On Thursday, July 11, 2019, a diverse group of trade associations spanning numerous industries, including retail, telecom, manufacturing, and food and beverage, urged Congress to enact a consumer privacy law.  In a letter to the Senate and House commerce committees, the coalition of 27 industry groups asked Congress “to act quickly to adopt a robust and meaningful national consumer privacy bill to provide uniform privacy protections for all Americans.”  The coalition said that a “comprehensive federal privacy law that establishes a single technology and industry-neutral framework for our economy” is necessary because “consumers’ privacy protections should not vary state by state.”  The coalition noted that “a uniform federal framework” would “provide certainty for businesses and consumers alike.”

The coalition’s letter was likely spurred by congressional hearings on data privacy and the growing number of states considering data privacy legislation following the European Union’s implementation of the GDPR.  California Maine, Nevada, and Vermont recently enacted laws governing collection, use, or sharing of consumer data, and similar legislation is pending in Hawaii, Illinois, Massachusetts, Minnesota, New Jersey, New York, Pennsylvania, Rhode Island, Texas, and Washington.  Privacy bills introduced in Louisiana, Maryland, Mississippi, Montana, New Mexico, and North Dakota failed to pass but could be reintroduced in upcoming legislative sessions.

To keep abreast of developments and for compliance webinars, sign up at the links below.

Consumer Class Defense Blog

The Global Privacy Watch

In just a few short months, on January 1, 2020, the California Consumer Privacy Act (CCPA) is set to go into effect, establishing new consumer privacy rights for California residents and imposing significant new duties and obligations on commercial businesses conducting business in the state of California. Consumer rights include the right to know what personal information a business is collecting, selling, and disclosing about them; the right to deletion; the right to opt-out of the sale of personal information; and the right not to be discriminated against (written as a business duty). These rights are intended to provide consumers with a level of control of their personal information and to establish transparency on the part of the businesses to comply with consumers’ exercise of their privacy rights. In addition, businesses are required to provide employee training; website notice of consumer rights and categories of personal information collected, sold, and disclosed; and to implement and maintain adequate security measures. The penalties of non-compliance can be severe, with avenues for both regulatory enforcement and private cause of action. Learn what the attorney general’s forthcoming regulations likely have in store for businesses and what your organization should be doing now to proactively prepare for the CCPA to ensure compliance.

Jason Priebe, John Tomaszewski, and Edward “Ted” Murphree, three of our experienced eDiscovery and Information Governance (eDIG) and Global Privacy and Security (GPS) practitioners, will present a series of three 1-hour CLE webinars. The presenters will provide high-level discussion on strategies for CCPA compliance.

CCPA Webinar Series Part 1: An Overview and What You Need to Know (Until It Changes)

Tuesday, July 9, 2019
1:00 p.m. to 2:00 p.m. Eastern
12:00 p.m. to 1:00 p.m. Central
11:00 a.m. to 12:00 p.m. Mountain
10:00 a.m. to 11:00 a.m. Pacific

CCPA Webinar Series Part 2: Business Obligations and Responsibilities (So Far As We Know Them–They Will Change)

Wednesday, July 17, 2019
1:00 p.m. to 2:00 p.m. Eastern
12:00 p.m. to 1:00 p.m. Central
11:00 a.m. to 12:00 p.m. Mountain
10:00 a.m. to 11:00 a.m. Pacific

CCPA Webinar Series Part 3: Enforcement and Compliance (Or What We Think Will Happen)

Thursday, August 1, 2019
1:00 p.m. to 2:00 p.m. Eastern
12:00 p.m. to 1:00 p.m. Central
11:00 a.m. to 12:00 p.m. Mountain
10:00 a.m. to 11:00 a.m. Pacific

Cross-Posted from Carpe Datum Law Blog

Senate Bill 561, which would have generated even greater compliance challenges and litigation risk for businesses, has been held in committee and placed on suspense. This development effectively prevents the bill from advancing for a vote and is a bit of CCPA good news for businesses. It also serves as a minor setback to consumer privacy interest groups and plaintiff-oriented trial lawyers, who were banking on even more lucrative individual consumer violation claims after January 1, 2020.

The original proposed amendment would have expanded the private cause of action to any violation of the CCPA, and eliminated the 30-day cure period for alleged violations. California Attorney General Xavier Becerra had earlier expressed his support of Senate Bill 561, reportedly in order to relieve the enforcement burden of the Attorney General’s office (and despite the fact that the CCPA sets up a fund to finance enforcement activity by the Attorney General). The original proposed bill and its potential impact were discussed in an earlier post on this site.

