Sunday, February 9, 2020

First Take: Summary of Revisions to the CCPA Regulations

On Friday afternoon, and without advanced notice, the California Department of Justice released changes to the California Consumer Privacy Act (CCPA) regulations that will affect how companies all over the world attempt to comply with the CCPA.


Before describing the changes, let's remember how we got here.  The CCPA began as a ballot initiative funded by a wealthy real estate developer.  The ballot measure was so popular that it was certain to pass in the 2018 election, so the California legislature struck a deal with the proponents to make it a statute immediately (which made it easier for the legislature to amend).  It was amended once in 2018 and several times in September 2019.

The law became effective on January 1, 2020. When the CCPA was enacted back in June 2018, it delegated certain rulemaking responsibility to the California Department of Justice, led by the Attorney General.  After fifteen long months--and painfully close to the CCPA's effective date of January 1, 2020 the Attorney General released proposed regulations on October 10, 2019.  Because the Attorney General waited so long to publish regulations, the statute says that the California Department of Justice cannot begin enforcing the law until six months following its effective date--July 1, 2020.  The Attorney General has said, however, that companies are expected to comply on January 1, 2020, and enforcement actions after July 1 might relate to activities taken between January 1, 2020 and July 1, 2020.

CCPA Opt out button image from CCPA Regs
The new, standard CCPA opt-out button
When the regulations we first released on October 10, 2020, there was a public comment period, and many interested people, companies, and groups commented on the proposal.  Many pointed out that the regulations created new burdens not found in the statute, failed to clarify many ambiguities in the statute, and introduced new ambiguities.  The Attorney General, however, said in December that there would be no major changes to the regulations, despite the voluminous comments and criticisms. 

In response to the comment letters, and to clarify certain ambiguities in the regulations, the Department of Justice revised the regulations on Friday, February 7, 2020.  Despite the Attorney General's statement, hardly a paragraph of the original regulations is left intact; all 32 pages of the revisions show significant changes.

The Changes

Many of the changes are merely clarifying edits and do not signal substantive policy changes.  While it will take time to digest and understand the effects of the changes, my quick, initial summary of the more salient changes are listed below:

