With less than two months until it goes into effect, many practitioners are focused on bringing their programs into compliance with the California Consumer Protection Act (“CCPA”) by January 1, 2020.  But the rapid pace of privacy legal developments could continue next year.  This past year, five states established studies or task forces to study privacy laws and report back to the legislature before their next session begins. Bills in Washington and Illinois passed one legislative chamber before failing, and their proponents have promised a renewed effort in 2020.

This is the first of a series of blog posts on what states other than California were considering to help you anticipate and prepare for 2020.  In total, at least eighteen states considered comprehensive privacy bills this year.  This initial blog post — on the heels of Halloween last week — focuses on some of those that are the scariest: bills in New York, Massachusetts, and Maryland.
Continue Reading State Privacy Laws Have the Potential to Haunt Industry

The Governor of Massachusetts recently signed House Bill No. 4806 into law, which will amend certain provisions of the state’s data breach notification law.  In addition to changing the information that must be included in notifications to regulators and individuals, the amendments will also require entities to provide eighteen months of free credit monitoring services following breaches involving Social Security numbers.  The amendments, which will enter into force on April 11, 2019, are discussed in greater detail below.
Continue Reading Massachusetts Amends Data Breach Notification Law to Require Free Credit Monitoring

In a recent decision, the Supreme Judicial Court of Massachusetts (“SJC”) broadly interpreted a statute that governs the personal information that may be collected by a merchant during a credit card transaction.  The decision, Tyler v. Michaels Stores, Inc., SJC-1145 (Mass. March 11, 2013), was issued in response to three questions that had been certified to the SJC by a federal district judge in Boston, in connection with a lawsuit alleging violation of Mass. Gen. Laws, ch. 93, §105(a), the Massachusetts analogue to California’s Song-Beverly Act. 

Section 105(a) provides that “[n]o business entity that accepts a credit card for a business transaction shall write, cause to be written or require that a credit card holder write personal identification information, not required by the credit card issuer, on the credit card transaction form.”  “Personal identification information,” in turn, “shall include, but shall not be limited to, a credit card holder’s address or telephone number.”  Violations of Section 105(a) are treated as “unfair and deceptive trade practices” under Mass. Gen. Laws. ch. 93A, §§ 2, 9, which provides “injured” persons a private right of action against any entity that commits an unfair or deceptive trade practice.

The plaintiff in Tyler alleged that Michaels Stores violated §105(a) by requesting her ZIP code during a credit card transaction at one Michaels Stores retail location.  The district court agreed that the plaintiff had sufficiently pled a violation of that statute, but nonetheless dismissed the complaint because she had failed to allege a cognizable injury stemming from the violation, which is required to bring an action under Massachusetts’s unfair and deceptive trade practices statute.  The court explained that the purpose of §105(a) was to prevent identify fraud, and suggested a plaintiff would need to allege that fraud had occurred because of the alleged violation of §105(a).   


Continue Reading Massachusetts Supreme Judicial Court Issues Broad Ruling on Point-of-Sale Data Collection

As of March 1, 2012, all companies storing the personal information of Massachusetts residents with a third-party service provider must contractually require the service provider to maintain data security measures “consistent” with the Massachusetts data security regulations.  (You can read our overview of these regulations here.)

Among other things, those regulations—most of which took