Data Privacy Laws

Subscribe to Data Privacy Laws via RSS

On February 23, 2012, the White House issued a proposal to adopt a Consumer Privacy Bill of Rights. The new proposal is part of the Administration’s efforts to adopt a comprehensive consumer data privacy framework that applies to all personal data, defined as any data that can be linked to a specific individual or device. The Administration’s efforts are also intended to bring about conformity with the privacy principles that have become the norm in other countries such as in Europe, thereby increasing interoperability between the U.S. privacy framework and that which has arisen in the rest of the world.

For now, the Consumer Privacy Bill of Rights is still a blueprint and does not include enforceable rules, but the Administration is pursuing implementation through legislation and a multistakeholder rule-making process.

Litigants navigating the conflict between U.S. discovery obligations and foreign data protection laws have a new ally, the American Bar Association (“the ABA”). The ABA recently passed Resolution 103, which “urges” that:

[W]here possible in the context of the proceedings before them, U.S. federal, state, territorial, tribal and local courts consider and respect, as appropriate, the data protection and privacy laws of any applicable foreign sovereign, and the interests of any person who is subject to or benefits from such laws, with regard to data sought in discovery in civil litigation.

The Illinois Personal Information Protection Act (PIPA) requires that any “data collector”, which includes businesses, universities, governmental agencies or any other entity that deals with personal information, notify Illinois residents in the event of a data security breach. Recently, the Office of Illinois Attorney General Lisa Madigan issued guidance that provides

The European Commission (the “EC”) has announced its anticipated comprehensive reform of EU data protection rules, intended to strengthen online privacy rights and boost Europe’s digital economy. The proposal is intended to update and modernize the principles enshrined in the 1995 Data Protection Directive. If approved, unlike the current rules which give each of the 27 member states of the EU (the “member states”) some flexibility as to how the 1995 Data Protection Directive is implemented in their jurisdiction, the new law would apply directly so that there would be an entirely uniform set of data protection standards across the EU.

Key changes include…

The deadline for compliance with a key requirement of the Massachusetts Data Security Regulations is only a month away. By March 1, 2012, contracts must require that certain service providers implement and maintain appropriate security measures to protect personal information. This alert summarizes the requirements that will become effective as

In an extension of the spate of litigation surrounding California’s Song-Beverly Credit Card Act and other laws like it, the U.S. District Court for the District of Massachusetts in Tyler v. Michaels Stores, Inc., Civ. No. 11-10920-WGY (D. Mass. Jan. 6, 2012), followed the California Supreme Court’s lead in ruling that ZIP codes are “personal identification information” within the meaning of Mass. Gen. Laws, ch. 93, § 105(a). The court nonetheless dismissed the plaintiff’s putative class action because she failed to allege any legally cognizable harm as a result of Michaels’ collection of her ZIP code in connection with a credit card transaction. Retailers who were unhappy with the California Supreme Court’s opinion in Pineda probably will not be any more pleased with the court’s ZIP code reasoning here. But the result? You bet!

"Do I really have to obtain consent from all my customers to make a change to my privacy policy?  No one else seems to be following that rule."

We get this question all the time.  It is understandable, given that we often watch Web-based companies expand their usage of consumer data without the affirmative consent of their users.  (In other words, they add a new offering to their service that expands their use or sharing of consumer data, and they default their users into the new offering.) Sometimes they back off temporarily when faced with media backlash or Congressional or regulatory scrutiny, but the pattern nonetheless persists in the long term.  Sometimes we scratch our heads in wonder, since the FTC has taken the position in countless actions for over a decade that if you make a material, adverse, retroactive change to your privacy policy, you need to obtain consent from consumers to apply your new policy to the data you collected under your old policy.