Privacy Law Blog

Blockchain, Personal Data and the GDPR Right to be Forgotten

The effective date of the EU’s General Data Protection Regulation (GDPR) is fast approaching (May 25, 2018), and its impacts are already being felt across various industries. Specifically, the conflicts between the GDPR and the technical realities of blockchains raise important legal considerations for companies seeking to implement blockchain solutions that involve the personal data of EU data subjects.

Read the full post on our Blockchain and the Law blog.

D.C. Circuit’s Long-Awaited Ruling Narrows FCC’s 2015 TCPA Order

On March 16, 2018, the D.C. Circuit Court of Appeals released a long-awaited decision in ACA International, et al. v. FCC, unanimously ruling to narrow a 2015 Federal Communications Commission (FCC) order (the “2015 Order”) that expanded the scope of the Telephone Consumer Protection Act (TCPA).

The TCPA is a federal law that governs marketing to telephones (including text messages) and fax machines, as well as the use of automatic telephone dialing systems (referred to as autodialers or ATDSs). The TCPA generally prohibits the use of an autodialer to call or text wireless telephone numbers without prior consent. The FCC is the federal agency charged with interpreting the TCPA and issuing rules implementing the TCPA. Since there is a private right of action under the TCPA and the potential amount of statutory damages is high (for example, as much as $500-$1,500 for each text per plaintiff), TCPA litigation continues to plague companies.

This ruling is significant because it will affect the many district court cases considering the issue of what constitutes an autodialer that were stayed in anticipation of the D.C. Circuit’s ruling.

The Court’s Ruling

In its ruling, the D.C. Circuit addressed four issues:

  1. Which sorts of automated dialing equipment are subject to the TCPA’s restrictions on unconsented calls;
  2. When a caller has obtained a party’s consent, does a call nonetheless violate the TCPA if, unbeknownst to the caller, the consenting party’s wireless number has been reassigned to a different person who has not given consent;
  3. How a consenting party may revoke her consent; and
  4. Whether the FCC too narrowly fashioned an exemption from the TCPA’s consent requirement for certain healthcare-related calls.

With respect to the first issue, the D.C. Circuit struck down the 2015 Order’s clarification of what constitutes an autodialer. The TCPA defines an autodialer as equipment that has the capacity (1) to store or produce telephone numbers to be called, using a random or sequential number generator, and (2) to dial such numbers. In the 2015 Order, the FCC stated that a device’s “capacity” is not limited to its current configuration and includes “potential functionalities” such as modifications and the addition of software. The court rejected the FCC’s broad construction, noting that such a construction “would appear to subject ordinary calls from any conventional smartphone to the [TCPA’s] coverage, an unreasonably expansive interpretation of the statute.”  According to the court, under the FCC’s rule, “any uninvited call or message from the device is a statutory violation,” and thus conventional smartphone users could face a $500 penalty for calling a person without first getting consent to contact them. The D.C. Circuit also examined whether a device qualifies as an autodialer only if it can generate random or sequential numbers to be dialed. The court explained that the 2015 Order gives no clear answer to this question, leaving affected parties “in a significant fog of uncertainty.” Thus, the FCC’s expansive interpretation in the 2015 Order of when a device has the “capacity” to perform the functions to qualify as an autodialer failed to satisfy the requirements of reasoned decisionmaking.[1]

With respect to the second issue, the court vacated the FCC’s approach to calls made to a phone number that, although previously assigned to a person who had given consent, has since been reassigned to another nonconsenting person. In the 2015 Order, the FCC concluded that such calls violate the TCPA but granted  a one-call, post-reassignment safe harbor. The D.C. Circuit held that this one-call safe harbor is arbitrary and capricious because the FCC did not explain why it was no longer reasonable to rely on the prior express consent after just one call or message. (In fact, the FCC conceded that the first call may not give a caller notice of a reassignment.) Therefore, the court set aside the FCC’s treatment of reassigned numbers as a whole.