  • The disclosure of the categories of sources of personal information will be more specific than the three categories originally described. Several additional examples are provided: advertising networks, internet service providers, data analytics providers, operating systems and platforms, social networks.  Businesses will need to revise their public-facing privacy policy statements and disclosures in response.
  • New provisions addressing employee data are included. The term "employment-related information" is added.  Disclosures can be hyperlinked. 
  • More specific instructions for handling household requests are included.  Companies will need to revise their procedures to address this. 
  • The definition of "personal information" is to be interpreted slightly less broadly than some have thought.  For example, even though the statutory definition includes IP addresses, all IP addresses will not be considered personal information.  A consumer's IP address is only considered personal information if it can be linked to the consumer or household. 
  • The WCAG 2.1 (not 2.0!) accessibility standards are incorporated by reference. 
  • The "notice at collection" may be oral.
  • Non-intuitive collection via a mobile device will require a "just-in-time" notice, such as a pop-up window.
  • Businesses may use personal information for additional purposes if they are not "materially different" from the purposes previously disclosed.  This gives businesses a little more flexibility to adjust to new use cases than the previous language.
  • It appears that purposes need not be disclosed for each category of personal information, as originally required.  (Many companies may not need to describe purposes in the granular detail found in privacy policy statements published on January 1.)
  • Companies that collect consumer personal information only indirectly can avoid the notice of collection if they register as data brokers with the California Attorney General. All of the implications of this change are unclear to me at this point, but this could be very significant.
  • Mobile apps can use hyperlinks to privacy policy statements. 
  • A description of the process for authorized agents to demonstrate authority is no longer required to be included in the notice of opt-out rights.
  • The privacy policy statement URL is no longer required to be included in the notice of opt-out rights. 
  • Businesses do not need to commit to never sell personal information in the future in order to avoid opt-out notices, as was perhaps implied by the initial regulatory language.
  • A simple opt-out graphic is included for use in lieu of the hyperlink text for the opt-out mechanism.
  • Businesses must disclose the value of the consumer's data, explain how the financial incentive is related to the value of the consumer's data, when giving a notice of financial incentive.  Businesses will need to revise these notices to comply with the change.  This likely means loyalty and discount program terms and conditions need to include a dollar value for consumer data.  There are also new examples relating specifically to loyalty programs.
  •  Categories of sources of information, purposes for collection, and categories of third parties are no longer required to be disclosed separately for each category of personal information.  (The complex matrices and other highly-granular disclosures that some businesses have already released in response to the proposed regulations now seem unnecessary.  Those companies may want to make more general statements going forward.)
  • The requirement to affirmatively state whether data has been sold in the prior 12 months is removed.
  • The categories of third parties to whom personal information is sold must be disclosed separately for each category of personal information.  
  • Verification processes must be disclosed generally, not specifically, in the notice at collection.
  • The right to opt-out disclosure must state whether or not the company sells personal information.
  • Online-only, direct-to-consumer businesses can limit consumer requests to email; all others must offer two or more options.  The webform is no longer mandatory if a business has a website. 
  • The requirement to accept consumer requests to know and requests to delete via an additional method based on how the business interacts with consumers is now recommended but not mandatory.  
  • Confirmation must be sent within 10 business days, not calendar days.
  • If a business cannot verify identity within 45 days of receiving a request, the business may deny the request.
  • Businesses need not search for personal information if four criteria are met (this will be rare).
  • Business may not disclose certain biometric data in response to a request to know.
  • A response to a request for categories of personal information must include additional information.
  • If identity cannot be verified, a business must ask if the consumer wishes to opt out of the sale of their personal information (for which verification is not required).
  • A business does not have to describe how it deleted the consumer's data pursuant to a deletion request, but must state whether or not it has done so.
  • The revisions say that a business may tell a consumer that it is retaining a record of a deletion request "to ensure the personal information remains deleted from the business's records."  (While re-introduction of data through automated data syncs and dumps is a legitimate concerns, I worry that such a statement could lead a consumer to think that a business has a duty to avoid collecting the consumer's data in the future, or to periodically purge the data in the future.)
  • If prohibited from fulfilling a deletion request by law, the business must now explain the legal conflict. (!)
  • Several changes to the constraints placed on service providers are present, including the ability of service providers to use personal information to improve their own services.  (This was important, especially for AI providers.)
  • It must be "easy" to opt-out and involve "minimal steps." 
  • Additional expectations are set regarding the honoring of browsers' privacy settings and the "opt out" signal.  It is still unclear how this will work in the real world.
  • An authorized agent must have written authority that is signed by the consumer, and the business can require the consumer to confirm directly to the business that the authorized agent has permisison to do so.
  • Statistical disclosure is due on July 1 of each calendar year, for businesses that meet the threshold requirements for reporting.  (I believe July 1, 2021 will be the first reporting deadline.)
  • Household requests require verification of all household members.  (This seems likely to cause most businesses to treat household requests as multiple individual requests, for practical operational purposes.)
  • Verification cannot involve a fee payable by the consumer, even if payable to a third party.  Businesses cannot require notarization for verification unless the business pays for the notarization.  (Some businesses will need to revise their verification processes.)
  • Requests must be denied unless verified in accordance with the regulations (businesses seem to have no discretion). 
  • Authorized agents must use reasonable security procedures and cannot use a consumer's data for additional purposes.
  • Businesses must establish a method to verify that a parent acting on behalf of a child under 13 is the parent (or guradian).
  • If the value of consumer data cannot be calculated or does not relate to the value of a financial incentive, the financial incentive cannot be forfeited in response to a request to delete (unless the incentive is required by federal law).  The value of consumer data can be calculated based on the value to all individuals, not just the business's consumers.  The "typical consumer" concept is removed.
Again, this is just a quick summary after an initial reading of the revisions.  As I (and others) continue to scrutinize the revisions, better understandings and additional insights are likely to emerge, so please stay tuned.

What's Next?

