Privacy Legislation

Subscribe to Privacy Legislation

In September of this year, with SB 327, California stepped into the vanguard of information age law by passing a cybersecurity regulation on the Internet of Things. SB 327 has added new sections to Cal. Civil Code §1798. Specifically, §1798.91 et seq. While this seems to be a good thing, the larger question is what does it do, and how far does it reach?

What does it Do?

In a nutshell, the law requires the manufacturer of a “connected device” to 1) equip it with reasonable security feature(s) appropriate to a) the nature and function of the device; b) the information it may collect, contain, or transmit; and 2) ensure those security features are designed to protect the device and any information within from unauthorized access, destruction, use, modification, or disclosure.

Recognizing the inherent ambiguity “reasonable security feature(s)” may cause, fortunately the drafters of the law provided some clarification:  If the device is subject to authentication outside a local area network, should it contain either a unique pre-programmed password; or the device requires a user to generate a new means of authentication prior to initial access being granted; then such security feature is reasonable.

Note that this is a “reasonableness test” just for the authentication aspect of the device. The rest of the requirements in Cal. Civil Code §1798.91.04(a) will still mandate reasonable security beyond just the authentication aspects of the device.

How Far does it Reach?

“Connected device” is defined quite broadly. Under the definition, all the IoT devices we have discussed in previous posts should be covered by the law. Additionally, the law makes it apparent that manufacturers are the primary party subject to the requirements. Additionally, it applies to manufacturers located anywhere, even outside of California, if they sell or offer devices for sale in California.

Why does this Matter?

This law will have far reaching effects because the world we live in is a connected world. The Internet of Things is technology that increasingly influences everyone’s life and any business that manufactures devices are increasingly making those devices “connected”.

Until now, no such cybersecurity law existed. The legal landscape for around when OEMs had to incorporate cybersecurity was a veritable wild west. Adoption of this measure now mandates security measures be “baked” into the device before human user intervention. “Reasonable security” is now “table stakes” for anyone selling a smart device in California – which is nearly everyone.

Of course, there is much debate about what “reasonable security” might be. Under SB 327 there is some guidance, but it is still limited. Section 1798.91.04 does provide a floor for authentication requirements with the mandate that either a unique preprogrammed password will be provided OR the user won’t be able to use the device until the password is changed. However, there is still some question as to what the rest of the requirements will need to be to “protect the device and any information within from unauthorized access, destruction, use, modification, or disclosure.” Still,  California has taken the vanguard position in regulating IoT devices specifically. The Federal government and other states have not looked at this question from a “connected device” perspective. Most other laws imposing cybersecurity requirements talk about a “system”, which can include devices, but can also include other controls (e.g. network security, physical security, etc.).

So is this a problem? 

Just a few observations to keep in mind:

  • First, this is a California state specific law. There is no federal law on this issue. This can create preemption and constitutionality questions – adding to the uncertainty of compliance.
  • Second, “reasonable security” outside the authentication protocols of the device are still ambiguous. This leaves businesses with looking at standards like NIST guidelines, which can be overwhelming, or taking the risk they their security is deemed inadequate “after the fact”.
  • Third, SB 327 expressly carves out third-party software from being subject to this title. However, the interconnectivity of such third-party software may well be the source of a security breach – the NIST guidelines recognize this. As such, is it reasonable security to not consider how a device interacts with third-party software? This approach seems to fail to consider how devices (and software) are built today.

Fortunately, SB 327 does not include a private right of action – so the plaintiff’s bar will be limited in what they can do. Unfortunately, city and county attorney’s do have authority to enforce the law. This means that an activist city attorney may well force a device manufacturer into court.

In any event, SB 327 can be seen as the beginning of a trend which sees OEMs responsibilities expand beyond merely making sure their devices are safe, but also making sure the software inside the device is safe.

At the end of June, the California legislature passed its Bill 375, the California Consumer Privacy Act of 2018.  The Act contains a number of concepts that would be familiar to those who are working to bring their companies and organizations into compliance with GDPR.  The new law defines a category of “Personal Information” that radically departs from a traditional definition of Personal Data commonly found in various State Data Privacy Laws, which usually ties an individual name to other identifiers like social security number, account number, or other factors.  Instead, the California Act defines “Personal Information” as information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.  It does not, mercifully, include publicly available information, but it still comes closer to a GDPR-like definition of “personal data” than any other US law.

