Thursday, October 5, 2023
1:00 p.m. – 2:00 p.m. ET
12:00 p.m. – 1:00 p.m. CT
11:00 a.m. – 12:00 p.m. MT
10:00 a.m. – 11:00 a.m. PT
Seyfarth is pleased to offer this Masterclass, hosted by Lexology, which is designed to familiarize in-house counsel and privacy professionals, in and
This blog post is co-authored by Seyfarth Shaw and The Chertoff Group and has been cross-posted with permission.
On July 26, the U.S. Securities & Exchange Commission (SEC) adopted its Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure final rule on a 3-2 vote. The final rule is a modified version of the SEC’s earlier Notice of Proposed Rulemaking (NPRM) released in March 2022. The final rule formalizes and expands on existing interpretive guidance requiring disclosure of “material” cybersecurity incidents.
Continue Reading SEC Publishes Public Company Cybersecurity Disclosure Final Rule
On July 10th, the European Commission issued its Implementing Decision regarding the adequacy of the EU-US Data Privacy Framework (“DPF”). The Decision has been eagerly awaited by US and Europe based commerce, hoping it will help business streamline cross-Atlantic data transfers, and by activists who have vowed to scrutinize the next framework arrangement (thereby maintaining their relevance). Regardless of the legal resiliency of the decision, it poses an interesting set of considerations for US businesses, not the least of which is whether or not to participate in the Framework.
For those who followed the development and demise of the Privacy Shield program and the Schrems II case, it has been apparent for some time that the fundamental objection of the activists and the Court of Justice of the EU (“CJEU”) to the original Privacy Shield was the perception that the US intelligence community had an ability to engage in disproportional data collection without any possibility of recourse by EU residents whose personal information may be swept into an investigation. The actual functioning of the program for the certifying businesses were much less controversial.
Since the structure of the program wasn’t the primary reason for Privacy Shield’s revocation, from a business perspective, the current DPF looks a lot like the old Privacy Shield. For businesses who made the decision to participate in the Privacy Shield program in the past, the operational burden shouldn’t be much different under the new DPF, if they have already taken steps to operationalize the requirements.
What is interesting about the new DPF is how it may impact a company’s decision to choose between the Standard Contractual Clauses (“SCCs”) and the alternative adequacy mechanism for transfers. There is also some interest vis-à-vis the DPF and its interactions with state privacy laws.
Continue Reading Adequacy for the US (kind of) – But What Are the Side Effects?
The California Superior Court in Sacramento decided to give businesses in California an early present for the 4th of July. The regulations promulgated by the California Privacy Protection Agency (“CPPA”) back in March will not be enforceable on July 1, 2023. The new enforcement date will be March 29, 2024.
This is a result of the Court finding (account to access required) that it was the intent of the voters to require a 12-month “grace period” for businesses to build out their CCPA compliance programs. As a bit of background, and as we mentioned in our article back in April that you can find here, the California Chamber of Commerce (“the Chamber”) filed suit against the CPPA in March of this year seeking a delay in enforcement. The suit argued that the CCPA regulations passed by the CPPA should only be enforceable only after 12 months from the final promulgation of all the required regulations set out in Proposition 24 and sought injunctive relief to delay CPPA’s enforcement. The Chamber lawsuit was filed the day after the CPPA finalized their regulations across 12 of the 15 areas of the CCPA which rulemaking is required under Proposition 24.
2023 has brought several states into the privacy limelight. On June 18, Governor Abbott signed the Texas Data Privacy and Security Act (“TDPSA”) into law, making the Lone Star state the eleventh in the U.S. to pass a comprehensive data privacy and security law. The Act provides Texas consumers the ability to submit requests to exercise privacy rights, and extends to parents the ability exercise rights on behalf of their minor children.
The Texas Act provides the usual compliment of data subject rights relating to access, corrections, data portability, and to opt out of data being processed for purposes of targeted advertising, the sale of personal information, and profiling where a consumer may be significantly or legally effected. It also requires that covered businesses provide a privacy notice and other disclosures relevant to how they use consumer data.
With the passage of Senate Bill 262, Florida has become the latest state who has woken up to the political capital that a state privacy law can provide. And while we see a lot of the “usual suspects” which populate other state privacy laws (e.g. notice, consumer rights, collection and use restrictions, etc.) – which we have posted on frequently – Florida didn’t just look to privacy with SB 262. It also addressed two other issues which seem to be on the mind of Governor DeSantis – government censorship of online social media platforms, and protection of a minor’s personal information.
