On March 19, 2021, Colorado State Senators Richard Rodriguez (D) and Paul Lundeen (R) introduced Senate Bill 21-190 as part of a bipartisan effort to make Colorado the latest state to implement comprehensive legislation establishing certain consumer data privacy rights. Dubbed “A Bill for an Act Concerning Additional Protection of Data Relating to Personal Privacy,” SB 21-190 largely follows in the footsteps of California’s CCPA, Virginia’s CDPA and the European Union’s GDPR with a stated intent to “empower consumers to protect their privacy and require companies to be responsible custodians of data as they continue to innovate.”
Guest Author Bird & Bird, Anna Shashina, Partner
On March 1, 2021, substantial amendments to the Russian Federal Law on Personal Data (No. 152-FZ), implemented on July 27, 2006, came into effect (“Amendments”). The Amendments change the rules on processing of publicly disseminated personal data and affect businesses that publish or use personal data on the internet. In particular, employers who publish employee personal data on a website need to examine the Amendments and implement new consent requirements. Data subjects now have wider powers to control and authorize the processing of their data in the public domain. Data subjects also have a right to request that data operators that are disseminating their data (and any company down the data processing chain) cease transferring such data.
What Are the Key Amendments?
On March 15, 2021, the California Attorney General approved additional regulations for the California Consumer Privacy Act (CCPA), which focus on the right to opt out of sale, authorized agents, and notices to consumers under 16 years of age. Specifically, sections 999.306, 999.315, 999.326 and 999.332 were revised and/or added to the CCPA regulations in this final review. This privacy quick tip highlights the changes that were made.
On March 17, 2021, California officials announced their appointees to the five-member inaugural board of the California Privacy Protection Agency (CPPA). Approved by voters in the November 2020 election cycle, the California Privacy Rights Act (CPRA) called for the creation of the CPPA, an administrative agency tasked with the enforcement of the CPRA and the 2018 California Consumer Privacy Act (CCPA). Below is an overview of the CPPA Board and the appointees who will be leading the agency.
A federal court in California recently dismissed a lawsuit brought under the California Consumer Privacy Act (CCPA) against Walmart, concluding that the CCPA did not apply retroactively and that the plaintiff had failed to specify the date of the alleged violation giving rise to his claim. The case—Gardiner v. Walmart Inc.—represents a meaningful hurdle for potential CCPA plaintiffs whose claims are either undated or predate the CCPA’s effective date.
On March 2, 2021, Governor Ralph Northam signed into law Virginia’s Consumer Data Protection Act (VCDPA), a comprehensive data privacy law similar to the California Consumer Privacy Act (CCPA). Virginia is now the second state to adopt a comprehensive data privacy law, and many more states are expected to follow suit in the near future. The VCDPA will go into effect on January 1, 2023, the same day that California’s new data privacy law, the California Privacy Rights Act (CPRA), goes into effect. Below is an overview of the key provisions of the VCDPA.
As the California legislature reconvened in Sacramento in January with hopes for a more regular legislative session in 2021, it again returned its focus to address the potential for bias and discrimination from the use of automated decision systems (ADS) by businesses. Assemblymember Ed Chau, chair of the Assembly Privacy and Consumer Protection Committee, is spearheading a bill—AB 13, or the Automated Decision Systems Accountability Act of 2021. AB 13 would require any business in California that provides a person with a program or device that uses an ADS “to take affirmative steps to ensure that there are processes in place to continually test for biases during the development and usage of the ADS.”
In late January 2021, a class action lawsuit was filed in the U.S. District Court for the Southern District of California against a children’s hospital for allegedly failing to properly safeguard minor patients’ medical information in light of a ransomware attack on its cloud software provider. Plaintiffs allege claims against the hospital based on purported violations of the Confidentiality of Medical Information Act (CMIA), California Consumer Records Act (CCRA), negligence, invasion of privacy, and implied contract. See John Doe v. Rady Children’s Hospital-San Diego, Inc., Case No. 21CV00114-JM-RBB (S.D. Cal. Jan. 20, 2021).
Plaintiffs allege in the complaint that the hospital failed to use a vendor with “fair, reasonable, or adequate computer systems and data security policies” and that the hospital did not obtain authorization for the disclosure of patient information—as required of healthcare providers under the CMIA—to the unauthorized individuals. The hack allegedly took place over several months in 2020 and involved medical information of nearly 20,000 patients, including their names, addresses, birthdates, physician names, and admission information.
In light of the pending case, healthcare providers are reminded to properly safeguard health information to reduce the risk of class action litigation, even if relying on a cloud software provider. Some of the ways to reduce risk in this area include (1) carefully vetting the use of vendors, in particular their security controls and procedures, (2) reviewing and updating vendor contracts to ensure that proper protections are in place, and (3) reviewing security policies and procedures to ensure that they are up to date and comprehensive to meet applicable laws.
On February 2, 2021, a California magistrate judge dismissed claims against a defendant tech company based on alleged violations of the California Consumer Privacy Act (CCPA) because the plaintiff admittedly failed to allege a security breach.
With the introduction of the final regulations under the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA), consumers have more rights to limit the sale and sharing of their personal data than ever before. In particular, the CCPA gives consumers or their authorized agents the right to opt out of the sale of their personal information. Adding on to the CCPA, the CPRA also gives consumers the right to limit the use and disclosure of sensitive personal information and to opt out of the sharing of personal information for cross-context behavioral advertising.
Under the CCPA, businesses have an obligation to give consumers notice of their right to opt out and provide one or more designated methods for consumers to exercise that right, including an interactive webform accessible via a clear and conspicuous homepage link titled “Do Not Sell My Personal Information.” Businesses must honor opt-out requests within 15 days of receipt. The CCPA Regulations also indicate that businesses must treat user-enabled global privacy controls that communicate or signal the consumer’s choice to opt out of the sale of their personal information—controls such as a browser plug-in or privacy setting, device setting, or other mechanism—as valid requests to opt out for that browser, device, or (if known) consumer. Similarly, the CPRA also addresses the implications of opt-out preference signals, giving businesses the option of honoring such signals in lieu of providing an opt-out link.