A new ballot initiative would create the California Privacy Rights and Enforcement Act (“CPREA”) and would make several changes to the California Consumer Privacy Act (“CCPA”).
Continue Reading New Ballot Initiative Seeks to Redo the CCPA
California Legislature Passes CCPA Amendments and Privacy Bills
Last week, after months of negotiation and speculation, the California legislature passed bills amending the California Consumer Privacy Act (“CCPA”). This marked the last round of CCPA amendments before the legislature adjourned for the year—and before the CCPA takes effect on January 1, 2020. California Governor Gavin Newsom has until October 13 to sign the bills into law. Separately, the Attorney General’s office is expected to release a draft of proposed CCPA regulations for public input later this Fall.
- Exemption for employees and job applicants: AB 25 (Chau) generally exempts from the CCPA—for one year—personal information collected from job applicants, employees, owners, directors, officers, medical staff members, or contractors, as well as their emergency contacts and their beneficiaries. However, employers must provide these individuals with general notice of the types of personal information collected about them and the purposes for which the information is used. Employers may be liable if certain types of unredacted or unencrypted personal information are breached due to unreasonable data security.
- Exemption for business customers and other technical corrections: AB 1355 (Chau) exempts from the CCPA—also for one year—personal information reflecting a communication or transaction with a natural person who is acting as an employee, owner, director, officer or contractor of another company or legal entity in most circumstances. This language generally creates an exemption for personal information about business customers. The bill clarifies that the CCPA’s private right of action does not apply if personal information is either encrypted or redacted. The bill also makes certain technical corrections, including revising the exemption for activities involving consumer reports that are regulated under the Fair Credit Reporting Act and clarifying that de-identified or aggregate consumer information is excluded from the definition of “personal information.”
- Definitions of “personal information” and “publicly available information:” AB 874 (Irwin) includes several helpful clarifications with respect to the scope of “personal information” regulated under the statute. Previously, “personal information” was defined to include all information that “identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.” The amended definition of “personal information” clarifies that information must be “reasonably capable of being associated with” a particular consumer or household. Separately, the bill clarifies that “publicly available information” means information that is lawfully made available from federal, state, or local records, regardless of whether the data is used for a purpose that is compatible with the purpose for which the data was made publicly available. Further, the bill revises the definition of “personal information” to clarify that it does not include de-identified or aggregate information.
- Required methods for receiving consumer requests: The CCPA provides that a covered business is required to make available to consumers two or more reasonably accessible methods for submitting requests under the CCPA, including, at a minimum, a toll-free telephone number, and, if the business maintains an internet website, a website address. AB 1564 (Berman) would amend this requirement to provide that a business which (1) operates exclusively online and (2) has a direct relationship with the customer from whom it collects personal information needs to provide only an email address. If the business also maintains a website, the bill requires the business to make the website available to consumers to submit requests. Finally, the bill expressly permits a business to require a consumer who maintains an account with the business to submit a request through the account.
- Exemption for vehicle warranty/recall purposes: AB 1146 (Berman) exempts, from the CCPA’s right to opt out and right to delete, vehicle or owner information retained or shared between a new motor vehicle dealer and the vehicle’s manufacturer for the purposes of vehicle repair covered by a warranty or recall.
Continue Reading California Legislature Passes CCPA Amendments and Privacy Bills
FTC and New York Attorney General Reach $170 Million Settlement Against Google and YouTube for Alleged Children’s Privacy Violations
Yesterday, the Federal Trade Commission (“FTC”) and the New York Attorney General’s office (“NYAG”) settled allegations against Google LLC and its subsidiary YouTube, LLC claiming violations of the Children’s Online Privacy Protection Act and its implementing rule (together, “COPPA”). The settlement requires Google and YouTube to pay $136 million to the FTC and $34 million to the NYAG for a total penalty almost 30 times higher than the largest COPPA penalty previously imposed.
Overview of the Complaint and Order
The joint FTC-NYAG complaint alleged that Google and YouTube collected personal information from children under 13 online and used that information to deliver online behavioral advertising, without first providing notice or obtaining verifiable parental consent as required by COPPA. More specifically, the complaint alleged that Google and YouTube had actual knowledge that certain YouTube channels were child-directed but nevertheless collected persistent identifiers in the form of cookie and advertising identifiers to serve behavioral advertising to viewers of those channels.
In addition to requiring the $170 million total civil penalty and enjoining future COPPA violations, the settlement order requires “fencing-in” relief—which is relief in the form of injunctive provisions that go beyond what is required under existing law. The order requires that YouTube and Google establish a system on YouTube that requires channel owners to self-designate whether the content they upload is child-directed. For videos designated as child-directed, YouTube will not collect persistent identifiers for behavioral advertising. The order further requires that Google and YouTube implement a training program for employees about the system and about COPPA’s requirements overall. Finally, it imposes compliance reporting and recordkeeping requirements.
