Key Takeaways from the FTC’s PrivacyCon

What event might actually manage to have more geeks than Comic-Con?


Ok, probably not, but on July 21, 2020 the FTC hosted their fifth annual PrivacyCon event, and for the first time it was entirely online. This event is designed to provide researched information on various important privacy topics. The FTC curates the event content based on submitted materials and moderates each session. This year’s topics were (1) health apps, (2) artificial intelligence, (3) Internet of Things devices, (4) privacy and security of specific technologies such as digital cameras and virtual assistants, (5) international privacy, and (6) miscellaneous privacy and security issues.

NYDFS Files Formal Charges Against Insurance Company for Violations of New York’s Cybersecurity Regulation

As predicted in our February 4, 2020 blog post, the New York Department of Financial Services (“DFS”) has filed its first formal charges for violation of the state’s cybersecurity regulation. The charges were filed against an insurance company for allegedly violating several provisions of Part 500 of Title 23 of the New York Codes, Rules, and Regulations. In this case, the DFS alleged five distinct violations, including failure to identify and remediate certain risks, thereby enabling the potential exposure of millions of mortgage-related documents that contained sensitive non-public personal information. Additional details about this enforcement action may be found here.

Webinar – EU Data Transfers Post-Schrems II: What are the Viable Options Going Forward?

Webinar – July 30, 2020 (8:30a PDT, 11:30a EDT, 4:30p BST, 5:30p CEST)


The European Union’s highest court has ruled that the EU-US Privacy Shield data transfer mechanism is invalid. The court also ruled that another much-used transfer mechanism – the EU Standard Contractual Clauses (also known as Model Clauses) – is valid in principle but not always in practice, depending on the circumstances of the data transfers in question. Businesses relying on (or switching to) the SCCs will need to carefully consider whether they are able to commit to all of the boilerplate clauses included in the Model Clauses.

Join us on July 30, 2020 for a Roundtable Discussion including our top EU and US data protection experts: Rosa Barcelo (Brussels), Ann LaFrance (US), Mareike Lucht (Germany), Catherine Muyl (France) and Francesca Fellowes (UK) who will discuss the Schrems II judgment and its implications, including:

  • What the judgment says and does not say
  • What alternatives are available
  • Challenges ahead for use of the SCCs and potentially BCRs
  • Practical steps to take now

The session will be moderated by our DC-based privacy pundit, Lauren Kitces.

This program is pending 1.0 hour of CLE in AZ, CA, NJ and NY.


CJEU Invalidates the EU-US Privacy Shield Framework but Leaves the Standard Contractual Clauses Intact, Subject to Major Caveats

On 16 July 2020, the Court of Justice of the EU (“CJEU” or the “Court”) delivered another landmark decision on international data transfers – the so-called Schrems II judgment. In its decision, the CJEU invalidated the EU Commission’s adequacy decision on the EU-US Privacy Shield Framework (“Privacy Shield”), on which thousands of US companies have been relying to lawfully transfer personal data from the EU to the US. In the same decision, the CJEU confirmed the validity of the Standard Contractual Clauses (“SCCs” or “Clauses”) in principle, but made clear that their legality must be considered on a case-by-case basis in light of the circumstances of the particular transfer.

US companies currently relying on Privacy Shield will need to move quickly to evaluate their ability to make use of alternative data transfer mechanisms such as the SCCs, Binding Corporate Rules (“BCRs”) or, where applicable, one of the specific transfer-related derogations provided for in the EU General Data Protection Regulation (“GDPR”).

ICO and Australian Information Commissioner Team-up to Investigate Clearview AI, Inc. Facial Recognition Tool and Data Scraping

Last week (9th July), the ICO announced that it would join forces with the Office of the Australian Information Commissioner (OAIC) to investigate the use of personal information, including biometric data, by Clearview AI, Inc. (Clearview). Limited information is available so far, but given the focus of the investigation, this is an important step in determining data protection rights and obligations, where information is ‘scraped’ from ‘publicly available’ sources, for the purposes of tackling crime.

