California Consumer Privacy Act: Industry, Advocate, and Enforcement Concerns and Legislative Amendments

On September 23, 2018, Governor Jerry Brown signed into law SB-1121, a bill that makes several amendments to the California Consumer Privacy Act (CCPA or the Act). The controversial privacy law, which is set to take effect in 2020, recently sparked a war of words among industry, privacy advocates, and the California Attorney General, each of whom sent letters to the California legislature urging amendments to the legislation. The California Chamber of Commerce, along with 36 business coalitions (Industry), submitted a letter to California Senator Bill Dodd in August, calling the Act “unworkable,” urging both technical and substantive cleanup of the Act, and introducing 21 proposed amendments. A coalition of 20 consumer privacy advocate groups (Advocates) responded with their own letter, highlighting the negative consequences Industry’s proposed changes would have on consumer rights.

The Industry and Consumer Advocates did not wholly disagree. Both coalitions urge the legislature to make technical fixes, such as clarification that businesses do not have to collect extra information to comply with the Act, as well as clarification of the definition of de-identified information. The California Attorney General also weighed in with comments, requesting specific amendments and additional time to issue regulations. In response to the input from these various stakeholders, the legislature amended the Act on August 31, 2018 and sent it to the Governor’s desk. This article sets forth the principal issues discussed in the letters and the legislature’s response. Continue Reading

Vermont Enacts Groundbreaking Data Broker Regulation

Recently, Vermont became the first state to enact legislation that regulates data brokers who buy and sell personal information. Under the new law, data brokers in Vermont will now have to register with the state, adopt standard security measures, and provide information to the state regarding their data collection practices. The law was passed in response to reported risks associated with the widespread aggregation and sale of data about consumers, and is intended to provide consumers with more information about data brokers and their data collection practices. Continue Reading

Key Developments in Internet of Things Law

California Signs the First IoT Security Bill into Law, and the FTC Submits Comments to the Consumer Product Safety Commission Regarding the IoT

California’s New IoT Law

On September 28, 2018, California Governor Jerry Brown signed into law a cybersecurity bill governing Internet of Things (IoT) devices, the first law of its kind in the nation. SB 327 requires manufacturers of internet-connected, or “smart” devices, to ensure the devices have “reasonable” security features by January 1, 2020.

The law applies to any “device, or other physical object that is capable of connecting to the Internet, directly or indirectly, and that is assigned an Internet Protocol address or Bluetooth address.” This definition is broad and includes not only smart TVs, smart speakers, and other smart home devices, but also computers (laptops and desktops), connected cars, smartphones, smartwatches, and many other modern electronics.

The law does not contemplate further rulemaking, and it is unclear whether revisions to the law will be sought. Continue Reading

France: CNIL Issues Formal Notices Against Two Marketing Platforms for Lack of Valid Consent for the Processing of Location Data

In July 2018, the French data protection authority (the CNIL) issued two public formal notices against two marketing platform providers—

Teemo1 and Fidzup2—for failing to obtain valid consent under the General Data Protection Regulaton (GDPR) for the use of location data for profiling and targeted advertising.3 The CNIL gave the two French companies three months to change their practices to comply with EU data protection law. On October 3, 2018, the CNIL closed the matter against Teemo,4 as it considered that its updated practices now comply with the GDPR.5 The actions provide an indicator as to how Data Protection Authorities (DPAs) may approach enforcement under the GDPR. Continue Reading

New Colorado Law Takes Effect That Includes Strict 30-Day Data Breach Notification Requirement

On September 1, 2018, a new Colorado law took effect that, among other things, amends the state’s data breach law to: (1) expand the scope of the categories of “personal information” that trigger notification requirements; (2) require notification to residents and the state attorney general no more than 30 days after determining that a security breach has occurred; and (3) specify what must be included in these notifications.1 In addition, the statute requires entities that maintain, own, or license personal identifying information (PII) to implement and maintain reasonable security practices and procedures to secure PII and impose similar security obligations on third party service providers with which the entity shares PII. Finally, the law amends Colorado’s data disposal law to clarify the appropriate procedure for disposing of documents that contain PII. The passage of the Colorado law serves as a reminder that not only do state data breach notification requirements vary, but state laws also change over time in significant ways. Companies are well-advised to continue monitoring state laws for such changes. Continue Reading

U.S. Supreme Court Requires Warrant for Law Enforcement Requests for Location Information from Third Parties

The U.S. Supreme Court has handed down a major decision, Carpenter v. United States,1 concerning the Fourth Amendment’s application to the rapidly evolving technological landscape. The 5-4 decision dramatically alters the status quo concerning government requests for data about individuals that is collected and held by third parties. Under Carpenter, personal location information maintained by a third party that the government could previously obtain with a subpoena or similar order will now require a warrant meeting the standards of the Fourth Amendment.

By finding that information held by a third party is—in at least some circumstances—protected by the Fourth Amendment, the Supreme Court has upended decades of precedent in an effort to keep the amendment relevant in the digital age. Although portrayed by the court as a narrow decision, like other recent Supreme Court decisions concerning privacy and the Fourth Amendment, Carpenter will likely result in a broad reconsideration of what information law enforcement can properly obtain without a warrant. Companies will now have to carefully consider their statements regarding the sharing of data with law enforcement, and how they will respond to law enforcement agencies’ requests for data without a warrant. Continue Reading

LexBlog