Header graphic for print
HL Chronicle of Data Protection Privacy & Information Security News & Trends

Timothy Tobin

Posts by Timothy Tobin
Posted in Consumer Privacy

California Privacy Rights Act to Appear on November 2020 Ballot

It’s official. The California Privacy Rights Act has received enough valid signatures to appear on the November 2020 ballot. And if polling from late last year remains accurate, California voters are likely to approve it. If voters approve the initiative, the CPRA would significantly expand the CCPA, establish the California Privacy Protection Agency, remove the CCPA’s cure period, and impose a number of GDPR-styled obligations on businesses, among other requirements. The substantive provisions of the CPRA would take effect January 1, 2023.

Posted in Consumer Privacy

California AG Submits CCPA Regulations for Approval – Requests Expedited Review Ahead of July 1 Enforcement Deadline

On June 1, The California Attorney General submitted the final text of the CCPA regulations to the California Office of Administrative Law for approval. Though regulations submitted to the OAL in June ordinarily would not become effective—if approved—until October 1, the CA AG has requested an expedited review. According to the CA AG, the expedited review would allow the regulations to become effective by July 1, which still is the date his office plans to begin enforcing the CCPA according to a public statement.

Posted in Consumer Privacy

California Privacy Compliance Obligations May Soon Change Under CPRA Ballot Initiative

The California Privacy Rights Act is progressing through California’s elections process for inclusion on the November 2020 ballot. Businesses may want to begin considering how their data privacy obligations in California may change if voters enact CPRA. The CPRA would significantly amend the CCPA. Included in this blog post is a summary of key additions and modifications to the CCPA’s existing obligations.

Posted in Cybersecurity & Data Breaches

New York Department of Financial Services Released New Guidance Addressing COVID-19 Related Cybersecurity Risks

Continuing its focus on COVID-19’s impact on its regulated entities, on April 13, the New York Department of Financial Services released new cybersecurity guidance in response to the COVID-19 pandemic. The guidance highlights the heightened cybersecurity risks from the current crisis and NYDFS’ expectations that its regulated entities address those risks as large portions of their workforce have shifted to remote working arrangements.

Posted in Consumer Privacy, News & Events

Second Modified CCPA Draft Regulations Released—Comments Due March 27

On March 11, The California Attorney General released a second set of modifications to the proposed regulations implementing the California Consumer Privacy Act. These modifications update the initial draft regulations published on October 11, 2019 as well as the first set of modified draft regulations published on February 10, 2020. The second set of modifications contain a small number of impactful changes, which we summarize in this post.

Posted in Consumer Privacy

Modified CCPA Regulations Released—Comments Due February 25 (Updated)

On Friday, February 7, 2020, the California Attorney General released notice of changes to the California Consumer Privacy Act draft regulations. Initial draft regulations were published for public comment on October 11, 2019. Public comments on these modified draft CCPA regulations will be accepted by the CA AG until Monday, February 24, 2020, at 5 pm PST.

Posted in Consumer Privacy

California’s Data Broker Registration Deadline Looming

Alongside its flurry of CCPA amendments last term, the California legislature passed Assembly Bill 1202, the nation’s second “data broker” registration law. AB 1202 requires “data brokers” to register with and pay an annual fee to the California Attorney General. AB 1202 uses the CCPA’s definitions for key terms, so even businesses that are not traditional data brokers may need to register.

Posted in Consumer Privacy

Washington State to Try Again for a Comprehensive Privacy Law

Washington State is already shaping up as a center of state privacy legislation for 2020. Last year, SB 5376 gained significant traction in the legislature, passing the state Senate almost unanimously but ultimately failing in the House due to discussions around facial recognition and compliance challenges. State Senator Reuven Carlyle, chair of the state’s Senate Energy, Climate & Technology Committee, has now released a revised draft of the WPA for 2020. If enacted as drafted, this new version of the WPA would come into effect on July 31, 2021.

Posted in Consumer Privacy

IAB Soliciting Comments on Draft Compliance Framework for Programmatic Advertising under the CCPA

On October 22, the Interactive Advertising Bureau, a media and marketing industry trade group, released for public comment the California Consumer Privacy Act Compliance Framework for Publishers and Technology Companies and accompanying technical specifications to implement the Framework. The draft Framework is designed to help Framework participants (including publishers and intermediaries) comply with the California Consumer Privacy Act by: (1) establishing a digital signal that Framework participants can use to communicate consumer requests to opt out of “sales” of personal information associated with digital advertising; and (2) supporting that signal with a standard contract designed to create service provider relationships between publishers and advertising companies after a consumer registers an opt out. The IAB is requesting comments, which can be sent to privacy@iab.com, by November 5, 2019.

