Megan Kayo

Subscribe to Megan Kayo's Posts

Given Broad Definitions, the Law Could Apply to Businesses That Do Not Consider Themselves Data Brokers

While amending the California Consumer Privacy Act of 2018 (CCPA) last term, the California legislature also passed a CCPA-related privacy bill that applies to “data brokers.” Assembly Bill 1202 (AB 1202) requires businesses that qualify as data brokers to register, pay a fee, and provide certain information to the California attorney general. Because AB 1202 relies on the CCPA’s broad definitions of “sell” and “personal information,” many businesses that might not otherwise consider themselves to be data brokers may fall within the data broker definition.
Continue Reading Data Brokers Must Register with California Attorney General by January 31

Provides Detailed Specifications Both for Information Security Program and Third-Party Assessments

On June 12, 2019, the Federal Trade Commission (FTC) announced it had reached a proposed settlement with LightYear Dealer Technologies, LLC (doing business as “DealerBuilt”) over allegations that the automobile software provider’s inadequate data security practices had resulted in a data breach in 2016.1

This consent order deserves a close read because the FTC has imposed data security obligations on DealerBuilt that go further than any previous settlement, and the FTC is likely to seek to impose these requirements in future settlements.2 Specifically, the FTC has mandated DealerBuilt to implement an information security program with more detailed specifications than appear in earlier settlements. These modifications are consistent with the FTC’s recent proposed amendments to the Safeguards Rule (a rule that guides FTC implementation of the Gramm-Leach-Bliley Act (GLBA)).3 The FTC has also imposed more specific requirements with regards to third-party security assessments.
Continue Reading FTC Data Security Settlement with Auto Dealer Software Provider Goes Further than Ever Before