The Act provides California residents some rights that also appear familiar.  For example:

  • Consumers can request a copy of all the Personal Information a business has collected;
  • Consumers have the right to request that the business delete their Personal Information (subject to some exceptions), and a right to direct a company to not share their Personal Information with third parties; and
  • Consumers can request that a business disclose the categories of information it has collected, the sources of information, the purpose for the collection and/or its sale of the information, and the third parties with whom the information is shared.

These certainly sound like concepts that could be referenced as The Right to Access; The Right to Be Forgotten; and Data Portability.

Business requirements include:

  • Meaningful notifications to consumers at the point of contact where Personal Information is collected;
  • Updated online privacy notices to include the types of Personal Information collected, the purpose of collection, and rights information;
  • Implementation of Data Security measures to protect Personal Information;
  • Providing training to employees handling Personal Information or involved in consumer inquiries;
  • The inclusion of provisions in contracts with third parties with whom Personal Information is shared to include data privacy protections and restrictions on disclosure; and
  • The inclusion of a “do not sell my personal information” option on public facing interfaces and websites that collect personal information. Companies must take measures to not discriminate against users who opt out, but at the same time they can offer price incentives to those who chose to opt in.

The Act takes effect on January 1, 2020.  It has the same approximate 2 year “runway” period that GDPR provided in 2016 (leading up to May 25, 2018) for companies to gear up their compliance.  This law has potentially widespread impact, but some of the mechanisms of its application remain unclear, due in some degree to some of its broadly worded language.  In this way, it is also similar to the GDPR.

The challenge with implementation for large companies is the same as every other State level data privacy law – it is often virtually impossible to reliably identify who the “California” consumers are.  Thereby making it by practical necessity a global requirement for all publicly facing systems and applications for all users.

We recommend that most companies prioritize and stage their compliance today, focusing on GDPR in the short term, but  a California (or potentially necessary practical nationwide) compliance strategy should be included in late 2018 and 2019 IT and Privacy compliance plans.

Seyfarth Shaw Offers Data Privacy & Protection in the EU-U.S. Desktop Guide and On-Demand Webinar Series

On May 25, 2018, the EU General Data Protection Regulation (“GDPR”) will impose significant new obligations on all U.S. companies that handle personal data of any EU individual. U.S. companies can be fined up to €20 million or 4% of their global annual revenue for the most egregious violations. What does the future passage of GDPR mean for your business?

Seyfarth’s eDiscovery and Information Governance (eDIG) and Global Privacy and Security (GPS) practitioners are pleased to announce the release of Data Privacy & Protection in the EU-U.S.: What Companies Need to Know Now, which describes GDPR’s unique legal structure and remedies, and includes tips and strategies in light of the future passage of the GDPR.

How to Get Your Desktop Guide:

To request the Data Privacy & Protection in the EU-U.S. Desktop Guide as a pdf or hard copy, please click the button below:

GDPR Webinar Series

Throughout August and October of 2017, Seyfarth Shaw’s attorneys provided high-level discussions on risk assessment tools and remediation strategies to help companies prepare and reduce the cost of EU GDPR compliance. Each segment is one hour long and can be accessed on-demand at Seyfarth’s Carpe Datum Law Blog and The Global Privacy Watch Blog.

For updates and insight on GDPR, we invite you to click here to subscribe to Seyfarth’s Carpe Datum Law Blog and here to subscribe to Seyfarth’s The Global Privacy Watch Blog.

Cross-posted from Employment Law Lookout.

Seyfarth Synopsis:  A string of recent class action lawsuits regarding businesses’ use of employees’ biometric data should put employers on heightened alert regarding compliance with various state biometric privacy laws.

As biometric technology has become more advanced and affordable, more employers have begun implementing procedures and systems that rely on employees’ biometric data. “Biometrics” are measurements of individual biological patterns or characteristics such as fingerprints, voiceprints, and eye scans that can be used to quickly and easily identify employees.  However, unlike social security numbers or other personal identifiers, biometrics are biologically unique and, generally speaking, immutable.  Thus, unlike a bank account or a social security number, which can be changed if it is stolen, biometric data, when compromised, cannot be changed or replaced, leaving an affected individual without recourse and at a heightened risk for identity theft.  Given the serious repercussions of compromised biometric data, a number of states have proposed or passed laws regulating the collection and storage of biometric data.  And plaintiffs’ attorneys are taking notice, as the number of class action lawsuits in this area has surged in recent months.

