A proposed California law, the Consumer Data Breach Protection Act (A.B. 1710), has the potential to upend the calculus of determining liability after retail data breaches, create additional data security requirements for retailers and other consumer-facing businesses operating in California, and establish new standards for data breach reporting for breaches affecting California residents. The bill, introduced by California State Assemblymen Bob Wieckowski and Roger Dickinson in February 2014 and currently pending before the California Assembly Committee on the Judiciary, may in part represent an effort to respond to the recent data breaches affecting Target Corp. and Neiman Marcus Ltd., and aims to strengthen one of the most prescriptive state statutes already in existence.

The heightened concern over data privacy in recent months might enable the passage of the bill, which is a variation of past bills that were vetoed by former Governor Arnold Schwarzenegger. If passed, A.B. 1710 would place California alongside Washington, Minnesota, and Nevada as the states mandating particular data security provisions with respect to payment card data, and would increase the data breach reporting requirements and liability associated with breaches for entities doing business in California.
Continue Reading Proposed California Law Would Impose Data Breach Liability on Retailers and Create More Stringent Data Security Requirements for Businesses

On January 15, 2014, the Federal Trade Commission (FTC) announced that Apple, Inc. had agreed to pay a minimum of $32.5 million in full refunds to consumers to settle allegations that the company was billing customers for purchases that children made from the company’s App Store without parental consent. According to the FTC, since at least 2011, thousands of children had unwittingly racked up significant App Store charges without their parents’ knowledge because the company’s billing procedures allowed users to incur unlimited in-app charges for a 15-minute window after downloading new software onto a device.
Continue Reading Apple Agrees to Refund at Least $32.5 Million to Settle FTC Complaint Alleging That It Charged Kids’ In-App Purchases Without Parental Consent

In December 2013, the United Kingdom’s Information Commissioner’s Office (ICO) issued “Privacy in Mobile Apps–Guidance for App Developers.” According to the ICO, the guidance is not only relevant for apps used on mobile devices such as smartphones and tablets, but also for “other devices using similar app technology, for instance living-room devices such as smart TVs or games consoles.”

The guidance is addressed to organizations developing apps for the UK market, regardless of their location. However, it addresses key EU privacy issues and may be useful for any organization developing apps for individuals located in the European Union (EU). In addition, the ICO guidance should be read together with the opinion on mobile apps issued by the Article 29 Working Party (the body of European data protection regulators) in March 2013, a summary of which we have provided here. Listed below are the key takeaways and recommendations from the guidance.
Continue Reading UK Information Commissioner’s Office Issues Guidance for App Development

The Federal Trade Commission’s (FTC’s) enforcement actions for claims of compliance with Safe Harbor privacy frameworks by U.S. companies have increased significantly over the past few months. In the first two months of 2014 alone, the FTC announced settlements with 13 U.S. companies over allegations that the companies falsely claimed they held current certifications under the U.S.-EU Safe Harbor Privacy Framework. The FTC’s focus has not been limited to the EU framework, as three of the settlements include claims that the companies falsely represented holding current certifications under the U.S.-Swiss Safe Harbor Privacy Framework.
Continue Reading FTC Steps Up Enforcement of Safe Harbor Compliance Claims

On February 20, 2014, two of our Brussels-based attorneys specializing in European privacy and data security—Cédric Burton and Chris Kuner—presented a webcast titled “Update on EU Data Protection Law,” with a particular focus on the U.S.-EU Safe Harbor Framework (Safe Harbor). The following article summarizes the session and includes a few key takeaways.
Continue Reading Status of the EU Regulation and the Safe Harbor Framework

Kaiser Foundation Health Plan, Inc. (Kaiser) recently agreed to settle charges brought by California Attorney General Kamala Harris alleging that Kaiser, a component of Kaiser Permanente, the largest health maintenance organization in the U.S., violated California’s unfair competition law by taking too long to notify more than 20,000 current and former employees that their personal information had been compromised. The case and its settlement may have significant implications for businesses that suffer data security incidents requiring notification to affected persons.
Continue Reading Kaiser Foundation Health Plan Settles California Attorney General Charges over Delayed Data Breach Notification