Cross-Posted from Carpe Datum Law Blog

Senate Bill 561, which would have generated even greater compliance challenges and litigation risk for businesses, has been held in committee and placed on suspense. This development effectively prevents the bill from advancing for a vote and is a bit of CCPA good news for businesses. It also serves as a minor setback to consumer privacy interest groups and plaintiff-oriented trial lawyers, who were banking on even more lucrative individual consumer violation claims after January 1, 2020.

The original proposed amendment would have expanded the private cause of action to any violation of the CCPA, and eliminated the 30-day cure period for alleged violations. California Attorney General Xavier Becerra had earlier expressed his support of Senate Bill 561, reportedly in order to relieve the enforcement burden of the Attorney General’s office (and despite the fact that the CCPA sets up a fund to finance enforcement activity by the Attorney General). The original proposed bill and its potential impact were discussed in an earlier post on this site.

Businesses should celebrate this development as a more reasoned and balanced approach to individual rights under the CCPA with the goal of appropriate and fair governmental enforcement. Organizations and businesses dealing with California residents should be on the lookout for the California Attorney General’s enforcement rules announcement this Fall.

In prior posts, we’ve commented on the California Consumer Privacy Act (“CCPA”), likening it, and its Texas ‘flavored’ variant(s), to ‘elephants in the room’. Here, we’ve opted to expand our coverage and talk about what we’re seeing other states do (or, let’s expand the elephant metaphor to: elephants, elephants everywhere.)

It seems that all of a sudden, consumer privacy is THE hot topic and everyone’s jumping on the CCPA bandwagon! Consumers have woken up to what is happening with their personal information and are demanding government protective action! These are sensationalist statements, to be true, but are they accurate statements? Well, as is usually the case it is a bit more nuanced and it is important to set some things straight. Continue Reading 2019: Is This The Year of Consumer Privacy (or, Elephants, Elephants Everywhere)

In Part 1 of our ‘Texas Joins the Privacy Fray’ series, we focused on the Texas Consumer Privacy Act. Here, we shine the light on the Texas Privacy Protection Act (HB 4390).

The TXPPA is distinguishable from both the TXCPA and the CCPA because the applicability threasholds are different. For the TXPPA to apply, a business must 1) be doing business in Texas; 2) have more than 50 employees; 3) collect personally identifiable information (“PII”) of more than 5,000 individuals, households, or devices (or has it collected on the business’s behalf); and 4) meet one of the following two criteria – the business’ annual gross revenue exceeds $25 million; or the business derives 50% or more of its annual revenue from processing PII.

Further, subject to certain ‘pipeline’ exceptions (i.e. merely processing PII to transmit it across a network), it only applies to collection of PII over the Internet or any other digital network, or through a computing device that is associated with or reasonably linked to a specific end user. Under the TXPPA, no processing is authorized without explicit permission received from the individual from whom the information pertains (or the processing is required by law). Already, this last statement makes compliance pretty challenging. A literal interpretation is that to process PII, a business will need either explicit permission or legal basis.

Additionally, a business may only process PII if it is relevant to accomplish the purposes for which it is to be processed; the purposes are specifically disclosed by the business in the notice, made prior to the collection, and processing is only to the extent necessary to achieve a purpose. Finally, processing is only authorized if it does not violate state or federal law, doesn’t infringe on another’s rights or privileges under the US Constitution, and the business follows the procedures should automated processing be used.

Contrary to the TXCPA (and more in line with the CCPA), the TXPPA requires an impacted business to establish and maintain a “comprehensive data security program that contains… safeguards for personal identifying information.” The TXPPA is light on specifics and does not provide for a private cause of action or class action for the breach of the duty to safeguard personal information.

While all of this seems to present a bit of a challenge to businesses, the TXPPA does establish a safe haven of sorts quite similar to the TXCPA. Unfortunately, it does not apply to violations made by a service provider. The safe harbor is limited to a third party (not service providers – they are different) violation of their processing authority, provided the business has no actual knowledge or reasonable belief that the third party intends to violate the TXPPA. It doesn’t cover a violation of the initial business’ processing authority. So, if a business has a service provider the makes a mistake, the business would still be on the hook for the service provide’s actions.