Businesses should celebrate this development as a more reasoned and balanced approach to individual rights under the CCPA with the goal of appropriate and fair governmental enforcement. Organizations and businesses dealing with California residents should be on the lookout for the California Attorney General’s enforcement rules announcement this Fall.

In prior posts, we’ve commented on the California Consumer Privacy Act (“CCPA”), likening it, and its Texas ‘flavored’ variant(s), to ‘elephants in the room’. Here, we’ve opted to expand our coverage and talk about what we’re seeing other states do (or, let’s expand the elephant metaphor to: elephants, elephants everywhere.)

It seems that all of a sudden, consumer privacy is THE hot topic and everyone’s jumping on the CCPA bandwagon! Consumers have woken up to what is happening with their personal information and are demanding government protective action! These are sensationalist statements, to be true, but are they accurate statements? Well, as is usually the case it is a bit more nuanced and it is important to set some things straight. Continue Reading 2019: Is This The Year of Consumer Privacy (or, Elephants, Elephants Everywhere)

In Part 1 of our ‘Texas Joins the Privacy Fray’ series, we focused on the Texas Consumer Privacy Act. Here, we shine the light on the Texas Privacy Protection Act (HB 4390).

The TXPPA is distinguishable from both the TXCPA and the CCPA because the applicability threasholds are different. For the TXPPA to apply, a business must 1) be doing business in Texas; 2) have more than 50 employees; 3) collect personally identifiable information (“PII”) of more than 5,000 individuals, households, or devices (or has it collected on the business’s behalf); and 4) meet one of the following two criteria – the business’ annual gross revenue exceeds $25 million; or the business derives 50% or more of its annual revenue from processing PII.

Further, subject to certain ‘pipeline’ exceptions (i.e. merely processing PII to transmit it across a network), it only applies to collection of PII over the Internet or any other digital network, or through a computing device that is associated with or reasonably linked to a specific end user. Under the TXPPA, no processing is authorized without explicit permission received from the individual from whom the information pertains (or the processing is required by law). Already, this last statement makes compliance pretty challenging. A literal interpretation is that to process PII, a business will need either explicit permission or legal basis.

Additionally, a business may only process PII if it is relevant to accomplish the purposes for which it is to be processed; the purposes are specifically disclosed by the business in the notice, made prior to the collection, and processing is only to the extent necessary to achieve a purpose. Finally, processing is only authorized if it does not violate state or federal law, doesn’t infringe on another’s rights or privileges under the US Constitution, and the business follows the procedures should automated processing be used.

Contrary to the TXCPA (and more in line with the CCPA), the TXPPA requires an impacted business to establish and maintain a “comprehensive data security program that contains… safeguards for personal identifying information.” The TXPPA is light on specifics and does not provide for a private cause of action or class action for the breach of the duty to safeguard personal information.

While all of this seems to present a bit of a challenge to businesses, the TXPPA does establish a safe haven of sorts quite similar to the TXCPA. Unfortunately, it does not apply to violations made by a service provider. The safe harbor is limited to a third party (not service providers – they are different) violation of their processing authority, provided the business has no actual knowledge or reasonable belief that the third party intends to violate the TXPPA. It doesn’t cover a violation of the initial business’ processing authority. So, if a business has a service provider the makes a mistake, the business would still be on the hook for the service provide’s actions.

Finally, the TXPPA provides that the Texas Attorney General may bring an action against a business or third party for violations and recover civil penalties in an amount not more than $10,000 per violation, not to exceed a total of $1 million.

The Texas Attorney General, just like his California counterpart, is delegated enforcement authority under this Texas bill and must adopt rules necessary to implement, administer, and enforce it.  Unlike the CCPA, the TXPPA does not mandate public stakeholder input in drafting those rules. What does that mean? It’s vital to not only watch and participate (if possible) in the Texas regulatory drafting process in the appropriate timeframe, but also monitor and review the CCPA rules the California Attorney General drafts, due in several months. This, along with the reasonable expectation that the Texas Attorney General will follow basic privacy principles present in every other privacy system out there, provide the strongest indicators as to what Texas rules may look like.

It should be noted, that both Texas bills have the usual carve outs to attempt to avoid a Federal preemption claim. Processing that is subject to HIPAA, GLB, FCRA, or FERPA is exempted from the scope of the TXPPA. However, those are fairly narrow exceptions.

