The U.S. Department of Commerce’s National Institute of Standards and Technology (“NIST”) has now released the preliminary draft of the “NIST Privacy Framework: A Tool for Improving Privacy through Enterprise Risk Management.” NIST is seeking comments on the preliminary draft of the Privacy Framework and plans to use these comments to develop version 1.0 of the Privacy Framework. Comments are due by 5:00 p.m. ET on October 24, 2019.
Last week, after months of negotiation and speculation, the California legislature passed bills amending the California Consumer Privacy Act (“CCPA”). This marked the last round of CCPA amendments before the legislature adjourned for the year, and before the CCPA takes effect on January 1, 2020. California Governor Gavin Newsom has until October 13 to sign the bills into law. Separately, the Attorney General’s office is expected to release a draft of proposed CCPA regulations for public input later this fall.
- Exemption for employees and job applicants: AB 25 (Chau) generally exempts from the CCPA—for one year—personal information collected from job applicants, employees, owners, directors, officers, medical staff members, or contractors, as well as their emergency contacts and their beneficiaries. However, employers must provide these individuals with general notice of the types of personal information collected about them and the purposes for which the information is used. Employers may be liable if certain types of unredacted or unencrypted personal information are breached due to unreasonable data security.
- Exemption for business customers and other technical corrections: AB 1355 (Chau) exempts from the CCPA—also for one year—personal information reflecting a communication or transaction with a natural person who is acting as an employee, owner, director, officer or contractor of another company or legal entity in most circumstances. This language generally creates an exemption for personal information about business customers. The bill clarifies that the CCPA’s private right of action does not apply if personal information is either encrypted or redacted. The bill also makes certain technical corrections, including revising the exemption for activities involving consumer reports that are regulated under the Fair Credit Reporting Act and clarifying that de-identified or aggregate consumer information is excluded from the definition of “personal information.”
- Definitions of “personal information” and “publicly available information”: AB 874 (Irwin) includes several helpful clarifications with respect to the scope of “personal information” regulated under the statute. Previously, “personal information” was defined to include all information that “identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.” The amended definition of “personal information” clarifies that information must be “reasonably capable of being associated with” a particular consumer or household. Separately, the bill clarifies that “publicly available information” means information that is lawfully made available from federal, state, or local records, regardless of whether the data is used for a purpose that is compatible with the purpose for which the data was made publicly available. Further, the bill revises the definition of “personal information” to clarify that it does not include de-identified or aggregate information.
- Required methods for receiving consumer requests: The CCPA provides that a covered business is required to make available to consumers two or more reasonably accessible methods for submitting requests under the CCPA, including, at a minimum, a toll-free telephone number, and, if the business maintains an internet website, a website address. AB 1564 (Berman) would amend this requirement to provide that a business which (1) operates exclusively online and (2) has a direct relationship with the customer from whom it collects personal information needs to provide only an email address. If the business also maintains a website, the bill requires the business to make the website available to consumers to submit requests. Finally, the bill expressly permits a business to require a consumer who maintains an account with the business to submit a request through the account.
- Exemption for vehicle warranty/recall purposes: AB 1146 (Berman) exempts, from the CCPA’s right to opt out and right to delete, vehicle or owner information retained or shared between a new motor vehicle dealer and the vehicle’s manufacturer for the purposes of vehicle repair covered by a warranty or recall.
R (on the application of Edward Bridges) v The Chief Constable of South Wales EWHC 2341 (Admin)
In Bridges, an application for judicial review, the UK High Court (Lord Justice Haddon-Cave and Mr. Justice Swift) considered the lawfulness of policing operations conducted by the South Wales Police force (“SWP”) which utilised Automated Facial Recognition (“AFR”) technology. The Court rejected Mr Bridges’ allegations that the SWP’s conduct was unlawful as contrary to the European Convention on Human Rights (“ECHR”), Article 8, the Data Protection Acts 1998 and 2018 (“DPA 98 and 18”), and the Equality Act 2010. In this blog post we consider several key aspects of the case.
On September 10, 2019, 51 members of the Business Roundtable sent a letter to congressional leaders advocating principles for a national consumer data privacy law. The Business Roundtable’s Framework for Consumer Privacy Legislation offers a guide for potential federal legislation that would harmonize existing privacy regulations and preempt existing state and local data privacy laws. The Framework seeks to balance enhanced consumer protections with innovation and competition.
Update, September 19, 2019: Following the press reports on its scheme for calculating fines, which prompted requests to the supervisory authorities to publish it, the Datenschutzkonferenz has clarified that fines in individual cases are calculated on the basis of Art. 83(2) GDPR, and that the model is only used on a complementary basis. Furthermore, the model has not yet been finally approved. It is still only a draft, which has been shared with other European supervisory authorities in the framework of the harmonization procedure required by Art. 70(1) lit. k) GDPR, but which will need to be further developed. The DSK will discuss the model again at its next meeting on November 3 and 4, 2019, and will then also decide whether to publish it.
* * *
In June, the conference of the German Data Protection Authorities (Datenschutzkonferenz) approved a concept for the calculation of GDPR fines by a majority of 16, with only one abstention (Minutes of the meeting, cf. TOP 16 – in German). According to the Minutes, the concept was also presented at a meeting of the European Data Protection Board and was regarded as more transparent than others (apparently, the CNIL’s) by its members. The German concept was not published, but it was reportedly already applied by a number of DPAs. Now, the press obtained information about the scheme of the calculation:
In a first step, the fine is calculated in daily rates derived from the worldwide company turnover of the previous year. The daily rate is multiplied by a factor which depends on the seriousness of the breach and is determined by the application of a scoring system. The sum is then reduced or increased depending on the degree of fault and on whether there have been any previous breaches. Three or more previous breaches can lead to a surcharge of 300 per cent. Mitigating factors will also be taken into account, e.g. a swift response to a breach to protect the affected data subjects, and a company’s willingness to cooperate with the Data Protection Authority.
