On February 22, 2019, another proposed amendment to the California Consumer Privacy Act (CCPA) was published. If enacted, this amendment will increase businesses’ potential exposure under the CCPA by, among other things, expanding the scope of private rights of action under the Act and eliminating a cure period prior to a civil enforcement action by the California Attorney General. The CCPA, originally enacted in June 2018 and first amended in September 2018, sets forth an entirely new privacy and security regime for many entities doing business in California. It imposes extensive requirements on the collection, use, and storage of consumer personal information, and applies to many businesses located both in and outside of the state. The deadline for all businesses to comply with the CCPA’s requirements is January 1, 2020, and the California Attorney General may bring an enforcement action six months after the passage of implementing regulations, or July 1, 2020, whichever comes first. The clock is ticking … The CCPA applies to any for-profit entity that (i) does business in California, (ii) collects “personal information” and/or determines the purposes and means of processing “personal information,” and (iii) satisfies at least one of the following threshold criteria: Has annual gross revenues of $25,000,000; Annually buys, receives, sells or shares “personal information” of 50,000 or...
As previously noted, in response to the European Court of Justice ruling in Schrems v. Data Protection Commissioner (Case C-362/14) striking down as inadequate the so-called “safe harbor” agreement that existed for more than a decade, the EU Commission and U.S. Department of Justice announced the framework of a deal to allow transatlantic data transfers between the EU and U.S. without running afoul of Europe’s strict data protection directives. Described as the EU-U.S. “Privacy Shield” agreement, that framework has now been vetted by EU Member States, modified in certain respects, and formally adopted on July 12, 2016 by the European Commission.
Anyone reading recent headlines knows that Apple, Inc. is engaged in a legal, and ultimately political, struggle with the U.S. Government over access to the cell phone of Syed Rizwan Farook, one of the shooters in the December 2, 2015 terror attack at the Inland Regional Center in San Bernardino, California. The core issue in that California proceeding is whether Apple should be forced to “create and load Apple-signed software onto the subject iPhone device to circumvent the security and anti-tampering features of the device in order to enable the government to hack the passcode to obtain access to the protected data contained therein.”
New “Privacy Shield” Agreement Seeks to Resurrect a Safe Harbor for EU-U.S. Data Transfers – Can it Succeed?
On February 2, 2016, the EU Commission and U.S. Department of Justice announced the framework of a deal to allow transatlantic data transfers between the EU and U.S. without running afoul of Europe’s strict data protection directives. It was appropriate that the announcement came on Groundhog Day, because we have been here before.
Class Action Plaintiffs Have Standing Based on Actual Injuries and Costs of Mitigation Following Corporate Hacking, Says Seventh Circuit
The Court of Appeals for the Seventh Circuit recently held that class action plaintiffs alleging injuries due to corporate hacking scandals have standing to pursue those claims in federal court, based on both actual injuries suffered repairing damage done by fraudulent charges, as well as costs of mitigating potential future harm, such as credit monitoring. Remijas v. Neiman Marcus Group, LLC, No. 14-3122 (7th Circ. July 20, 2015). As with other cases that come to the same conclusion, the court placed great emphasis on the fact that the data thieves were specifically targeting personal data, as well as the company’s admission of the breach and offer of a year of credit monitoring to those whose information had been exposed.
Class Action Certified in In re Yahoo Mail Litigation for Violations of Stored Communication Act and California’s Invasion of Privacy Act
On May 28, 2015, U.S. District Judge Lucy Koh in the Northern District of California certified a class of email users in a privacy action that claims Yahoo Inc. (“Yahoo”) violated the federal Stored Communications Act (“SCA”) and California’s Invasion of Privacy Act (“CIPA”) through its practice of scanning and analyzing emails of non-Yahoo Mail subscribers in order to display targeted ads to Yahoo Mail subscribers. In re Yahoo Mail Litigation, No. 13-CV-04980-LHK, (N.D. Cal. 2015). Plaintiffs are non-Yahoo Mail subscribers who sent emails to Yahoo Mail subscribers from non-Yahoo email accounts and allege that Yahoo routinely copies and extracts key words from emails and stores this information for later use. Plaintiffs allege that Yahoo’s practices violate § 2702(a)(1) of the SCA, which prohibits, among other items, divulging the contents of a communication without consent and § 631 of CIPA, which prohibits the recording or reading of any type of communication without the prior consent of all parties.
Twitter’s ubiquitous 140-character-or-less tweets are not, the company argues, sufficiently similar to email or other forms of stored electronic information to warrant lumping them together with the likes of Google, Microsoft, Facebook, Yahoo!, or Apple, all of which have agreed to restrictive limitations on their public reporting of government surveillance. Twitter has sued the U.S. Government in federal court in California to make its point.
Nothing “Safe” About It: Companies That Falsely Certify Compliance with the U.S.- E.U Safe-Harbor Framework May Receive Years of Regulatory Oversight
In 2000, the European Commission and U.S. Department of Commerce developed the so-called “U.S.-E.U. Safe-Harbor Framework” as a way to foster data transfer between the United States and E.U. countries notwithstanding concerns that U.S. privacy laws do not offer the same level of protection as E.U. laws with respect to personally identifiable information. As part of the safe-harbor framework, companies that choose to enter the program must publicly declare compliance with the safe-harbor requirements, which include adherence to seven privacy principles touching on the areas of notice, access, data integrity, individual choice (opt in/out rules), security, third-party transfer, and enforcement. The principle of “enforcement” includes making sure that procedures are in place to verify a company’s adherence to the rules and a sanctions regime sufficient to ensure compliance.
As practitioners are aware, in February 2013, President Obama issued an executive order directing federal agencies to create a set of voluntary cybersecurity standards and procedures for critical parts of the private sector. If followed, these “best practices” are intended to reduce the risk of a cyber attack and its attendant disruption of business.