Header graphic for print
HL Chronicle of Data Protection Privacy & Information Security News & Trends

Category Archives: Consumer Privacy

Subscribe to Consumer Privacy RSS Feed
Posted in Consumer Privacy

California Consumer Privacy Act: The Challenge Ahead – The CCPA’s “Reasonable” Security Requirement

Much of the focus on the California Consumer Protection Act (“CCPA”) has been on the new rights that it affords California consumers, including the rights to access, delete, and opt out of the sale of their personal information. But arguably the greatest risk to covered businesses involves data security, as the CCPA creates for the first time a private right of action with substantial statutory penalties for breaches involving California consumers’ personal information. This installment of the Hogan Lovells’ CCPA series explains the CCPA’s security requirement and consequences for non-compliance, and describes security controls that most organizations can implement to mitigate this risk.

Posted in Consumer Privacy

California DoJ Sets March 8 Deadline for CCPA Pre-Rulemaking Comments

The California Department of Justice has announced a March 8, 2019 deadline for submitting written pre-rulemaking comments on the California Consumer Privacy Act (CCPA). The March 8 deadline is an extension from the previously set end-of-February deadline. Pursuant to section 1798.185(a) of the CCPA, the California Attorney General (AG) is obligated to solicit broad public participation and adopt regulations to further the purposes of the CCPA. The CCPA sets out seven specific areas for AG rulemaking.

Posted in Consumer Privacy

Illinois Supreme Court Says Infringement of Rights Under Biometric Act Is Sufficient for a Claim, Even Absent Additional Harm

The Illinois Supreme Court ruled on January 25 in Rosenbach v. Six Flags Entertainment Corp. that a plaintiff can allege a violation of rights under the state’s Biometric Information Protection Act (BIPA) even without alleging “injury or damage beyond infringement of the rights afforded them under the law.”  The court decided the issue solely as a matter of statutory construction under Illinois law.  This decision will have a major impact on a number of pending BIPA lawsuits and is likely to result in increased BIPA litigation given the availability of statutory damages and attorneys’ fees under the law.

Posted in Consumer Privacy

California Department of Justice to Hold Six Public Forums on the CCPA

The California Attorney General Xavier Becerra and the California Department of Justice will hold six public forums about the California Consumer Privacy Act (CCPA) that are open to all members of the public. These public forums are being held pursuant to Section 1798.185 of the CCPA, which requires the Attorney General to “solicit broad public participation and adopt regulations to further the purposes” of the CCPA.

Posted in Consumer Privacy

California Consumer Privacy Act: The Challenge Ahead – The CCPA’s Anti-Discrimination Clause

One of the most controversial elements of the California Consumer Privacy Act (“CCPA”) is the establishment of an “anti-discrimination” right – businesses may not “discriminate” against consumers for exercising certain rights under the CCPA, and they will need to assess whether and how they can require consumers to accept certain data practices as a condition of service.  Compliance would be challenging even if the provision were articulated clearly, but as we have discussed in this blog series, the accelerated drafting process and passage of the CCPA earlier this year left little time for public comment and responsive amendments.  As a result, the law includes a series of ambiguities that complicate compliance, and nowhere is that more apparent than in the anti-discrimination provision.

This entry in Hogan Lovells’ ongoing series on the CCPA focuses on the law’s anti-discrimination clause, its ambiguities and potentially contradictory provisions, and impact on businesses.

Posted in Consumer Privacy

Digital Media Company Agrees to $4.95 Million COPPA Penalty in Settlement with NYAG

On December 4, 2018, the New York Attorney General (NYAG) announced that Oath Inc., which was known until June 2017 as AOL Inc. (AOL), has agreed to pay a $4.95 million civil penalty to settle allegations that AOL’s ad exchange practices violated the Children’s Online Privacy Protection Act (COPPA). The $4.95 million penalty is the largest ever assessed by any regulator in a COPPA enforcement matter.

Posted in Consumer Privacy

California Consumer Privacy Act: The Challenge Ahead – The Interplay Between the CCPA and Financial Institutions

The California Consumer Privacy Act of 2018 (“CCPA”) exempts information that is collected, processed, sold, or disclosed pursuant to the federal Gramm-Leach-Bliley Act (“GLBA”), and its implementing regulations (the “Privacy Rule”), or the California Financial Information Privacy Act (“CFIPA”).  It does not exempt financial institutions altogether from its requirements where a financial information is processing information not subject to these regimes.  In such situations, a financial institution must comply with a wide array of CCPA obligations, including requirements to make certain disclosures to consumers and to provide certain rights to consumers, such as the right to stop “sales” of their personal information and the right to access data that a business has collected about them. Determining whether information a financial institution processes is covered by the exemption or not can be challenging and is something that financial institutions will need to analyze for their operations.