Like we asked in Part 1 – is writing about the Texas Privacy Protection Act premature? In a word, no. As of this writing, there have been privacy impacting bills introduced in 31 state legislatures and this doesn’t include attention at the federal level. Most of these state bills are influenced by the CCPA, distinguished importantly by the degree of that influence. Given the attention garnered by security and privacy issues the last two years and more importantly, legislative responses to those issues, one thing is virtually certain: there will be privacy regulation for Texas businesses to comply with and it will very likely share elements found in the CCPA. Monitoring developments on the front end is imperative given the nature of the subject matter, but equally important is to begin thinking strategically about how business compliance can be balanced with business operations – something which can benefit from sound legal counsel.

Last month, Texas saw the introduction of not one, but TWO privacy bills in the Texas state legislature: The Texas Consumer Privacy Act (TXCPA) and the Texas Privacy Protection Act (TXPPA). With news of this likely meeting with a collective groan and shoulder shrug, we do have some good news for you.

Both bills’ foundations are set with familiar CA Consumer Privacy Act (“CCPA”) language. Unfortunately, this is also bad news because they both suffer from the same problems found in the CCPA – we’ll explain below. It’s also still early in the game, with the bills having just been filed in the state legislature. Given that there is time in the legislative session for amendments to be made and especially considering the ‘ring-side’ view Texas lawmakers have to the CA legislative and Attorney General rule/procedure process currently unfolding, it would be unreasonable not to expect changes. Finally, the bills are reactive responses to the national (or international) focus on privacy issues of late and may allow impacted businesses a grace period, as we’ve seen in the CCPA. In this blog, we shine the light on the first of these bills: The Texas Consumer Privacy Act. Continue Reading And Texas Joins the Privacy Fray – Part 1 (or, the Elephant in the room just got a LOT bigger…)

Seyfarth has released the results of its fourth annual Real Estate Market Sentiment Survey, which polled commercial real estate executives around the country from all sectors. Of interest to our readers, this year’s survey revealed that 69% of respondents are concerned about a cyberattack hitting their business in 2019, a significant increase compared to last year (46%).

View the full survey results

Cybersecurity isn’t just for technology companies anymore. More and more, we are seeing other critical infrastructure participants becoming targets of cybersecurity attacks. Transportation, construction, and other real property-heavy industries are starting to catch the eye of sophisticated hacking teams – both criminal as well as nation-state sponsored groups.

There are two different threat models in the real estate market: the builder and the manager. Continue Reading Cyberattacks a Growing Concern for Commercial Real Estate Executives

California, home to more than 40 million people and the 5th largest economy in the world, has passed the California Consumer Privacy Act (CCPA), its omnibus consumer privacy law. The law creates sweeping new requirements concerning the collection, maintenance, and tracking of information for both employees or customers who are residents of California. Many aspects of the implementation and enforcement are still being finalized by the California Attorney General. However, companies with employees or customers in California need to take stock of the information they are processing that could qualify as “personal information” for California residents, and they need to begin establishing mechanisms for compliance before the end of 2019. Continue Reading The California Consumer Privacy Act of 2018: What Businesses Need to Know Now

Welcome to the California Consumer Privacy Act (CCPA) […as if we didn’t have enough to worry about with the GDPR!].

The bracketed, italicized text, albeit a bit cynical, is with little doubt, how many of us initially reacted to the news of a new data protection law, hailed as the standard in consumer privacy protection, in California. And while the effective date is supposed to be January of 2020, January of 2019 isn’t too early to starting getting ready for the new law.

To dispel the rumors, the CCPA is not “GDPR-lite.” Where it comes on the heels of the GDPR’s May 2018 enforcement date, it isn’t a mirror image of the GDPR, or even a “watered down” variant of it. Drafters of the CCPA did indeed look to the GDPR as a basis for some of data protection concepts, but they focused on existing California privacy laws as well.

Continue Reading The CA Consumer Privacy Act: The NEW Elephant in the Room

In September of this year, with SB 327, California stepped into the vanguard of information age law by passing a cybersecurity regulation on the Internet of Things. SB 327 has added new sections to Cal. Civil Code §1798. Specifically, §1798.91 et seq. While this seems to be a good thing, the larger question is what does it do, and how far does it reach?

Continue Reading California’s IoT Security Law – Everyone Needs Cybersecurity Now