On September 13, 2019—the last day of the legislative session—California lawmakers approved five amendments intended to clarify the scope of the California Consumer Privacy Act (the “CCPA”), but rejected several industry-backed proposals that would have exempted personal information used for targeted advertising and loyalty programs.

Five amendments passed: AB 25, 874, 1146, 1355, and 1564.

New York’s proposed data privacy law failed to materialize in the latest legislative session and is now presumed dead.  New York was one of a number of states that proposed sweeping privacy legislation after the enactment of the California Consumer Privacy Act (CCPA). The proposed New York law, in fact, was broader than the CCPA

At what has been described as a marathon hearing that lasted late into the night of July 9, the California Senate Judiciary Committee advanced several amendments to the California Consumer Privacy Act (the “CCPA”), but major changes that opponents claimed would have eroded privacy protections for consumers largely failed.  The bills advanced from the Senate

As we turn the page on 2018, let’s reflect on some of the key privacy and cybersecurity issues that will continue to occupy our hearts and minds in 2019.

Owning the Mega-Breach

2018 was the year in which data breaches in mergers and acquisitions became the iceberg in full view. This fuller realization of cyber risk in transactions, though, actually has its origin in September 2016 – when Yahoo and Marriott were in the midst of deals that would involve some of the largest data breaches on record.

On March 6, 2018, the FTC hosted a live Twitter chat to mark the twentieth anniversary of the Children’s Online Privacy Protection Act (COPPA).  The stated purpose of the chat was to discuss the FTC’s work to enforce COPPA and to ensure the FTC’s rule implementing the law stays in step with evolving technologies and data collection practices.

The chat began with the FTC pointing to its published FAQs, as well as two recent COPPA settlements: a $650,000 settlement with VTech Electronics Limited, which was the FTC’s first children’s privacy case involving Internet-connected toys, and a $235,000 settlement with Prime Sites, Inc., which focused on how a company can gain “actual knowledge” that it is collecting information from a child.

The U.S. Supreme Court heard oral arguments this morning in United States v. Microsoft, No. 17-2, which presents the question whether a United States court may issue a search warrant to a U.S.-based electronic communications service for email account data held on a server outside of the United States.

Here’s the transcript of this

For those of you heading to Legaltech in New York next week, please join me and a great panel for what promises to be a lively discussion of hot topics in IoT and Mobile Discovery.  I’ve been fortunate enough to have been included in Relativity’s session on this topic at a number of conferences, and

Among the more significant changes under the GDPR are new limitations on the use of consent to permit the processing of personal data. Recent WP29 guidelines on consent expand on previous opinions (for example Opinion 15/2011 regarding the definition of consent or Opinion 06/2014 regarding the legitimate interests of data controllers) and confirm that the use of consent must pass a very high bar to be effective under the GDPR.

Consent is one of six lawful bases to process personal data under the GDPR.  Article 4(11) of the GDPR defines consent as: “any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.”

The FTC has released its annual report summarizing its activity during 2017 relating to privacy and data security issues. In its self-declared role as “the nation’s primary privacy and data security enforcer,” the FTC outlines 10 privacy cases and 4 data security cases that it brought in 2017, including Uber Technologies (transportation service), Vizio (television manufacturer), Blue Global (lead generator), Upromise (college rewards program), ACDI Group (an alleged debt buyer), TaxSlayer (tax preparation service), and D-Link (wireless routers and Internet cameras). In addition, the FTC brought its first actions to enforce the EU-US Privacy Shield in 2017. The report also describes the FTC's activities relating to international enforcement, children’s privacy, and Do-Not-Call.