Posted in Consumer Privacy

California AG Releases Proposed CCPA Regulations

On October 10, California Attorney General Xavier Becerra released proposed regulations to implement certain provisions of the California Consumer Privacy Act. The proposed regulations would create many new requirements. They provide clarifications to businesses and consumers in five key CCPA areas as summarized within this post.

Posted in Consumer Privacy

The Results Are in: Modest Changes to CCPA Await the Governor’s Signature

Since the California Consumer Privacy Act’s hasty passage in June last year and minor changes last September, the CCPA has vexed businesses working on compliance. Among many practical challenges, the CCPA often includes inconsistent or ambiguous requirements that have been an obstacle to implementing clear compliance strategies. Businesses, some academics, and various legislators thought that further amendments were needed to make the CCPA work effectively and accomplish its objectives. Over the past several months, the California legislature debated several amendments, eventually passing five bills, which now sit on the Governor’s desk. These bills collectively do not provide the sweeping changes sought by businesses. Instead amendments make minor tweaks and postpone for a year some of the more challenging requirements.

Posted in Consumer Privacy

Reminder that the FTC is Providing an Opportunity to Comment on COPPA Rule by October 23

The Federal Trade Commission is requesting public comments on the Children’s Online Privacy Protection Rule. In particular, the FTC is seeking feedback on the effectiveness of its 2013 amendments to the COPPA Rule and on whether additional changes are needed. Comments are due October 23, 2019. The FTC will also be hosting a COPPA workshop on October 7, 2019.

Posted in Consumer Privacy

New Nevada Privacy Law With “Sale” Opt-Out Right Will Take Effect Before the CCPA

Nevada has a new privacy law. On May 29, Nevada Governor Steve Sisolak signed Senate Bill 220 (SB-220) into law, making Nevada the first state to join California in granting consumers the right to opt out of the sale of their personal information. The act, which amends an existing online privacy notice law, is significantly narrower than the California Consumer Privacy Act (CCPA).

Posted in Cybersecurity & Data Breaches

Cybersecurity Standards for the Insurance Sector – A New Patchwork Quilt in the US?

In the past two years, multiple state bills that have been introduced in the US to provide for cybersecurity requirements and standards to the insurance sector, with recent legislative activity taking place in particular within the States of Ohio, South Carolina, and Michigan. The entering into effect of multiple state laws in this area may present challenges for insurance providers operating in states where such cybersecurity requirements are provided for.

Posted in Financial Privacy

FTC Seeks Comment on Proposed Changes to GLBA Implementing Rules

The Federal Trade Commission issued notices on March 5 seeking public comment on proposed amendments to the regulations implementing the Gramm-Leach-Bliley Act, commonly known as the Safeguards Rule and Privacy Rule. Once the notices are published in the Federal Register comments must be received within 60 days. The proposed changes to the Safeguards Rule add a number of more detailed security requirements, whereas the proposed changes to the Privacy Rule are more focused on technical changes to align the Rule with changes in law over the past decade.

Posted in Consumer Privacy

FTC Obtains Record COPPA Settlement

On February 27, 2019, the Federal Trade Commission (“FTC”) announced that it settled with the operators of a video social networking app for a record civil penalty of $5.7 million under the Children’s Online Privacy Protection Act (“COPPA”). This FTC COPPA action was notable not just for the size of the penalty, but also because of the joint statement by the two Democratic Commissioners, Rebecca Slaughter and Rohit Chopra, that future FTC enforcement should seek to hold corporate officers and directors accountable for violations of consumer protection law.

Posted in Consumer Privacy

California DoJ Sets March 8 Deadline for CCPA Pre-Rulemaking Comments

The California Department of Justice has announced a March 8, 2019 deadline for submitting written pre-rulemaking comments on the California Consumer Privacy Act (CCPA). The March 8 deadline is an extension from the previously set end-of-February deadline. Pursuant to section 1798.185(a) of the CCPA, the California Attorney General (AG) is obligated to solicit broad public participation and adopt regulations to further the purposes of the CCPA. The CCPA sets out seven specific areas for AG rulemaking.

Posted in Consumer Privacy

Illinois Supreme Court Says Infringement of Rights Under Biometric Act Is Sufficient for a Claim, Even Absent Additional Harm

The Illinois Supreme Court ruled on January 25 in Rosenbach v. Six Flags Entertainment Corp. that a plaintiff can allege a violation of rights under the state’s Biometric Information Protection Act (BIPA) even without alleging “injury or damage beyond infringement of the rights afforded them under the law.”  The court decided the issue solely as a matter of statutory construction under Illinois law.  This decision will have a major impact on a number of pending BIPA lawsuits and is likely to result in increased BIPA litigation given the availability of statutory damages and attorneys’ fees under the law.