The revisions to the regulation trigger an additional 15 day public comment period, which ends on February 24.  Following the comment period, the Department of Justice will submit the final text to the California Office of Administrative Law, which has 30 business days to review the regulations before they will go into effect.  In other words, the earliest date that the regulations could become effective is early April.  The latest date I can imagine them becoming effective is July 1, when the Department of Justice begins bringing enforcement actions against companies for violations.

If you would like to read the revised regulations for yourself, you can find them here. The notice is here.

Thursday, January 2, 2020

Was 2019 the “Year of Privacy” in the U.S.? (Or Will It Be 2020?)

What a year it has been! As one year closes and another begins, let us take a moment to reflect on the significance of 2019. It may not be an exaggeration to say that 2019 brought some of the most important changes in privacy and data security law that most of us have seen in our professional careers.

Yet, with all the momentum toward heightened consumer data protection, there remain conspicuous absences: Congress again considered, and again failed to deliver, a comprehensive privacy and data security bill. The North Carolina General Assembly declined to meaningfully revise the State’s core privacy and cybersecurity statute (the Identity Theft Protection Act or ITPA); House Bill 904, the most recent incarnation of Representative Jason Saine’s and Attorney General Josh Stein’s bipartisan update to the ITPA, languishes in the General Assembly. The General Assembly did, however, approve some modest updates to the data security laws affecting North Carolina government entities, in HB 217/SL 2019-200, giving the State Chief Information Officer greater oversight of State agencies’ cybersecurity controls.

Other states were more successful in modernizing privacy and data security laws in 2019. Forty-three states (and Puerto Rico) considered more than 300 proposed changes to privacy and cybersecurity laws in 2019, ultimately enacting 31 statutes. Although they cannot all be described in detail in this post, most have at least one of the following aims:

  • requiring government agencies or businesses to implement training or specific types of security policies and practices;
  • creating task forces or commissions;
  • restructuring government for improved security;
  • studying the use of blockchain for cybersecurity;
  • providing for the security of utilities and critical infrastructure;
  • exempting cybersecurity operations information from public records laws;
  • addressing the security of connected devices (the Internet of Things);
  • regulating cybersecurity within the insurance industry;
  • providing funding for improved security measures; and
  • cybersecurity threats to elections.1

One state law, of course, stands out from among all others. Throughout 2019, the California Consumer Privacy Act (CCPA) dominated the headlines (as well as the thoughts, dreams and nightmares of privacy and data security lawyers). The CCPA is driving a fundamental shift in the way we think about data protection in the United States, forcing companies to carefully contemplate the personal data they collect, hold, use, and share. Though it lacks the aggressive extraterritorial reach of Europe’s General Data Protection Regulation, the CCPA will apply to many companies throughout the United States and around the world, including many North Carolina-based businesses. Though enacted in 2018, the CCPA was amended, and proposed regulations were released, in late 2019; and with a January 1, 2020 effective date, most practitioners were intensely focused on the CCPA throughout 2019.

Even as 2020 arrives, companies are still wrestling with many patent and latent ambiguities in the CCPA and its proposed regulations. In fact, many have argued that the California Attorney General’s proposed regulations added to the ambiguities rather than reducing them. The regulations are expected to become final very soon, and the Attorney General stated publicly, that the final regs are not expected to differ substantially from the proposed regs—in other words, the final regulations are unlikely to offer new answers.

Because the California Attorney General’s proposed regulations were released so late, and were not made official by the statutory effective date of January 1, the Attorney General is delaying enforcement of the regulations by six months—until July 1. However, his office intends to take action on violations of the statute that occur between January 1 and July 1, and plaintiffs could bring claims under CCPA beginning January 1. Accordingly, most companies would prefer to achieve compliance sooner rather than later. That may be easier said than done. Even companies that have been actively pursuing compliance since 2018 were forced to pivot due to the various amendments passed in September 2019 (and the failure of some amendments to pass) and the new requirements imposed by the proposed regulations released in October 2019, putting them far behind schedule. According to a survey conducted by the International Association of Privacy Professionals in April 2019, one-quarter of companies were targeting compliance by July 1 (the enforcement date), rather than January 1 (the effective date); in a subsequent survey this summer, the number had grown to one-third. My suspicion is that a majority of companies subject to the CCPA are now targeting a July 1 compliance date, in light of the many new and different requirements and uncertainties arising from the amendments and regulations.