With respect to the third issue: The 2015 Order allowed parties to revoke their consent through any “reasonable means” that clearly express a desire to receive no further messages from the caller. Petitioners challenged the FCC’s refusal to implement standardized revocation procedures that would provide more certainty. The D.C. Circuit upheld this allowance, noting that the petitioners’ concerns were overstated.

With respect to the fourth issue, the court sustained the scope of the FCC’s exemption for non-telemarketing, time-sensitive, healthcare-related calls. Petitioners challenged this exemption on grounds that it restricts communications that were otherwise permissible under the Health Insurance Portability and Accountability Act of 1996 (HIPAA), and is arbitrary and capricious. The court rejected these arguments, reasoning that there is no obstacle to complying with both HIPAA and the TCPA. While HIPAA prohibits covered entities and their business associates from using or disclosing protected health information, they are generally permitted to use or disclose that information for treatment, payment or healthcare operations. Additionally, the court did not find the exemption to be arbitrary and capricious.

Significance and Impact of the Ruling

Prior to the 2015 Order, the majority of federal courts adopted the “current capacity” test when considering the issue of whether “capacity” requires an actual, present capacity to function as an autodialer without modification. This test was rejected by the FCC in the 2015 Order. Petitioners’ appeal to the D.C. Circuit challenged the FCC’s interpretation in the 2015 Order. Because district courts are bound by the FCC’s orders in TCPA cases, many district courts stayed cases considering the issue of what constitutes an ATDS, awaiting the D.C. Circuit’s order in this case. With respect to the two issues for which the court set aside the FCC’s interpretation (what constitutes an autodialer, and treatment of reassigned numbers), the court did not replace the FCC’s interpretation with its own interpretation, leaving courts considering these issues with limited guidance. We will continue to watch TCPA cases and how they are affected by the D.C. Court’s order.


[1] The D.C. Circuit assessed whether the FCC’s actions in the 2015 Order were “arbitrary, capricious, an abuse of discretion, or otherwise not in accordance with law,” and applied the two-step Chevron framework to examine whether Congress has spoken to the precise question at issue, and, if not, whether the agency’s answer is based on a permissible construction of the statute. Arbitrary-and-capricious review inquires whether the agency engaged in reasoned decisionmaking.

South Dakota Passes Breach Notification Law, Leaving Alabama the Only U.S. State Without a Breach Notification Law

On March 21, 2018, South Dakota Governor Daugaard signed S.B. 62, enacting the state’s first data breach notification law, which will go into effect July 1, 2018. Previously, Alabama and South Dakota were the only U.S. states without data breach notification. As of July 2018, Alabama will be the last state without a data breach notification law, though this may soon change. The District of Columbia and three U.S. territories – Guam, Puerto Rico and the U.S. Virgin Islands – also have data breach notification laws in place.

South Dakota’s law requires that any person or business that conducts business in South Dakota and owns or licenses computerized “personal information”[1] or “protected information”[2] of the state’s residents (such persons/businesses referred to as “information holders”) disclose any “breach of system security” to any South Dakota resident whose personal or protected information was, or is reasonably believed to have been, acquired by an unauthorized person.

The law gives information holders a sixty-day window (from date of discovery or notification of the breach) to notify individuals, unless law enforcement determines that the notification should be delayed. However, if the information holder holds an appropriate investigation, reasonably determines that the breach will not likely result in harm to the affected residents and notifies the South Dakota attorney general of its determination, then the information holder is not required to notify affected residents.

Additionally, information holders must notify (1) all consumer reporting agencies and (2) if the breach affects over 250 South Dakota residents, the South Dakota attorney general. This consumer reporting agency notification obligation is unique, as most state breach notification laws only require such notification if a high number of residents, for example 500 or 1,000 residents, are affected.

