On June 1, The California Attorney General submitted the final text of the CCPA regulations to the California Office of Administrative Law for approval. Though regulations submitted to the OAL in June ordinarily would not become effective—if approved—until October 1, the CA AG has requested an expedited review. According to the CA AG, the expedited review would allow the regulations to become effective by July 1, which still is the date his office plans to begin enforcing the CCPA according to a public statement.
The California Privacy Rights Act is progressing through California’s elections process for inclusion on the November 2020 ballot. Businesses may want to begin considering how their data privacy obligations in California may change if voters enact CPRA. The CPRA would significantly amend the CCPA. Included in this blog post is a summary of key additions and modifications to the CCPA’s existing obligations.
Businesses spent the latter months of 2019 working hard to prepare for the January 1, 2020 implementation of the California Consumer Privacy Act. Months later, those businesses still are uncertain of their full range of potential compliance obligations because the California Attorney General’s CCPA implementing regulations are still not final. As businesses refine their CCPA compliance programs, they should also be aware that privacy rules in California could again change before the end of this year if the California Privacy Rights Act ballot initiative is approved by voters. Both the regulations and the CPRA are subject to complicated administrative processes that could affect their adoption and implementation, as described in this post.
Washington State is already shaping up as a center of state privacy legislation for 2020. Last year, SB 5376 gained significant traction in the legislature, passing the state Senate almost unanimously but ultimately failing in the House due to discussions around facial recognition and compliance challenges. State Senator Reuven Carlyle, chair of the state’s Senate Energy, Climate & Technology Committee, has now released a revised draft of the WPA for 2020. If enacted as drafted, this new version of the WPA would come into effect on July 31, 2021.
In a legislative environment charitably described as challenging, the fact that the Senate recently passed cybersecurity legislation by unanimous consent is noteworthy and highlights the bipartisan nature of this issue. The DHS Cyber Hunt and Incident Response Act responds to the recent spate of ransomware attacks against government agencies and private sector organizations. It would require the Department of Homeland Security to form “cyber hunt” and incident response teams that could be called upon to assist federal, state, and local entities to respond to a ransomware or other type of cybersecurity incident or to identify vulnerabilities in their systems that may increase the likelihood and success of a future attack. While continued government attention to the availability of cybersecurity capabilities should be welcomed by the private sector, the extent to which businesses will directly benefit from this legislation is unclear given its focus.
On July 25, New York Governor Andrew Cuomo signed into law a pair of bills establishing new requirements for businesses that process certain personal information related to New York residents. The changes include expanding the scope of information covered by New York’s data breach notification law; defining breaches to include incidents involving unauthorized access to covered information, even where the information is not acquired; and requiring consumer reporting agencies who suffer breaches of social security numbers to offer up to 5 years of identity theft services. Businesses maintaining the private information of New York residents also will now be required to proactively develop “reasonable safeguards” within their organization as part of a new “reasonable security requirement.”
On 19 March 2019, the Dutch Senate approved legislation introducing collective damages actions in the Netherlands (the “Legislation”) which will broaden the regime even further. The Legislation introduces an option to claim monetary damages in a “US style” class action, including for violations of the GDPR. This Legislation together with the mechanisms already available under […]
The California Consumer Privacy Act of 2018 (“CCPA”) exempts information that is collected, processed, sold, or disclosed pursuant to the federal Gramm-Leach-Bliley Act (“GLBA”), and its implementing regulations (the “Privacy Rule”), or the California Financial Information Privacy Act (“CFIPA”). It does not exempt financial institutions altogether from its requirements where a financial information is processing information not subject to these regimes. In such situations, a financial institution must comply with a wide array of CCPA obligations, including requirements to make certain disclosures to consumers and to provide certain rights to consumers, such as the right to stop “sales” of their personal information and the right to access data that a business has collected about them. Determining whether information a financial institution processes is covered by the exemption or not can be challenging and is something that financial institutions will need to analyze for their operations.
