*This article was first published by Bloomberg Law in August 2019.
Companies doing business with California consumers are impacted by the California Consumer Privacy Act (effective Jan. 1, 2020). The CCPA’s private right of action provision gives California residents the right to sue companies when their personal information is subject to unauthorized access and exfiltration, theft, or disclosure due to a company’s failure “to implement and maintain reasonable security procedures and practices.”
Under this provision, consumers may seek actual damages, declaratory or injunctive relief, and statutory damages, which begin at $100 and continue up to $750 “per consumer per incident.” The potential aggregated exposure through consumer class actions could be significant, and companies are searching for ways to mitigate private lawsuits.
*This article first appeared in Law360 on July 8, 2019.
In September of 2018, California passed a significant new consumer privacy law, the California Consumer Privacy Act, which is the first U.S. law to regulate how businesses with a presence in California collect, share, and use consumer data. The CCPA not only imposes significant compliance obligations on companies conducting business with California residents but also incentivizes class action litigation through both the CCPA’s private right of action and California’s Unfair Competition Law.
On June 20, in PDR Network, LLC v. Carlton & Harris Chiropractic, Inc., the U.S. Supreme Court vacated a decision of the U.S. Court of Appeals for the Fourth Circuit that had been adverse to the interests of our client, PDR Network. Both the majority and concurring opinions in PDR Network raise interesting issues for lower courts to ponder as they consider how much to defer to agency decision making.
In a very significant FOIA decision for business, Food Mktg. Inst. v. Argus Leader Media, decided on June 24, 2019, the Supreme Court reversed 45 years of understanding that Exemption 4 only protects confidential business information whose disclosure by the government would cause “substantial competitive harm.”
Relying on the plain meaning of words in the statute – rather than what the Court majority characterized as muddled legislative history – the Court found that the D.C. Circuit had engrafted a condition on the Exemption that is not supported by the text. Rather, so long as the commercial or financial information obtained by the government is “private” or “secret” – the plain and ordinary meaning of “confidential” – it may be withheld from disclosure under FOIA.
Sidley has consolidated its materials and resources on the CCPA, including an amendment tracker, on the new Sidley CCPA Monitor.
Explore the law and Sidley insights, available now.
The 25th of May, 2019 marked a year since the EU General Data Protection Regulation (“GDPR”) came into force. For most in privacy, involvement with the GDPR has been ongoing for well over this year, but on the first anniversary of the GDPR we take an opportunity to look back and reflect on where we are now in relation to some key areas of interest including enforcement action, privacy litigation, breach notification and developing guidance from the European Data Protection Board (“EDPB”).
*This article first appeared in Law360 on May 15, 2019.
The California Consumer Privacy Act, known as the CCPA, is a new law set to go into effect on Jan. 1, 2020. The CCPA is the first U.S. law that will require businesses with an online presence in California to focus on user data, and it regulates how businesses collect, share and use such data. One of the most significant risks to online business providers in California is that the CCPA provides for a private right of action for California consumers.
Terms and conditions generally specify the rules governing the use of a website or mobile application. Since every website is different, custom-drafted terms and conditions are necessary to protect a particular business. Well-crafted terms and conditions might address issues such as payment, taxes, refunds, gift certificates, accounts, disclaimers, user behavior on your site, warranties and limitations on liability.
On January 25, 2019, the Illinois Supreme Court unanimously held that a plaintiff does not need to allege any actual injury or damages to successfully state a claim under the Illinois Biometric Information Privacy Act (BIPA). Rosenbach v. Six Flags Entertainment Corp., 2019 IL 123186 (Jan. 25, 2019) (a copy of the opinion is available here). A violation of the statute by itself is sufficient to state a claim, even if no breach or misuse of the biometric information or identifier has occurred. Because BIPA includes stiff liquidated damages for violations, the court’s ruling is likely to lead to renewed interest by the plaintiffs’ bar in class action suits alleging BIPA violations.
The fifth edition of The Privacy, Data Protection and Cybersecurity Law Review takes a look at the evolving global privacy, data protection and cybersecurity landscape in a time when mega breaches are becoming more common, significant new data protection legislation is coming into effect, and businesses are coming under increased scrutiny from regulators, Boards of Directors and their customers. Several lawyers from Sidley’s global Privacy and Cybersecurity practice have contributed to this publication.