Washington and Oklahoma Privacy Bills Have Officially Died; Florida’s Privacy Bill is Significantly Amended

NewspaperAs the trend of state laws granting more privacy and greater control over personal information continues in the US, the fate of privacy bills in Washington State, Oklahoma and Florida serve as a reminder that as with any other issue, political compromise is still a necessity in order for legislation to progress. This is an update on our prior post published on April 5th, analyzing the chances that privacy bills introduced in Washington, Oklahoma, Florida and Connecticut will be enacted. Continue Reading

DFS Enters Into $1.5 Million Consent Order With Residential Mortgage Company In Wake of Data Breach

Correction to the original article: First American Title Insurance Company is not associated or involved with the March 3, 2021 consent decree between Residential Mortgage and New York Department of Financial Services.

In early March, the New York State Department of Financial Services (“DFS”) entered into a consent order requiring Residential Mortgage Company to pay $1.5 million for failing to comply with Cybersecurity Regulation, Part 500 of Title 23 of the New York Code.  The steep financial penalty in the consent order is a stark reminder for companies subject to Part 500 to prioritize their compliance.

In February 2017, New York enacted a law that requires financial companies to implement and report detailed framework aimed at protecting consumer data privacy.  Part 500 of Title 23 of the New York Code applies to any organization regulated by DFS.   This regulation largely impacts financial, banking, and insurance industries in the United States.  Entities that violate this law can incur penalties up to $250,000 for each day the violation occurs or one percent of total banking assets.

Companies subject to Part 500 have been awaiting the results of this matter because it is a matter of first impression.  On March 03, 2021, DFS reached its first full resolution under Part 500 with Residential Mortgage Services.  DFS and Residential Mortgage Services agreed to resolve this matter without further proceedings.  As a result, Residential Mortgage must pay a civil monetary penalty of $1.5 million within ten days of executing the consent order.  In making this determination, DFS assessed the extent to which Residential Mortgage cooperated with DFS in its investigation, Residential Mortgage’s financial resources and good faith in responding to this investigation, the gravity of the violation and the public interest.  In imposing this steep financial penalty, DFS sent a very clear message to other companies subject to Part 500: comply, comply, and comply.  In addition, DFS imposed a number of remedial measures on Residential Mortgage aimed at preventing future incidents by ensuring its cybersecurity systems and customer data are secure.  These measures include a cyber-security incident response plan, a cybersecurity risk assessment within 90 days of the order, and training and monitoring programs within 90 days of the order.

Oklahoma’s Privacy Bill Stalls, Washington Privacy Act’s Watered Down PRoA May Cause Its Demise

Data PrivacyAfter advancing steadily in their respective legislatures the first few months of 2021, the Oklahoma Computer Data Privacy Act has seemingly died, and the Washington Privacy Act may run into similar roadblocks it faced in prior years.

After passing the Oklahoma House in early March, the Oklahoma bill grinded to a halt the first week of April after Oklahoma Senate Majority Leader refused to allow the bill to have a hearing, as confirmed in tweets and in a press conference by one of the bill’s sponsors, Rep. Collin Walke. The bill, which would have required businesses to obtain consumers’ consent for any collection of data and included an opt-in requirement for sale of personal information, garnered bi-partisan support in the House but faced significant industry opposition and was opposed by Republicans in the Oklahoma State Senate. Our team’s prior update on the Oklahoma bill can be found here. Continue Reading

Will Oklahoma Be the Next State to Enact a Comprehensive Privacy Bill?

A new privacy bill is gaining steam in the Oklahoma legislature.

On March 4, the Oklahoma Computer Data Privacy Act (HB 1602) passed the state House of Representatives by a vote of 85-11.  If enacted in its current form, the bill would take effect on January 1, 2023, at the same as the California Privacy Rights Act and the Virginia Consumer Data Protection Act. Continue Reading

Lydia de la Torre Appointed to Inaugural Board for the California Privacy Protection Agency

We congratulate our friend and colleague Lydia de la Torre on her appointment to the inaugural board for the California Privacy Protection Agency.  “Californians deserve to have their data protected and the individuals appointed today will bring their expertise in technology, privacy and consumer rights to advance that goal,” said Governor Newsom. “These appointees [including Lydia] represent a new day in online consumer protection and business accountability.”