This blog post provides background on the scope of the exemption and an overview of key considerations for financial institutions developing CCPA compliance programs.
In the digital age, data is everything. “Big Data” feeds countless business processes and offerings. Businesses rely on data to enhance revenue and drive efficiency, whether by better understanding the needs of existing customers, reaching new ones in previously unimagined ways, or obtaining valuable insights to guide a wide array of decisions. Data also drives developments in artificial intelligence, automation, and the Internet of Things. Come 2020, the California Consumer Privacy Act (“CCPA”) may significantly impact businesses’ data practices, with new and burdensome compliance obligations such as “sale” opt-out requirements and, in certain circumstances, restrictions on tiered pricing and service levels. This entry in Hogan Lovells’ ongoing series on the CCPA will focus on implications for data-driven businesses–the rapidly increasing number of businesses that rely heavily on consumer data, whether for marketing, gaining marketplace insights, internal research, or use as a core commodity.
The application of the California Consumer Protection Act of 2018 (“CCPA”) to employee data has been the subject of much debate since the first version of the bill was introduced on June 21, 2018 (just days prior to its enactment on June 28). Under a plain language reading of the CCPA, the law likely applies to employee data. However, it is unclear whether the California legislature intended that result. There is no clarity to be found in the general statutory structure, the legislative history, legislative responses to advocate letters, or the technical amendments signed into law on September 23. As part of our ongoing series on the CCPA, this post lays out why the issue of CCPA applicability to employees is controversial and nevertheless offers potential strategies to address CCPA compliance requirements as they may relate to personnel records.
Late last month, California Governor Jerry Brown signed the first US Internet of Things (IoT) cybersecurity legislation: Senate Bill 327 and Assembly Bill 1906. Starting on January 1, 2020, manufacturers of regulated connected devices are required to equip such devices with “reasonable security features” designed to protect a connected device and any information it holds from “unauthorized access, destruction, use, modification, or disclosure.” This legislation was prompted by what the bill’s sponsor viewed as a “lack of security features on internet connected devices undermin[ing] the privacy and security of California’s consumers.”
On September 4, the Legislative Decree no. 101 of August 10, 2018 for the national implementation of General Data Protection Regulation (EU) 2016/679 was published in the Official Journal. The Decree integrates the provisions of the GDPR, that were previously left to the autonomy of the Member States and will enter into force on September 19, 2018.
We have heard the California Consumer Privacy Act of 2018 (CCPA) called many things since its enactment on June 28, 2018. Our experience to date has confirmed the compliance challenge ahead for organizations that engage with the residents of the world’s fifth-largest economy. We will explore the ramifications for businesses of this seminal legislation in this multi-part series, “The Challenge Ahead” authored by members of Hogan Lovells’ CCPA team. In this first installment, we describe recent activity to enact so-called “technical” amendments to the CCPA.
On August 1, a bipartisan group of four senators introduced a bill that would impose specific cybersecurity requirements on providers of Internet of Things devices when doing business with the U.S. Government and provide liability protections for security researchers who disclose vulnerabilities affecting these devices. Though the bill’s security requirements would apply only in cases where entities are acting as contractors to the U.S. Government, if enacted, it likely would be influential on IoT vendors operating in the consumer context as well. The bill is largely consistent with an ongoing multistakeholder effort led by the National Telecommunications and Information Administration aimed at developing voluntary security standards for Internet-connected devices.
The need for proper and legitimate powers to enable intelligence and law enforcement agencies to do their job and to keep everyone safe requires little justification. However, in our data-rich and uber-connected way of life, those powers necessarily involve a substantial degree of intrusion into our digital comings and goings, and that makes things complicated. In a show of political awareness and legislative dexterity, in November 2015, the UK government presented its draft Investigatory Powers Bill—an attempt to strike a balance between intelligence and law enforcement needs with the protection of ordinary citizens’ privacy. The Bill seeks to adopt a comprehensive and sophisticated framework of modern law enforcement and intelligence gathering powers. It is currently being scrutinized by a parliamentary committee and subject to public consultation.
