Final Draft CCPA Regulations Submitted, Effective Date Unclear

Julia KadishLiisa ThomasRachel Tarko HudsonCraig CardonBy Julia Kadish, Liisa Thomas, Rachel Tarko Hudson and Craig Cardon on Posted in California, California Privacy, CCPA, Consumer Privacy

On June 1, 2020, the California AG submitted the final text of the proposed CCPA regulations to the Office of Administrative Law (OAL). There were no changes to the final text from the last version released in March, which we previously summarized here. Continue Reading

CISA Issues First Installment of Cyber Essentials

Jonathan E. MeyerBy Jonathan E. Meyer on Posted in Cybersecurity, Data Security

On Friday, May 29, the Cybersecurity and Infrastructure Security Agency (CISA) issued the first in a series of six Cyber Essentials Toolkits.  These toolkits are described as “bite-sized actions for IT and C-suite leadership to work toward full implementation of each Cyber Essential,” focused on building a company’s cyber readiness. Continue Reading

Seventh Circuit Issues Landmark BIPA Decision

Kari RollinsDavid PoellBy Kari Rollins and David Poell on Posted in Biometrics, Consumer Privacy

The Seventh Circuit has recently ruled that plaintiffs have standing to enforce the Illinois Biometric Information Privacy Act’s informed consent requirements in federal court. As we have written before, , BIPA regulates the collection, use, and retention of a person’s biometric information, e.g., fingerprints, face scans, etc. For years, federal trial courts have been split on whether a violation of BIPA’s informed consent provision is alone sufficient to confer Article III standing. . The decision in Bryant v. Compass Group USA, Inc., — F.3d —-, 2020 WL 2121463 (7th Cir. May 5, 2020) removes that uncertainty and will drastically change the landscape of BIPA litigation going forward. Continue Reading

SCOTUS Review of CFAA May Impact Analysis in Data Breach Notification Obligations

Kari RollinsDavid PoellJulia KadishBy Kari Rollins, David Poell and Julia Kadish on Posted in Breach, Data Breach

For the first time, the U.S. Supreme Court has agreed to review the Computer Fraud and Abuse Act (CFAA) in Van Buren v. United States, No. 19-783. A federal circuit split exists on the issue of whether the statute can only be used against hackers and unauthorized users of electronic systems, or also against authorized users who use the information for unauthorized purposes. In the context of data breaches, companies sometimes look to interpretations of the meaning of “authorization” in CFAA cases to analyze whether notification obligations may exist. Continue Reading

D.C. Amends Data Breach Notification Law, Adds Security Requirements

Julia KadishBy Julia Kadish on Posted in Data Breach, FTC

At the end of March, Washington, D.C. signed the Security Breach Protection Amendment Act of 2019, which adds some significant changes to D.C.’s existing data breach law, first enacted in 2007. The law is projected to take effect by June 13, 2020. Some of the major changes are summarized below. Continue Reading

FTC Provides Direction on AI Technology

Jonathan E. MeyerLiisa ThomasBy Jonathan E. Meyer and Liisa Thomas on Posted in Consumer Privacy, FTC

The FTC recently issued comments on how companies can use artificial intelligence tools without engaging in deceptive or unfair trade practices or running afoul of the Fair Credit Reporting Act. The FTC pointed to enforcement it has brought in this area, and recommended that companies keep in mind four key principles when using AI tools. While much of their advice draws on requirements for those that are subject to the Fair Credit Reporting Act (FCRA), there are lessons that may be useful for many. Continue Reading

Using Health Data in Europe During COVID-19

Snehal DesaiBy Snehal Desai on Posted in COVID-19, EU Privacy, GDPR, Healthcare Privacy

The EDPB recently issued guidelines about how to use health data during the current pandemic in compliance with GDPR. Given the COVID-19 pandemic, there have been many research efforts in place to fight against the virus.  The EDPB’s guidelines shed light on the special rules for processing health data for scientific research, which apply in the context of the COVID-19 pandemic: Continue Reading

Taking Temperatures During COVID-19: A Practical Toolkit

Hayley GrunvaldBrian MurphyLiisa ThomasBy Hayley Grunvald, Brian Murphy and Liisa Thomas on Posted in COVID-19, Employee Privacy

As we move into the second quarter of 2020, governments around the country are analyzing how to best open up their economies. Part of this will include people returning to work, restaurants, retail establishments, and other places of public accommodation. Landlords, business owners, and others want to know how to take steps to reopen safely while government mitigation efforts are being developed to help slow the spread of COVID-19 until a vaccine is developed. And where authorities don’t have specific mitigation efforts, instituting protocols will fall squarely on landlords, business owners, and those who operate places of public accommodation. Continue Reading

Privacy and Data Protection Enactment and Enforcement Timelines During COVID-19

Julia KadishKari RollinsBy Julia Kadish and Kari Rollins on Posted in California, CCPA, Consumer Privacy, COVID-19, Data Protection, New York Privacy

During COVID-19, in certain areas of the law, we have seen significant flexibility from regulators and government agencies in how they are addressing typical approval processes and/or compliance requirements. In the context of privacy and cybersecurity regulations, largely, regulators are emphasizing that personal privacy and data security are important now more than ever. New information is being collected and used in new ways. Certain data security vulnerabilities may be more prevalent in this work-from-home environment. Continue Reading

FTC Settles with Company Over Alleged Deceptive Security Practices

Kari RollinsJulia KadishBy Kari Rollins and Julia Kadish on Posted in Data Security, FTC, Privacy

The FTC recently settled with smart lock maker Tapplock, Inc., a Canadian company, over allegations that it deceived consumers with false claims about its product’s security practices. These allegations arose based on vulnerabilities that a security researcher demonstrated – not in the aftermath of a data security breach where these complaints often originate. Continue Reading

LexBlog

By scrolling this page, clicking a link or continuing to browse our website, you consent to our use of cookies as described in our Cookie and Advertising Policy. If you do not wish to accept cookies from our website, or would like to stop cookies being stored on your device in the future, you can find out more and adjust your preferences here.

Agree