In 2018, California became the first state in the U.S. to equip consumers with new privacy tools and new privacy rights under the California Consumer Privacy Act. On November 3, 2020, California voters approved Proposition 24, the California Privacy Rights Act (CPRA), which created the California Privacy Protection Agency. Enforcement of the CPRA will begin in 2023.  The California Privacy Protection Agency will have full administrative power, authority, and jurisdiction to implement and enforce the California Consumer Privacy Act and the California Privacy Rights Act. The board of the CPPA will appoint the agency’s executive director, officers, counsel and employees. The agency may bring enforcement actions related to the CCPA or CPRA before an administrative law judge. The Attorney General will retain civil enforcement authority over the CCPA and the CPRA.

“The California Privacy Protection Agency marks a historic new chapter in data privacy by establishing the first agency in the country dedicated to protecting forty million Californians’ fundamental privacy rights,” said Attorney General Becerra. “The CPPA Board will help California residents understand and control their data privacy while holding online businesses accountable.”

“The chance to serve on the Board of the new California Privacy Protection Agency is a great opportunity for Lydia, and one for which she is exceptionally well suited given her diverse background and talents.  She has uniquely balanced an academic and private practice career, and public service is a natural next step for her” said Alan Friel, Deputy Chair of Squire Patton Boggs’ Global Data Privacy & Cybersecurity Practice.  “We could not be happier for her and commend Senator Atkins on the selection of such a qualified individual.  While we are sorry to see Lydia go, her selection continues a long tradition of public service by our attorneys, which our firm fully embraces.”

Modifications to CCPA Regulations Approved and Take Effect

CCPA-California-Consumer-Privacy-ActSecurity & Privacy Bytes and our sister blog, Consumer Privacy World have been covering developments concerning the California Consumer Privacy Act of 2018 (“CCPA”).  As we discussed the end of last year, on December 10, 2020, the California Attorney General proposed some modifications to the regulations implementing the CCPA.  These were published in response to comments received by the AG following publication of the previous set of proposed CCPA modifications on October 12, 2020.  The CCPA regulations went into effect on August 14, 2020 and the additional amendments to the regulations went into effect on March 15, 2021.  For more information on these additional amendments, see this post by Alan Friel and Kristin Bryan.

Florida is the Latest State to Consider Comprehensive Data Privacy Legislation

The Florida state legislature is considering a sweeping data privacy bill introduced by Governor Ron DeSantis in February.  House Bill 969 is the latest state provision to follow in the footsteps of the California Consumer Privacy Act (“CCPA”), the California Privacy Rights Act and the Virginia Consumer Data Protection Act, in giving consumers greater control over how their personal information is used while imposing greater restrictions on companies’ use of that data. Continue Reading

Consumers’ “Right to Delete” under US State Privacy Laws

Among the challenges presented by the increasing number of state privacy laws are identifying how consumer rights differ under each of the various laws and operationalizing a workflow for responding to rights requests that ensures compliance with each.  In this post, we will focus on consumers’ “right to delete” under the California Consumer Privacy Act (the “CCPA”), the California Privacy Rights Act, which amends and will essentially replace the CCPA on January 1, 2023 (the “CPRA”), and the Virginia Consumer Data Protection Act (the “VCDPA”). We note that the EU General Data Protection Regulation (“GDPR”) and laws around the world that are being adopted following the GDPR model also contains a right to delete which is quite broad (“right to obtain . . . erasure of personal data concerning him or her”), though subject to a number of exceptions.

Please see our previous posts here, here and here for a broader discussion of the CCPA, CPRA and VCDPA, respectively, including how certain key terms used below are defined. Continue Reading

Virginia Governor Signs Virginia Consumer Data Protection Act

NewspaperAs expected, today Virginia Governor Ralph Northam signed the Virginia Consumer Data Protection Act (the “Act”) into law, though the Act will not go into effect until January 1, 2023.  As a result, Virginia becomes the second state in the United States to enact a data privacy law that purports to regulate the collection, use, and disclosure of the personal data of its residents generally. See our previous post for a summary and analysis of the Act’s key provisions and a discussion of how the Act differs from similar laws, such as the California Consumer Privacy Act and California Privacy Rights Act.

Russia: Amendments to the Federal Law On Personal Data Takes Effect

Russia’s Federal Law of 27 July 2006 No. 152-FZ on Personal Data (‘the Law on Personal Data’) aims to guarantee protection for individuals’ personal data and apply to organisations that collect, use, or share such data.

On 1 March, 2021 the Federal Law of 30 December 2020 No 519-FZ on Amendments to the Federal Law On Personal Data, which amends the Law on Personal Data, came into effect (except for one section that is due to  come into effect on 1 July, 2021) (“Amendments”).

Continue Reading