Privacy and Information Security

Democrats Release Their Own COVID-19 Privacy LegislationFollowing the Republican-sponsored COVID-19 Consumer Data Protection Act of 2019, Democratic legislators recently introduced the Public Health Emergency Privacy Act. Senators Richard Blumenthal and Mark Warner of Connecticut and Virginia, respectively, and a group of Democratic Representatives, including Jan Schakowsky of Illinois and Anna Eshoo of California, introduced the measure.

While both measures

In light of concerns associated with attempts to use personal data to track the spread of COVID-19, a group of Republican Senators, led by Mississippi Senator Roger Wicker, introduced the COVID-19 Consumer Data Protection Act of 2020 today.

The bill imposes specific requirements on entities seeking to process precise geolocation data, proximity data, persistent

The California Consumer Privacy Act (CCPA) provides consumers with a right to non-discrimination when they exercise other privacy rights guaranteed by the law, such as the right to access, delete, or opt out of the sale of their personal informationThe California Consumer Privacy Act (CCPA) provides consumers with a right to non-discrimination when they exercise other privacy rights guaranteed by the law, such as the right to access, delete, or opt out of the sale of their personal information.  However, the meaning of “non-discrimination” and the exceptions to this prohibition provided in the CCPA and proposed regulations are among the more confusing aspects of California’s privacy law.

While other privacy laws contain non-discrimination provisions, the CCPA non-discrimination right is notably broader.  For example, the CCPA concept of discrimination is not limited to protected or sensitive categories, as is the case with Title VII.  Nor is it limited to a specific type of economic activity, as is the case with industry-specific laws such as the Equal Credit Opportunity Act.  Instead, CCPA’s non-discrimination right applies to all California consumers exercising any of their other rights under the Act.

This post looks at what the non-discrimination right prohibits (and allows), as well as some of the important questions that the statute and draft regulations leave open.  Critical practical issues include being able to (1) distinguish between lawful denials of CCPA rights and impermissible discrimination, and (2) justify the magnitude of financial incentives offered in connection with personal information collection, retention, and sale.  With about two months before the CCPA’s July 1 enforcement date, it’s important for businesses to confirm how they are addressing this often overlooked right and square away any final adjustments that may be prudent.


Continue Reading

California Attorney General (AG) released third draft of proposed CCPA regulationsRecent putative consumer class action cases filed against Ring and Zoom raise allegations under the California Consumer Privacy Act (“CCPA”) and are likely to be the first battlegrounds over the CCPA’s potential hostility to consumer arbitration clauses.  The continued applicability of arbitration agreements is likely to be a significant (and hard-fought) issue with far-reaching implications

FTC Guidance on AI: Don’t Surprise Consumers – Or YourselfFTC Bureau of Consumer Protection Director Andrew Smith this week published some helpful pointers for companies that are developing or using AI to support consumer-facing services.  These pointers are drawn from past FTC enforcement actions, reports, and workshops.  They boil down to one overarching message:  Companies shouldn’t surprise consumers – or themselves – in how

The CCPA grants the California Attorney General (AG) the authority to enforce the CCPA starting on July 1, 2020.  Last month, the AG confirmed no intention to delay that enforcement date due to the COVID-19 pandemic, despite mounting industry pressure.The CCPA grants the California Attorney General (AG) the authority to enforce the CCPA starting on July 1, 2020.  Last month, the AG confirmed no intention to delay that enforcement date due to the COVID-19 pandemic, despite mounting industry pressure.

Even if enforcement begins July 1st, companies must contend with another glaring obstacle:

The California Consumer Privacy Act (CCPA) took effect January 1, 2020.  While the California Attorney General’s enforcement authority is delayed until July 1, private litigants have already started to file direct claims under the CCPA as well as other consumer-related causes of actions predicated on alleged CCPA violations.  Notably, the California Attorney General takes the

Effective March 21, 2020, the New York SHIELD Act imposes data security requirements on most businesses that own or license computerized data that includes the “private information” (defined below) of New York residents. In sum, such businesses must develop, implement, and maintain reasonable safeguards to protect the security, confidentiality, and integrity of that private information.

Data is helping governments, researchers, and companies across the world track the spread of the novel coronavirus, monitor cases and outcomes of COVID-19, and devise ways to halt the virus’s spread.  As part of these efforts, raw data, software tools, data visualizations, and other efforts are providing the public and policymakers with insights into the

Facial Recognition Tech Enforced by Vermont AG Under State Privacy & Data Broker LawsVermont Attorney General Thomas Donovan Jr. has ratcheted up ongoing scrutiny of facial recognition technology.  On March 10, the Vermont AG sued facial recognition technology provider Clearview AI and moved for a preliminary injunction against the company.  Clearview drew wide attention in January following the publication of a New York Times story that detailed how