On October 6, 2021, the Senate Commerce Committee conducted its second in a series of hearings dedicated to consumer privacy and data, this time addressing Data Security.  Similar to last week’s privacy hearing, the witnesses and Senators appeared to agree that federal data security standards – whether as part of privacy legislation or on their own – are urgently needed. If there were to be consensus around legislative principles, the hearing provides clues about what a compromise might look like.

Prepared Statements. In their opening statements, the witnesses emphasized the need for minimum standards governing data security.

  • James E. Lee, Chief Operating Officer of the Identity Theft Resource Center, explained that without minimum requirements, companies lack sufficient incentives to strengthen their data security practices to protect consumer data. Lee also advocated for more aggressive federal enforcement rather than the patchwork of state actions, which, he said, produce disparate impacts for the same conduct.
  • Jessica Rich, former Director of the FTC’s Bureau of Consumer Protection and counsel at Kelley Drye, emphasized that current laws do not establish clear standards for data security and accountability. She advocated for a process-based approach to prevent the law from being outpaced by evolving technologies and to ensure that it accommodates the wide range of business models and data practices across the economy. Among her recommendations, Rich suggested that Congress provide the FTC with jurisdiction over nonprofits and common carriers and authority to seek penalties for first-time violations.
  • Edward W. Felten, former Deputy U.S. Chief Technology Officer, former Chief Technologist of the FTC’s Bureau of Consumer Protection, and current Professor of Computer Science and Public Affairs at Princeton University, focused on the need to strengthen the FTC’s technological capabilities, including increasing the budget to hire more technologists. Notably, Felten advocated for more prescriptive requirements in data security legislation such as requiring companies to store and transmit sensitive consumer data in encrypted form and prohibiting companies from knowingly shipping devices with serious security vulnerabilities.
  • Kate Tummarello, Executive Director at Engine, a non-profit organization representing startups, addressed the importance of data security for most startups. Tummarello advocated for FTC standards or guidance with flexible options. Cautioning against overburdening startups, Tummarello explained that newer companies take data security seriously because they do not have the name recognition or relationships with consumers that larger companies may have, and a single breach could be extremely disruptive. Additionally, Tummarello highlighted that the patchwork of state laws provides inconsistent and unclear data security guidance and imposes high compliance costs.


Continue Reading Hope Emerges at Senate Data Security Hearing – But Will Congress Grab the Brass Ring?

During last month’s California Privacy Protection Agency Board (CPPA) meeting, the only substantive agenda item, addressed in closed session, was a discussion of two key appointments: the first Executive Director and a Chief Privacy Auditor, as required by CPRA’s 1798.199.30. On October 4, 2021, the five-person CPPA board announced that they appointed

The California Privacy Rights Act (CPRA), effective January 1, 2023, adds “contractors” to the list of entities that a business may entrust with customer data.  So what is a “contractor?”  And how are “contractors” different from other entities described by California privacy law, such as “service providers” or “third parties?”

As it turns out, the answer is surprising.  Contractors are nearly identical to service providers, with just two differences:  contractors are not data processors; and contractors must make a contractual certification in CCPA contracts.  Moreover, contractors are not even new entities, and were already described in existing California privacy law.

Origins of “Contractors” in CCPA

To help explain the origins of the new contractor classification, we start with the California Consumer Privacy Act (CCPA).  Under the CCPA, now in effect, each disclosure of personal information from a covered business to another entity is regulated, either via consumer opt out preferences or via contractual restrictions.  Altogether, there are three potential data flows described in the CCPA:  business to third party, business to service provider, and business to a person who is not a third party.  We describe each in turn:

  • Business to Third Party:  First, when a business discloses personal information to a third party, this constitutes the “sale” of personal information (unless an exception applies, such as in the context of an intentional disclosure).  The CCPA grants consumers the right to opt out of such sales of their personal information to prevent these data flows.

As an example, selling a marketing list to a third party or sharing profile information with an adtech partner in most cases would be considered a sale of personal information to a third party.

  • Business to Service Provider:  Second, when a business discloses personal information to a service provider, no “sale” occurs and there is no right of consumers to opt out.  The requirements for the recipient to be a service provider are that (1) the service provider processes personal information on behalf of the business, and (2) the service provider agrees to retain, use, or disclose the personal information only for business purposes specified in a written contract.

Service providers provide technical, professional, and other business support to the business.  For example, a service provider might offer various services such as cloud-based servers or software, consulting, or e-commerce fulfillment services.

  • Business to a Person Who Is Not a Third Party:  Finally, there is a rarely discussed third option in the CCPA.  The CCPA states that any recipient of personal information that agrees to certain enhanced contractual terms is not a third party.  This third category requires that the recipient agree to contractual terms that mirror service provider contractual terms, along with three additional terms:  (1) to refrain from selling the personal information, (2) to refrain from retaining, using, or disclosing the information outside the direct business relationship between the recipient and the business, and (3) to certify that the recipient understands the above contractual restrictions.

This third option is significant to avoid the “sale” of personal information.  If the recipient is not a third party, then a sale can only occur if the recipient is a “business” under CCPA.  In many cases, the recipient will not be a business either, typically because the recipient does not determine the purposes and means of processing the personal information.

As an example, if an authorized reseller furnishes a manufacturer with a list of new orders for fulfillment, and the manufacturer agrees to use the list only to fulfill orders, the manufacturer is not a third party.   Because the manufacturer does not determine the purposes and means of processing the personal information it receives, the manufacturer is not acting as a “business.”  No sale occurs.

Similarly, if an identity verification service sends personal information to a company to assist that company with confirming the identity of an applicant for service, and the company agrees contractually to limit its use and disclosure of the information for business purposes, the recipient is not a third party or business and no sale occurs from the identity verification service to the business.

Here’s a summary of the entities that may receive personal data under the CCPA:
Continue Reading CPRA Update: What is a “Contractor?”

Privacy Compliance Tech-Tools and StrategiesWith AdTech (tracking individuals and their online or in app behaviors to build a profile of them to better serve and more effectively target them) and MarTech (strategies and technologies to generate demand, attention, and sales for a product) now the most celebrated or perhaps infamous areas in privacy today, being a privacy lawyer has

Next month, the Supreme Court starts its new term, one that has particular significance for practitioners litigating before and against the FTC.  In In our first ever video blog, partner John Villafranco discusses the two consolidated cases that will be heard this term, Federal Trade Commission v. Credit Bureau Center, LLC and AMG Capital Management,

Earlier this month, we offered our analysis and takeaways from a Magistrate Judge’s decision that defendant Capital One was required to produce a third-party data breach assessment report as part of ongoing consumer litigation.  Available here.  Not surprisingly, Capital One appealed that order.  On June 25, 2020, District Court Judge Anthony Trenga affirmed the