On March 15, 2021, the California Office of Administrative Law (“OAL”) approved additional regulations to the CCPA. These regulations were originally proposed at the end of 2020 (which we covered here).  The changes are effective immediately. The modifications largely focus on (1) changes impacting those companies that “sell” information, and (2) the verification process for rights requests made by authorized agents.
Continue Reading Changes to CCPA Regulations are Approved and in Effect

The Illinois Biometric Information Privacy Act (BIPA) has spawned hundreds of class action lawsuits and a raft of unresolved issues.  A core issue from a litigation perspective—as well as for companies bracing for potential lawsuits—is one of “standing,” and in particular, what BIPA claims can be brought by plaintiffs in what venues.

Continue Reading Beware BIPA Bifurcation: Plaintiffs’ New Gambit to Split BIPA Claims Between State and Federal Courts 

Virginia is now the second state, after California, to pass a comprehensive privacy law. The Consumer Data Protection Act (“CDPA”) will come into effect January 1, 2023 (the same time as the modification to California’s Consumer Privacy Act (“CCPA”), namely the California Privacy Rights Act). Although this new Virginia law has been compared by many to California’s current CCPA and the EU’s GDPR, there are some differences. Businesses will find most of the differences a relief, although the law does introduce a few new concepts.
Continue Reading Virginia is for…Privacy: Comprehensive Law Passed, Effective January 2023

Many states require insurance providers that do business in their states to complete annual certifications of compliance.  As examples, the deadline in New Hampshire is coming up on March 1.  The deadline in Alabama, Connecticut, Delaware, Louisiana, Michigan, Mississippi, Ohio, and South Carolina was February 15.  (The deadline under new laws in Michigan and Virginia will be February 15 as well, starting in 2022 and 2023, respectively.)  The deadline in New York is April 15. 
Continue Reading Insurance Cybersecurity Certifications: A State Roundup

The FTC recently settled with Flo Health, Inc., a popular fertility-tracking app, based on promises made about how health data would be shared.  In its complaint, the FTC alleged that while Flo promised to keep users’ health data private and only use it to provide the app’s services to users, in fact, health information of over 100 million users was being shared with popular third party companies. Namely, third parties who provided marketing and analytics services to the app.
Continue Reading FTC Settles with Fertility Tracking App For Alleged Deceptive Data Sharing Practices

Many supervisory authorities across Europe have reported increasing numbers of data breach notifications since the introduction of GDPR. While most companies are now familiar with the 72-hour reporting obligation for controllers to supervisory authorities, whether such obligation has been triggered continues to present unique and complex questions in each specific security event. To help aid companies sorting through these potential legal notification obligations in the aftermath of a security event, the EDPB recently released draft guidance, which is open for comment until 2 March 2021.
Continue Reading Companies Have Until March to Comment on EDPB Data Breach Notification Guidelines

As we reach the end of January 2021, it is becoming increasingly clear that this will be a busy year in the areas of privacy and data security. Following up on our posts discussing some of the important trends from last year, the Sheppard Mullin Privacy and Cyber Security team has put together a comprehensive resource containing all of our posts from last year.  From a focus on artificial intelligence, to international data flow and vendor transfer concerns, to ongoing enforcement of a patchwork of laws, we anticipate many of the issues facing companies in 2020 will not go away this year.

Continue Reading 2020 Privacy Year In Review

The Federal Trade Commission recently entered the biometric fray. It settled with a now-defunct photo-storage app over its use of facial recognition technology. According to the FTC, the company engaged in a variety of deceptive and unfair acts, in violation of Section 5 of the FTC Act.
Continue Reading Defunct Photo App Agrees to Erase Biometric Data in FTC Settlement

The FCC recently adopted new rules that will limit the volume of calls that can be made to residential phones under certain TCPA consent exceptions. The new rules affect non-telemarketing calls that use an artificial or prerecorded voice. For years, companies have been able to make unlimited numbers of these calls to residential lines without the need for prior express consent if the exceptions applied. Beginning later in 2021, companies will need to follow volume limits for the following types of exempted calls, unless they have obtained prior express consent to make more calls. The new limits will apply to calls that fall into one of these consent exceptions:
Continue Reading FCC Sets Volume Limits For Some Prerecorded Calls to Home Phones