The UK Government and the Information Commissioner Provide Guidance on the Collection of Contact-Tracing Information by Hospitality & Leisure Businesses

As businesses in the hospitality and leisure industries are permitted to re-open in England, the Government is asking them to keep a temporary record of their customers and visitors, in order to support NHS Test and Trace. This information will be requested by NHS Test and Trace in the event that someone who has tested positive for COVID-19 lists the business’s premises as a place that they visited recently, or because the premises has been identified as the location of a potential outbreak. This is viewed by the UK Government as a key part of their ongoing response to the virus, as the lockdown is lifted.

Amendments to CA AB-1281: Addition by Subtraction?

In a surprising turn of events, the California State Senate significantly amended California Assembly Bill 1281 (“AB-1281”) late last week. AB-1281 initially proposed enhanced protections for the use of facial recognition technologies, which have now been removed. The amended AB-1281 now focuses on extending by one year the B2B and employee exemptions provided for under the California Consumer Privacy Act (“CCPA”), previously discussed here. Those exemptions currently become inoperative on January 1, 2021; if AB-1281 is enacted, they would become inoperative on January 1, 2022. Note, however, that if the California Privacy Rights Act (read our recent analysis here) passes on the upcoming November 3rd ballot, these exemptions will be extended for an additional year, and will become inoperative on January 1, 2023.

CCPA Enforcement Begins Today

As of today, July 1, 2020, the California Attorney General (“AG”) will begin enforcing the California Consumer Privacy Act of 2018 (“CCPA”), which went into effect on January 1, 2020. Under the CCPA, the AG may recover civil penalties of up to $2,500 for each violation and up to $7,500 for each intentional violation. The CCPA also provides for a private right of action for damages resulting from a data breach involving certain defined types of personal information; indeed, a significant amount of CCPA class action litigation has already been filed. See our prior posts for a detailed analysis of the CCPA and its requirements. In connection with the commencement of CCPA enforcement activity, California AG Xavier Becerra issued the following statement:

Today we begin enforcement of the California Consumer Privacy Act (CCPA), a first-of-its-kind data privacy law in America. We encourage every Californian to know their rights to internet privacy and every business to know its responsibilities. The website of every business covered by the law must now post a link on its homepage that says “Do Not Sell My Personal Information.” Click on it. Remember, it’s your data. You now get to control how it’s used or sold.

The AG has the authority to bring enforcement actions that cover business activities going back to the CCPA’s effective date.  The AG has denied repeated requests from California businesses to delay enforcement due to challenges in complying brought on by the COVID-19 pandemic.

This despite the fact that the AG’s proposed regulations clarifying certain CCPA obligations are not yet final.  On June 1, 2020, the AG filed the regulations with the Office of Administrative Law (“OAL”) and requested an expedited review to make them effective on July 1, 2020.  As of the time of this writing, the OAL had not yet given its final approval to the proposed regulations. The OAL has 30 working days (plus an additional 60 calendar days pursuant to an Executive Order currently in place) to review and approve the proposed regulations, then file them with the California Secretary of State.  This could mean that the regulations will not take effect until October 1, 2020. For more details, see our prior post.

As we await a potential wave of AG enforcement and the finalization of the CCPA regulations, the state of California’s privacy laws remains fluid. On June 24, 2020, the California Secretary of State confirmed that the California Privacy Rights Act (“CPRA”) has officially obtained enough signatures to appear on the November 2020 ballot.  If approved by California voters, the CPRA will significantly expand the requirements of the CCPA and create a new Privacy Protection Agency in California to enforce California’s privacy laws. See our prior post for more details.

However, given that the AG is now enforcing the CCPA, businesses need to take action as quickly as possible to update privacy notices, implement processes to comply with individual rights requests, ensure that contracts are in place with service providers, and address other applicable CCPA requirements.

For more information, please contact the author or your usual Squire Patton Boggs contact.

Court Order Means CPRA Likely to Make November Ballot

In a recent blog post we reported that the advocacy group behind CPRA, Californians for Consumer Privacy, was going to court in an effort to prevent their plans to put the California Privacy Rights Act (“CPRA”) to a referendum vote in November from being derailed by a delay in the reporting of signature counts. A Writ of Mandate that was filed by the advocacy group led to a hearing before the Sacramento Superior Court, which took place on Friday, June 19, 2020.