The settlement is notable both for what it does—and doesn’t—establish:
Continue Reading FTC and New York Attorney General Reach $170 Million Settlement Against Google and YouTube for Alleged Children’s Privacy Violations
New Research Exposes Perils of Bogus Access Requests Under GDPR, With Implications for CCPA
At the Black Hat conference in Las Vegas last week, a security researcher presented his research on using access rights available under the GDPR for identity theft purposes (slides available here; whitepaper available here). Specifically, the researcher “attempted to steal as much information as possible” about his fiancé
Continue Reading New Research Exposes Perils of Bogus Access Requests Under GDPR, With Implications for CCPA
Legislation Seeks to Regulate Privacy and Security of Wearables and Genetic Testing Kits
Last week, Senators Amy Klobuchar (D-MN) and Lisa Murkowski (R-AK) introduced the Protecting Personal Health Data Act (S. 1842), which would provide new privacy and security rules from the Department of Health and Human Services (“HHS”) for technologies that collect personal health data, such as wearable fitness trackers, social-media sites focused on health data or conditions, and direct-to-consumer genetic testing services, among other technologies. Specifically, the legislation would direct the HHS Secretary to issue regulations relating to the privacy and security of health-related consumer devices, services, applications, and software. These new regulations will also cover a new category of personal health data that is otherwise not protected health information under HIPAA.
Continue Reading Legislation Seeks to Regulate Privacy and Security of Wearables and Genetic Testing Kits
Nevada’s New Consumer Privacy Law Departs Significantly From The California CCPA
On May 29, 2019, the Governor of Nevada signed into law Senate Bill 220 (“SB 220”), an act relating to Internet privacy and amending Nevada’s existing law requiring websites and online services to post a privacy notice. In short, Nevada’s law will require operators of Internet websites and online services to follow a consumer’s direction not to sell his or her personal data. The Nevada law differs from the California Consumer Privacy Act (“CCPA”) enacted last year in notable ways, and could signal the coming of a patchwork of fifty-plus different data privacy standards across the country, much like the state data breach notification laws.
Unlike the CCPA (which applies to both online and offline business operations), SB 220 applies only to operators of Internet websites and online services, and defines “operators” as people who (1) own or operate an Internet website or online service for commercial purposes; (2) collect and maintain covered information from consumers who reside in Nevada and use or visit the Internet website or online service; and (3) engage in any activity that constitutes a sufficient nexus with Nevada to satisfy the requirements of the United States Constitution. Such activity includes purposefully directing activities toward Nevada, consummating a transaction with Nevada or a Nevada resident, or purposefully taking advantage of the privilege of conducting activity in Nevada. SB 220 does not apply to the following entities: an entity that is regulated by the Gramm-Leach-Bliley Act or the Health Insurance Portability and Accountability Act; a service provider to an operator; or a manufacturer of a motor vehicle or a person who services a motor vehicle who processes covered information that is either (1) retrieved from a motor vehicle in connection with a technology or service related to the motor vehicle, or (2) provided by a consumer in connection with a subscription or registration for a technology or service related to the motor vehicle.
Continue Reading Nevada’s New Consumer Privacy Law Departs Significantly From The California CCPA
California Adopts Expansive Consumer Privacy Law
On June 28, 2018, California enacted the California Consumer Privacy Act of 2018 (“CCPA”), which is aimed at strengthening consumer privacy rights and data security protections. The CCPA takes effect on January 1, 2020 and is considered the most stringent privacy law in the country.
The CCPA applies to for-profit
Continue Reading California Adopts Expansive Consumer Privacy Law
FTC and Department of Education Announce Joint Workshop on FERPA and COPPA Compliance for Ed Tech
Earlier this week, the Federal Trade Commission and Department of Education announced plans to hold a joint workshop on the application of the Children’s Online Privacy Protection Act (“COPPA”) and the Family Educational Rights and Privacy Act (“FERPA”) to educational technology products and services in the K-12 school environment. In advance of the workshop, the FTC and Department of Education are soliciting comments on several key questions regarding COPPA and FERPA compliance for educational technology providers. This is a valuable opportunity for Ed Tech providers to provide feedback to both agencies on the practical application of COPPA and FERPA in this arena.
Continue Reading FTC and Department of Education Announce Joint Workshop on FERPA and COPPA Compliance for Ed Tech
FTC Launches Review of Its Email Marketing Rule
Today the FTC announced that it is undertaking a review of its CAN-SPAM Rule, which sets out the requirements for sending commercial e-mail messages. Among other things, the CAN-SPAM Rule requires that senders of commercial e-mails provide recipients a mechanism to opt out of receiving commercial e-mails, honor opt-out
Continue Reading FTC Launches Review of Its Email Marketing Rule
FTC Staff Publish COPPA Guidance for Businesses
The FTC staff published today a “Six-Step Compliance Plan” for businesses to comply with the Children’s Online Privacy Protection Act (COPPA).
The guidance, which provides a useful framework for businesses, states explicitly that COPPA applies to connected toys and other devices that collect personal information from children over
Continue Reading FTC Staff Publish COPPA Guidance for Businesses