As dramatic as 2019 has been for privacy and data security law, 2020 may be even more eventful. We can be fairly certain that plaintiffs will bring actions under CCPA and other laws; the Federal Trade Commission, state Attorneys General, and other domestic authorities will bring enforcement actions; states and municipalities will continue to enact divergent data protection laws, further complicating the domestic legal landscape; and foreign nations will continue to adopt data protection laws, largely drawing upon common principles found in the GDPR and its predecessors. On top of all of this, the creator of the CCPA, Alastair Mactaggart, is already advancing a so-called “CCPA 2.0” to tighten the requirements and strengthen enforcement. It is an exciting (and sometimes frightening) time to be a privacy and data security lawyer. I look forward to navigating these uncharted waters along with you in 2020! 

[This blog post is re-posted from the North Carolina Bar Association.]

Monday, December 30, 2019

European Privacy: Complexity and High Stakes

European Union FlagEurope has the world's strongest data protection laws, and highest potential sanctions for non-compliance (€20MM or 4% of global revenue, not to mention criminal penalties!), so it makes sense for privacy professionals with global responsibility to become well-versed in European data protection law.  After working intensely in 2017 and 2018 to help my colleagues in Europe establish a GDPR program for one of the world's largest consumer-facing companies, and having remained actively involved in European data protection matters since, I finally felt I had the knowledge and experience to pursue certification in European data protection from the International Association of Privacy Professionals.  Today, I received that certification. 

According to the IAPP, which is the world's premier (and largest) data protection certification organization, a CIPP/E designation means one has "the comprehensive...knowledge, perspective and understanding to ensure compliance and data protection success in Europe." To demonstrate mastery of the field, all applicants must pass a rigorous exam which covers all of the topics listed here, including European legal frameworks, institutions, history, treaties, private sector laws, public sector laws, national laws, norms and standards, and best practices.

If you have an interest in obtaining the CIPP/E designation, I'd be happy to talk with you about it, and specifically how I studied for the examination.

Going forward, I might be posting more content to this blog relating to European data protection (I've been writing and speaking about it since 2015), if the posts receive enough traffic to indicate interest.

(P.S.- Special thanks to my friend and brilliant Italian lawyer Fabio Svizzero for the many hours spent explaining the nuances of EU data protection law and customs!)

Wednesday, October 23, 2019

New York SHEILD Act becomes effective (in part) today

Back in July, the State of New York adopted the Stop Hacks and Improve Electronic Data Security Act ("SHIELD Act"), which operates as an amendment to New York's existing data breach notification statute.  Certain parts of the SHEILD Act become effective today:
  • The breach notification provisions formerly applied only to those conducting business in New York.  Now, like many other state breach notification laws, the statute applies to any person or business that owns or licenses private information of a New York resident.
  • A security breach will now include unauthorized "access" of computerized data that compromises the security, confidentiality, or integrity of private information, which is intended to include most ransomware.  ("Acquisition" of data is no longer required.)
  • "Private information" will now include biometric information, as well as a username/email address in combination with a password or security questions and answers, and account numbers  (including credit/debit card numbers) even without a password or code if the account could be accessed without a code.
In addition, beginning March 21, 2020, New York will join other states in requiring companies to adopt reasonable safeguards to protect the security, confidentiality, and integrity of private information.

Friday, October 11, 2019

Proposed Regulations Implementing the California Consumer Privacy Act

Image of laptop displaying eyeball and text California California's Attorney General released proposed regulations implementing the California Consumer Privacy Act yesterday (10/10), and at first glance, I'm disappointed.  I'm still digesting them, and will probably post more later, but you can read them for yourself here.  The AG's press release is here.  The AG's "Fact Sheet" is here.

The draft regulations are out for public comment until December 6. Make your voice heard! The Attorney General will consider  comments and may revise the regulations in response. Any revision will trigger an additional 15 day public comment period.  Following the comment period(s), the AG will submit the final text to the Office of Administrative Law, which has 30 business days to review the regulations before they will go into effect.  In other words, the regulations will not be final before the January 1 compliance deadline. 