On Friday, September 6, 2019, our Government Contracts practice posted an article on Inside Government Contracts about the U.S. Department of Defense’s recent release of its draft Cybersecurity Maturity Model Certification (“CMMC”) for public comment.
The CMMC was created in response to growing concerns by Congress and within the U.S. Department of Defense over the increased presence of cyber threats and intrusions aimed at the Defense Industrial Base and its supply chains. The CMMC establishes a new security framework for defense contractors to become certified as cybersecurity compliant at varying levels of cybersecurity maturity, ranging from Level 1 (“Basic Cyber Hygiene” practices and “Performed” processes) through Level 5 (“Advanced / Progressive” practices and “Optimized” processes).
The full article can be read here.
On September 3, 2019, the Federal Trade Commission (“FTC”) announced settlement agreements with five companies for alleged false claims of certification under the EU-U.S. and Swiss-U.S. Privacy Shield frameworks (collectively, “Privacy Shield”). These settlements indicate that the FTC is continuing to actively enforce Privacy Shield commitments, as it has done with respect to several other companies over the past year for similar violations related to false certification claims.
Per the FTC’s announcement, the settlement agreements prohibit the five companies “from misrepresenting the extent to which they participate in any privacy or data security program sponsored by the government or any self-regulatory or standard-setting organization” and also require the companies to comply with FTC reporting requirements. The fifth company must also apply Privacy Shield protections to personal information it collected while certified to the Privacy Shield, or return or delete the information.
Yesterday, the Federal Trade Commission (“FTC”) and the New York Attorney General’s office (“NYAG”) settled allegations against Google LLC and its subsidiary YouTube, LLC claiming violations of the Children’s Online Privacy Protection Act and its implementing rule (together, “COPPA”). The settlement requires Google and YouTube to pay $136 million to the FTC and $34 million to the NYAG for a total penalty almost 30 times higher than the largest COPPA penalty previously imposed.
Overview of the Complaint and Order
The joint FTC-NYAG complaint alleged that Google and YouTube collected personal information from children under 13 online and used that information to deliver online behavioral advertising, without first providing notice or obtaining verifiable parental consent as required by COPPA. More specifically, the complaint alleged that Google and YouTube had actual knowledge that certain YouTube channels were child-directed but nevertheless collected persistent identifiers in the form of cookie and advertising identifiers to serve behavioral advertising to viewers of those channels.
In addition to requiring the $170 million total civil penalty and enjoining future COPPA violations, the settlement order requires “fencing-in” relief—which is relief in the form of injunctive provisions that go beyond what is required under existing law. The order requires that YouTube and Google establish a system on YouTube that requires channel owners to self-designate whether the content they upload is child-directed. For videos designated as child-directed, YouTube will not collect persistent identifiers for behavioral advertising. The order further requires that Google and YouTube implement a training program for employees about the system and about COPPA’s requirements overall. Finally, it imposes compliance reporting and recordkeeping requirements.
The settlement is notable both for what it does and does not establish:
On June 27, 2019, the High Court of Frankfurt decided that a consent for data processing tied to a consent for receiving advertising can be considered as freely given under the GDPR.
The case concerned an electricity company that relied on consent obtained by another company to advertise its products and services to the claimant. The claimant’s consent had been obtained in connection with his participation in a sweepstakes contest. In order for the claimant to participate in the contest, he had to consent to receive advertising from partners of the sweepstakes company, including the electricity company. The claimant was provided with a list of the eight companies with whom his data would be shared for advertising purposes.
The court was asked to decide on the validity of the consent under the GDPR, and, in particular, whether the consent met the GDPR requirements of a “freely given” and “specific” consent.
In line with previous case law, the court decided that bundling consent for advertising with the participation in a sweepstakes contest does not prevent it from being “freely given”. According to the court, “freely given” consent is a consent that is given without “coercion” or “pressure”. The court decided that enticing a customer with a promise of a discount or the participation in a sweepstakes contest in exchange for the consent to process his data for advertising does not amount to such coercion or pressure. According to the court, “a consumer may and should decide himself or herself if the participation in the sweepstakes is worth his or her data”.
The court also decided that the consent satisfied the GDPR’s specificity requirement because the sweepstakes company had indicated that the defendant would use the data for marketing and advertising in relation to “gas and electricity”. The court highlighted that had the types of products or services not been indicated, then the consent could not have been considered “specific”.
The decision is in line with the Opinion of the Advocate General in the Planet 49 case – still pending before the Court of Justice of the European Union (see our blog post here). In this case, users had to consent to being contacted by commercial partners of a lottery organizer in order to participate in the lottery. The Advocate General was of the opinion that this is not a prohibited bundling of consent per Art. 7(4) of the GDPR.
Over the past several months, many states, including Illinois, New York, Texas, and Washington, have passed significant amendments to their state data breach notification laws. Currently, most state data breach notification laws only require notification of residents (and possibly state regulators or others) following a “breach” of personally identifiable information (“PII”), which is often defined as a resident’s name along with a Social Security number, driver’s license or state identification card number, or a financial account, debit, or credit card number with any required security code, access code, or password to access a financial account. Among other changes, these amendments have expanded the categories of PII that may trigger notification obligations if breached, imposed new requirements to notify regulators (in addition to affected individuals) in the event of a breach, and implemented specific timing requirements for how soon after a breach individuals and regulators must be notified. These changes are summarized in additional detail below.