Posted in Consumer Privacy

California Consumer Privacy Act: The Challenge Ahead – The Interplay Between the CCPA and Financial Institutions

The California Consumer Privacy Act of 2018 (“CCPA”) exempts information that is collected, processed, sold, or disclosed pursuant to the federal Gramm-Leach-Bliley Act (“GLBA”), and its implementing regulations (the “Privacy Rule”), or the California Financial Information Privacy Act (“CFIPA”).  It does not exempt financial institutions altogether from its requirements where a financial information is processing information not subject to these regimes.  In such situations, a financial institution must comply with a wide array of CCPA obligations, including requirements to make certain disclosures to consumers and to provide certain rights to consumers, such as the right to stop “sales” of their personal information and the right to access data that a business has collected about them. Determining whether information a financial institution processes is covered by the exemption or not can be challenging and is something that financial institutions will need to analyze for their operations.

This blog post provides background on the scope of the exemption and an overview of key considerations for financial institutions developing CCPA compliance programs.

Posted in Consumer Privacy

California Consumer Privacy Act: The Challenge Ahead – The Impact of the CCPA on Data-Driven Marketing and Business Models

In the digital age, data is everything. “Big Data” feeds countless business processes and offerings. Businesses rely on data to enhance revenue and drive efficiency, whether by better understanding the needs of existing customers, reaching new ones in previously unimagined ways, or obtaining valuable insights to guide a wide array of decisions. Data also drives developments in artificial intelligence, automation, and the Internet of Things. Come 2020, the California Consumer Privacy Act (“CCPA”) may significantly impact businesses’ data practices, with new and burdensome compliance obligations such as “sale” opt-out requirements and, in certain circumstances, restrictions on tiered pricing and service levels. This entry in Hogan Lovells’ ongoing series on the CCPA will focus on implications for data-driven businesses–the rapidly increasing number of businesses that rely heavily on consumer data, whether for marketing, gaining marketplace insights, internal research, or use as a core commodity.

Posted in Consumer Privacy

FTC Release Staff Recap of Informational Injury Workshop

The Federal Trade Commission (FTC) recently published a paper recapping its December 2017 Informational Injury Workshop.  Workshop participants, including academics, industry experts, consumer advocates, and government researchers, discussed what types of consumer harm might qualify as “substantial injury” under the FTC Act and what factors should be considered.  The paper noted that several important points emerged from the workshop.

Posted in Employment Privacy

California Consumer Privacy Act: The Challenge Ahead – CCPA and Employee Data

The application of the California Consumer Protection Act of 2018 (“CCPA”) to employee data has been the subject of much debate since the first version of the bill was introduced on June 21, 2018 (just days prior to its enactment on June 28). Under a plain language reading of the CCPA, the law likely applies to employee data. However, it is unclear whether the California legislature intended that result. There is no clarity to be found in the general statutory structure, the legislative history, legislative responses to advocate letters, or the technical amendments signed into law on September 23. As part of our ongoing series on the CCPA, this post lays out why the issue of CCPA applicability to employees is controversial and nevertheless offers potential strategies to address CCPA compliance requirements as they may relate to personnel records.

Posted in Consumer Privacy

California Passes First-Of-Its-Kind Law Focused on Internet of Things Cybersecurity

Late last month, California Governor Jerry Brown signed the first US Internet of Things (IoT) cybersecurity legislation: Senate Bill 327 and Assembly Bill 1906. Starting on January 1, 2020, manufacturers of regulated connected devices are required to equip such devices with “reasonable security features” designed to protect a connected device and any information it holds from “unauthorized access, destruction, use, modification, or disclosure.” This legislation was prompted by what the bill’s sponsor viewed as a “lack of security features on internet connected devices undermin[ing] the privacy and security of California’s consumers.”

Posted in Cybersecurity & Data Breaches

New Obligations Under the NYDFS Cybersecurity Regulation Came Online in September

The New York State Department of Financial Services (NYDFS) Cybersecurity Regulation came into effect March 1, 2017. Various provisions under the regulations have been implemented on a staggered implementation timeline since that date. As of September 4, 2018, covered entities are required to be in compliance with additional requirements. As you finalize your organization’s preparations for compliance, we have highlighted key aspects of these obligations that came into effect in September.