Posted in California Privacy, CCPA, Consumer PrivacyJoining Vermont, California will now require data brokers to register with the California Attorney General. The law was signed October 11, 2019. It applies to companies that “knowingly” collect and sell personal information about consumers with whom they do not have a “direct relationship.” They must register with the AG by January 31, 2020. Continue Reading
Posted in CCPAThe California attorney general has released draft regulations for CCPA, giving companies further guidance on a variety of topics. The regulations are in draft, and comments are due to the attorney general’s office by December 6, 2019. The AGs office will also be holding a series of hearings across the state, on December 2 (Sacramento), 3 (Los Angeles), 4 (San Francisco), and 5 (Fresno). Among the many items that companies will be examining in more detail in the coming days, the regulations provide details about how to verify consumers and the need for website accessibility in the provision of notices. The proposal also calls on companies to acknowledge access and deletion requests within 10 days of receipt of such a request. Continue Reading
Posted in Communication Privacy, Consumer Privacy, TCPAAs we reported in our sister blog, “One ‘Chirp, Buzz, Or Blink’ Is Not Enough To Sue Under the TCPA”, a recent court decision makes it more difficult for plaintiffs to establish standing under the Telephone Consumer Protection Act. In its decision, the Eleventh Circuit ruled that a single text message from an attorney to his former client did not amount to sufficient harm to sue in federal court. The Court concluded that the allegations regarding the single text message were not enough to state a concrete injury-in-fact necessary for federal jurisdiction. The Eleventh Circuit’s ruling appears to conflict with a previous Ninth Circuit decision regarding the same issue. Continue Reading
Posted in CCPA, Consumer PrivacyOne of the CCPA amendments that has gone to the governor’s desk is AB 1564, which addresses the methods companies must make available to consumers to exercise their rights under CCPA. Businesses which operate exclusively online and have direct relationships with their consumers can (1) provide an email address for consumers to submit requests, and (2) if they have a website (which presumably all online businesses would!), have a method for consumers to submit requests on that website. It is not clear from the amendment if listing the email address on the website would fulfill the latter requirement, or if the intent is for companies to have an online form on their websites where requests can be submitted. Continue Reading
Posted in EU Privacy, GDPRUnder GDPR, companies are required to keep certain records of their processing activities. There has been some question about the types of records controllers should keep. To help clarify the questions arising from many companies, CNIL issued guidance recently about how to fulfill record keeping obligations. The guidance includes an RPA template for controllers, and outlines contents to include for both controllers and processors. This includes keeping track of why information was collected, the categories of personal information, recipients of personal information, and any out-of-country transfers. Companies should also include how long information will be kept. For processors, records should be kept “for each type of activity operated in place of customers” with many of the same details. The CNIL recommends gathering information, making a list of processing activities, clarifying any questions and then creating the record. CNIL notes that this record should be updated “frequently” with an eye towards the activities and type of information. While the document is internal, companies should keep in mind that it will need to be provided to the CNIL if requested. Continue Reading
Posted in Communication Privacy, Consumer Privacy, TCPAThe Sixth Circuit is the latest court to weigh in on the definition of ATDS under TCPA. The TCPA defines ATDS as equipment that has the capacity “to store or produce telephone numbers to be called, using a random or sequential number generator; and to dial such numbers.” Generally, the TCPA prohibits calls and text messages to cell phones using an ATDS without prior express consent. Continue Reading
Posted in Data Breach, Data Security, Healthcare PrivacyEffective October 1, 2019, organizations providing health insurance and related services must notify the Maryland Insurance Administration as part of its breach notification requirements. Continue Reading
Posted in California, CCPA, Consumer Privacy, Employee PrivacyOne of the amendments we’ve been watching over the past months is one that impacts rights of employees —both the company’s and other company’s employees. Under AB25, which passed the California Senate and is now awaiting governor signature, companies will be (for a year) exempted from providing current and former employees, job applicants, and contractors with the full suite of CCPA rights. Starting January 2020, however, these individuals must be provided with notice of information use. Access and deletion rights will not go into effect until January 2021. Continue Reading
Posted in Data Breach, Data SecurityIllinois has updated its breach notice law to require, effective January 1, 2020, notice to the Illinois Attorney General of a data breach involving more than 500 Illinois residents. Continue Reading
Posted in Consumer Privacy, Data BreachAs we recently reported, New York’s new SHIELD Act contains data security provisions. It also contains a number of key changes to New York’s existing breach notification obligations. These changes will become effective October 23, 2019. Continue Reading