Although the AG will not begin enforcing the regulations until July 7, 2020, I predict the plaintiffs' bar will be initiating actions soon after January 1. 

Monday, September 16, 2019

Sorting Through the CCPA Amendments

Image of flag of the State of California with brown bear and star
The legislative session of the California Legislature effectively ended on Friday in a flurry of activity. Privacy and data security lawyers have been closely monitoring the many amendments to the California Consumer Privacy Act. Several of those amendments are now dead, a couple failed to pass but are being held over until the next legislative session, and a handful of amendments passed. Here is my quick take (but stay tuned for more in-depth analysis as I have time to delve deeper):

The highlights of the amendments approved by the legislature are as follows:

  • The most important amendment for most organizations, and the one I have been watching most closely, is Assembly Bill 25.  Because the original language of the CCPA defined "consumer" as a "natural person," there was some uncertainty regarding the application of the law to employee data.  AB 25 was originally intended simply to make clear the original intent of the legislature that employees are not considered "consumers" per se (unless and to the extent they actually are consumers).  However, following some lobbying, AB 25 was altered, and now provides only a partial, time-limited exemption for employee (and applicant) data collected solely within the context of that role.  Businesses will need to create the notice described in the CCPA (Sec. 1798.100(b)) and provide it to employees by January 1.  The private right of action relating to data security breaches will apply to employee data, and the law will expire on January 1, 2021, when, one hopes, it will be replaced by a well-thought-out employee privacy law.  In addition, AB 25 made explicit a business's right to require reasonable verification before honoring a consumer request (DSR), and made clear that if a consumer has an online account, the business may require any requests (DSRs) to be submitted through that account.
  • AB 1202 requires annual registration by data brokers (defined, more or less, as a business that collects and sells personal information despite not having a direct relationship with consumer.  The meaning of "direct relationship" remains in question, however. (Can merely clicking on an ad create a direct relationship?)
  • AB 1146 creates exemption for vehicle ownership information which is intended to address warranty and recall concerns. 
  • AB 1564 modifies the required methods for consumer requests (DSRs).  It retains the two earlier methods…a toll free telephone number and a website address, if the business has a website. It adds, however, a provision that says if business is exclusively online, and has a direct relationship with the consumer, the business only has to provide an email address.
  • AB 874 modifies the definition of “personal information” by adding the word “reasonably” in front of “capable of being associated with,” so that theoretical but extremely difficult re-identification methods can be disregarded.  It also corrects an error to make it more clear that "personal information" doesn’t include de-identified or aggregated consumer information.  It also simplifies what is meant by “publicly available.”
  • AB 1335 is a bit of a catch-all technical corrections bill that makes technical corrections regarding how "specific pieces" of information are furnished, the applicability to 16-year-olds, and--importantly--corrects the previously inscrutable phrase "reasonably related to value of the consumer data to the consumer," which appeared to mandate clairvoyance on a massive scale. It clarifies that the data breach liability safe harbor is available if data is encrypted or redacted (rather than both encrypted and redacted...which would have been plain weird), and addresses the sticky issue of business contact information.  Finally, there is a carve-out for activities authorized under the Fair Credit Reporting Act.  
  • Not to be overlooked is AB 1130, which adds biometric data to the state’s data breach notification law (it was already in the CCPA definition). In effect, this creates a private right of action if a data security breach includes biometric information.  
Before becoming law, the amendments must be signed by the Governor of California, who has 30 days to sign them (if he fails, it's called a "pocket veto" and they fade into non-existence).

Amendments That May Rise From The Grave

Two bills which did not pass but which may (apparently) be revived in the next session are AB 846 and AB 1138. The first would have clarified that consumer loyalty programs are permissible. The second would have required parental consent for minors (younger than 18 years old) to use social media.  A consumer loyalty program bill would have been immensely helpful for consumer-facing retailers! *cough*

Dead Amendments

The "dead" amendments include those that would have (i) created an express private right of action for any violation; (ii) required disclosure of the average value of personal information; (iii) removed the “Do Not Sell” link requirement; (iv) required removal of social media information; (v) created an exemption related to government agencies; and (vi) created a carve-out for certain insurance transaction data. (See AB 981, AB 1416, AB 288, AB 873, SB 561, SB 753, AB 950 and AB 1760.)

