leach-Bliley Act (GLBA), it does not grant full exemption from the CCPA. Therefore, GLBA-regulated entities that collect information online will need to analyze the CCPA’s requirements and how they apply to a specific business.
Continue Reading

The online world is increasingly shaped by forces beyond our control.  Algorithmic processing agents are used by a wide range of web publishers, online retailers and social media companies to determine the kinds of stories that are feature to online readers, the advertisements that are targeted to online shoppers, and the search results they see,

Just as many US businesses were scrambling to meet GDPR compliance, California quickly passed a broad new privacy act, giving businesses another privacy compliance headache. We’ve previously blogged on the dramatic history behind the eleventh-hour passage of the California Consumer Privacy Act (CCPA), so we won’t rehash that story here.  Instead, the focus of this post will be on the overlap between the CCPA and the GDPR. 
Continue Reading

The New York Department of Financial Services (“NYDFS”) has adopted a regulation that requires “consumer credit reporting agencies” (“CCRAs”) to register with the NYDFS, prohibits CCRAs from engaging in certain practices, and requires CCRAs to comply with certain provisions of the NYDFS cybersecurity regulation.
Continue Reading