Privacy and Information Security

On Tuesday, the New York Attorney General Letitia James announced a settlement with Dunkin’ Brands, Inc. over allegations that the company failed to adequately respond to years of cyberattacks that compromised customers’ online accounts.

According to the lawsuit, Dunkin’ customers with “DD Perks” accounts were first targeted in early 2015 in a series of “credential

On August 30th, the California legislature passed a bill to continue the employee and business-to-business (B2B) exemptions contained in the CCPA for another year. Currently, the CCPA provides two limited exemptions for employee and B2B information, whereby this information is excluded from most CCPA requirements. Both of these exemptions become ineffective January 1, 2021. Assembly

The California Office of Administrative Law today approved the CCPA Regulations that the California Attorney General submitted in June, and the regulations are effective immediately. As we discussed here, the now-final regulations, for the most part, substantively match those that the AG released in March, with a few notable changes.

Significantly, the AG

This summer continues to be a busy season at the intersection of data protection and national security. As we reported in July, the Schrems II decision invalidated Privacy Shield on the ground that its national security derogations were too expansive.

Last week, the President seized on concerns about surveillance by the Chinese government as a core rationale for Executive Orders directing the Department of Commerce to prohibit transactions involving TikTok (and its parent company, ByteDance) and WeChat (and its parent company, Tencent Holdings).  For instance, the TikTok Order asserts that the company’s data practices “potentially allow[] China to track the locations of Federal employees and contractors, build dossiers of personal information for blackmail, and conduct corporate espionage;” and the WeChat Order states that WeChat’s data collection “threatens to allow the Chinese Communist Party access to Americans’ personal and proprietary information.”

The scope of these Orders remains unclear.  Members of Kelley Drye’s Export Control and Sanctions team provide further analysis on Kelley Drye’s Trade and Manufacturing Monitor (see below), and we will continue to monitor how implementation of the Orders could affect companies’ communications and transactions on these popular platforms.

Last Thursday, the President issued two executive orders (“E.O.s”) targeting social media applications TikTok (and its parent company, ByteDance) and WeChat (and its parent company, Tencent Holdings).  The E.O.s direct the Department of Commerce (“DOC”) to prohibit transactions involving the applications.  Companies that deal directly with TikTok or WeChat in the United States and abroad or use their services need to evaluate the scope of those activities and determine if they will be affected by the E.O.s.

The E.O.s were issued pursuant to the national emergency declared in E.O. 13873 regarding information and communication services in the United States that are controlled by persons within the jurisdiction of a “foreign adversary.”  In issuing the E.O.s, the President cited concerns that the Chinese government could gain access to Americans’ personal information collected by the applications, among other policy considerations.  The President has the power to issue the directives under the International Emergency Economic Powers Act (“IEEPA,” 50 U.S.C. 1701 et seq.), which provides the President with the authority to declare national emergencies and implement sweeping trade controls based on national security concerns.

The intended scope of the E.O.s is not clear due to ambiguous language used in Section 1, which contain the E.O.s’ primary prohibitions.  Here is an excerpt of that section from the TikTok order:

Section 1.  (a)  The following actions shall be prohibited beginning 45 days after the date of this order, to the extent permitted under applicable law: any transaction by any person, or with respect to any property, subject to the jurisdiction of the United States, with ByteDance Ltd. (a.k.a. Zìjié Tiàodòng), Beijing, China, or its subsidiaries, in which any such company has any interest, as identified by the Secretary of Commerce (Secretary) under section 1(c) of this order.

[…]

(c)  45 days after the date of this order, the Secretary shall identify the transactions subject to subsection (a) of this section.

There are two plausible readings of that section.  The first is that all transactions involving ByteDance and its subsidiaries will be prohibited within 45 days.  The second, and we believe more appropriate reading, is that all types of transactions specified by DOC will be prohibited.  The inclusion of the last sentence of Section 1(a) and of Section 1(c) suggests that DOC has discretion to impose targeted prohibitions that only apply to certain types of transactions involving the subject companies, rather than all transactions involving ByteDance.  While the ultimate scope of the prohibitions may not be clear until DOC takes action, the term “transactions” is often interpreted broadly, and could include many types of business dealings, not just financial transactions involving the companies.  The White House is reportedly pushing for a broad interpretation of both E.O.s, noting that prohibited transactions could include making the apps available on app stores, purchasing advertising on TikTok, or accepting terms of service to download the applications.

It is also important to note that the TikTok and WeChat E.O.s differ in scope.  The TikTok E.O. authorizes prohibitions on any transaction involving ByteDance and its subsidiaries.  In contrast, the WeChat E.O. is more narrowly constructed to authorize prohibitions on transactions with Tencent Holdings or its subsidiaries that are “related to WeChat.”  The more narrow construction with respect to Tencent may be intended to exclude Tencent’s many U.S. investments unrelated to WeChat from coverage under the E.O.

Much remains unclear about the intended scope and ultimate application of the E.O.s.  Given this regulatory uncertainty, companies with business dealings directly or indirectly involving ByteDance or Tencent should review their engagements closely for potential exposure under the new rules.  In particular, companies that use WeChat services for commercial purposes, including its IT and payment services, will need to evaluate whether they can continue that activity in the United States and abroad.

Please contact our Export Control and Sanctions team with any questions related to these developments.


Continue Reading Data Protection and National Security Concerns Meet in TikTok, WeChat Executive Orders

It has been more than two years since the D.C. Circuit found the Federal Communications Commission’s (the “FCC”) discussion of predictive dialers and other equipment alleged to be an automatic telephone dialing system (“ATDS,” or “autodialer”) to “offer no meaningful guidance” on the question. In the absence of an FCC ruling on the remand, multiple

The replay for our July 30, 2020 California Consumer Privacy Act (CCPA) for Procrastinators: What You Need To Do Now If You Haven’t Done Anything Yet webinar is available here.

The coronavirus pandemic has put many things on hold, but CCPA enforcement is not one of them. The California Attorney General’s enforcement authority kicked

On July 22, the New York Department of Financial Services (DFS) announced the first enforcement action under its new Cybersecurity Regulation, which requires that businesses registered or licensed by DFS comply with a number of robust cybersecurity requirements. The action involves First American Title Insurance Company and, according to the Statement of Charges and Notice

Kelley Drye Advertising Law Summer Webinar Series This Wednesday, July 22
Selling Online: How to Avoid Flattening the Curve of an Uptick in Website Traffic
Register Here

COVID-19 has increased the already dizzying amount of online sales, making the applicable marketing requirements increasingly important. These rules affect not just how companies advertise and promote products and services online, but also how they

January 1, 2020 was the effective date for the California Consumer Privacy Act (CCPA).  As we reported and summarized in our Q1 2020 CCPA Litigation Round-Up, private litigants wasted no time in filing consumer-related causes of action under the new law.

Here, we provide an update on material developments in that first wave of claims and report on additional private lawsuits commenced in the first half of the year.  We have further categorized the recently-filed cases based on those stemming from a data breach versus not.  In the latter category, the cases are further split based on the underlying alleged violations – last quarter, non-breach based claims related to the disclosures and opt-out mechanisms required by the CCPA as well as the scope of “personal information” covered by the CCPA.

1. Update on Cases Reported in Q1 2020


Continue Reading CCPA Litigation Round-Up: Q2 2020

On July 16, the European Court of Justice (CJEU) issued a highly-anticipated decision evaluating the validity of two popular mechanisms for transferring personal data from the EU to the United States: Privacy Shield and Standard Contractual Clauses (SCCs). The Court struck down Privacy Shield, but upheld the validity of SCCs – although not without providing