Privacy and Information Security

Warning that “[t]here are no more excuses,” California Attorney General on August 24, announced the first public settlement under the California Consumer Privacy Act (CCPA). The settlement order, which the court approved on the same day, requires beauty-product retailer Sephora, Inc., to pay a $1.2 million civil penalty to resolve allegations that the company

On August 11, the FTC finally launched its “commercial surveillance and data security” rulemaking after many months of hype and speculation about the FTC’s ability to address consumer privacy through its “Mag-Moss” rulemaking authority. It did so by releasing (by 3/2 vote) an Advanced Notice of Proposed Rulemaking (ANPR) – the first step in a Mag-Moss rulemaking – and holding a press conference featuring Chair Khan, Commissioners Slaughter and Bedoya, and senior FTC staff.

People familiar with the many hurdles in Mag-Moss were watching to see whether the ANPR would be broad and far-reaching (thus guaranteeing a lengthy, complex process) or more narrowly tailored. The answer? The ANPR is remarkably sweeping in scope – covering virtually every form of data collection across the economy, posing 95 questions about factual and legal issues of all kinds, and raising issues that reach beyond the FTC’s legal authority. Indeed, in reading the ANPR, we couldn’t help but wonder whether this is a serious effort to develop a rule or simply a show of activity to address over-hyped expectations. (See more on this topic below.)

Not surprisingly, Commissioners Phillips and Wilson issued strong dissents. Among other things, they raised concerns about agency overreach and the potential to derail the bipartisan privacy bill currently pending in Congress (the ADPPA). Here are more details and takeaways from the FTC’s announcement:
Continue Reading The FTC’s Privacy Rulemaking: Broad and Far-Reaching, but Unlikely to Lead to a Rule Anytime Soon

How To Protect Employee/HR Data and Comply with Data Privacy Laws
Wednesday, July 20

As workforces become increasingly mobile and remote work is more the norm, employers face the challenge of balancing the protection of their employees’ personal data and privacy against the need to collect and process personal data to recruit, support and monitor

With the clock now running on the comment period for the California Privacy Protection Agency’s (CPPA) Draft Regulations to implement the CPRA – comments are due on August 23 – one of the items on many businesses’ CPRA preparation to-do lists is to address new (and the expansion of existing) consumer rights. The Draft Regulations published by the CPPA lay out how the CPPA is likely to define these obligations. This post takes a deeper look at what’s in the CPPA’s proposal – as well as what’s missing.

A couple of overarching points are worth keeping in mind.  First, implementing the CPRA’s consumer rights provides an occasion to review and update data maps so that they accurately capture how personal information flows both through their organizations and to service providers, contractors, and/or third parties.  Second, preparing for CPRA consumer requests should go hand-in-hand with reviewing the systems and procedures that are in place to honor consumers’ requests.
Continue Reading Preparing for Expanded Consumer Rights Requests Under the CPRA

Among the many details to absorb in the draft amendments to the CCPA regulations published by the California Privacy Protection Agency (“CPPA”) on May 27 (the “Draft Regulations”) are new and prescriptive disclosure requirements for notices at collection and privacy policies. While these disclosure provisions (and all of the other provisions of the Draft Regulations)

Even as states continue to pass comprehensive privacy laws, Attorneys General remain active enforcing their data breach laws and utilizing their deceptive trade practice authority in the privacy space.  Just last week, 46 State AGs signed on to a settlement, which took the form of an Assurance of Voluntary Compliance, with international cruise corporation Carnival

For those not following every detail regarding the progress of the “three corners” federal privacy bill, here’s a summary of where things stand.

In brief, on June 23, the House E&C Consumer Protection Subcommittee held a markup during which it considered a substitute version of the bill (HR 8152), approved it by voice

As discussed in State Attorneys General 101, State Attorneys General are the primary enforcers of consumer protection laws within their state and hold sweeping powers to protect the public they serve by launching investigations and litigation alone or in multi-state actions involving numerous states and territories across the country.

On June 14, the House E&C Subcommittee on Consumer Protection and Commerce held a hearing to consider issues and concerns raised by the “three corners” privacy “discussion draft” released to the public June 3. As we blogged last week, the American Data Privacy and Protection Act (ADPPA) is an historic bipartisan compromise among three key committee leaders in the House and Senate (Sen. Wicker and Reps. Pallone and McMorris Rodgers). So far, it lacks the backing of the fourth, Senator Cantwell.

The hearing came together quickly, reflecting the limited time and challenges in this election year to pass a bill of this significance. The 3+ hour event showcased myriad issues and concerns that the witnesses and other stakeholders have raised with respect to the draft. Still, Subcommittee leaders pledged to keep working on the bill and expressed optimism that they might be able to pass comprehensive federal privacy legislation this year. As of this writing, we understand that there will be subcommittee markup next Thursday and a full-committee markup sometime after the July 4th recess.
Continue Reading Readout on House Privacy Hearing: Wide Attendance, Lots of Issues, Full Steam Ahead

The spotlights of the consumer privacy world are once again on California after the new California Privacy Protection Agency made a surprise Friday night release of its draft California Privacy Rights Act (CPRA) regulations on May 27, 2002.

In this webinar in association with Mondaq, Robert Cunningham and Rod Ghaemmaghami provided observations on the