California Legislature Passes Amendments to the California Consumer Privacy Act

The California Consumer Privacy Act (CCPA) is a major new state law poised to affect the privacy landscape not just in California, but in the U.S. as a whole. (For a detailed overview of the CCPA, read our previous post.) On August 31, the California legislature passed several amendments to the CCPA that will have a significant impact on its implementation. Continue Reading

Tags: California Attorney General, California Civil Code, California Consumer Privacy Act of 2018 (“CCPA”), California Financial Information Privacy Act, California law, data protection, driver's privacy protection act, Gramm-Leach-Bliley Act, personal information, privacy law, Senate Bill 1121

New York DFS Cybersecurity September 2018 Deadline

By Tiffany Quach on September 3, 2018 Posted in Cybersecurity, Legislation

The New York Department of Financial Services cybersecurity regulation 23 NYCRR 500 (the “Regulation”) came into effect in March 2017 and established four staggered compliance deadlines for its various requirements.

By the third deadline of September 3, 2018, Covered Entities are required to be in compliance with sections 500.06 (audit trails), 500.08 (application security), 500.13 (limitations on data retention), 500.14(a) (training and monitoring), and 500.15 (encryption of nonpublic information). Continue Reading

Tags: Application security, Audit trails, Compliance, data retention, encryption, monitoring, NYDFS Cybersecurity Regulation, state of new york

General Data Protection Regulation and Charitable Organizations FAQs

By Stéphanie Martinier on July 31, 2018 Posted in GDPR, Privacy Law

In the context of enforcement of the European General Data Protection Regulation (“GDPR)[1] on May 25, 2018, charitable organizations have showed an increased concern as to whether the GDPR applies to them, and what being subject to the GDPR means. Continue Reading

Tags: Data Privacy Laws, ePrivacy Directive, European Union (EU), GDPR, General Data Protection Regulation (GDPR), non profit, not-for-profit, personal data

The California Consumer Privacy Act of 2018

By Kristen J. Mathews and Courtney M. Bowman on July 13, 2018 Posted in California, Data Privacy Laws, Privacy Law

This has been a big year in the data protection world, with the headline-grabbing General Data Protection Regulation (GDPR) occupying most of the spotlight with its plethora of privacy-related requirements and potential for high fines for violators. While companies (justifiably) may be focused on the GDPR at the moment, it’s also important to keep an eye on new privacy laws on the horizon in order to avoid last-minute scrambles for compliance as effective dates near. Foremost among these new laws is the California Consumer Privacy Act of 2018. The Act was introduced and signed quickly in order to prevent voters from facing a similar ballot initiative in the November election. This post provides an overview of the new law, which will go into effect beginning January 1, 2020. Continue Reading

Tags: California Attorney General, California Civil Code, California Consumer Privacy Act of 2018 (“CCPA”), California law, consu, data protection, disclosure, General Data Protection Regulation (GDPR), opt-out, personal information, privacy law

Lessons from the SEC’s First Cyber-Disclosure Enforcement Action

By Margaret A. Dale and Mark Harris on June 29, 2018 Posted in Cybersecurity, Privacy Law, SEC

The SEC’s new Cyber Unit released its first cyber-disclosure enforcement action. We recently authored an article on the key takeaways of the SEC’s new cybersecurity initiatives.

Read the full New York Law Journal article here.

Tags: Cyber Unit, cyber-based threats, cyber-related misconduct, enforcement action, Securities and Exchange Commission

Blockchain, Personal Data and the GDPR Right to be Forgotten

By Nicole Kramer on May 3, 2018 Posted in European Union, GDPR, International

The effective date of the EU’s General Data Protection Regulation (GDPR) is fast approaching (May 25, 2018), and its impacts are already being felt across various industries. Specifically, the conflicts between the GDPR and the technical realities of blockchains raise important legal considerations for companies seeking to implement blockchain solutions that involve the personal data of EU data subjects.

Read the full post on our Blockchain and the Law blog.

Tags: blockchain, EU regulation, European Union (EU), GDPR, General Data Protection Regulation

D.C. Circuit’s Long-Awaited Ruling Narrows FCC’s 2015 TCPA Order

By Divya Taneja and Tiffany Quach on March 27, 2018 Posted in Direct Marketing, FCC, TCPA

On March 16, 2018, the D.C. Circuit Court of Appeals released a long-awaited decision in ACA International, et al. v. FCC, unanimously ruling to narrow a 2015 Federal Communications Commission (FCC) order (the “2015 Order”) that expanded the scope of the Telephone Consumer Protection Act (TCPA).

The TCPA is a federal law that governs marketing to telephones (including text messages) and fax machines, as well as the use of automatic telephone dialing systems (referred to as autodialers or ATDSs). The TCPA generally prohibits the use of an autodialer to call or text wireless telephone numbers without prior consent. The FCC is the federal agency charged with interpreting the TCPA and issuing rules implementing the TCPA. Since there is a private right of action under the TCPA and the potential amount of statutory damages is high (for example, as much as $500-$1,500 for each text per plaintiff), TCPA litigation continues to plague companies.

