It’s official. The California Privacy Rights Act has received enough valid signatures to appear on the November 2020 ballot. And if polling from late last year remains accurate, California voters are likely to approve it. If voters approve the initiative, the CPRA would significantly expand the CCPA, establish the California Privacy Protection Agency, remove the CCPA’s cure period, and impose a number of GDPR-styled obligations on businesses, among other requirements. The substantive provisions of the CPRA would take effect January 1, 2023.
Category Archives: Consumer Privacy
Subscribe to Consumer Privacy RSS FeedCalifornia AG Submits CCPA Regulations for Approval – Requests Expedited Review Ahead of July 1 Enforcement Deadline
On June 1, The California Attorney General submitted the final text of the CCPA regulations to the California Office of Administrative Law for approval. Though regulations submitted to the OAL in June ordinarily would not become effective—if approved—until October 1, the CA AG has requested an expedited review. According to the CA AG, the expedited review would allow the regulations to become effective by July 1, which still is the date his office plans to begin enforcing the CCPA according to a public statement.
California Privacy Compliance Obligations May Soon Change Under CPRA Ballot Initiative
The California Privacy Rights Act is progressing through California’s elections process for inclusion on the November 2020 ballot. Businesses may want to begin considering how their data privacy obligations in California may change if voters enact CPRA. The CPRA would significantly amend the CCPA. Included in this blog post is a summary of key additions and modifications to the CCPA’s existing obligations.
Hogan Lovells Launches Global Privacy Guide to Support Businesses with COVID-19 Exit Plans
As the world focuses its efforts on the right strategy to beat the coronavirus and make normal life safe again, businesses are devising and implementing a variety of measures to deal with the COVID-19 crisis which rely on the collection, use and dissemination of personal data. To assist with this challenge and ensure that privacy and cybersecurity aspects are appropriately addressed, Hogan Lovells has released today a detailed guide providing legal analysis and practical recommendations. The guide is made available in this post.
CCPA Regulations Still Not Final as Enforcement Deadline Approaches; CPRA Appears to Move Forward
Businesses spent the latter months of 2019 working hard to prepare for the January 1, 2020 implementation of the California Consumer Privacy Act. Months later, those businesses still are uncertain of their full range of potential compliance obligations because the California Attorney General’s CCPA implementing regulations are still not final. As businesses refine their CCPA compliance programs, they should also be aware that privacy rules in California could again change before the end of this year if the California Privacy Rights Act ballot initiative is approved by voters. Both the regulations and the CPRA are subject to complicated administrative processes that could affect their adoption and implementation, as described in this post.
Now Available: Biometric Data — Power, Promise and Privacy Challenges (Panel Discussion Materials)
On February 26, Hogan Lovells participated in a panel discussion about the privacy and security concerns with biometric data at the RSA Conference. The recording and slideshow are now available on our blog.
EDPB’s New Guidelines – Clinical Trials in the EU and COVID-19
We currently live in a world where the rapid spread of COVID-19 has provoked the urge to initiate the search for an effective vaccine or medicines to fight against it. In this context, the EDPB has recently published its Guidelines 03/2020 on the processing of data concerning health for the purpose of scientific research in the context of the COVID-19 outbreak with the clear objective of ensuring that patients’ and trial subjects’ privacy is not disregarded while clinical trials are carried out.
Second Circuit Panel Sides With Ninth Circuit on What Qualifies as an Autodialer
A recent decision by the U.S. Court of Appeals for the Second Circuit in Duran v. La Boom Disco, Inc. has interrupted the emerging consensus around the definition of “autodialer” in the Telephone Consumer Protection Act. On April 7, 2020, a Second Circuit panel joined a Ninth Circuit panel in adopting a broad reading of the statutory definition of “automatic telephone dialing system,” commonly referred to as an autodialer. The Duran decision also rejected the reasoning in opinions issued by panels in the Seventh and Eleventh Circuits earlier this year, which deepens the split between the Courts of Appeals and increases the pressure on the Federal Communications Commission, Congress, and even the U.S. Supreme Court to provide clarity on what constitutes an autodialer under the TCPA.