Finally, the TXPPA provides that the Texas Attorney General may bring an action against a business or third party for violations and recover civil penalties in an amount not more than $10,000 per violation, not to exceed a total of $1 million.

The Texas Attorney General, just like his California counterpart, is delegated enforcement authority under this Texas bill and must adopt rules necessary to implement, administer, and enforce it.  Unlike the CCPA, the TXPPA does not mandate public stakeholder input in drafting those rules. What does that mean? It’s vital to not only watch and participate (if possible) in the Texas regulatory drafting process in the appropriate timeframe, but also monitor and review the CCPA rules the California Attorney General drafts, due in several months. This, along with the reasonable expectation that the Texas Attorney General will follow basic privacy principles present in every other privacy system out there, provide the strongest indicators as to what Texas rules may look like.

It should be noted, that both Texas bills have the usual carve outs to attempt to avoid a Federal preemption claim. Processing that is subject to HIPAA, GLB, FCRA, or FERPA is exempted from the scope of the TXPPA. However, those are fairly narrow exceptions.

Like we asked in Part 1 – is writing about the Texas Privacy Protection Act premature? In a word, no. As of this writing, there have been privacy impacting bills introduced in 31 state legislatures and this doesn’t include attention at the federal level. Most of these state bills are influenced by the CCPA, distinguished importantly by the degree of that influence. Given the attention garnered by security and privacy issues the last two years and more importantly, legislative responses to those issues, one thing is virtually certain: there will be privacy regulation for Texas businesses to comply with and it will very likely share elements found in the CCPA. Monitoring developments on the front end is imperative given the nature of the subject matter, but equally important is to begin thinking strategically about how business compliance can be balanced with business operations – something which can benefit from sound legal counsel.

Last month, Texas saw the introduction of not one, but TWO privacy bills in the Texas state legislature: The Texas Consumer Privacy Act (TXCPA) and the Texas Privacy Protection Act (TXPPA). With news of this likely meeting with a collective groan and shoulder shrug, we do have some good news for you.

Both bills’ foundations are set with familiar CA Consumer Privacy Act (“CCPA”) language. Unfortunately, this is also bad news because they both suffer from the same problems found in the CCPA – we’ll explain below. It’s also still early in the game, with the bills having just been filed in the state legislature. Given that there is time in the legislative session for amendments to be made and especially considering the ‘ring-side’ view Texas lawmakers have to the CA legislative and Attorney General rule/procedure process currently unfolding, it would be unreasonable not to expect changes. Finally, the bills are reactive responses to the national (or international) focus on privacy issues of late and may allow impacted businesses a grace period, as we’ve seen in the CCPA. In this blog, we shine the light on the first of these bills: The Texas Consumer Privacy Act. Continue Reading And Texas Joins the Privacy Fray – Part 1 (or, the Elephant in the room just got a LOT bigger…)

Seyfarth has released the results of its fourth annual Real Estate Market Sentiment Survey, which polled commercial real estate executives around the country from all sectors. Of interest to our readers, this year’s survey revealed that 69% of respondents are concerned about a cyberattack hitting their business in 2019, a significant increase compared to last year (46%).

View the full survey results

Cybersecurity isn’t just for technology companies anymore. More and more, we are seeing other critical infrastructure participants becoming targets of cybersecurity attacks. Transportation, construction, and other real property-heavy industries are starting to catch the eye of sophisticated hacking teams – both criminal as well as nation-state sponsored groups.

There are two different threat models in the real estate market: the builder and the manager. Continue Reading Cyberattacks a Growing Concern for Commercial Real Estate Executives

California, home to more than 40 million people and the 5th largest economy in the world, has passed the California Consumer Privacy Act (CCPA), its omnibus consumer privacy law. The law creates sweeping new requirements concerning the collection, maintenance, and tracking of information for both employees or customers who are residents of California. Many aspects of the implementation and enforcement are still being finalized by the California Attorney General. However, companies with employees or customers in California need to take stock of the information they are processing that could qualify as “personal information” for California residents, and they need to begin establishing mechanisms for compliance before the end of 2019. Continue Reading The California Consumer Privacy Act of 2018: What Businesses Need to Know Now

Welcome to the California Consumer Privacy Act (CCPA) […as if we didn’t have enough to worry about with the GDPR!].

