Written by Susan Kohn Ross and Timothy Carter
As contact tracing ramps up in states across the country, state and local officials are increasingly warning of a rise in fraudulent contact tracers seeking to wrongfully obtain personal and financial information. We have previously written about contact tracing – long considered to be “a central pillar” of traditional infectious disease control – and how it works. In order to … Continue reading Return to Work: Beware of Fraudulent Contact Tracers
Privacy Protection Acts Introduced in Connection with Contact Tracing
Across the globe, governments are harnessing surveillance-camera footage, mobile location data, and consumer purchase records to help track the recent movements of coronavirus patients, monitor those potentially exposed, and establish virus transmission chains. In China, for example, the government has installed surveillance cameras outside and inside quarantined individuals’ homes. A few thousand miles away, Israel’s internal security agency is primed to mine a cache of mobile phone location data, initially collected for counterterrorism operations, in order to pinpoint possible COVID-19 exposure among its citizens. Continue reading “Tracing Concerns”
The California Consumer Privacy Act (“CCPA”) took effect on January 1, 2020. In October 2019, the California Attorney General (“CA AG”) published proposed regulations. In the lead-up to January 1, 2020, the CA AG repeatedly made the point that those subject to the CCPA should plan for compliance with its broad principles by the first of the year, while admitting enforcement would not start until the regulations were final, meaning July 1, 2020. As part of this process, the CA AG advised he did not expect there to be significant changes to the regulations between October and July. However, upon receiving comments on those October proposed regulations, he changed his mind, and on February 7, 2020 revised regulations were issued. A subsequent notice on February 10, 2020 corrected the earlier publication, which had omitted certain updates.
To be clear, some of the changes were long awaited (such as what the “Do Not Sell My Personal Data” button looks like), while others were unexpected (such as the change to the training requirement by raising the level of records from four million to ten million). This Alert will summarize the key proposed changes. Continue reading “New Revisions to the CCPA”
In the last few weeks we have seen both regulatory and legislative action that has helped to clarify the scope and impact of the California Consumer Privacy Act (“CCPA”). By way of a refresher, the CCPA seeks to protect the personal information of California consumers by giving them greater knowledge about the nature and extent of the data collected about them, how it is used (sold or shared) by those who possess it, and how the individual consumer can control the use of his/her personal data. The CCPA applies to companies, regardless of where they are located, which:
- Have annual gross revenues in excess of $25 million;
- Alone or in conjunction with others, annually buy, sell, receive or share for commercial purposes the personal information of 50,000 or more consumers, households, or devices; or
- Derive 50% or more of their annual revenues from selling consumer personal information.
This framework leaves companies to ask some very basic questions before deciding next steps:
- What is our annual gross revenue (not limited to California income)?
- Do we have the personal information of at least 50,000 consumers, households or devices located in California?
- Do we sell the personal data we have of those California consumers, households or devices? If so, do we derive 50% or more of our annual revenues from those sales?
- Even if we do not sell that personal data, do we disclose any portion of it to any third parties?
If you answered more than $25 million to the first question or yes to any of the remaining questions, you could be subject to the CCPA, but there is more to the analysis. The next important question is: do you hold personal data belonging to any California consumers, households or devices? If you answered no, you can breathe a sigh of relief. If you answered yes, get ready for the year-end push! Continue reading “California Consumer Privacy Act: Are You Ready? (Part 1)”
In a compromise to avoid a ballot measure, at the very last moment on the very last day, just before the stroke of midnight, on June 29, 2018, the California legislature passed and Governor Brown signed into law the California Consumer Privacy Act of 2018 (the “Act”), which takes effect on January 1, 2020. Many of its provisions are similar to the General Data Protection Regulations (“GDPR”), which took effect in Europe at the end of May, and required companies to institute new internal data privacy regimes. So, while those companies which prepared for the GDPR are well on their way to gaining compliance with this new law, there is still much to be done by them and especially those companies which were not impacted by the GDPR. Continue reading “California Consumer Privacy Act of 2018 – GDPR Lite?”
On May 25, 2018, important European regulations regarding data privacy and protection go into effect that will have a major impact on American companies, many of whom don’t realize they will be subject to compliance with its requirements. The General Data Protection Regulations (the “GDPR”) will have severe penalties for non-compliance (as high as €20 million or 4% of annual worldwide turnover). The GDPR will also have very broad territorial reach applying not only to European entities, but also to entities located outside of Europe (including those in the U.S.) that process the personal data of living European individuals residing in the covered countries, including if the company:
- Offers goods or services to individuals in the covered countries (e.g., e-commerce, capital raising, fund raising, immigration);
- Employs individuals in one or more of the countries;
- Monitors the behavior of individuals in any of these countries; and
- Collects, stores, or processes the personal data of affected individuals on behalf of others.
For these purposes, the European definition of personal data mirrors nicely the American definition of personally identifiable information. Given the severe penalties and broad reach, it is important that each company in the U.S. consider whether the GDPR applies to its operations and, if so, how best to comply. Continue reading “The GDPR is Coming – Are You Ready?”
Just about every survey of General Counsels reveals the same #1 culprit of sleepless nights… a cybersecurity hack. If you run a business in today’s global environment, it is hard to escape the fundamental reality that it is more than likely a matter of when, not if, you will face a cyber threat. And depending on the nature of your business, that threat can have a wide range of implications. If you are a public company, there is an additional issue to consider… what do you have to disclose to your investors and shareholders?
Being prepared for a hack with a comprehensive written information security plan and an equally robust incident response plan is just one component to be considered if you are a public company. You must also have a plan to meet your reporting and disclosure obligations to a variety of governmental bodies. While measuring your response needs in the wake of a hack, and determining if there are state, federal or international laws and regulations that require reporting, you must also pay close attention to possible disclosure obligations in your SEC filings. Specifically, if you have tripped a disclosure to a state attorney general or your company’s customers, then it is possible you may also have a disclosure obligation to your shareholders. Continue reading “If You SEC Something, Say Something”
Just in the last week, both the European Parliament and the European Data Protection Supervisor (“EDPS”) published findings holding the currently proposed EU-US Privacy Shield to be seriously deficient, and calling for further negotiations to deal with those “holes”.
On May 26, 2016, the European Parliament passed a resolution, see EU Parliament Resolution, basically saying nice try, no cigar! While acknowledging that great strides were made, the Parliament felt that too many gaps remained. Not surprising were the on-going concerns about the broad gathering of private data (i.e., bulk collection) by the U.S. government and what is viewed as the less than clearly defined circumstances in which that data may be used for recognized national security and law enforcement reasons, and what else? Continue reading “Privacy Shield Takes More Hits”