COVID-19 and IT Service Provider Contracts: A Checklist for Force Majeure Events
COVID-19 has impacted organizations’ relationships with their IT service providers, who often play an important role in securing their data and systems. Under current conditions, some service providers may face challenges in performing this work. Potential non-performance has significant consequences for service providers and their clients alike. To prepare for these challenges, entities that have contracts with service providers—and service providers themselves—should carefully review their existing agreements and any force majeure-type provisions in particular. This post includes our COVID-19 service provider risk mitigation checklist.
FCC Confirms that Certain COVID-19 Communications Fall Within the TCPA’s “Emergency Purposes” Exception
On March 20, the FCC released a Declaratory Ruling confirming that the pandemic caused by the novel coronavirus qualifies as an emergency under the Telephone Consumer Protection Act. As a result, hospitals, health care providers, health officials, and other government officials may use automated calls and text messages to communicate information about COVID-19 when “necessary to protect the health and safety of citizens,” without violating the TCPA.
Getting Customer Communications Right in Times of Coronavirus
Across the world, large retail stores and small businesses alike are shutting their doors. International flights and sporting events, conferences and concerts (and everything in between) are being cancelled. With all of the cancellations, postponements, and alternative arrangements that are required as a result of this global crisis, plus the special desire of all retail, travel, and other consumer-facing businesses to stay in touch with their customers, many organisations face the critical challenge of getting to grips with the legal rules that apply to those unsolicited communications and interactions.
Second Modified CCPA Draft Regulations Released—Comments Due March 27
On March 11, The California Attorney General released a second set of modifications to the proposed regulations implementing the California Consumer Privacy Act. These modifications update the initial draft regulations published on October 11, 2019 as well as the first set of modified draft regulations published on February 10, 2020. The second set of modifications contain a small number of impactful changes, which we summarize in this post.
Seventh Circuit Joins Third and Eleventh Circuits in “Autodialer” Circuit Split
Slowly but surely, the U.S. Courts of Appeal increasingly agree on how to interpret the definition of “automatic telephone dialing system” in the Telephone Consumer Protection Act. On February 19, 2020, a unanimous Seventh Circuit panel refused to revise a putative class action in Gadelhak v. AT&T Services, Inc. after concluding that the dialing system used by AT&T did not qualify as an autodialer. Like the Eleventh Circuit in Glasser v. Hilton Grand Vacations Company, LLC and Third Circuit in Dominguez v. Yahoo, Inc., the Seventh Circuit held that an “autodialer” must use “a random or sequential number generator” to either store or produce numbers. Because the system used by AT&T simply pulled numbers from a database, the court found that the system was not an autodialer and the texts did not violate the TCPA.
Modified CCPA Regulations Released—Comments Due February 25 (Updated)
On Friday, February 7, 2020, the California Attorney General released notice of changes to the California Consumer Privacy Act draft regulations. Initial draft regulations were published for public comment on October 11, 2019. Public comments on these modified draft CCPA regulations will be accepted by the CA AG until Monday, February 24, 2020, at 5 pm PST.
California’s Data Broker Registration Deadline Looming
Alongside its flurry of CCPA amendments last term, the California legislature passed Assembly Bill 1202, the nation’s second “data broker” registration law. AB 1202 requires “data brokers” to register with and pay an annual fee to the California Attorney General. AB 1202 uses the CCPA’s definitions for key terms, so even businesses that are not traditional data brokers may need to register.
Washington State to Try Again for a Comprehensive Privacy Law
Washington State is already shaping up as a center of state privacy legislation for 2020. Last year, SB 5376 gained significant traction in the legislature, passing the state Senate almost unanimously but ultimately failing in the House due to discussions around facial recognition and compliance challenges. State Senator Reuven Carlyle, chair of the state’s Senate Energy, Climate & Technology Committee, has now released a revised draft of the WPA for 2020. If enacted as drafted, this new version of the WPA would come into effect on July 31, 2021.