No Action from Attorney General

California's Attorney General Xavier Becerra is required to promulgate regulations implementing certain aspects of the CCPA, but has not yet issued any proposed rules.  Perhaps he anticipated the amendments and did not want to propose rules until the legislature had adjourned and the CCPA was more or less final (for now).  Although the CCPA becomes effective on January 1, the AG cannot bring any enforcement actions until the earlier of (a) the date on which he promulgates final rules or (b) July 1, 2020.  Once the AG proposes rules, there will be a delay before they become final and enforceable: there must be a 45- day public comment period, and, if comments result in changes, there will be another 15- to 45-day waiting period.  Accordingly, it seems unlikely that the AG will be enforcing the CCPA before July 1.  Note, however, that many commenters speculate there could be retroactive enforcement, and certainly there could be private litigation before the AG's enforcement deadline, so organizations should keep their focus on the January 1 deadline. 

I hope this quick summary is helpful.  Much more will be said about each of these bills in the coming days.  

Tuesday, July 30, 2019

Know A Bit Aboot Canadian Privacy Law, Eh?

Canadian National Flag imageIt's widely acknowledged that data protection law in Canada has long been more robust and strict than here in the United States.

In 2019, the Privacy Commissioner of Canada signaled an intention to interpret Canada's laws even more strictly, and indicated a desire to propose to the Canadian Parliament changes to the Personal Information and Electronic Documents Act and the Privacy Act which would bring Canadian law more into line with Europe's GDPR.  In light of this, and my responsibilities for international privacy compliance, I began studying Canadian federal and provincial data protection law in earnest, and recently became credentialed by the International Association of Privacy Professionals as a Certified Information Privacy Professional in Canadian data protection law and practice (CIPP/C).

According to the IAPP, which is the world's premier (and largest) data protection certification organization, a CIPP/C designation means "you have an understanding and application of Canadian information privacy laws, principles and practices at the federal, provincial and territorial levels."  To demonstrate mastery of the domain, all applicants must pass a rigorous exam which covers all of the topics listed here, including Canadian legal frameworks, private sector law, public sector law, healthcare sector laws, financial sector laws, provincial laws, norms and standards, and best practices.

If you have an interest in obtaining the CIPP/C designation, I'd be happy to talk with you about it, and specifically how I studied for the examination.

Stay tuned, as I may be posting more content to this blog relating to Canadian data protection in the future.

What's in your wallet? Maybe someone else's hand! (How to protect yourself following the Capital One breach)

What Happened?
Image of person with a hand in another person's purse

Capital One, a major credit card issuer headquartered in Virginia has disclosed a data security breach that affected around 100 million individuals in the US and around 6 million in Canada.

The perpetrator sought information relating to individuals who had applied for credit card products between 2005 and 2019, potentially accessing names, addresses, email addresses, phone numbers, dates of birth and self-reported income, as well as 140,000 social security numbers and 80,000 bank account numbers in the US and million social insurance numbers of Canadians. Capital One claims the hacker did not gain access to credit card account numbers, and Capital One believes it has fully remediated the vulnerability that lead to the breach.

What You Can Do To Protect Yourself

If you believe your personal information may be at risk as a result of this incident, you can take some steps to protect yourself. Here are some suggestions:

1. Check your Capital One account online for unauthorized charges. Log in to your account (from a secure connection and trusted device, as always) and search your recent transaction history for any unfamiliar transactions. If you see any unauthorized charges, follow Capital One's process to dispute the validity of those charges immediately.

2. Change your password for your online Capital One account. It's a good idea to periodically change your passwords anyway. Do not re-use a password that you have used (anywhere) before. Ensure your password is long and complex. (Here's what NIST has to say about password length and complexity).

3. Check your credit, if you haven't done so recently. You're entitled to one free copy of your credit report every 12 months from each of the three nationwide credit reporting companies. Order your reports online from, the only authorized website for free credit reports, or call 1-877-322-8228. You will need to provide your name, address, social security number, and date of birth to verify your identity. Review the reports to ensure they show only accurate, legitimate lines of open credit (e.g., your mortgage, credit card, etc.).