This blog post provides background on the scope of the exemption and an overview of key considerations for financial institutions developing CCPA compliance programs.

Posted in Consumer Privacy

California Consumer Privacy Act: The Challenge Ahead – The Impact of the CCPA on Data-Driven Marketing and Business Models

In the digital age, data is everything. “Big Data” feeds countless business processes and offerings. Businesses rely on data to enhance revenue and drive efficiency, whether by better understanding the needs of existing customers, reaching new ones in previously unimagined ways, or obtaining valuable insights to guide a wide array of decisions. Data also drives developments in artificial intelligence, automation, and the Internet of Things. Come 2020, the California Consumer Privacy Act (“CCPA”) may significantly impact businesses’ data practices, with new and burdensome compliance obligations such as “sale” opt-out requirements and, in certain circumstances, restrictions on tiered pricing and service levels. This entry in Hogan Lovells’ ongoing series on the CCPA will focus on implications for data-driven businesses–the rapidly increasing number of businesses that rely heavily on consumer data, whether for marketing, gaining marketplace insights, internal research, or use as a core commodity.

Posted in Consumer Privacy

FTC Release Staff Recap of Informational Injury Workshop

The Federal Trade Commission (FTC) recently published a paper recapping its December 2017 Informational Injury Workshop.  Workshop participants, including academics, industry experts, consumer advocates, and government researchers, discussed what types of consumer harm might qualify as “substantial injury” under the FTC Act and what factors should be considered.  The paper noted that several important points emerged from the workshop.

Posted in Consumer Privacy

The Internet of Things Webinar Series: Overcoming IoT Litigation Challenges

Hogan Lovells hosted the most recent installment in its Internet of Things Webinar (IoT) Series. Christine Gateau in Paris and Michelle Kisloff in Washington DC, discussed current regulatory actions and cutting-edge IoT litigation debates in the U.S. and Europe, as well as litigation risks to keep in mind when designing IoT products. In this post, we provide a link to the recorded webinar and slide deck.

Posted in Consumer Privacy

California Passes First-Of-Its-Kind Law Focused on Internet of Things Cybersecurity

Late last month, California Governor Jerry Brown signed the first US Internet of Things (IoT) cybersecurity legislation: Senate Bill 327 and Assembly Bill 1906. Starting on January 1, 2020, manufacturers of regulated connected devices are required to equip such devices with “reasonable security features” designed to protect a connected device and any information it holds from “unauthorized access, destruction, use, modification, or disclosure.” This legislation was prompted by what the bill’s sponsor viewed as a “lack of security features on internet connected devices undermin[ing] the privacy and security of California’s consumers.”

Posted in Consumer Privacy

FTC’s Privacy Shield Enforcement Actions Show Broader Enforcement Lens

On September 27, the Federal Trade Commission (FTC) announced proposed settlement agreements with four companies it alleges violated Section 5 of the FTC Act by misrepresenting their certification status and compliance with the EU-U.S. Privacy Shield. This latest set of enforcement actions brings the FTC’s Privacy Shield related enforcement to settlements with eight defendants since the framework was adopted in July 2016 and it also introduced a couple of new FTC models of Privacy Shield enforcement.

Posted in Consumer Privacy

California Consumer Privacy Act: The Challenge Ahead – A Comparison of 10 Key Aspects of The GDPR and The CCPA

As the most comprehensive privacy law to be enacted in the United States thus far, the California Consumer Privacy Act (CCPA) has inevitably invited comparisons to the European Union’s General Data Protection Regulation (GDPR). At first glance, it is clear that the drafters of the CCPA (and the ballot measure that spurred its passage) drew inspiration from the GDPR. However, the CCPA is not a carbon copy of the GDPR, and a GDPR compliance program will not automatically meet the requirements of the CCPA. As businesses begin their CCPA compliance efforts, awareness of these laws’ similarities and differences will be key to creating efficient and effective compliance programs that capitalize on prior GDPR compliance work but also address the unique nuances of the CCPA.

Posted in Consumer Privacy

California Consumer Privacy Act: The Challenge Ahead – Consumer Litigation and the CCPA: What to Expect

This post discusses litigation exposure that businesses collecting personal information about California consumers should consider in the wake of the California Legislature’s passage of the California Consumer Privacy Act of 2018 (CCPA). The CCPA creates a limited private right of action for suits arising out of data breaches.  At the same time, it also precludes individuals from using it as a basis for a private right of action under any other statute.  Both features of the law have potentially far-reaching implications and will garner the attention of an already relentless plaintiffs’ bar when it goes into effect January 1, 2020.