Currently, there are three states that have statutes regulating the collection and storage of biometric data: Illinois, Texas, and Washington.  In 2008, Illinois passed the Biometric Information Privacy Act (“BIPA”).  Texas followed suit in 2009, and Washington passed its biometric privacy law in 2017. Continue Reading Hazards Ahead: Uptick in Biometric Privacy Laws Can Put Employers in Hot Seat

Cross-posted from Carpe Datum Law

On May 25, 2018, the EU General Data Protection Regulation (“GDPR”) will impose significant new obligations on all U.S. companies that handle personal data of any EU individual. U.S. companies can be fined up to €20 million or 4% of their global annual revenue for the most egregious violations. What does the future passage of GDPR mean for your business?

Our experienced eDiscovery and Information Governance (eDIG) and Global Privacy and Security (GPS) practitioners will present a series of four 1-hour webinars in August through October of 2017. The presenters will provide a high-level discussion on risk assessment tools and remediation strategies to help prepare and reduce the cost of EU GDPR compliance. Continue Reading Is your organization ready for the new EU General Data Protection Regulation?

The General Data Protection Regulation is coming, and along with it, a significant expectation of increased harmonization in the privacy rules across the EU. Considering the 60-plus articles which directly impose obligations on controllers and processors, this isn’t an unreasonable sentiment. However (as is often the case with the EU), reality is a bit more complicated than what the expectations reflect.

The reason for the retained level of complexity even under the GDPR are what are known as “opening clauses”. These clauses permit a Member State to modify the provisions of the Article in which the clause resides. In effect, the opening clauses permit the Member State to introduce a more restrictive application of the GDPR obligation via local legislation.

These opening clauses are particularly important to note as there are a number of them (around 30% of the directly applicable Articles have opening clauses), and many of them address an already complicated area of data protection law – employment. While there are a number of companies who have a large consumer impact in the EU, there are just as many (if not more) who have workers in the EU, or have clients who have workers in the EU. As a consequence, the implementation of the GDPR doesn’t fully mitigate the patchwork quilt of local law when it comes to labor & employment law. This is both because of the opening clauses in a number of related Articles, as well as the plain text of Article 88.

The lack of consistency in HR-related data protection is particularly concerning with the advances in workforce management, monitoring, and the use of personal devices in the workplace (e.g. Bring Your Own Device, or “BYOD” environments). One of the ways that the regulators have attempted to address this very real issue around inconsistent GDPR obligations is with an update to the 2001 Article 29 Working Party opinion on data protection of employees. The new opinion, published on 23 June 2017, provides an update to the recommendations which were put in place prior to the age of social media and pervasive computing (i.e. Internet of Things).

While not mandatory, the Opinion does operate somewhat as a roadmap to the way regulators in the EU will consider enforcement – both in breach situations, as well as in accountability situations (i.e. when an entity has to “show” how they are compliant). The Opinion is also instructive as much of the analysis revolves around the concept of “proportionality”.

This balancing of the legitimate interests between employees and employers was not a commonly used method of legitimizing processing under Directive 95/46/EC and its local implementing legislation. However, it seems that this is the direction the Working Party is taking.  This may be seen as both a good and bad situation. On one hand, it indicates that the regulators are starting to understand the complexity of the modern workplace, and how rigid bright-line rules won’t really work. On the other hand, it would seem to require a significant amount of analysis by data protection experts (which is subsequently documented) showing the balance of interests doesn’t harm the employee.

In any event, at least in the realm of employment law, the GDPR isn’t going to be quite the panacea that many of us were hoping for. It is still going to be a complex, difficult to manage, area of law for the foreseeable future.

shutterstock_172034426Cross-posted from Carpe Datum Law.

Beginning on April 12, 2017, U.S. organizations that are subject to the investigatory and enforcement powers of the FTC or the Department of Transportation will be able to self-certify to the newly adopted Swiss–U.S. Privacy Shield Framework (“Swiss Privacy Shield”). The Swiss Privacy Shield will allow transfers of Swiss personal data to the United States in compliance with Swiss data protection requirements. The Swiss Privacy Shield will replace the U.S.–Swiss Safe Harbor Framework and will impose similar data protection requirements established last summer for cross-border transfers of personal data from the EU under the EU–U.S. Privacy Shield (“Privacy Shield”).

