On March 20, the FCC released a Declaratory Ruling confirming that the pandemic caused by the novel coronavirus qualifies as an emergency under the Telephone Consumer Protection Act. As a result, hospitals, health care providers, health officials, and other government officials may use automated calls and text messages to communicate information about COVID-19 when “necessary to protect the health and safety of citizens,” without violating the TCPA.
Across the world, large retail stores and small businesses alike are shutting their doors. International flights and sporting events, conferences and concerts (and everything in between) are being cancelled. With all of the cancellations, postponements, and alternative arrangements that are required as a result of this global crisis, plus the special desire of all retail, travel, and other consumer-facing businesses to stay in touch with their customers, many organisations face the critical challenge of getting to grips with the legal rules that apply to those unsolicited communications and interactions.
On March 11, The California Attorney General released a second set of modifications to the proposed regulations implementing the California Consumer Privacy Act. These modifications update the initial draft regulations published on October 11, 2019 as well as the first set of modified draft regulations published on February 10, 2020. The second set of modifications contain a small number of impactful changes, which we summarize in this post.
Slowly but surely, the U.S. Courts of Appeal increasingly agree on how to interpret the definition of “automatic telephone dialing system” in the Telephone Consumer Protection Act. On February 19, 2020, a unanimous Seventh Circuit panel refused to revise a putative class action in Gadelhak v. AT&T Services, Inc. after concluding that the dialing system used by AT&T did not qualify as an autodialer. Like the Eleventh Circuit in Glasser v. Hilton Grand Vacations Company, LLC and Third Circuit in Dominguez v. Yahoo, Inc., the Seventh Circuit held that an “autodialer” must use “a random or sequential number generator” to either store or produce numbers. Because the system used by AT&T simply pulled numbers from a database, the court found that the system was not an autodialer and the texts did not violate the TCPA.
On Friday, February 7, 2020, the California Attorney General released notice of changes to the California Consumer Privacy Act draft regulations. Initial draft regulations were published for public comment on October 11, 2019. Public comments on these modified draft CCPA regulations will be accepted by the CA AG until Monday, February 24, 2020, at 5 pm PST.
Alongside its flurry of CCPA amendments last term, the California legislature passed Assembly Bill 1202, the nation’s second “data broker” registration law. AB 1202 requires “data brokers” to register with and pay an annual fee to the California Attorney General. AB 1202 uses the CCPA’s definitions for key terms, so even businesses that are not traditional data brokers may need to register.
Washington State is already shaping up as a center of state privacy legislation for 2020. Last year, SB 5376 gained significant traction in the legislature, passing the state Senate almost unanimously but ultimately failing in the House due to discussions around facial recognition and compliance challenges. State Senator Reuven Carlyle, chair of the state’s Senate Energy, Climate & Technology Committee, has now released a revised draft of the WPA for 2020. If enacted as drafted, this new version of the WPA would come into effect on July 31, 2021.
On November 14, 2019, the Hogan Lovells Privacy and Cybersecurity team provided an important CCPA update. The webinar recording and slides are now available on our blog.
On October 22, the Interactive Advertising Bureau, a media and marketing industry trade group, released for public comment the California Consumer Privacy Act Compliance Framework for Publishers and Technology Companies and accompanying technical specifications to implement the Framework. The draft Framework is designed to help Framework participants (including publishers and intermediaries) comply with the California Consumer Privacy Act by: (1) establishing a digital signal that Framework participants can use to communicate consumer requests to opt out of “sales” of personal information associated with digital advertising; and (2) supporting that signal with a standard contract designed to create service provider relationships between publishers and advertising companies after a consumer registers an opt out. The IAB is requesting comments, which can be sent to firstname.lastname@example.org, by November 5, 2019.
On October 10, California Attorney General Xavier Becerra released proposed regulations to implement certain provisions of the California Consumer Privacy Act. The proposed regulations would create many new requirements. They provide clarifications to businesses and consumers in five key CCPA areas as summarized within this post.
Since the California Consumer Privacy Act’s hasty passage in June last year and minor changes last September, the CCPA has vexed businesses working on compliance. Among many practical challenges, the CCPA often includes inconsistent or ambiguous requirements that have been an obstacle to implementing clear compliance strategies. Businesses, some academics, and various legislators thought that further amendments were needed to make the CCPA work effectively and accomplish its objectives. Over the past several months, the California legislature debated several amendments, eventually passing five bills, which now sit on the Governor’s desk. These bills collectively do not provide the sweeping changes sought by businesses. Instead amendments make minor tweaks and postpone for a year some of the more challenging requirements.
The Federal Trade Commission is requesting public comments on the Children’s Online Privacy Protection Rule. In particular, the FTC is seeking feedback on the effectiveness of its 2013 amendments to the COPPA Rule and on whether additional changes are needed. Comments are due October 23, 2019. The FTC will also be hosting a COPPA workshop on October 7, 2019.