Continue Reading Florida’s SB 262 – What Florida Thinks of Privacy (and more)
On Tuesday, June 13 at 1:00 p.m. Eastern, Seyfarth attorneys Kristine Argentine, John Tomaszewski, and Paul Yovanic will present at the Association of National Advertisers webinar, “Emerging Issues Surrounding Privacy Class Actions and Compliance in 2023.”
The webinar will address the recent surge in consumer class actions, compliance considerations, and recent developments
Tennessee and Montana are now set to be the next two states with “omnibus” privacy legislation. “Omnibus” privacy legislation regulates personal information as a broad category, as opposed to data collected by a particular regulated business or collected for a specific purpose, like health information, financial or payment card information. As far as omnibus laws go, Tennessee and Montana are two additional data points informing the trend we are seeing at the state level regarding privacy and data protection. Fortunately (or unfortunately depending on your point of view) these two states have taken the model which was initiated by Virginia and Colorado instead of following the California model.
Is there Really Anything New?
While these two new laws may seem to be “more of the same”, the Tennessee law contains some new interesting approaches to the regulation of privacy and data protection. While we see the usual set of privacy obligations (notice requirements, rights of access and deletion, restrictions around targeted advertising and online behavioral advertising, et cetera) in both the Tennessee and Montana laws, Tennessee has taken the unusual step of building into its law specific guidance on how to actually develop and deploy a privacy program in the Tennessee Information Protection Act (“TIPA”).
Continue Reading Two New State Privacy Laws – But What is Really New?
The My Health My Data Act (“Act”) was approved by the Washington State House on April 17, 2023. The Act is now with Governor Jay Inslee for signature and is expected to be signed into law in its current form, which is broad enough to warrant anyone with any activity in Washington to consider its scope and implications for operations. Because the Act will be enforceable through a private right of action, it has the potential to create substantial legal exposure for violations.
The Act creates new and unique consumer rights and obligations for business relating to the collection, sharing, and use of “Consumer Health Data” (“CHD”). It expressly aims to “close the gap between consumer knowledge and industry practice” by expanding obligations related to processing of CHD to entities not covered by HIPAA. However, it is significantly broader in potential scope, including, in part, due to the gaping definition of CHD (which expressly includes data that identifies past, present, or future physical or mental health status, for example, “bodily functions” and “precise location information that could reasonably indicate an attempt to receive health services or supplies”). The Act will impact a range of business, including advertisers, mobile app providers like health and wellness trackers, wearable device manufacturers and, of course, healthcare and wellness industry companies and their data processors handling non-HIPAA-regulated CHD. Notably, the Act expressly addresses abortion/reproductive health services and gender-affirming care services (including by making it unlawful for any person to use a “geofence” (or virtual boundary) around a facility that provides health care services) for the purposes of identifying or tracking consumers seeking such services; collecting CHD from consumers; or sending them notifications, messages, or advertisements related to their CHD or health care services. This restriction applies regardless of consent or opt-in.
It’s been no doubt a week of mixed emotions at the California Privacy Protection Agency (“CPPA”) which last week had its final CCPA regulations (“Regulations”) approved and filed with the California Secretary of State by the Office of Administrative Law. The final regulations have been stated to be “effective immediately”. The result is that California employers are now going to have a significant burden around compliance with California privacy law which they didn’t have previously.
Taken on its face, “effective immediately” would mean that enforcement of the regulations would be available (if not acted upon) immediately. However, as with much about the CCPA, this may not be definitive.
First, the California Administrative Procedure Act (“APA”) provides that regulations become effective on one of four quarterly dates based on when the final regulations are filed with the Secretary of State. Under the APA the enforcement date would still be July 1, because the regulation was filed between March 1 and May 31. See Cal. Gov. Code §11343.4(a)(3).
Second, Proposition 24 (the actual amendment to the CCPA) itself provides timing of enforcement of the new provisions of the CCPA. Specifically, Cal. Civ. Code §1798.185(d) states “Notwithstanding any other law, civil and administrative enforcement of the provisions of law added or amended by this act shall not commence until July 1, 2023.”