With the adoption of the Swiss Privacy Shield, transfers of personal data from Switzerland under the Swiss Safe Harbor Framework will no longer be permitted. Organizations currently registered with the Swiss Safe Harbor would need to certify under the Swiss Privacy Shield or implement alternative methods for complying with Swiss data transfer restrictions, such as Standard Contractual Clauses and Binding Corporate Rules. To join the Swiss Safe Harbor, organizations would need to ensure that their privacy policies, notices, statements, and procedures are in compliance with the new framework. The Department of Commerce provides sample language that can be used in an organization’s privacy policy to signify its participation in the Swiss Privacy Shield.

Organizations with active Privacy Shield certifications will be able to add the Swiss Privacy Shield registration to their existing Privacy Shield accounts, at a separate annual fee. Similarly to the Privacy Shield, the fee for participation in the Swiss Privacy Shield will be tiered based on the organization’s annual revenue. The exact fee structure will be made available sometime before April 12.

Notably, organizations with dual registrations, would need to recertify under both the Privacy Shield and the Swiss Privacy Shield one year from the date the first of their two certifications was finalized. That means, for instance, that an organization that registered for the Privacy Shield on September 1, 2016, which then registers for the Swiss Privacy Shield on May 1, 2017, would need to complete its annual recertification under both frameworks by September 1, 2017.

While the requirements of the two frameworks are nearly identical, there are a few differences: Continue Reading The Swiss Privacy Shield Opens for Business on April 12

Cross Posted from California Peculiarities Employment Law Blog

Hernandez v. Sprouts Farmers Market, Inc., a case stemming from a phishing scam, emphasizes the need for California employers to implement comprehensive data protection and data breach notification policies and practices for personal employee information under the CDPA.

A story of a company suffering a data breach tops newspaper headlines almost daily. So how can you stay out of the “fuego,” and stay compliant with California laws about your employees’ and customers’ data?

California’s Data Protection Act—“Army Of One”

In 2003 California passed the nation’s first data breach notification statute: the CDPA. Since then, over 30 states have enacted similar statutes, but California remains the national leader in privacy and data security standards.

The CDPA mandates that any business that “owns or licenses personal information about a California resident shall implement and maintain reasonable security procedures and practices appropriate to the nature of the information, to protect the personal information from unauthorized access, destruction, use, modification, or disclosure.” And it requires a company to notify affected individuals of a data breach “in the most expedient time possible and without unreasonable delay.” Continue Reading Phishing: Data Breach Is “Chalkdust Torture”

The clock is now ticking. On May 4th the European Parliament published the final text of the General Data Protection Regulation (“GDPR”), and the rules of the game have significantly changed – at least in the context of EU data protection law. First, the GDPR changes the underlying approach to data protection law, with a new emphasis placed on accountability and risk-based approaches. “Privacy by Design” and “Privacy by Default” have been included in the regulatory ecosystem. Second, significant changes have been made to the obligations of “controllers” and “processors”. These include specific criteria for having compliant privacy notices and vendor management contracts. Third, enforcement is now a very real, and potentially risky, thing. With the possibility of administrative fines being up to 4% of a business’ global gross revenue, private rights of action by individuals, and non-profit privacy watchdog groups (also known as “Civil Society”) having the right to complain of a company’s privacy practices directly to the local Data Protection Authorities; compliance with the GDPR will now be one of those risks that any business who touches EU data will need to seriously consider. Fortunately, the GDPR won’t go into effect until May 25th 2018. However, businesses with significant data from the EU need to start considering how to comply now. Continue Reading Europe Is Shifting, And It’s a Big Deal – The New GDPR

It is the beginning of 2016, and American companies are anxiously awaiting news of whether or not a new “Safe Harbor 2.0” will emerge. In October of 2015, the European Court of Justice declared invalid Safe Harbor 1.0 in the Schrems decision. This had an immediate effect on any American company collecting personal data from the EU by removing the legal basis for this kind of data transfer. As of October 2015, consumer, client, and even employee data cannot be legally transferred to the US under the Safe Harbor Framework.

Fortunately, the data protection regulators (“DPAs”)recognized the turmoil this decision created within the business community on both sides of the Atlantic. As a result, the Article 29 Working Party (which is the convention of DPAs from each of the EU Member States) issued an enforcement moratorium on enforcement actions until the end of January 2016, so that they could assess the effectiveness of data transfer tools available. As part of this moratorium, the Working Party called on “…Member States and European institutions to open discussions with U.S. authorities in order to find legal and technical solutions”; and that the “current negotiations around a new Safe Harbor could be part of the solution.” Continue Reading Safe Harbor 2.0 – Is It Happening?