Posted in Consumer Privacy

National Science Foundation Seeks Comments on Artificial Intelligence, Continuing Policy Makers’ Focus on AI

The National Science Foundation is seeking public comment on US policy for artificial intelligence, according to the Federal Register Notice of Request for Information (RFI) filed in September 26, 2018.  Specifically, the RFI requests input from the public as to whether the National Artificial Intelligence Research and Development Strategic Plan (AI Strategic Plan) should be updated or improved.  Comments to the RFI are due to the National Science Foundation by October 26, 2018.

Posted in Consumer Privacy

NTIA Seeks Comment on New, Outcome-Based Privacy Approach

The U.S. Department of Commerce’s National Telecommunications and Information Administration (NTIA) issued a Request for Comments (RFC) on a new consumer privacy approach that is designed to focus on outcomes instead of prescriptive mandates. The RFC presents an important opportunity for organizations to provide legal and policy input to the administration, and comments are due October 26.

Posted in Consumer Privacy

California Consumer Privacy Act: The Challenge Ahead — Data Mapping and the CCPA

The California Consumer Privacy Act of 2018 (“CCPA”) provides a series of new compliance obligations and operational challenges for companies doing business in California. A vital first step for any company subject to the CCPA and looking to forge a practical path forward is to inventory the personal information (“PI”) that the company collects, stores, and shares with others. As part of our ongoing series on the CCPA and its implications, this post sets out key issues and questions to consider when contemplating a data mapping exercise.

Posted in Consumer Privacy

California Consumer Privacy Act: The Challenge Ahead — Key Terms in the CCPA

Words matter. Nowhere is this truer than in legislation, where word choices—often the product of long debate and imperfect compromise—determine the scope and impact of a law. Legislative history can speak volumes about those word choices, and the unique legislative history of the California Consumer Privacy Act of 2018 (CCPA) only highlights the importance of understanding the terms used in the act. We thus focus here on discussing some of the CCPA’s key definitional terms.

Posted in Consumer Privacy

California Consumer Privacy Act: The Challenge Ahead — Introduction to Hogan Lovells’ Blog Series

We have heard the California Consumer Privacy Act of 2018 (CCPA) called many things since its enactment on June 28, 2018. Our experience to date has confirmed the compliance challenge ahead for organizations that engage with the residents of the world’s fifth-largest economy. We will explore the ramifications for businesses of this seminal legislation in this multi-part series, “The Challenge Ahead” authored by members of Hogan Lovells’ CCPA team. In this first installment, we describe recent activity to enact so-called “technical” amendments to the CCPA.

Posted in Consumer Privacy

Now Available: California Consumer Privacy Act: What you need to know now webinar recording and slides

On July 24, members of the Hogan Lovells global privacy team presented a webinar on the new California Consumer Privacy Act, a ground-breaking new data privacy law that some are calling the United States’ answer to the European Union’s General Data Protection Regulation. In this post, we provide links to the recorded webinar and slide deck.

Posted in Consumer Privacy

California Enacts Sweeping New Comprehensive Privacy Legislation

California continues to be a first mover in privacy in the United States, enacting the US’s toughest and most comprehensive privacy legislation on Thursday, June 28, 2018. Unlike existing state and federal privacy legislation that has generally focused on specific sectors or privacy issues, the California Consumer Privacy Act of 2018 (AB 375), applies broadly to businesses that collect personal information about California consumers and aims to create significant new consumer privacy rights. In doing so, it creates significant new obligations for businesses.

Posted in Consumer Privacy, Privacy & Security Litigation

U.S. Supreme Court Holds that Historical Cell Site Location Data Is Subject to a Reasonable Expectation of Privacy

In a landmark 5-4 decision, the United States Supreme Court held that the government conducts a search under the Fourth Amendment and therefore, absent exigent circumstances, needs a warrant supported by probable cause when obtaining cell-site location information (i.e., records of the cell towers to which mobile devices connect). The majority reached that conclusion based on the determination that such location records are subject to a reasonable expectation of privacy that continues to apply even though the location records are disclosed to the cell phone user’s wireless carrier, a third party.

Posted in Consumer Privacy

California Consumer Privacy Bill Fast-Tracked to Replace November Ballot Initiative

On June 22, California lawmakers announced Assembly Bill 375, a broad-based consumer privacy bill that is intended to serve as an alternative to the California Consumer Privacy Act, a far-reaching consumer privacy initiative that is on track to be on the California ballot this November. The chief sponsor of the CCPA, Alastair Mactaggart, has stated that he will withdraw the initiative from the ballot if AB 375 is passed this week.