With the states taking the lead on privacy (see our tip here), the federal government is starting to get in on the action.

Last week, on January 16, 2019, Republican Sen. Marco Rubio introduced the American Data Dissemination (ADD) Act (S. 142). Recognizing the lack of a single comprehensive federal privacy law, the ADD Act seeks to “provide a national consumer data privacy law that protects both consumers and the innovative capabilities of the internet economy.” It instructs the Federal Trade Commission (FTC) to prepare privacy regulations applicable to “covered providers”—i.e., persons who provide a service that uses the internet to collect records containing personally identifiable information—for approval by Congress that are substantially similar to the requirements under the Privacy Act of 1974. Among other things, the FTC would be required to establish criteria for exempting small or newly formed providers, to restrict disclosure of records, and to provide consumers with rights to access and correct their personal data. The ADD Act, if enacted, would preempt the California Consumer Privacy Act (see our CCPA page here) and other state privacy laws, including the recently introduced New York privacy bill, which would establish a privacy bill of rights for New York residents. Continue Reading Federal Privacy Bills Introduced

The California Office of the Attorney General (OAG or Office) held the first two of its six public forums on January 8, 2019 in San Francisco and on January 14, 2019 in San Diego to solicit public comments and feedback in preparation for its rulemaking efforts under the California Consumer Privacy Act (CCPA). The OAG specifically welcomed comments across the seven rulemaking categories that fall within its responsibility:

  1. Categories of “personal information”
  2. Definition of “unique identifier”
  3. Exceptions to the CCPA
  4. Submitting and complying with requests
  5. The uniform opt-out logo or button
  6. What notices and information should businesses be required to provide to consumers
  7. Verification of consumers’ requests

In San Francisco, 14 speakers from businesses, nonprofit organizations, trade associations, universities, Perkins Coie and individual consumers sought clarifications to definitions in, and scope of, the statute and provided specific suggestions. In San Diego, a total of five speakers, including representatives from a trade association and a cybersecurity consulting firm, shared their input. Continue Reading California AG Hosts the First Two Public Forums on California Consumer Privacy Act

Since the passing of the European General Data Protection Regulation (“GDPR”), several states have introduced or passed privacy and data protection legislation. In addition to the California Consumer Privacy Act of 2018 (“CCPA”), the following state laws should be on your radar in 2019.

New Laws

  • Colorado’s H.B. 18-1128 “concerning strengthening protections for consumer data privacy,” which became effective on September 1, 2018, imposes strict obligations on businesses that maintain, own, or license personal information. Such businesses must have written policies governing the disposal of paper and electronic records containing personal information, take reasonable steps to protect such information, and provide detailed notice of a data breach to consumers and, in certain circumstances, the Attorney General.
  • Vermont’s data broker privacy law (H.B. 764), effective January 1, 2019, is the first of its kind in the United States. It regulates businesses that buy and sell personal information about consumers with whom the business does not have a relationship. The law requires data brokers to disclose what data they collect and allow customers to opt out. It also imposes registration, reporting, and security obligations on data brokers and provides for a right of action for consumers.

Continue Reading Welcome to 2019… States Take the Lead on Privacy Regulation

Today, every company is a data company. According to a 2018 survey, 95% of Americans own cellphones and 77% own smart phones, while nearly 75% of U.S. adults own computers and approximately 50% own tablets. This number only increases with the younger generation: 97% of Gen Z (those under 23) report having smart phones and accessing their data digitally. This group is also one of the most diverse ever with 48% of those identifying as African American, Latino, Asian or mixed race. They control an impressive $140 billion in consumer spend according to some studies. These are your future customers and employees. They are digitally savvy and have expectations for your company. People have constant, immediate access to data and make data-based decisions daily all while creating new and important data trails themselves. Your company (“you”), therefore, should consider looking beyond avoiding data breaches or running afoul of data protection laws, and instead treat data as a pre-tangible and valuable asset. Continue Reading Treating Data as a Pre-Tangible (and Valuable) Asset: Inventory as a First Step

Businesses, governmental agencies, and consumers are closely watching the direction the California Office of the Attorney General (“OAG” or “Office”) will take in promulgating regulations clarifying and implementing the California Consumer Privacy Act (“CCPA”). Eleanor Blume, the Special Assistant to the OAG, spoke last week with Perkins Coie and many of its clients to provide insights into the OAG’s approach. Here are some key takeaways:

Start Now. While the CCPA does not go into effect until January 1, 2020 and the deadline for the OAG to issue the regulations is not until July 1, 2020, the Office strongly urges companies to start planning for compliance now. Ms. Blume stressed that the OAG’s task is to clarify the law, not to add or eliminate any provisions, and therefore encouraged companies to familiarize themselves with the statute and begin the process of developing policies, procedures, and structures to comply with its requirements. Continue Reading Takeaways from CCPA Conversation with the California AG’s Office

Privacy policies are meant for a host of audiences, including consumers, regulators and advocates. One way to make your privacy policy more accessible to consumers is to include a short form privacy notice at the start of a policy. Short form notices deliver essential elements of how information is treated and protected, provide means to access the full policy, and often include essential privacy choices, such as opt-ins or opt-outs. Continue Reading Should You Provide a Short Form Privacy Notice?

The second annual review of the EU-U.S. Privacy Shield framework is currently underway, with the European Commission planning to release a report detailing its findings regarding the effectiveness of the Privacy Shield by January 1, 2019. The Privacy Shield framework was created to act as a conduit between the respective privacy approaches of the European Union and the United States. In July, the European Parliament warned that it would suspend the EU-U.S. Privacy Shield agreement unless the United States took steps to demonstrate its obligations under the framework. Since then, the United States has been collaborating with the European Union to preserve the international data flows in place under the Privacy Shield, emphasizing its importance for both EU and U.S. consumers and businesses. Continue Reading Is the Privacy Shield Here to Stay?

Are you collecting, using or disclosing personal information (PI) of Canadian residents in the course of commercial activities? If so, you may be subject to Canada’s Breach of Security Safeguards Regulations (Regulations), under Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA). Under the Regulations, which went into effect on November 1, 2018, organizations that are subject to PIPEDA are required to report security breaches involving PI that “pose a real risk of significant harm,” notify affected individuals of the breach, and maintain records of every breach, reported or not, for at least two years. Businesses that fail to comply with the Regulations may be subject to fines of up to CA$100,000 per offense. Continue Reading Canada’s New Breach Regulations