Photo of Dana B. Rosenfeld

Email
(202) 342-8588
Bio

Last week, the House Committee on Energy and Commerce held a Committee Hearing on the Oversight of the Federal Trade Commission. All five Commissioners attended and their message was largely the same: the FTC needs additional rulemaking and civil penalty authority to better protect consumers, especially as it applies to privacy and data security enforcement.

Privacy and data security were a focus of the Chairman’s opening statements, during which he noted that both were a top priority for the agency. Chairman Simons also discussed the need for the FTC to have jurisdiction over nonprofits and common carriers, imploring Congress to pass legislation giving the agency such authority, along with comprehensive data security legislation. Simons noted that the FTC was watching and assessing the EU’s implementation of its comprehensive privacy law, the General Privacy Data Protection Regulation (GDPR), to see how it may apply to the U.S. and he reaffirmed enforcement of the EU-U.S. Privacy Shield, which the FTC has enforced in the past.

Chairman Simons also referenced the hearings that the Commission will be holding in the fall, emphasizing that he anticipated the agency would benefit from participant input on a number of topics—from merger guidelines to privacy and data security. Simons, a former student of Chairman Pitofsky, noted that the agency held similar hearings during the Pitofsky era that resulted in agency action, such as amendments to the merger guidelines. The Chairman noted that he wanted this year’s hearings to be similarly effective in setting the agency’s future agenda.
Continue Reading

California recently passed the California Consumer Privacy Act (CCPA), providing new rights for California consumers (broadly defined as California residents) regarding their personal data. The CCPA is modeled after the EU’s General Data Protection Regulation (GDPR), which provides EU citizens with a number of rights related to data processing and imposes specific requirements on companies that process EU citizen data. The new California law provides similar requirements for businesses that collect data from California consumers. The following are some key points of comparison.
Continue Reading

On June 28, 2018, Governor Brown signed into law the “California Consumer Privacy Act of 2018.” The legislation was a compromise to avoid a ballot initiative that was more closely modeled after the European Union’s General Data Protection Regulation (GDPR). This Act is scheduled to go into effect on January 1, 2020.

The Act enumerates a number of rights for consumers regarding the privacy of their personal information. Some rights, such as the right to be forgotten or the right to request information disclosure, are reminiscent of those seen in the GDPR, while others, such as the right to opt out of the sale of a consumer’s personal information, are specific to the new law.

Along with identifying consumer rights, the law also imposes requirements on businesses, including those that collect or have collected consumers’ personal information, to make specific disclosures about their personal information practices and to respond to consumer requests. Importantly, the definition of “personal information” is broadly defined to include common information, such as a name or email address, as well as more specific information, such as biometric information and geolocation data, although publicly available information is not included.
Continue Reading

Under the GDPR, processors must have a lawful basis for processing any data of an EU data subject. Consent is one of six lawful bases[1] under the GDPR, and in this installment of GDPR SIDEBAR, we’ll cover best practices that can help achieve an acceptable level of compliance with GDPR consent requirements.

Valid consent under the GDPR must be: (1) freely given; (2) specific; and (3) informed. And a consumer must make a clear, affirmative action to consent. This means pre-populated check boxes aren’t going to count as valid consent for GDPR purposes. Here are a few tips for meeting GDPR’s consent requirements:

  • Make sure consent is specific. Identify what type of processing the data subject is consenting to, so that the data subject understands exactly what data is collected and how it is used. Example 1 provides a consent mechanism for each specific type of communication (text message, email, etc.). This makes it clear to the data subject what she is signing up for when she consents to processing.

  • Make sure consent is unbundled. Provide a separate consent mechanism for each type of processing the data is expected to be used for. Do not bury consent in an agreement for terms and conditions or a general privacy policy. Example 2 offers unbundled options for separately consenting to marketing messages and the website’s terms and conditions.


Continue Reading

On May 29, Colorado Governor John Hickenlooper signed into law HB18-1128 to strengthen data breach notification requirements for companies and government entities collecting and maintaining personal information from Colorado residents.