The bracketed, italicized text, albeit a bit cynical, is with little doubt, how many of us initially reacted to the news of a new data protection law, hailed as the standard in consumer privacy protection, in California. And while the effective date is supposed to be January of 2020, January of 2019 isn’t too early to starting getting ready for the new law.

To dispel the rumors, the CCPA is not “GDPR-lite.” Where it comes on the heels of the GDPR’s May 2018 enforcement date, it isn’t a mirror image of the GDPR, or even a “watered down” variant of it. Drafters of the CCPA did indeed look to the GDPR as a basis for some of data protection concepts, but they focused on existing California privacy laws as well.

Continue Reading The CA Consumer Privacy Act: The NEW Elephant in the Room

In September of this year, with SB 327, California stepped into the vanguard of information age law by passing a cybersecurity regulation on the Internet of Things. SB 327 has added new sections to Cal. Civil Code §1798. Specifically, §1798.91 et seq. While this seems to be a good thing, the larger question is what does it do, and how far does it reach?

Continue Reading California’s IoT Security Law – Everyone Needs Cybersecurity Now

At the end of June, the California legislature passed its Bill 375, the California Consumer Privacy Act of 2018.  The Act contains a number of concepts that would be familiar to those who are working to bring their companies and organizations into compliance with GDPR.  The new law defines a category of “Personal Information” that radically departs from a traditional definition of Personal Data commonly found in various State Data Privacy Laws, which usually ties an individual name to other identifiers like social security number, account number, or other factors.  Instead, the California Act defines “Personal Information” as information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.  It does not, mercifully, include publicly available information, but it still comes closer to a GDPR-like definition of “personal data” than any other US law.

The Act provides California residents some rights that also appear familiar.  For example:

  • Consumers can request a copy of all the Personal Information a business has collected;
  • Consumers have the right to request that the business delete their Personal Information (subject to some exceptions), and a right to direct a company to not share their Personal Information with third parties; and
  • Consumers can request that a business disclose the categories of information it has collected, the sources of information, the purpose for the collection and/or its sale of the information, and the third parties with whom the information is shared.

These certainly sound like concepts that could be referenced as The Right to Access; The Right to Be Forgotten; and Data Portability.

Business requirements include:

  • Meaningful notifications to consumers at the point of contact where Personal Information is collected;
  • Updated online privacy notices to include the types of Personal Information collected, the purpose of collection, and rights information;
  • Implementation of Data Security measures to protect Personal Information;
  • Providing training to employees handling Personal Information or involved in consumer inquiries;
  • The inclusion of provisions in contracts with third parties with whom Personal Information is shared to include data privacy protections and restrictions on disclosure; and
  • The inclusion of a “do not sell my personal information” option on public facing interfaces and websites that collect personal information. Companies must take measures to not discriminate against users who opt out, but at the same time they can offer price incentives to those who chose to opt in.

The Act takes effect on January 1, 2020.  It has the same approximate 2 year “runway” period that GDPR provided in 2016 (leading up to May 25, 2018) for companies to gear up their compliance.  This law has potentially widespread impact, but some of the mechanisms of its application remain unclear, due in some degree to some of its broadly worded language.  In this way, it is also similar to the GDPR.

The challenge with implementation for large companies is the same as every other State level data privacy law – it is often virtually impossible to reliably identify who the “California” consumers are.  Thereby making it by practical necessity a global requirement for all publicly facing systems and applications for all users.

We recommend that most companies prioritize and stage their compliance today, focusing on GDPR in the short term, but  a California (or potentially necessary practical nationwide) compliance strategy should be included in late 2018 and 2019 IT and Privacy compliance plans.

Since its enactment a decade ago, the Illinois Biometric Information Privacy Act (BIPA) has seen a recent spike in attention from employees and consumers alike. This is due, in large part, to the technological advancements that businesses use to service consumers and keep track of employee time.

What Is The BIPA?

