Legislation

Senator Ron Wyden last week released a discussion draft of a federal privacy bill that would amend Section 5 of the Federal Trade Commission Act to expand the FTC’s authority, create significant civil fines, and enforce certain provisions through criminal penalties.

The draft Consumer Data Protection Act is among a growing number of proposals for federal privacy legislation in the United States.  (See our related coverage here and here.)  These federal proposals follow on the EU’s enactment of the General Data Privacy Regulation (“GDPR”), which took effect in May, and the June enactment of the California Consumer Privacy Act (“CCPA”).  The Wyden measure has not yet been introduced in the Senate.

Below we highlight key aspects of the draft legislation.Continue Reading Wyden Releases Draft Privacy Bill Increasing FTC Authority, Providing for Civil Fines and Criminal Penalties

In August 2018, the Government of Australia unveiled a new proposed bill that would grant the county’s national security and law enforcement agencies additional powers when confronting encrypted communications and devices. The text of the draft Telecommunications and Other Legislation Amendment (Assistance and Access) Bill 2018 (the “Assistance and Access Bill” or the “Bill”) states that the purpose is “to secure critical assistance from the communications industry and enable law enforcement to effectively investigate serious crimes in the digital era.”

The Assistance and Access Bill, if enacted, could affect a wide range of service providers both in and outside of Australia.
Continue Reading Australia Proposes New Encryption Legislation

Less than three months ago, California enacted the California Consumer Privacy Act of 2018 (“CCPA”). Industry and privacy watch groups alike have scrutinized the law. This summer saw fierce negotiations all in the name of improving the CCPA. Last Friday, on August 31, 2018, the California legislature passed SB 1121 to amend the CCPA.

The CCPA applies to for-profit entities that conduct business in California. It has an expansive definition of personal information, and grants California residents a number of new rights, including rights to request access to and deletion of certain data, and to opt-out of the sale of data. For a more detailed summary of the CCPA, please see our previous blog post.

SB 1121 largely preserves the substance of the CCPA, but it contains the following technical edits:
Continue Reading California Legislature Passes Amendments to Expansive Consumer Privacy Law

On June 28, 2018, California enacted the California Consumer Privacy Act of 2018 (“CCPA”), which is aimed at strengthening consumer privacy rights and data security protections.  The CCPA takes effect on January 1, 2020 and is considered the most stringent privacy law in the country.

The CCPA applies to for-profit
Continue Reading California Adopts Expansive Consumer Privacy Law

On April 24, 2018, Senators Amy Klobuchar (D-MN) and John Kennedy (R-LA) introduced the Social Media Privacy and Consumer Rights Act of 2018.  The bill aims to protect consumers’ online data by increasing the transparency of data collection and tracking practices, and requiring companies to notify consumers of a privacy violation within 72 hours.

“Our bill gives consumers more control over their private data, requires user agreements to be written in plain English and requires companies to notify users of privacy violations,” Senator Kennedy explained. “These are just simple steps that online platforms should have implemented in the first place.”

Other features of the legislation include providing consumers a right of access to see what information about them has been collected and used, allowing consumers to opt out of data collection and tracking, and requiring online platforms to have a privacy program in place.  Senator Klobuchar explained that “[c]onsumers should have the right to control their personal data and that means allowing them to opt out of having their data collected and tracked and alerting them within 72 hours when a privacy violation occurs and their personal information may be compromised.” 
Continue Reading Senators Klobuchar and Kennedy Introduce Privacy Legislation

By Alyson Sandler

On April 10, Senators Richard Blumenthal (D-CT) and Ed Markey (D-MA) introduced new privacy legislation titled the Customer Online Notification for Stopping Edge-provider Network Transgressions (CONSENT) Act.  In a statement published on his website, Senator Markey referred to the legislation as a “privacy bill of rights” and explained that “[t]he avalanche of privacy violations by Facebook and other online companies has reached a critical threshold, and we need legislation that makes consent the law of the land.”

The CONSENT Act directs the Federal Trade Commission (FTC) to “establish privacy protections for customers of online edge providers.”  These protections include requiring edge providers to notify customers about the collection and use of “sensitive customer proprietary information,” which the Act defines to include, among other things, financial and health information, the content of communications, and web browsing and application usage history.  Customers must also be notified about the types of sensitive customer proprietary information that the edge provider collects, how the information will be used and shared, and the types of entities the edge provider will share the information with.

The centerpiece of the CONSENT Act is its “opt-in” requirement for edge providers to obtain consent from customers for the use of “sensitive information.”  This differs from the model currently employed by most online companies, under which customers may opt out of data collection.  The Act also prohibits an edge provider from refusing to serve customers who do not consent to the use and sharing of their sensitive proprietary information for commercial purposes.
Continue Reading Senate Democrats Propose CONSENT Act

On January 9, the House of Representatives passed the Cyber Vulnerability Disclosure Reporting Act by voice vote.  The Act directs the Secretary of the U.S. Department of Homeland Security (“DHS”) to prepare a report describing the policies and procedures that DHS developed to coordinate the cyber vulnerability disclosures.  Under the Homeland Security Act of 2002 and the Cybersecurity Information Sharing Act of 2015 (“CISA”), DHS is responsible for working with industry to develop DHS policies and procedures for coordinating the disclosure of cyber vulnerabilities.
Continue Reading House Passes Cyber Vulnerability Disclosure Reporting Act

Delaware Gov. John Carney has signed into law a bill that will impose more stringent obligations for notifying affected Delaware residents in the event of a data breach, in addition to establishing requirements for Delaware businesses to maintain “reasonable” data security practices.  In addition to expanding the types of information that would require notification of affected individuals if breached, the amendments will also require an entity to provide credit monitoring services if the breach involves Social Security numbers.  Once the bill enters into force, entities will also have to notify the Delaware Attorney General if a breach affects more than 500 Delaware residents.  The amendments will enter into force on approximately April 14, 2018.
Continue Reading Delaware Amends Data Breach Notification Law to Require Credit Monitoring, Attorney General Notification