The UK Government and the Information Commissioner Provide Guidance on the Collection of Contact-Tracing Information by Hospitality & Leisure Businesses

As businesses in the hospitality and leisure industries are permitted to re-open in England, the Government is asking them to keep a temporary record of their customers and visitors, in order to support NHS Test and Trace.  This information will be requested by NHS Test and Trace in the event that someone who has tested positive for COVID-19 lists the business’s premises as a place that they visited recently, or because the premises has been identified as the location of a potential outbreak. This is viewed by the UK Government as a key part of their ongoing response to the virus, as the lockdown is lifted. Continue Reading

Amendments to CA AB-1281: Addition by Subtraction?

Digital Facial RecognitionIn a surprising turn of events, the California State Senate significantly amended California Assembly Bill 1281 (“AB-1281”) late last week.  AB-1281 initially proposed enhanced protections for the use of facial recognition technologies, which have now been removed.  The amended AB-1281 now focuses on extending by one year the B2B and employee exemptions provided for under the California Consumer Privacy Act (“CCPA”), previously discussed here. Those exemptions currently become inoperative on January 1, 2021; if AB-1281 is enacted, they would become inoperative on January 1, 2022.  Note, however, that if the California Privacy Rights Act (read our recent analysis here) passes on the upcoming November 3rd  ballot, these exemptions will be extended for an additional year, and will become inoperative on January 1, 2023. Continue Reading

CCPA Enforcement Begins Today

CCPA-California-Consumer-Privacy-ActAs of today, July 1, 2020, the California Attorney General (“AG”) will begin enforcing the California Consumer Privacy Act of 2018 (“CCPA”), which went into effect on January 1, 2020.  Under the CCPA, the AG may recover civil penalties of up to $2,500 for each violation and up to $7,500 for each intentional violation.  The CCPA also provides for a private right of action for damages resulting from a data breach involving certain defined types of personal information; indeed, a significant amount of CCPA class action litigation has already been filed.  See our prior posts for a detailed analysis of the CCPA and its requirements. In connection with the commencement of CCPA enforcement activity, California AG Xavier Becerra issued the following statement:

Today we begin enforcement of the California Consumer Privacy Act (CCPA), a first-of-its-kind data privacy law in America. We encourage every Californian to know their rights to internet privacy and every business to know its responsibilities. The website of every business covered by the law must now post a link on its homepage that says “Do Not Sell My Personal Information.” Click on it. Remember, it’s your data. You now get to control how it’s used or sold.

The AG has the authority to bring enforcement actions that cover business activities going back to the CCPA’s effective date.  The AG has denied repeated requests from California businesses to delay enforcement due to challenges in complying brought on by the COVID-19 pandemic.

This despite the fact that the AG’s proposed regulations clarifying certain CCPA obligations are not yet final.  On June 1, 2020, the AG filed the regulations with the Office of Administrative Law (“OAL”) and requested an expedited review to make them effective on July 1, 2020.  As of the time of this writing, the OAL had not yet given its final approval to the proposed regulations. The OAL has 30 working days (plus an additional 60 calendar days pursuant to an Executive Order currently in place) to review and approve the proposed regulations, then file them with the California Secretary of State.  This could mean that the regulations will not take effect until October 1, 2020. For more details, see our prior post.

As we await a potential wave of AG enforcement and the finalization of the CCPA regulations, the state of California’s privacy laws remains fluid. On June 24, 2020, the California Secretary of State confirmed that the California Privacy Rights Act (“CPRA”) has officially obtained enough signatures to appear on the November 2020 ballot.  If approved by California voters, the CPRA will significantly expand the requirements of the CCPA and create a new Privacy Protection Agency in California to enforce California’s privacy laws. See our prior post for more details.

However, given that the AG is now enforcing the CCPA, businesses need to take action as quickly as possible to update privacy notices, implement processes to comply with individual rights requests, ensure that contracts are in place with service providers, and address other applicable CCPA requirements.

For more information, please contacat the author or your usual Squire Patton Boggs contact.

Court Order Means CPRA Likely to Make November Ballot

In a recent blog post we reported that the advocacy group behind CPRA, Californians for Consumer Privacy, was going to court in an effort to prevent their plans to put the California Privacy Rights Act (“CPRA”) to a referendum vote in November from being derailed by a delay in the reporting of signature counts. A Writ of Mandate that was filed by the advocacy group led to a hearing before the Sacramento Superior Court, which took place on Friday, June 19, 2020. Continue Reading

Data Breach: Is Your Forensic Report Privileged?

Laptop Data TransferA financial institution has asked a Virginia federal court to overturn a magistrate judge’s order to disclose its forensic report, detailing its 2019 data breach.  If your company experiences a data breach, it is imperative to immediately retain outside counsel who understands the nuances of cybersecurity events and attorney work product privileges.  Here we provide the following practical takeaways: Continue Reading

Complimentary Webinar: Privacy and Employee Surveys in Germany

Maintaining a positive and productive work environment helps retain valued employees and aids in recruiting new talent, ultimately saving costs and providing an advantage over competitors. To monitor employee satisfaction organizations are increasingly turning to conducting workplace surveys.

On June 16, 2020 at 4:00p CEST  Annette Demmel and Tarek Hajj-Khalil of our Data Privacy & Cybersecurity team will discuss what companies should consider when implementing and conducting employee surveys in order to be in line with applicable data protection laws, in particular the GDPR.

They will explain the different legal bases for acquiring employee feedback; which information has to be given to the employees prior or during a survey; what needs to be taken into account when survey results are being evaluated; as well as how to avoid unnecessary risks in this context.

Additional information and registration is available here.

1.0 hour CLE available for CA, NJ and NY

1.0 hour CPE (IAPP).

California Attorney General Submits Final Proposed Regulations and Accompanying Materials

CCPA-California-Consumer-Privacy-ActAfter months of waiting, on June 1, 2020, the California Office of the Attorney General (“AG”) unveiled the final proposed California Consumer Privacy Act (“CCPA”) regulations, which are unchanged from the last version circulated in early March 2020 (summarized here).  The AG also published extensive materials, including more than 500 pages of responses to public comments, that provide a wealth of (non-binding) guidance on tricky issues.  Finally, the AG requested the Office of Administrative Law to expedite its review to make the regulations effective July 1, 2020, but it is unclear whether that will occur. Continue Reading

EU and National Guidance and Approaches to Contact Tracing Apps

In considering methods to relax the COVID-19 lockdown measures and revive the economy, while at the same time containing the spread of the virus, the EU and national EU governments have been actively pursuing the development and use of contact tracing apps.

To be effective, any contact tracing app would require the majority of the population to use it. Of course, there are reservations about the overall benefit of such an app as a means of responding to the COVID-19 crisis (among others because it may lead to false positives or negatives, the technology may be unable to distinguish between people in crowded places, as well as because of the possible abuse of the data). Continue Reading