We have heard the California Consumer Privacy Act of 2018 (CCPA) called many things since its enactment on June 28, 2018. Our experience to date has confirmed the compliance challenge ahead for organizations that engage with the residents of the world’s fifth-largest economy. We will explore the ramifications for businesses of this seminal legislation in this multi-part series, “The Challenge Ahead” authored by members of Hogan Lovells’ CCPA team. In this first installment, we describe recent activity to enact so-called “technical” amendments to the CCPA.
California continues to be a first mover in privacy in the United States, enacting the US’s toughest and most comprehensive privacy legislation on Thursday, June 28, 2018. Unlike existing state and federal privacy legislation that has generally focused on specific sectors or privacy issues, the California Consumer Privacy Act of 2018 (AB 375), applies broadly to businesses that collect personal information about California consumers and aims to create significant new consumer privacy rights. In doing so, it creates significant new obligations for businesses.
Aetna will pay almost $17.2 million to settle a federal class action lawsuit stemming from a 2017 mailing that disclosed the HIV status of health plan members. Aetna also agreed last week to pay a $1.15 million fine to the state of New York after the Attorney General Eric Schneiderman’s investigation into Aetna’s alleged violations of federal and state privacy laws. Both settlements require compliance monitoring and record keeping obligations.
After a year-long investigation into mobile health apps claiming to be able to measure vital signs or health indicators through smartphone sensors, the New York Attorney General settled claims against three developers alleged to have engaged in “misleading” marketing claims and “irresponsible” privacy practices. Mobile health apps Cardiio and Runtastic claimed that their apps effectively and accurately measured heart rate after vigorous exercise using only a smartphone camera and sensors. The third, Matis, claimed that its app transformed a smartphone into a fetal heart monitor. Concerned that unregulated apps claiming to measure key vital signs and other health indicators may harm consumers if the apps provide inaccurate or misleading results, NY AG Eric Schneiderman brought enforcement actions against the trio of developers.
A growing number of state and federal laws require organizations to implement reasonable security safeguards to protect personal information. But what constitutes reasonable data security? This question has vexed organizations and spurred a considerable amount of litigation. On February 16, 2016, the California Attorney General’s Office released its 2016 Data Breach Report, which for the first time provides a listing of safeguards that the Attorney General views as constituting reasonable information security practices. Despite being focused on California, the Report’s recommendations are likely to have an impact far beyond the borders of the Golden State.
Maryland Attorney General Doug Gansler, current President of the National Association of Attorneys General (NAAG), has made “Privacy in the Digital Age” his presidential initiative for 2013. As part of the presidential initiative, NAAG will host a number of privacy-focused events throughout the year, including a three-day conference this April. On Monday, January 28th, […]
A new amendment to California’s security breach notification statute establishes specific content requirements for data breach notifications and imposes a new Attorney General notification requirement for breaches affecting more than 500 California residents.