Supreme Court Narrows Meaning of TCPA Autodialer Definition

Today, the Supreme Court issued its decision in Facebook v. Duguid, adopting a narrow interpretation of a key definitional term in the Telephone Consumer Protection Act (TCPA) and resolving the circuit split we previously described here and here.

In effect, the Supreme Court’s opinion means that to qualify as an “automatic telephone dialing system” (ATDS) under the TCPA, a device must use a random or sequential number generator; a device that calls a prescribed set of telephone numbers without using such a number generator would stand outside that definition and thus not be regulated by the TCPA. Continue Reading

“Cyber Shield Act” Calling for IoT Device Certification Reintroduced in Congress

By Micaela McMurrough and Jayne Ponder on March 26, 2021 Posted in Congress, Cybersecurity

Sen. Ed Markey (D-MA) and Rep. Ted Lieu (D-CA-33) reintroduced the Cyber Shield Act on March 24, 2021. The proposed legislation is not new to Congress; Sen. Markey and Rep. Lieu previously introduced the Cyber Shield Act in both 2017 and 2019. However, the bill never made it to a vote in either the House or the Senate. Continue Reading

Inside Privacy Audiocast: Episode 12 – Conversation with Advocate Pansy Tlakula, Chairperson of the Information Regulator of South Africa

By Dan Cooper and Mosa Mkhize on March 19, 2021 Posted in Cross-Border Transfers, International, POPIA, Privacy and Data Security, South Africa, Uncategorized

In celebration of data privacy as a human right as part of South Africa’s Human Rights Day 2021, we feature special guest Advocate Pansy Tlakula, Chairperson of the Information Regulator of South Africa on Episode 12 of Covington’s Inside Privacy Audiocast. Together with Dan Cooper and Mosa Mkhize, we discuss the Information Regulator of South Africa’s mandate, data protection legislation in South Africa and the implementation of Protection of Personal Information Act (POPIA).

Covington’s Inside Privacy Audiocast offers insights into topical global privacy issues and trends. Subscribe to our Inside Privacy Blog to receive notifications on new episodes.

Members of the California Privacy Protection Agency Announced

By Alexandra Scott, Lindsey Tonsager, Libbie Canter and Jake Levine on March 17, 2021 Posted in California Consumer Privacy Act (CCPA), California Privacy Rights Act, Data Privacy

The five members of the California Privacy Protection Agency (“CPPA”) were announced today. The members – who were appointed by Governor Newsom, Attorney General Becerra, Senate President pro Tempore Atkins, and Assembly Speaker Rendon – will lead the new agency, which will have rulemaking and enforcement authority under the California Privacy Rights Act (“CPRA”). Continue Reading

Bill Introduced Would Preempt State Laws and Strengthen FTC Enforcement

By Kurt Wimmer and Andrew Longhi on March 11, 2021 Posted in Data Privacy, Federal Trade Commission, U.S. Federal and State Legislative Initiatives, United States

As the push for Congress to pass comprehensive consumer privacy legislation increases, Rep. Suzan DelBene (D-WA) has re-introduced the Information Transparency & Personal Data Control Act, a compromise proposal that contains provisions sought by both parties. This bill would create national data privacy standards and increase the enforcement authority of the Federal Trade Commission (FTC) and state attorneys general. Continue Reading

German Court Overturns GDPR Fine, Raises Legal Questions About Fines Against Companies

By Lars Lensdorf, Ulrike Elteste, Robert Henrici, Moritz Hüsch and Nicholas Shepherd on March 11, 2021 Posted in Data Privacy, EU Data Protection, European Union, European Union, GDPR, International, Privacy and Data Security

On February 18, 2021, the District Court of Berlin overturned a €14.5 million fine that had been imposed on German real estate company Deutsche Wohnen SE. The Court held that the fine – which was issued by the Berlin Supervisory Authority (“SA”) and had been the second highest fine in Germany so far under the EU General Data Protection Regulation (“GDPR”) – failed to satisfy certain rules under German law, and therefore was invalid.

This case raises important questions on the interplay between the GDPR and German law regarding the attribution of regulatory offenses to a company. In this blog post, we consider this topic in greater depth and how it may eventually be resolved in court.

SMARTWATCH Act and AHRQ’s Inquiry

By Libbie Canter, Anna D. Kraus and Shane Rogers on March 4, 2021 Posted in Data, Health Privacy

Two recent actions by lawmakers are intended to address certain uses of technology in health. First, two Senators have introduced a bipartisan bill related to the collection and use of identifiable health data from wearable health trackers. Second, following an appeal from Democratic lawmakers, the Agency for Healthcare Research and Quality (“AHRQ”) plans to review the use of race-based algorithms in medical care. Continue Reading

Virginia Enacts Comprehensive Privacy Law

By Rafael Reyneri and Libbie Canter on March 4, 2021 Posted in Data Privacy, State Legislatures, Uncategorized

On March 2, Virginia Governor Ralph Northam signed into law the Virginia Consumer Data Protection Act (VCDPA), becoming the second U.S. state to enact a comprehensive privacy law (Nevada has enacted an online privacy law, albeit with a narrower scope). As we have previously explained, the VCDPA follows the framework established by the Washington Privacy Act. We recently compared Virginia’s law against other key state privacy frameworks. Continue Reading

European Commission Publishes Draft UK Adequacy Decisions

By Dan Cooper and Paul Maynard on March 2, 2021 Posted in Data Privacy, EU Data Protection, European Union, United Kingdom

On February 19, 2021, the European Commission published two draft decisions finding that UK law provides an adequate level of protection for personal data. The first would allow private companies in the EU to continue to transfer personal data to the UK without the need for any additional safeguards (e.g., the Commission’s standard contractual clauses), while the second would allow EU law enforcement agencies to transfers personal data subject to Directive 2016/680 — the Data Protection and Law Enforcement Directive (LED) — to their UK counterparts.

French Supervisory Authority Publishes Results of Public Consultation on the Digital Rights of Minors

By Kristof Van Quathem, Juliette Leportois and Nicholas Shepherd on March 2, 2021 Posted in Children's Privacy, Data Privacy, EU Data Protection, International

In January 2021, the French Supervisory Authority (“CNIL”) published a summary report of contributions it received in response to a public consultation and survey on the digital rights of minors launched in April 2020 (see the press release here and a summary report here, both in French). Stakeholders who responded to the consultation included companies, professionals dedicated to the legal and educational issues related to children, parents and minors.