In April 2019, the California Assembly Privacy and Consumer Protection Committee rejected a proposal known commonly as the “Privacy for All Act” (AB-1760), which among other things would have provided a private right of action for all violations of the California Consumer Privacy Act (CCPA). The rejection of AB-1760 was a blow to consumer privacy advocates. A similar measure, SB-561, would also have provided a private right of action for all privacy violations. That bill has also been defeated, meaning that the CCPA’s private right of action provisions will not be expanded this year.
Continue Reading

Following the speedy enactment of the California Consumer Privacy Act (CCPA or Act) in June 2018, business and consumer advocates alike have been pressuring California lawmakers to clarify the many ambiguities raised by the Act’s sweeping requirements. California lawmakers recently responded to these calls for greater clarity by proposing a slate of amendments to address some of the more controversial provisions of the CCPA, including the definition of “personal information”, requirements regarding information sharing, and the scope of industry exemptions.
Continue Reading

Following numerous privacy complaints, the State Office for Data Protection Supervision (BayLDA) recently conducted a random audit on 40 companies and found widespread problems with their cookie disclosures. The purpose of the audit was to determine whether website users were able to obtain transparent information regarding the use and tracking of their information by third-party

As tax season winds on, the W-2 form scam has emerged as one of the most dangerous and common phishing email schemes during this time of year.

W-2s are information-rich documents containing an employee’s name, Social Security number, address, salary, and other personal information. Each year, cyber criminals target these documents in order to sell the sensitive information contained therein and to submit fraudulent tax returns in hopes of defrauding the IRS.
Continue Reading

As we turn the page on 2018, let’s reflect on some of the key privacy and cybersecurity issues that will continue to occupy our hearts and minds in 2019.

Owning the Mega-Breach

2018 was the year in which data breaches in mergers and acquisitions became the iceberg in full view. This fuller realization of cyber risk in transactions, though, actually has its origin in September 2016 – when Yahoo and Marriott were in the midst of deals that would involve some of the largest data breaches on record.
Continue Reading

Since the General Data Protection Regulation (“GDPR”) took effect on May 25, 2018, US companies without facilities or employees in Europe have struggled to understand the extraterritorial scope of the GDPR. Under Article 3(2), US companies without an “establishment” in the EU are required to comply with the GDPR where their processing activities relate to the “offering of goods or services” to EU data subjects or where they “monitor” the behavior of EU data subjects. The meaning of these concepts is a particularly vexing question for US companies that have a website accessible to Europeans or have some European customers, but lack a physical presence in the EU.
Continue Reading

This month marks 15 years of observing National Cyber Security Awareness Month (NSCAM) in October.

The program was started way back in 2004, by the U.S. Department of Homeland Security and the National Cyber Security Alliance to educate Americans about ways to stay safer and more secure online.

Technology has transformed most aspects of daily life since 2004, when:

  • Smartphones didn’t exist (Blackberry’s don’t count).
  • Thefacebook.com was born in a Cambridge dorm room.
  • Google launched a new product called “gmail” – and went public.
  • “Blog” was Merriam-Webster’s word of the year.
  • Twitter, YouTube et al. did not exist.
  • Netflix was a mail-order, DVD-rental business.
  • California was the only state that had enacted a data breach notification law.


Continue Reading

On April 18, 2018, the Government of Canada published the final regulations relating to mandatory reporting of privacy breaches under Canada’s Personal Information Protection and Electronic Documents Act (“PIPEDA”). To date, most organizations under PIPEDA’s purview have not been subject to mandatory privacy breach notification requirements. While organizations in the United States are familiar with breach notification statutes, organizations both within and outside of Canada will need to pay careful attention to the new requirements imposed under PIPEDA and assess any changes that need to be made to ensure compliance when the final regulations go into effect on November 1, 2018.
Continue Reading

One of the most bedeviling aspects of data privacy and security law concerns the concept of “reasonable” data security, which has become the default statutory and common law standard.  The FTC began articulating a reasonableness standard in the early aughts, when the Commission first began scrutinizing companies’ data security practices.  Companies for years quietly grumbled about the vagueness of this standard, which isn’t defined in any regulations or federal statutes. Critics obtained a recent victory when the Eleventh Circuit, in LabMD v. FTC, struck down an FTC judgment on grounds that the relief sought by the FTC against LabMD– implementation of reasonable data security practices — was too vague to be enforceable.
Continue Reading

Just as many US businesses were scrambling to meet GDPR compliance, California quickly passed a broad new privacy act, giving businesses another privacy compliance headache. We’ve previously blogged on the dramatic history behind the eleventh-hour passage of the California Consumer Privacy Act (CCPA), so we won’t rehash that story here.  Instead, the focus of this post will be on the overlap between the CCPA and the GDPR. 
Continue Reading