Intending to protect consumers, Illinois was the first state to enact a statute to regulate use of biometric information. The BIPA regulates the collection, use, safeguarding, handling, storage, retention, and destruction of biometric identifiers and information. The statute defines biometric identifiers to include a retina or iris scan, fingerprint, or scan of hand or face geometry. Furthermore, the statute defines biometric information as any information, regardless of how it is captured, converted, stored, or shared, based on an individual’s biometric identifier used to identify an individual. Any person aggrieved by a violation of the act may sue to recover actual or statutory damages or other appropriate relief. A prevailing party may also recover attorneys’ fees and costs.

Since September of 2017, there have been more than thirty-five class action BIPA lawsuits with no particular industry being targeted. More commonly sued industries include healthcare facilities, manufacturing and hospitality.

The drastic increase in litigation is largely contributable to employers’ attempt to prevent “buddy punching,” a term that references situations where employees punch in for a co-worker where biometric data is not required to clock in or out. For example, in Howe v. Speedway LLC, the class alleges that defendants violated the BIPA by implementing a finger-operated clock system without informing employees about the company’s policy of use, storage and ultimate destruction of the fingerprint data. Businesses engaging in technological innovation have also come under attack from consumers. In Morris v. Wow Bao LLC, the class alleges that Wow Bao unlawfully used customers’ facial biometrics to verify purchases at self-order kiosks.

Recent Precedent

In Rivera v. Google Inc.,the District Court for the Northern District of Illinois explained that a “biometric identifier” is a “set of biometric measurements” while “biometric information” is the “conversion of those measurements into a different, useable form.” The court reasoned that “[t]he affirmative definition of “biometric information” does important work for the Privacy Act; without it, private entities could evade (or at least arguably could evade) the Act’s restrictions by converting a person’s biometric identifier into some other piece of information, like mathematical representation or, even simpler, a unique number assigned to a person’s biometric identifier.” Thus, a company could be liable for the storage of biometric information, in any form, including an unreadable algorithm.

More recently, in Rosenbach v. Six Flagsthe Illinois Appellate Court, Second District, confirmed that the BIPA is not a strict liability statute that permits recovery for mere violation. Instead, consumers must prove actual harm to sue for a BIPA violation. The court reasoned that the BIPA provides a right of action to persons “aggrieved” by a statutory violation, and an aggrieved person is one who has suffered an actual injury, adverse action, or harm. Vague allegations of harm to privacy are insufficient. The court opined that, if the Illinois legislature intended to allow for a private cause of action for every technical violation of the BIPA, the legislature could have omitted the word “aggrieved” and stated that every violation was actionable. The court’s holding that actual harm is required is consistent with the holdings of federal district courts on this issue.

Damages and Uncertainty

Plaintiffs and their counsel are attracted to the BIPA because it provides for significant statutory damages as well as attorneys’ fees and costs. The BIPA allows plaintiffs to seek $1,000 for each negligent violation, and $5,000 for each intentional or reckless violation, plus attorneys’ fees and costs.

To date, all claims have been filed as negligence claims, and, thus, it is unclear what a plaintiff must show to establish an intentional violation. Similarly, the law is unsettled on whether the statutory damages are awarded per claim or per violation. A per violation rule would exponentially increase a defendant’s potential liability. For example, some plaintiffs are currently seeking $1,000 or $5,000 for each swipe of a fingerprint to clock in or out.

How To Protect Your Business

To avoid a costly mistake when retaining biometric data, businesses should:

  1. provide employees or consumers with a detailed written policy that includes why and how the data will be collected, stored, retained, used, and destroyed;
  2. require a signed consent before collecting the data;
  3. implement a security protocol to protect the data; and
  4. place an appropriate provision in vendor contracts (e.g., for data storage) to require vendors to adhere to the law and report any data breaches.

Consent can be obtained in different ways. For example, employers may condition employment upon an individual’s consent to a data retention policy, and companies can require consumers to accept a click-through consent before accessing a company’s website or application.

For questions or additional information, please contact Esther Slater McDonald at emcdonald@seyfarth.com or Paul Yovanic Jr. at pyovanic@seyfarth.com.