For more than a year now, we have been hearing that the spate of highly-publicized data breaches could lead to federal data security and data breach legislation. On March 25, the House Energy and Commerce Subcommittee on Commerce, Manufacturing and Trade took action that brings us closer to seeing that prediction become a reality. In this post, we take a closer look at the bipartisan legislation approved by the subcommittee—the Data Security and Breach Notification Act of 2015 — and discuss five key provisions that are likely to be at issue as the legislation moves forward.
President Obama today addressed cybersecurity for the second time in as many days in a speech at the Department of Homeland Security’s National Cybersecurity and Communications Integration Center (NCCIC). Early this morning, the White House announced a February 13 Summit on Cybersecurity and Consumer Protection and released further details on several initiatives to promote cybersecurity information sharing between the private sector and government. The President then convened a meeting with congressional leaders in which he discussed cybersecurity issues. Speaking about his cooperation with House Speaker John Boehner (R-OH) and Senate Majority Leader Mitch McConnell (R-KY), the President noted “I think we agreed that this is an area where we can work hard together, get some legislation done and make sure that we are much more effective in protecting the American people from these kinds of cyber attacks.” Today’s developments follow the President’s address to the Federal Trade Commission (FTC) yesterday, in which he announced a legislative proposal on national data breach reporting and emphasized the importance of student and consumer privacy. Together, these events provide a preview of initiatives that the President is expected to highlight during his State of the Union address on January 20.
On April 18, the US House of Representatives passed the Cyber Intelligence Sharing and Protection Act (CISPA), H.R. 624, which would enable companies to share information about cyber threats while benefiting from certain liability protections. The bill passed despite a White House threat earlier this week to veto the bill. The vote was 288-127, with 196 Republicans and 92 Democrats in […]
The February 21 edition of The Corporate Counsel.Net blog presents an audio interview with Hogan Lovells partner Harriet Pearson in which the following topics are addressed: Why cybersecurity is a hot topic for lawyers now, and not just IT staff. The signficance of recent interactions on this topic between Senator Rockefeller and the CEOs of the […]
On February 12, President Obama signed an Executive Order on “Improving Critical Infrastructure Cybersecurity,” and then referenced the Order and the need for additional congressional action during the State of the Union address on the same day: America must also face the rapidly growing threat from cyber-attacks. We know hackers steal people’s identities and infiltrate […]
On November 28, Bloomberg BNA is hosting a ninety-minute program on “Cybersecurity: The Corporate Counsel’s Agenda.” The webinar will review the latest cybersecurity developments, existing laws and enforcement initiatives, the post-election cybersecurity legislation landscape, and tips for what in-house counsel should be doing to manage cyber risk. Hogan Lovells partner Harriet Pearson will participate on […]
Widely-reported efforts to craft compromise cybersecurity legislation failed 52-46 in a key Senate vote on August 2 despite bipartisan engagement and the Obama Administration’s vocal support.
On Wednesday, the Senate Commerce Committee held a hearing on consumer privacy and the need for a federal baseline law. On one side — Senators Rockefeller (D-WVA) and Kerry (D-MA), strong proponents of baseline privacy legislation, and on the other was Senator Pat Toomey (R-PA), who questions whethere there is the need at all for legislation and who expressed cocern over compliance costs threatening innovation. On Monday, the Congressional Internet Caucus wil hold a program on pending privacy legislative proposals, moderated by Hogan Lovells Privacy Leader Chris Wolf.
Legislation has been introduced in the U.S. House that would modernize the Telephone Consumer Protection Act and enable businesses to make additional informational calls to wireless telephone numbers. As currently drafted, however, the bill would retain many of the existing restrictions on placing telemarketing calls to wireless telephones.