Effective September 1, covered entities will be required to notify individuals within 30 days of discovery of a security breach, unless the entity is notified that such a disclosure will impede a criminal investigation. Existing law requires notification to be made “in the most expedient time possible, and without unreasonable delay.” Republican state representative and bill co-sponsor Cole Wist stated the term “reasonable” was “too subjective and loose,” and could prevent consumers from acting quickly to prevent identity theft.  This makes the new law one of the strictest data breach notification laws in the country.  The following identifies pertinent changes to existing law.

Mandatory Information Security Procedures or Programs

Businesses must implement “reasonable” information security procedures or programs to protect the personal data they have – including data that has been shared with third parties – from unauthorized access, use, modification, disclosure, or destruction. Businesses that maintain paper or electronic documents containing customer personal information must develop a written policy for the destruction of such documents once they are no longer needed.
Continue Reading

Less than one week after replacing the now defunct Article 29 Working Party (WP29), the European Data Protection Board (EDPB) has adopted new guidelines on the EU General Data Protection Regulation (GDPR) and issued a statement on the ePrivacy Regulation revision.

What is the European Data Protection Board? How is It Different from the Article

Just when you think you’ve tackled the Wild, Wild West of GDPR and privacy compliance, California decides to mix it all up again.

This November 6th, California voters will decide on the California Consumer Privacy Act (“Act”), a statewide ballot proposition intended to give California consumers more “rights” with respect to personal information (“PII”) collected from or about them.  Much like CalOPPA, California’s Do-Not-Track and Shine the Light laws, the Act will have broader consequences for companies operating nationwide.

The Act provides certain consumer “rights” and requires companies to disclose the categories of PII collected, and identify with whom the PII is shared or sold. It also includes a right to prevent the sale of PII to third parties, and imposes requirements on businesses to safeguard PII.  If passed, the Act would take effect on November 7, 2018, but would apply to PII collected or sold by a business on or after nine (9) months from the effective date – i.e., on August 7, 2019.

Who is Covered?

The Act is intended to cover businesses that earn $50 million a year in revenue, or businesses that “sell” PII either by (1) selling 100,000 consumer’s records each year, or (2) deriving 50% of their annual revenue by selling PII. These categories of businesses must comply if they collect or sell Californians’ PII, regardless of whether they are located in California, a different state, or even a different country.
Continue Reading

You’ve probably heard of the dreaded four-letter word – GDPR.  Companies around the globe had been preparing for the May 25th implementation date for quite some time.  But U.S.-based companies with no apparent EU presence may not have thought twice about whether the data protection law across the pond even applies to them.  Let’s face it, we have enough federal and state laws here in the U.S. to worry about.  But now that the GDPR dust has settled a bit, these U.S. companies may want to take a closer to look to confirm they aren’t captured within GDPR’s sweeping scope.

In this first installment of GDPR SIDEBAR, we address the fundamental threshold question of whether and to what extent a U.S.-based company must comply with the GDPR.  [click here for a primer on GDPR]


Continue Reading

Earlier this week, the FTC settled its case with BLU Products, Inc., a cell phone company the FTC claimed misled consumers about its privacy and data security practices. According to the agency, the company represented that it did not collect unnecessary personal information and that it imposed specific data security procedures to protect consumers’ personal information. But the FTC claimed not so fast, alleging that BLU allowed one of its partners, an advertising software company, to collect sensitive consumer information such as text message contents and call logs with full telephone numbers. The FTC also alleged that BLU failed to implement the security features it represented to consumers, allowing the company’s devices to be subject to security vulnerabilities that could allow third parties to gain full access to the devices.

In settling the case, BLU agreed not to misrepresent its data collection or data security practices. The order also requires BLU to clearly and conspicuously disclose: (1) all of the “covered information” that the company collects, uses, or shares; (2) any third parties that will receive this “covered information”; and (3) all purposes for collecting, using, or sharing such information. This disclosure must be separate from the company’s privacy policy or terms of use and the company must obtain the consumer’s affirmative express consent to the collection, use, and sharing of such information. “Covered Information” is defined as geolocation information, text message content, audio conversations, photographs, or video communications from or about a consumer or their device.
Continue Reading

Just when you think you have it all under control, the data breach notification law landscape changes – again. Over the past few weeks, several data breach notification statutes were updated, including an effective date for Canada’s mandatory breach notification obligations, as well as the adoption of legislation in the two holdout states (Alabama and