To close out Data Privacy Week, California Attorney General Rob Bonta announced a new investigative sweep probing streaming apps’ and devices’ compliance with the California Consumer Privacy Act (CCPA).Continue Reading California AG Turns on CCPA Investigation of Streaming Services
The enforcement division of the California Privacy Protection Agency (CPPA) recently announced it intends to review the privacy practices of connected vehicles. The driving force behind the review is the technologies in connected cars that raise privacy concerns. These include location sharing and smartphone integration. Connected cars often also have cameras and web-based entertainment systems. These cars—and the technologies in them—may monitor people both in the car and outside of it. For many Californians, the car is part of their daily routines. Connected vehicles can effectively becoming a constant data generator.Continue Reading California Regulator Drives Inquiry into Vehicle Data
A plaintiff has her fingerprints forever. But she doesn’t have forever to file a lawsuit for improper retention, deletion, collection, or use of her fingerprints. For years, Illinois courts have been perplexed on what statute of limitations applies to different claims under the Illinois Biometric Information Privacy Act (“BIPA”). That left an unanswered question: how long does a plaintiff have to file a BIPA claim before losing it? The Illinois Supreme Court weighed in last week, siding with the plaintiffs’ bar. In Tims v. Black Horse Carriers, Inc., that Court held that plaintiffs have five years to file any BIPA claim.Continue Reading Illinois High Court Allows Biometric Privacy Claims to Go Back Five Years
California federal Judge William Alsup dismissed various claims against Mint Mobile LLC based on a data breach that exposed personal information of Mint customers. Plaintiff Daniel Fraser alleged that Mint, a mobile virtual network operator using the T-Mobile network infrastructure, was hit with a data breach in June 2021. According to Fraser, the breach resulted in disclosure of his and others’ personal information, including names, addresses, email addresses, phone numbers, account numbers, and passwords.
Continue Reading Mint Gets Data Breach Claims Dismissed
The Supreme Court recently dealt a potential blow to the FTC’s enforcement tool chest. In particular, the decision impacts its ability to seek monetary relief under a theory it has used in a wide variety of cases, included privacy and security ones, that monetary relief constitutes a “permanent injunction” on consumers’ behalf. In AMG Capital Management, LLC v. Federal Trade Commission, the Supreme Court held that while the FTC should be able to obtain injunctive relief to stop unfair practices, that power does not extend to seeking monetary relief for injured consumers.
Continue Reading Supreme Court Decision Impacts How FTC May Pursue Privacy Cases
Governor Gavin Newsom of California vetoed a bill that would have created new limitations on data sharing for direct-to-consumer genetic testing companies.
Continue Reading California Governor Pulls the Plug on Genetic Information Privacy Act
CNIL, the French data privacy regulator, issued a 400,000 euro ($448,358) fine against a company for GDPR violations stemming from sensitive information collected on its website. Investigating a complaint, CNIL discovered that the online real estate company Sergic allowed customer information to be freely accessed online and kept that information longer than needed. By editing the text of a certain URL, a Sergic user could retrieve sensitive files that another home rental candidate had uploaded into the website. This security defect led the trove of nearly 300,000 tax and identity documents to be accessible to anyone who thought to change the text of that URL. CNIL said that this website design flaw affected the confidentiality of data in violation of Article 32(1)(ii) of GDPR.
Continue Reading French Regulator Says “Oui” to GDPR Fines for Under-Protected and Over-Retained Data
The Washington Privacy Act (SB 5376) is making its way through that state’s House after gaining nearly unanimous approval in the state Senate just weeks after being introduced. This bill promises to overhaul how Washington protects the personal information of its residents. The proposed Act closely mirrors the California Consumer Privacy Act of 2018 (CCPA) and is expressly modeled around the European General Data Privacy Regulation (GDPR) that went into effect last May. Despite borrowing heavily from these current regimes, the Washington Act is adding its own twists on privacy standards.
Continue Reading Washington State’s Comprehensive Privacy Law Bill Continues to Navigate Through State Legislature
The U.K. data protection authority recently fined a lead generation company £90,000 ($118,000) for a 2017 unsolicited email marketing campaign. The company, Boost Finance Ltd, sent over 4 million emails promoting pre-paid funeral plans under the name findmeafuneralplan.com. In reaching its decision, the ICO (the UK data protection regulator), said that the company violated the UK’s Privacy and Electronic Communications Regulations by sending the messages without consent.
Continue Reading UK Issues Fine for Unsolicited Funeral Marketing Emails
Vermont recently enacted a data broker security law, one of the first of its kind. The law requires data brokers to develop and implement a comprehensive security program. The program needs to include administrative and technical safeguards to protect personal information. Data brokers are defined as businesses that collect and sell or license data about consumers with whom the business does not have a direct relationship.
Continue Reading Vermont Is First Mover Regulating Data Brokers
In its recent report (Mobile Security Updates: Understanding the Issues), the FTC expressed concerns with the process for keeping mobile devices updated and secure. Of particular concern for the FTC were inconsistencies in the length of time that support is offered for mobile devices, the frequency of updates and the perceived lapse of time between identifying a vulnerability and effectively installing a patch on consumers’ devices. Further, the FTC was worried that information about device support and update frequency is not always clear to consumers, and is not always maintained by manufacturers.
Continue Reading FTC Expresses Concerns Over Mobile Security Updates