This ruling is significant because it will affect the many district court cases considering the issue of what constitutes an autodialer that were stayed in anticipation of the D.C. Circuit’s ruling.

The Court’s Ruling

In its ruling, the D.C. Circuit addressed four issues:

Which sorts of automated dialing equipment are subject to the TCPA’s restrictions on unconsented calls;
When a caller has obtained a party’s consent, does a call nonetheless violate the TCPA if, unbeknownst to the caller, the consenting party’s wireless number has been reassigned to a different person who has not given consent;
How a consenting party may revoke her consent; and
Whether the FCC too narrowly fashioned an exemption from the TCPA’s consent requirement for certain healthcare-related calls.

With respect to the first issue, the D.C. Circuit struck down the 2015 Order’s clarification of what constitutes an autodialer. The TCPA defines an autodialer as equipment that has the capacity (1) to store or produce telephone numbers to be called, using a random or sequential number generator, and (2) to dial such numbers. In the 2015 Order, the FCC stated that a device’s “capacity” is not limited to its current configuration and includes “potential functionalities” such as modifications and the addition of software. The court rejected the FCC’s broad construction, noting that such a construction “would appear to subject ordinary calls from any conventional smartphone to the [TCPA’s] coverage, an unreasonably expansive interpretation of the statute.” According to the court, under the FCC’s rule, “any uninvited call or message from the device is a statutory violation,” and thus conventional smartphone users could face a $500 penalty for calling a person without first getting consent to contact them. The D.C. Circuit also examined whether a device qualifies as an autodialer only if it can generate random or sequential numbers to be dialed. The court explained that the 2015 Order gives no clear answer to this question, leaving affected parties “in a significant fog of uncertainty.” Thus, the FCC’s expansive interpretation in the 2015 Order of when a device has the “capacity” to perform the functions to qualify as an autodialer failed to satisfy the requirements of reasoned decisionmaking.[1]

With respect to the second issue, the court vacated the FCC’s approach to calls made to a phone number that, although previously assigned to a person who had given consent, has since been reassigned to another nonconsenting person. In the 2015 Order, the FCC concluded that such calls violate the TCPA but granted a one-call, post-reassignment safe harbor. The D.C. Circuit held that this one-call safe harbor is arbitrary and capricious because the FCC did not explain why it was no longer reasonable to rely on the prior express consent after just one call or message. (In fact, the FCC conceded that the first call may not give a caller notice of a reassignment.) Therefore, the court set aside the FCC’s treatment of reassigned numbers as a whole.

With respect to the third issue: The 2015 Order allowed parties to revoke their consent through any “reasonable means” that clearly express a desire to receive no further messages from the caller. Petitioners challenged the FCC’s refusal to implement standardized revocation procedures that would provide more certainty. The D.C. Circuit upheld this allowance, noting that the petitioners’ concerns were overstated.

With respect to the fourth issue, the court sustained the scope of the FCC’s exemption for non-telemarketing, time-sensitive, healthcare-related calls. Petitioners challenged this exemption on grounds that it restricts communications that were otherwise permissible under the Health Insurance Portability and Accountability Act of 1996 (HIPAA), and is arbitrary and capricious. The court rejected these arguments, reasoning that there is no obstacle to complying with both HIPAA and the TCPA. While HIPAA prohibits covered entities and their business associates from using or disclosing protected health information, they are generally permitted to use or disclose that information for treatment, payment or healthcare operations. Additionally, the court did not find the exemption to be arbitrary and capricious.

Significance and Impact of the Ruling

Prior to the 2015 Order, the majority of federal courts adopted the “current capacity” test when considering the issue of whether “capacity” requires an actual, present capacity to function as an autodialer without modification. This test was rejected by the FCC in the 2015 Order. Petitioners’ appeal to the D.C. Circuit challenged the FCC’s interpretation in the 2015 Order. Because district courts are bound by the FCC’s orders in TCPA cases, many district courts stayed cases considering the issue of what constitutes an ATDS, awaiting the D.C. Circuit’s order in this case. With respect to the two issues for which the court set aside the FCC’s interpretation (what constitutes an autodialer, and treatment of reassigned numbers), the court did not replace the FCC’s interpretation with its own interpretation, leaving courts considering these issues with limited guidance. We will continue to watch TCPA cases and how they are affected by the D.C. Court’s order.

[1] The D.C. Circuit assessed whether the FCC’s actions in the 2015 Order were “arbitrary, capricious, an abuse of discretion, or otherwise not in accordance with law,” and applied the two-step Chevron framework to examine whether Congress has spoken to the precise question at issue, and, if not, whether the agency’s answer is based on a permissible construction of the statute. Arbitrary-and-capricious review inquires whether the agency engaged in reasoned decisionmaking.