4. Consider a credit freeze. Placing a security freeze on your credit reports can prevent an identity thief from opening a new account or getting credit in your name. State laws, including North Carolina's state law, allows residents to set up and manage security freezes free of charge, and beginning in September of last year, federal law gives all Americans similar rights. To implement a security freeze, you will need to contact each of the three credit bureaus online:
Be prepared to provide authenticating information, such as:
  • Your Full Name
  • Your Address
  • Your Date of Birth
  • Your Social Security Number
When you put a security freeze in place, the credit bureau will send you confirmation of the freeze along with information on how to remove the freeze, which may include a PIN (Personal Identification Number) or password. The information should be sent to you no later than five business days after placing the freeze. Don't lose your PIN/password! If you want to apply for a new line of credit, you can request that a freeze be lifted for a specified period of time or removed by making the request to the credit bureaus and providing proper identification. The credit bureaus must lift or remove a freeze within one hour if you request by telephone or online.

5. Take advantage of the free credit monitoring and identity protection services that Capital One will soon be offering. (Details to follow soon, we assume. Check Capital One's website.)

Take care of yourselves, and good luck!

Wednesday, April 24, 2019

Washington's privacy bill seems dead, but a data security bill passes

Privacy and data security law are essentially moving targets.  Take for example recent events in the state of Washington.

Last month, I wrote about a bill introduced in the state legislature of Washington that would mimic the California Consumer Privacy Act, but would be even more strict in some cases. 

It has been a rollercoaster ride for the bill's sponsor and supporters.  The bill originally enjoyed overwhelming support in the Senate, but later, after stalling in a House committee, the bill seemed dead; the state's Chief Privacy Officer thought the bill was doomed. 

Just days later, a data security bill was approved by the legislature and presented to the Governor for signature.  (It seems likely that the data security bill is being adopted instead of the privacy bill.)

As amended, the data security bill will:

  • expand the definition of "consumer information" for purposes of triggering the breach notification requirements;
  • address breaches that specifically involve usernames and passwords;
  • provide a 30-day notification timeframe; and
  • add information to be included in breach notifications.

You can read the data security bill here.

Tuesday, March 26, 2019

Utah Expands Privacy Protections For Data Held By Third Parties

Utah state flag

Utah's Governor Gary Herbert is expected to sign a privacy bill in the next few days following unanimous approval in the state's legislature. This bill is particularly interesting (at least to privacy law geeks like you and me) for two reasons:
First, this bill diverges from the general trend. The bill's primary effect is to limit law enforcement's access to electronic data. (The general trend in the United States over the past two decades has been to grant law enforcement greater access to electronic data while gradually restricting data access and sharing in the private sector.) In the United States, law enforcement agencies are generally permitted to access data that is shared with a third party without a warrant, if the third party (not the individual data subject) consents. Many of the large custodians of consumer data routinely grant access to government agencies without demanding a warrant. The U.S. Constitution's 4th Amendment, which prohibits unreasonable searches and seizures, generally has not been applied to information in the custody of a third party.

Second, bills like this could eventually make trans-Atlantic data transfers easier.  One of the primary sources of tension in the context of cross-border personal data transfers is the difference between the U.S. government's relatively easy access to these data repositories without strict procedural protections versus the European Union's General Data Protection Legislation, which calls for strong protections around consumer data. If other states, or the federal government, follow Utah's lead, the U.S. could move closer to becoming a jurisdiction with "adequate" privacy protections, for purposes of the GDPR.
The bill, titled simply "The Electronic Information or Data Privacy Act,"
  • makes clear that the "owner" of data is the individual who transmits electronic information or data;
  • requires, with some exceptions, a search warrant to obtain certain electronic information or data in the custody of a third-party (other than the owner);
  • requires, with some exceptions, notification that electronic information or data was obtained;
  • provides for transmission of electronic information or data to a remote computing service, including restrictions on government entities;
  • excludes from evidence certain electronic information or data obtained without a warrant; 
  • defines and re-defines certain terms; and
  • makes some technical and conforming changes.

You can read the bill's full text for yourself here.