As the individual states struggle to define how best to reopen in a manner that minimizes the renewed spread of the novel coronavirus/COVID-19, the subject of contact tracing has become a major focus. To aid in this effort, Apple and Google announced late last week a joint contact tracing project that would leverage Bluetooth technology to identify and selectively alert individuals who have been in close proximity to someone who tested positive for COVID-19. Once alerted, that user could self-isolate or seek testing. Individuals who are diagnosed with COVID-19 can self-report their diagnosis, and any users who have been in recent contact with that individual will receive a notification. Public health agencies would be responsible for checking and verifying test results provided by users in order to prevent spoofing or fabrication. Continue reading “Contact Tracing: COVID-19”
On March 11, 2020, the California Attorney General (CA AG) issued additional revisions to the proposed regulations implementing the California Consumer Privacy Act (CCPA). The CA AG published a redline against the earlier proposed regulations highlighting the latest changes. A copy can be found here. The latest modified draft regulations are subject to a public comment period which ends on March 27, 2020, at 5:00 p.m. (PDT). Information about where to submit comments can be found at the end of this Alert.
In Part 1, we summarized the recent legislative changes regarding the California Consumer Privacy Act (“CCPA”). Bearing in mind the CCPA takes effect on January 1, 2020 and the Attorney General is required to issue regulations by July 1, 2020, these regulations both meet that time frame, but also seek to provide much-needed guidance to industry.
Most of the legislative changes focused on narrowing the definition of personal information, clarified the time frame which applies when a consumer demands information the business possesses about him or her, and also confirmed the CCPA applies to businesses, not non-profits or government entities. In this Alert, we summarize the regulations which were recently issued. However, even in the regulatory context, the starting point remains the same. Companies should begin by asking the following questions: Continue reading “California Consumer Privacy Act: Are You Ready? (Part 2)”
In the last few weeks we have seen both regulatory and legislative action that has helped to clarify the scope and impact of the California Consumer Privacy Act (“CCPA”). By way of a refresher, the CCPA seeks to protect the personal information of California consumers by giving them greater knowledge about the nature and extent of the data collected about them, how it is used (sold or shared) by those who possess it, and how the individual consumer can control the use of his/her personal data. The CCPA applies to companies, regardless of where they are located, which:
Have annual gross revenues in excess of $25 million;
Alone or in conjunction with others annually buy, sell, receive or share for commercial purposes, the personal information of 50,000 or more consumers, households, or devices; or
Derive 50% or more of their annual revenues from selling consumer personal information.
This framework leaves companies to ask some very basic questions before deciding next steps:
What is our annual gross revenue (not limited to California income)?
Do we have the personal information of at least 50,000 consumers, households or devices located in California?
Do we sell the personal data we have of those California consumers, households or devices? If so, do we derive 50% or more of our annual revenues from those sales?
Even if we do not sell that personal data, do we disclose any portion of it to any third parties?
If you answered more than $25 million to the first question or yes to any of the remaining questions, you could be subject to the CCPA, but there is more to the analysis. The next important question is: do you hold personal data belonging to any California consumers, households or devices? If you answered no, you can breathe a sigh of relief. If not, get ready for the year-end push! Continue reading “California Consumer Privacy Act: Are You Ready? (Part 1)”
In the last week, both the Dept. of Homeland Security and the Food and Drug Administration have issued a consumer alert about the potential hacking risk regarding cardiac devices, specifically because those devices have no encryption on their software. The devices in question are implantable cardiac devices, clinic programmers and home monitors which are used to regulate one’s heartbeat rate – to speed it up or slow it down, as needed. The focus this time is on the Medtronic Conexus Radio Frequency Telemetry Protocol. Given this latest notice, one has to wonder what will be the impact of the California IoT law.
What both federal agencies had to say is short range access allows interference with, generation, modification or interception of communications. There is also the ability to read/write any valid memory location on the implanted device and, therefore, impact its intended functionality. Continue reading “CA IoT Law: Devices at Risk?”