On March 2, 2021, Governor Ralph Northam signed into law Virginia’s Consumer Data Protection Act (VCDPA), a comprehensive data privacy law similar to the California Consumer Privacy Act (CCPA). Virginia is now the second state to adopt a comprehensive data privacy law, and many more states are expected to follow suit in the near future. The VCDPA will go into effect on January 1, 2023, the same day that California’s new data privacy law, the California Privacy Rights Act (CPRA), goes into effect. Below is an overview of the key provisions of the VCDPA. Continue Reading Virginia Joins California in Adopting a Comprehensive Data Privacy Law

As the California legislature reconvened in Sacramento in January with hopes for a more regular legislative session in 2021, it again returned its focus to address the potential for bias and discrimination from the use of automated decision systems (ADS) by businesses. Assemblymember Ed Chau, chair of the Assembly Privacy and Consumer Protection Committee, is spearheading a bill—AB 13, or the Automated Decision Systems Accountability Act of 2021. AB 13 would require any business in California that provides a person with a program or device that uses an ADS to “to take affirmative steps to ensure that there are processes in place to continually test for biases during the development and usage of the ADS.” Continue Reading California Legislature Returns Its Focus to Automated Decision Systems

In late January 2021, a class action lawsuit was filed in the U.S. District Court for the Southern District of California against a children’s hospital for allegedly failing to properly safeguard minor patients’ medical information in light of a ransomware attack on its cloud software provider. Plaintiffs allege claims against the hospital based on purported violations of the Confidentiality of Medical Information Act (CMIA), California Consumer Records Act (CCRA), negligence, invasion of privacy, and implied contract. See John Doe v. Rady Children’s Hospital-San Diego, Inc., Case No. 21CV00114-JM-RBB (S.D. Cal. Jan. 20, 2021).

Plaintiffs allege in the complaint that the hospital failed to use a vendor with “fair, reasonable, or adequate computer systems and data security policies” and that the hospital did not obtain authorization for the disclosure of patient information—as required of healthcare providers under the CMIA—to the unauthorized individuals. The hack allegedly took place over several months in 2020 and involved medical information of nearly 20,000 patients, including their names, addresses, birthdates, physician names, and admission information.

In light of the pending case, healthcare providers are reminded to properly safeguard health information to reduce the risk of class action litigation, even if relying on a cloud software provider. Some of the ways to reduce risk in this area include (1) carefully vetting the use of vendors, in particular their security controls and procedures, (2) reviewing and updating vendor contracts to ensure that proper protections are in place, and (3) reviewing security policies and procedures to ensure that they are up to date and comprehensive to meet applicable laws.


On February 2, 2021, a California magistrate judge dismissed claims against a defendant tech company based on alleged violations of the California Consumer Privacy Act (CCPA) because the plaintiff admittedly failed to allege a security breach. Continue Reading California Judge Dismisses CCPA Claim in Absence of Alleged Security Breach

With the introduction of the final regulations under the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA), consumers have more rights to limit the sale and sharing of their personal data than ever before. In particular, the CCPA gives consumers or their authorized agents the right to opt out of the sale of their personal information.[1] Adding on to the CCPA, the CPRA also gives consumers the right to limit the use and disclosure of sensitive personal information and to opt out of the sharing of personal information for cross-context behavioral advertising.[2]

Under the CCPA, businesses have an obligation to give consumers notice of their right to opt out and provide one or more designated methods for consumers to exercise that right, including an interactive webform accessible via a clear and conspicuous homepage link titled “Do Not Sell My Personal Information.”[3] Businesses must honor opt-out requests within 15 days of receipt.[4] The CCPA Regulations also indicate that businesses must treat user-enabled global privacy controls that communicate or signal the consumer’s choice to opt out of the sale of their personal information—controls such as a browser plug-in or privacy setting, device setting, or other mechanism—as valid requests to opt out for that browser, device, or (if known) consumer.[5] Similarly, the CPRA also addresses the implications of opt-out preference signals, giving businesses the option of honoring such signals in lieu of providing an opt-out link.[6] Continue Reading The Push for Global Privacy Controls

The Brazilian General Data Protection Law (LGPD) has been effective for almost six months.  Since then, there have been movements to form the National Data Protection Authority responsible for enforcing the law (ANDP), guidance on best practices for data security has been published and private enforcement of the LGPD is underway.  This quick tip will shed some light on how Brazil’s landmark privacy legislation has made way despite the continuing COVID-19 pandemic. Continue Reading LGPD Updates: Six Months Out

Yesterday, California Attorney General Xavier Becerra announced a $17.5 million multi-state settlement with The Home Depot, Inc. regarding a data breach affecting point-of-sale systems at the retailer’s facilities. The breach affected the payment card information of approximately 40 million consumers and 53 million email addresses. The settlement includes both monetary and injunctive relief, pursuant to which the retailer will implement increased security policies and procedures.

In announcing the settlement, Attorney General Becerra stated that the retailer had, among other things, failed to “stay apprised of evolving security standards.” The settlement is an important reminder of the need for companies to keep abreast of developments in consumer privacy and cybersecurity.

Attorney General Becerra joined more than 40 other state attorneys general in securing the settlement. The California case is California v. Home Depot U.S.A., Inc. et al., No. 20-CIV-05220 in the Superior Court of California for San Mateo County. The settlement, which is pending final approval, is available here.

The Fundamentals of Preparing for and Responding to a Cyber Event Are More Important Than Ever

To say 2020 has been a year of change would be quite an understatement. The COVID-19 pandemic has fundamentally transformed how we live, work, and interact with one another.

This is most definitely true for the world of cybersecurity. Bill Conner, the chairman and CEO of SonicWall, probably captured it best: “We’re in the midst of one of the most turbulent times in cybersecurity history. Over the past six months … we’ve seen shifts we thought would take decades happen virtually overnight.” Continue Reading 2020: The Year COVID-19, Corporate Reputation & Cybersecurity Collided

Update: The Governor signed the law on Friday, September 25, 2020.

Life science and healthcare companies operating in California face unique challenges regarding California Consumer Privacy Act (CCPA) compliance because of existing inconsistencies between the CCPA and the Health Insurance Portability and Accountability Act (HIPAA). California Assembly Bill (AB) 713 addresses these inconsistencies by easing burdens imposed by the CCPA on medical research and by bringing certain provisions of the CCPA in line with HIPAA and other federal and state health data regulations. At the same time, the bill will impose additional requirements on the use of deidentified health data. AB 713 has passed the California legislature unanimously and will be signed or vetoed by Governor Newsom by September 30, 2020. If signed, the bill will immediately go into effect. Continue Reading The CCPA May Soon Be Amended to Strengthen CCPA Exemptions for Medical and Research Data

In the latest chapter of the discussions about Brazil’s LGPD, on August 26, 2020, the Senate rejected the article in the Executive Order (‘Medida Provisória’ – MP) which provided for the extension of its implementation to May 3, 2021. Accordingly, the MP will lose effect in relation to that article, and the LGPD will go into force promptly, pending only the presidential sanction. The implementation of the LGPD articles covering the administrative penalties remains set for August 1, 2021, as per the amended Law enacted on June 10, 2020. Continue Reading In a Surprise Move, the Brazilian Landmark Privacy Law, LGPD, Is About to Be in Effect