The U.S. Chamber of Commerce Institute for Legal Reform has published “Ill-Suited: Private Rights of Action and Privacy Claims,” a white paper authored by Hogan Lovells’ Mark W. Brennan, Alicia Paller, Adam Cooke, and Joseph Cavanaugh explaining why private litigation is a poor enforcement tool for privacy laws. As detailed in the paper, when it comes to privacy interests, “harms” are largely inchoate and intangible, and the wrongdoers are often unknown or unidentifiable. Even where class members may have suffered a concrete injury, the data indicates that they are unlikely to receive material compensatory or injunctive relief through private litigation. Meanwhile, plaintiffs’ counsel often walks away with millions of dollars, court dockets are unduly cluttered, and companies are forced to expend resources on baseless litigation.
On June 20, 2019, the Supreme Court released its long-awaited decision in PDR v. Carlton & Harris Chiropractic. The Court was expected to provide greater clarity about the extent to which litigants can challenge the Federal Communications Commission’s Telephone Consumer Protection Act interpretations in private litigation. Instead of deciding that issue, however, the Court vacated the Fourth Circuit’s ruling and remanded the case for further development. How the Fourth Circuit rules on remand may ultimately provide more insight on how much deference is owed to the FCC’s TCPA interpretations.
This year’s TMT Horizons includes 22 short articles—including five articles focusing on data protection issues—contributed by our lawyers around the globe, focusing on the trends and issues our clients are facing. These articles reflect the fact that the intersection between the inherent dynamism of the sector and the increasing challenges to unchecked globalization will dominate the next chapter for TMT.
Nevada has a new privacy law. On May 29, Nevada Governor Steve Sisolak signed Senate Bill 220 (SB-220) into law, making Nevada the first state to join California in granting consumers the right to opt out of the sale of their personal information. The act, which amends an existing online privacy notice law, is significantly narrower than the California Consumer Privacy Act (CCPA).
Following the one-year anniversary of the coming into effect of the GDPR, Hogan Lovells’ Privacy and Cybersecurity practice has prepared summaries of key GDPR-related developments of the past 12 months. The summaries cover regulatory guidance, enforcement actions, court proceedings, and various reports and materials.
While eyes focus on the privacy legislative debate now underway in the United States, the development of a new Privacy Framework by the influential National Institute for Standards and Technology (“NIST”) is also worthy of attention. On May 13-14, 2019, NIST hosted its second workshop on the recently released discussion draft of its “Privacy Framework: An Enterprise Risk Management Tool” (“Privacy Framework”). The workshop brought together stakeholders to provide feedback on the draft and suggest areas for revision. NIST had previously hosted a workshop in October 2018 to kick off the development of the Privacy Framework and had presented its thinking at other fora such as the Brookings Institution.
On May 1, 2019, the National Institute of Standards and Technology (NIST) announced a Request for Information (RFI) in the Federal Register regarding ongoing efforts to develop technical standards for artificial intelligence (AI) technologies and the identification of priority areas for federal involvement in AI standards-related activities. Responses to the RFI are due by May 31, 2019.
A number of legislative proposals seeking to amend the California Consumer Privacy Act are moving forward following an April 23 hearing before the California Assembly’s Committee on Privacy and Consumer Protection in which the bills were approved. The bills will now advance to the Assembly’s Appropriations Committee before being voted on by the full Assembly and potentially advancing to the California Senate for consideration.
The consumer industry is evolving at lightning speed, and the way consumer businesses operate is shifting. In this year’s edition of Consumer Horizons, the Hogan Lovells global Consumer team identifies trends that will impact food and beverages companies, fashion and luxury goods producers, retailers, consumer electronics manufacturers, and other consumer businesses throughout 2019. Members of Hogan Lovells’ Privacy and Cybersecurity team contributed to Consumer Horizons 2019 to highlight some key privacy and data protection issues that businesses in the consumer industry should take note of.
The California legislature is considering significant amendments to the California Consumer Privacy Act ahead of the law’s January 1, 2020 implementation date. Of particular note has been the potential for CCPA amendments to expand the private right of action beyond violations of businesses’ duty to implement and maintain reasonable security procedures to instead cover violations of any CCPA rights.
In June of 2018, California passed the California Consumer Privacy Act, which seeks to give consumers additional safeguards regarding their personal information. The CCPA will become effective January of 2020 and may impact companies in the education sector, including the larger education technology companies. While the CCPA does not apply to nonprofit educational institutions, it may apply to certain for-profit educational institutions, third-party service providers, and others in the education space. If an educational entity meets the threshold requirements below or it processes information on behalf of such an entity, it should prepare for CCPA implementation by January 2020.
On February 27, 2019, the Federal Trade Commission (“FTC”) announced that it settled with the operators of a video social networking app for a record civil penalty of $5.7 million under the Children’s Online Privacy Protection Act (“COPPA”). This FTC COPPA action was notable not just for the size of the penalty, but also because of the joint statement by the two Democratic Commissioners, Rebecca Slaughter and Rohit Chopra, that future FTC enforcement should seek to hold corporate officers and directors accountable for violations of consumer protection law.