Privacy and Information Security

The replay for our October 13, 2020 Futureproofing Privacy Programs webinar is available here.

Building a successful privacy program requires much more than compliance with data protection laws. To thrive in today’s global, data-driven environment, companies also need to understand the political environment and public attitudes surrounding privacy in the countries in which they

Only two months after finalizing the CCPA regulations, the California Attorney General’s office today released a new set of proposed changes, most significantly addressing “Do Not Sell My Personal Information” requests. The office has also recommended changes to the regulations related to providing notice when businesses collect personal information offline, proof required when an

Please join us for the following upcoming virtual events: 

October 13
Futureproofing Privacy Programs

Building a successful privacy program requires much more than compliance with data protection laws. To thrive in today’s global, data-driven environment, companies also need to understand the political environment and public attitudes surrounding privacy in the countries in which they operate.

Prior to the September 30 deadline to sign or veto legislation, California Governor Gavin Newsom recently took action on three bills related to data privacy. Bringing some potential certainty to the dynamic CCPA landscape, Governor Newsom signed into law AB 1281, which provides for the extension of the CCPA’s exemptions related to employee data

On Tuesday, the New York Attorney General Letitia James announced a settlement with Dunkin’ Brands, Inc. over allegations that the company failed to adequately respond to years of cyberattacks that compromised customers’ online accounts.

According to the lawsuit, Dunkin’ customers with “DD Perks” accounts were first targeted in early 2015 in a series of “credential

On August 30th, the California legislature passed a bill to continue the employee and business-to-business (B2B) exemptions contained in the CCPA for another year. Currently, the CCPA provides two limited exemptions for employee and B2B information, whereby this information is excluded from most CCPA requirements. Both of these exemptions become ineffective January 1, 2021. Assembly

The California Office of Administrative Law today approved the CCPA Regulations that the California Attorney General submitted in June, and the regulations are effective immediately. As we discussed here, the now-final regulations, for the most part, substantively match those that the AG released in March, with a few notable changes.

Significantly, the AG

This summer continues to be a busy season at the intersection of data protection and national security. As we reported in July, the Schrems II decision invalidated Privacy Shield on the ground that its national security derogations were too expansive.

Last week, the President seized on concerns about surveillance by the Chinese government as a core rationale for Executive Orders directing the Department of Commerce to prohibit transactions involving TikTok (and its parent company, ByteDance) and WeChat (and its parent company, Tencent Holdings).  For instance, the TikTok Order asserts that the company’s data practices “potentially allow[] China to track the locations of Federal employees and contractors, build dossiers of personal information for blackmail, and conduct corporate espionage;” and the WeChat Order states that WeChat’s data collection “threatens to allow the Chinese Communist Party access to Americans’ personal and proprietary information.”

The scope of these Orders remains unclear.  Members of Kelley Drye’s Export Control and Sanctions team provide further analysis on Kelley Drye’s Trade and Manufacturing Monitor (see below), and we will continue to monitor how implementation of the Orders could affect companies’ communications and transactions on these popular platforms.

Last Thursday, the President issued two executive orders (“E.O.s”) targeting social media applications TikTok (and its parent company, ByteDance) and WeChat (and its parent company, Tencent Holdings).  The E.O.s direct the Department of Commerce (“DOC”) to prohibit transactions involving the applications.  Companies that deal directly with TikTok or WeChat in the United States and abroad or use their services need to evaluate the scope of those activities and determine if they will be affected by the E.O.s.

The E.O.s were issued pursuant to the national emergency declared in E.O. 13873 regarding information and communication services in the United States that are controlled by persons within the jurisdiction of a “foreign adversary.”  In issuing the E.O.s, the President cited concerns that the Chinese government could gain access to Americans’ personal information collected by the applications, among other policy considerations.  The President has the power to issue the directives under the International Emergency Economic Powers Act (“IEEPA,” 50 U.S.C. 1701 et seq.), which provides the President with the authority to declare national emergencies and implement sweeping trade controls based on national security concerns.

The intended scope of the E.O.s is not clear due to ambiguous language used in Section 1, which contains the E.O.s’ primary prohibitions.  Here is an excerpt of that section from the TikTok order:

Section 1.  (a)  The following actions shall be prohibited beginning 45 days after the date of this order, to the extent permitted under applicable law: any transaction by any person, or with respect to any property, subject to the jurisdiction of the United States, with ByteDance Ltd. (a.k.a. Zìjié Tiàodòng), Beijing, China, or its subsidiaries, in which any such company has any interest, as identified by the Secretary of Commerce (Secretary) under section 1(c) of this order.

[…]

(c)  45 days after the date of this order, the Secretary shall identify the transactions subject to subsection (a) of this section.

There are two plausible readings of that section.  The first is that all transactions involving ByteDance and its subsidiaries will be prohibited within 45 days.  The second, and we believe more appropriate, reading is that all types of transactions specified by DOC will be prohibited.  The inclusion of the last sentence of Section 1(a) and of Section 1(c) suggests that DOC has discretion to impose targeted prohibitions that only apply to certain types of transactions involving the subject companies, rather than all transactions involving ByteDance.  While the ultimate scope of the prohibitions may not be clear until DOC takes action, the term “transactions” is often interpreted broadly, and could include many types of business dealings, not just financial transactions involving the companies.  The White House is reportedly pushing for a broad interpretation of both E.O.s, noting that prohibited transactions could include making the apps available on app stores, purchasing advertising on TikTok, or accepting terms of service to download the applications.

It is also important to note that the TikTok and WeChat E.O.s differ in scope.  The TikTok E.O. authorizes prohibitions on any transaction involving ByteDance and its subsidiaries.  In contrast, the WeChat E.O. is more narrowly constructed to authorize prohibitions on transactions with Tencent Holdings or its subsidiaries that are “related to WeChat.”  The narrower construction with respect to Tencent may be intended to exclude Tencent’s many U.S. investments unrelated to WeChat from coverage under the E.O.

Much remains unclear about the intended scope and ultimate application of the E.O.s.  Given this regulatory uncertainty, companies with business dealings directly or indirectly involving ByteDance or Tencent should review their engagements closely for potential exposure under the new rules.  In particular, companies that use WeChat services for commercial purposes, including its IT and payment services, will need to evaluate whether they can continue that activity in the United States and abroad.

Please contact our Export Control and Sanctions team with any questions related to these developments.



It has been more than two years since the D.C. Circuit found the Federal Communications Commission’s (the “FCC”) discussion of predictive dialers and other equipment alleged to be an automatic telephone dialing system (“ATDS,” or “autodialer”) to “offer no meaningful guidance” on the question. In the absence of an FCC ruling on the remand, multiple

The replay for our July 30, 2020 California Consumer Privacy Act (CCPA) for Procrastinators: What You Need To Do Now If You Haven’t Done Anything Yet webinar is available here.

The coronavirus pandemic has put many things on hold, but CCPA enforcement is not one of them. The California Attorney General’s enforcement authority kicked