In an effort to give consumers more control over the data businesses collect from and about them, the California legislature passed the California Consumer Privacy Act (CCPA) in 2018 (and amended it a few months later). The CCPA gives consumers the right to know about and have deleted the data businesses have gathered about them, among other rights. However, the CCPA applies to “consumers” and defines “consumers” so widely that it would cover employees and job applicants, which are not ordinarily understood to be consumers.
Businesses and California consumers are one step closer to understanding what their respective obligations and rights are under the California Consumer Privacy Act of 2018 (the “CCPA”). The CCPA is California’s landmark legislation that seeks to give California consumers the rights to learn about and control certain aspects of how a business handles the personal information that a business collects about them. It achieves this by requiring businesses to implement certain measures that enable consumers to exercise these rights. For an in-depth discussion of the CCPA more generally, please read our previous posts (here and here). Continue Reading
Reflecting the movement to toughen data security laws on a state-by-state basis, on July 25, 2019, Governor Cuomo signed into law the Stop Hacks and Improve Electronic Data Security Act (the “SHIELD Act” or the “Act”). The Act amends New York State’s current data breach notification law, which covers breaches of certain personally-identifiable computerized data (referred to in the New York breach law as “Private Information”). The Act also breaks new ground by imposing substantive data security requirements on businesses that own or lease the Private Information of New York residents, regardless of whether the businesses otherwise conduct business in New York State. Both portions of the Act are backed by potential civil penalties for noncompliance.
GDPR fines are seemingly like buses, you wait over a year for enforcement action by the UK’s data supervisory authority, the ICO, and then two come along at once – and with quite dramatic effect. Continue Reading
Earlier this month, the FTC sent a letter to Wildec, LLC, the Ukraine-based maker of several mobile dating apps, alleging that the apps were collecting the personal information and location data of users under the age of 13 without first obtaining verifiable parental consent or otherwise complying with the Children’s Online Privacy Protection Act (COPPA). The letter pressed the operator to delete personal information on children (and thereafter comply with COPPA and obtain parental consent before allowing minors to use the apps) and disable any search functions that allow users to locate minors. The letter also advised that the practice of allowing children to create public dating profiles could be deemed an unfair practice under the FTC Act. Subsequently, the three dating apps in question were removed from Apple’s App Store and Google’s Google Play Store following the FTC allegations, showing the real world effects of mere FTC allegations, a response that might ultimately compel Wildec, LLC to comply with the statute (and cause other mobile apps to reexamine their own data collection practices). Wildec has responded to the FTC’s letter by “removing all data from under age accounts” and now prevents minors under the age of 18 from registering on the dating apps. Continue Reading
Senate Bill 561’s smooth sail through the California legislature came to an end on Thursday, May 16. On the eve of the deadline for all fiscal committees to hear and report on the bills introduced in their house, the Senate Appropriations committee decided to hold the bill. Meaning, SB 561 will not pass out of the Senate this session.
Notably, the controversial bill was a proposed CCPA amendment that threatened to expand the Act’s private right of action by allowing consumers to bring actions when any of their CCPA rights were violated. Currently, the CCPA only permits consumers to bring actions in the event of a data breach. For a detailed review of the CCPA, please view our previous posts.
The bill would have also affected the way that the Attorney General could enforce the CCPA. The CCPA provides businesses that have violated the Act 30 days to cure the violation, and allows businesses and third parties to request guidance from the Attorney General on how to comply with the Act. The bill would have eliminated the 30-day window and would have put the onus on the Attorney General to promulgate any guidance. A more detailed review of SB 561 is available in a previous post.
While this does not necessarily mean it’s the end of the road for SB 561 – after all, the CCPA was resurrected from an inactive file – it does mean good-bye for now.
In late March, the French Data Protection Authority, Commission Nationale de l’Informatique et des Libertés (“CNIL”) released a model regulation (the “Model Regulation”) governing the use of biometric access controls in the workplace. Unlike many items of personal information, biometric data (such as a person’s face or fingerprints) is unique and, if stolen or otherwise compromised, cannot be changed to avoid misuse. Under Article 9 of the GDPR, biometric data collected “for the purpose of uniquely identifying a natural person” is considered “sensitive” and warrants additional protections. The GDPR authorizes Member States to implement such additional protections. As such, the French Data Protection Act 78-17 of 6 January 1978, as amended, now provides that employers – whether public or private – wishing to use biometric access controls must comply with binding model regulations adopted by the CNIL, the first of which is the Model Regulation.