The law provides the state Attorney General (and, potentially, affected residents) with imposing remedies. A violation of the breach notification law is considered a deceptive act or practice under South Dakota Codified Laws (“SDCL”) § 37-24-6, South Dakota’s consumer protection law. The South Dakota attorney general may (1) “prosecute each failure to disclose” under the breach notification law’s provisions as a deceptive act or practice under SDCL § 37-24-6, (2) impose a civil penalty of up to $10,000 per day per violation and (3) avail himself of any of the remedies provided under chapter 37-24 of SDCL. South Dakota Attorney General Jackley reportedly stated that failure to be notified under the breach notification law entitles affected residents to a private right of action under SDCL § 37-24-31.

[1] “Personal information” is defined as a person’s name in combination with any of the following: (a) Social Security numbers, (b) driver’s license numbers or other government-issued unique identification numbers, (c) account, credit card or debit card numbers, in combination with any required code, PIN or information that would permit access to a person’s financial account, (d) health information as defined by HIPAA, and (e) employee identification numbers in combination with any code or biometric data required for authentication.

[2] “Protected information” is defined as (a) user names and email addresses in combination with any associated passwords or security question answers which would provide access to online accounts, and (b) account, credit card or debit card numbers in combination with any required code or password that permits access to a person’s financial account. Please note that (b) overlaps with part of the definition of “personal information,” but not completely.

A Primer on the SHIELD Act: New York’s Move to Adopt More Stringent Data Security Requirements

In November 2017, New York Attorney General Eric Schneiderman introduced the Stop Hacks and Improve Electronic Data Security (SHIELD) Act (the “Act”) in the state’s Legislature. Companies – big and small – that collect information from New York residents should take note, as the Act could mean increased compliance costs, as well as potential enforcement actions for those that do not meet the Act’s requirements. The two-part blog post provides a breakdown of the essential components of the SHIELD Act and information on how to comply with this potential new law.

Read Part I of this blog post.

Read Part II of this blog post.

SEC Issues Updated Guidance on Public Company Cybersecurity Disclosures

On February 21, 2018, the Securities and Exchange Commission (SEC) issued an interpretive Commission Statement and Guidance on Public Company Cybersecurity Disclosures (the “Guidance”) to assist public companies in meeting their cybersecurity disclosure requirements under the federal securities laws. The Guidance notes that, as reliance on networked systems and the Internet have increased, so too have the risks and frequency of cybersecurity incidents, and companies have no choice but to incur the considerable costs of addressing information security risks, particularly in the wake of a cybersecurity incident. Examples of such costs include IT costs, employee training, remediation expenses, litigation, agency investigations and enforcement actions, reputational harm and damage to long-term shareholder value.

Read the full client alert here.


GDPR FAQ’s for Fund Managers

The General Data Protection Regulation (GDPR) comes into force across the European Union (EU) on 25 May 2018. It will have an impact on EU fund managers and may have an impact on non-EU fund managers depending on their operations. Below are FAQs to help EU and non-EU fund managers determine the extent to which the GDPR may affect them and the next steps they should consider taking. Compliance with GDPR is especially important given the potential fines (up to EUR 20 million or 4% of a business’s worldwide annual turnover) that can be imposed for breaches.

GDPR: FAQ for EU Fund Managers

GDPR: FAQ for Non-EU Fund Managers

Colorado and Vermont Adopt Cybersecurity Rules Covering Broker-Dealers and Investment Advisers

State financial regulators in Colorado and Vermont recently adopted cybersecurity rules that apply to broker-dealers and investment advisers regulated by those states as well as certain other “securities professionals” in Vermont.

The broad definition of “securities professional” in Vermont’s regulation (“any person providing investment-related services in Vermont”) could include entities that do not generally consider themselves to be regulated by Vermont’s financial regulator.

Colorado’s and Vermont’s cybersecurity rules require covered entities to implement certain practices including: authentication practices for employee access (which could include multi-factor or two-factor authentication), procedures for authenticating client instructions received via electronic communication, and an annual cybersecurity risk assessment. Notably, Vermont’s regulation also requires that covered entities maintain cybersecurity insurance and provide identity restoration services in the event of a breach. Continue Reading