After months of wrangling, the California legislature has finally passed a set of significant amendments to the California Consumer Privacy Act (CCPA), a sweeping data privacy and security law commonly referred to as “California’s GDPR” (Europe’s General Data Protection Regulation). Employee personal information and personal information obtained in business-to-business (B2B) interactions are now mostly out of scope. Personal information in credit reports and other data covered by the Fair Credit Reporting Act is also largely exempt. Only personal information that is “reasonably” capable of being associated with a consumer or household is subject to the act. And aggregate or deidentified information definitively does not qualify as CCPA personal information.
This article first appeared on Thomson Reuters Regulatory Intelligence.
The summer of 2018 may be regarded as a pivotal time in the history of data privacy laws. The European Union’s General Data Protection Regulation (GDPR) came into effect in May 2018, the California Consumer Privacy Act (CCPA) was signed into law in June 2018 (and comes into effect on January 1, 2020), and a draft of India’s Personal Data Protection Bill (India DP Bill) was released in July 2018 (and is now under review by India’s government).
These developments, and more generally, the recent proliferation of data privacy laws around the world (notably, in Australia, China, Brazil, Hong Kong, and Singapore) represent a compliance challenge for many multinational organizations.
The flurry of state legislative activity in the wake of the enactment of the California Consumer Protection Act (CCPA) continues with the New York legislature recently passing two bills to increase accountability for the processing of personal information. On July 25, 2019, Governor Cuomo signed the two bills into law, one which amended the state’s data breach notification law, and another that created additional obligations for data breaches at credit reporting agencies. Together, the new laws require the implementation of reasonable data security safeguards, expand breach reporting obligations for certain types of information, and require that a “consumer credit reporting agency” that suffers a data breach provide five years of identity theft prevention services for impacted residents. Meanwhile, the more comprehensive New York Privacy Act, which many viewed as even more expansive than the CCPA, failed to gather the necessary support in the most recent legislative session.
With less than three months to go before amendments to California’s far reaching data privacy law need to be signed into law, the CCPA landscape may be changing yet again, as several amendments debated in the state Senate Judiciary Committee on July 9th underwent significant modifications. Eight proposed CCPA amendments were on the committee’s agenda, and several were hotly debated in an hours-long session that extended late into the night. In the end, two of the bills had substantive modifications, another was stalled, one was defeated, and the rest made it out of the committee, with limited changes. Here we summarize the highlights.
In a very significant FOIA decision for business, Food Mktg. Inst. v. Argus Leader Media, decided on June 24, 2019, the Supreme Court reversed 45 years of understanding that Exemption 4 only protects confidential business information whose disclosure by the government would cause “substantial competitive harm.”
Relying on the plain meaning of words in the statute – rather than what the Court majority characterized as muddled legislative history – the Court found that the D.C. Circuit had engrafted a condition on the Exemption that is not supported by the text. Rather, so long as the commercial or financial information obtained by the government is “private” or “secret” – the plain and ordinary meaning of “confidential” – it may be withheld from disclosure under FOIA.
When the GDPR came into effect on May 25, 2018, several European Member States had yet to put in place further implementing legislation. And while the data protection world watches and eagerly digests each new interpretive guidance from data protection authorities, Member State legislation provides additional interpretive tones of harmony or discord in data protection across Europe. After much delay and almost seven months after the EU’s General Data Protection Regulation (“GDPR”) came into force, the Organic Law 3/2018 on the Protection of Personal Data and Guarantee of Digital Rights (“LOPDGDD”) – which implements the GDPR in Spain – entered into force on 7 December 2018. (more…)
*This article first appeared in the Hill.com on November 19, 2018
With the House having now flipped, policy consensus in Congress is not likely to get any easier. But there is one subject around which countries, companies, consumers and, yes, even Congress is increasingly converging. That issue is privacy. The new privacy zeitgeist follows years of data breaches as well as new concerns about invisible data collection, political micro-targeting and manipulation, the proliferation of internet-connected devices, and a potential lack of transparency in the decisions that machines increasingly make about us.
Companies with robust cybersecurity programs may still be vulnerable to attack. A new, first-of-its-kind law in Ohio now recognizes this fact. On November 1, 2018, the Ohio Data Protection Act (SB 220) establishes a safe harbor from state tort actions in data breach cases for entities that have developed an information security program with “administrative, technical, and physical safeguards for the protection of personal information and that reasonably conforms to an industry recognized cybersecurity framework.” Without establishing minimum cybersecurity standards, the Ohio law affords defendants an “affirmative defense” against state tort actions and establishes an important precedent that may serve as a model for other states and the federal government to follow. (more…)
As one of the epicenters of the Information Age and largest state in the Nation, California’s regulatory decisions can have an outsize impact on the data economy. Recently, the State has tried to use this pride of place to stamp its imprint on two important public debates. First, on September 30, 2018, Governor Brown signed into law the California Internet Consumer Protection and Net Neutrality Act of 2018 (Senate Bill 822), which seeks to impose, as a matter of state law, net neutrality regulation even more restrictive than the federal regime the Federal Communications Commission (FCC) repealed earlier this year. Second, earlier this year, California enacted (and then subsequently amended) the California Consumer Privacy of 2018, the broadest privacy law in the United States. As laid out below, these enactments have sparked legal and policy debates over whether California should be able to set rules that could become de facto national standards or whether federal rules do or should preempt California’s efforts. (more…)