Now Available: CCPA Update (Webinar Materials)
On November 14, 2019, the Hogan Lovells Privacy and Cybersecurity team provided an important CCPA update. The webinar recording and slides are now available on our blog.
IAB Soliciting Comments on Draft Compliance Framework for Programmatic Advertising under the CCPA
On October 22, the Interactive Advertising Bureau, a media and marketing industry trade group, released for public comment the California Consumer Privacy Act Compliance Framework for Publishers and Technology Companies and accompanying technical specifications to implement the Framework. The draft Framework is designed to help Framework participants (including publishers and intermediaries) comply with the California Consumer Privacy Act by: (1) establishing a digital signal that Framework participants can use to communicate consumer requests to opt out of “sales” of personal information associated with digital advertising; and (2) supporting that signal with a standard contract designed to create service provider relationships between publishers and advertising companies after a consumer registers an opt out. The IAB is requesting comments, which can be sent to privacy@iab.com, by November 5, 2019.
California AG Releases Proposed CCPA Regulations
On October 10, California Attorney General Xavier Becerra released proposed regulations to implement certain provisions of the California Consumer Privacy Act. The proposed regulations would create many new requirements. They provide clarifications to businesses and consumers in five key CCPA areas as summarized within this post.
The Results Are in: Modest Changes to CCPA Await the Governor’s Signature
Since the California Consumer Privacy Act’s hasty passage in June last year and minor changes last September, the CCPA has vexed businesses working on compliance. Among many practical challenges, the CCPA often includes inconsistent or ambiguous requirements that have been an obstacle to implementing clear compliance strategies. Businesses, some academics, and various legislators thought that further amendments were needed to make the CCPA work effectively and accomplish its objectives. Over the past several months, the California legislature debated several amendments, eventually passing five bills, which now sit on the Governor’s desk. These bills collectively do not provide the sweeping changes sought by businesses. Instead amendments make minor tweaks and postpone for a year some of the more challenging requirements.
Reminder that the FTC is Providing an Opportunity to Comment on COPPA Rule by October 23
The Federal Trade Commission is requesting public comments on the Children’s Online Privacy Protection Rule. In particular, the FTC is seeking feedback on the effectiveness of its 2013 amendments to the COPPA Rule and on whether additional changes are needed. Comments are due October 23, 2019. The FTC will also be hosting a COPPA workshop on October 7, 2019.
Ill-Suited: Private Rights of Action and Privacy Claims
The U.S. Chamber of Commerce Institute for Legal Reform has published “Ill-Suited: Private Rights of Action and Privacy Claims,” a white paper authored by Hogan Lovells’ Mark W. Brennan, Alicia Paller, Adam Cooke, and Joseph Cavanaugh explaining why private litigation is a poor enforcement tool for privacy laws. As detailed in the paper, when it comes to privacy interests, “harms” are largely inchoate and intangible, and the wrongdoers are often unknown or unidentifiable. Even where class members may have suffered a concrete injury, the data indicates that they are unlikely to receive material compensatory or injunctive relief through private litigation. Meanwhile, plaintiffs’ counsel often walks away with millions of dollars, court dockets are unduly cluttered, and companies are forced to expend resources on baseless litigation.
U.S. Supreme Court Sidesteps Important TCPA Deference Issues
On June 20, 2019, the Supreme Court released its long-awaited decision in PDR v. Carlton & Harris Chiropractic. The Court was expected to provide greater clarity about the extent to which litigants can challenge the Federal Communications Commission’s Telephone Consumer Protection Act interpretations in private litigation. Instead of deciding that issue, however, the Court vacated the Fourth Circuit’s ruling and remanded the case for further development. How the Fourth Circuit rules on remand may ultimately provide more insight on how much deference is owed to the FCC’s TCPA interpretations.
TMT Horizons 2019
This year’s TMT Horizons includes 22 short articles—including five articles focusing on data protection issues—contributed by our lawyers around the globe, focusing on the trends and issues our clients are facing. These articles reflect the fact that the intersection between the inherent dynamism of the sector and the increasing challenges to unchecked globalization will dominate the next chapter for TMT.