Today, Orrick announced the launch of our automated CCPA Readiness Assessment Tool which helps businesses globally determine whether they are covered by the California Consumer Privacy Act (CCPA) and, if yes, their readiness to comply with the new law that is revolutionizing the United States privacy landscape. This free tool is available to all organizations and takes 10-30 minutes to complete. It segments the CCPA into five workable themes and guides users through a series of dynamic questions relating to each theme. Upon completion of the questionnaire, the tool provides a free and comprehensive readiness assessment tailored to the business’s unique positioning and individual needs.
The Bavarian Data Protection Authority (“BDPA”) took the “safer internet day” in February 2019 as an opportunity to conduct privacy checks on website operators. The focus was on “cybersecurity” (in particular, password security) and “tracking” and the outcome is rather disillusioning, according to the BDPA. The BDPA stated that necessary security measures were not implemented and none of the cookie banners obtained valid consent. The BDPA announced it would conduct further checks via written procedures or even by on-site inspections to validate the quick check results and assess whether further actions must be taken. In those cases where the BDPA is not competent, the BDPA will consider reaching out to competent lead supervisory authorities where necessary so that they can provide their insights. READ MORE
In 2018, the California legislature made headlines with its game-changing data protection law: the California Consumer Privacy Act of 2018. Other state legislators across the country appear to be hot on its heels as a flurry of CCPA-like bills have been introduced across the United States. While it is too early to predict which of these bills, if any, will be enacted, this increased focus on privacy in the state legislatures is clearly a sign that the privacy landscape—and consequent compliance challenges for companies—is going to get more complicated. READ MORE
In June 2018, medical laboratory LabMD obtained the first-ever court decision overturning a Federal Trade Commission (FTC) cybersecurity enforcement action. (The team directing that effort – led by Doug Meal and Michelle Visser – joined Orrick in January 2019). There, the Eleventh Circuit held that an FTC cease-and-desist order imposing injunctive relief requiring LabMD to implement “reasonable” data security was impermissibly vague. In the wake of LabMD, the FTC’s new Chairman, Joseph Simons, stated that he was “very nervous” that the agency lacked the remedial authority it needed to deter allegedly insufficient data security practices and that, among other things, the FTC was exploring whether it has additional untapped authority it could use in this space. In this regard, Chairman Simons and Commissioner Rebecca Kelly Slaughter announced that the FTC is examining whether it can “further maximize its enforcement reach, in all areas, through strategic use of additional remedies” such as “monetary relief.” READ MORE
The EU-Japan Economic Partnership Agreement between Japan and the European Union (“EU”) recently came into force, creating the world’s biggest open trading zone that covers 635 million people and almost one-third of the world’s total GDP. In the shadow of that agreement, however, another development—the mutual acknowledgment of data protection standards—took place, which should not be overlooked because it sets another world record. On January 23, 2019, the European Commission adopted its adequacy decision on Japan, acknowledging that Japan provides for an adequate level of data protection. Similarly, effective January 23, 2019, the Japanese independent data protection authority, the Personal Information Protection Commission (“PPC”), has also designated countries within the European Economic Area as having an equivalent level of data protection. This mutual acknowledgement created what is being referred to as the “largest area of safe data transfer” in the world.
These developments have important benefits for companies transferring data from the EU to Japan and vice versa, reducing burdens and giving companies greater access to customers. Below, we discuss the developments and describe what companies should consider in the future. READ MORE
A recent decision from the Supreme Court of Illinois heightens the risks faced by companies collecting biometric information by holding that an individual who is the subject of a violation of Illinois’ Biometric Information Privacy Act—but who suffered no separate harm from the violation—is an “aggrieved party” with a cause of action under the statute. Rosenbach v. Six Flags Entertainment Corp., No. 123186 (Ill. Jan. 25, 2019). This decision will only further embolden plaintiffs’ lawyers to bring biometric privacy suits, and the risk to companies collecting biometric information will likely increase as newly enacted and proposed legislation comes into effect. In this post, we discuss what happened, what is on the horizon, and some steps to consider. READ MORE
On January 21, 2019, the French data protection supervisory authority (“CNIL”) fined Google €50 million (approximately $57 million) for violating the European General Data Protection Regulation (“GDPR”). The fine penalizes Google for failing to comply with the GDPR’s transparency and notice requirements, and for failing to properly obtain consent from users for ads personalization. This is the largest GDPR fine imposed to date and the first action against a major global tech player. The CNIL’s decision sends an important message to companies that tough enforcement actions are not just a theoretical threat. Companies should look closer at data protection compliance and particularly work on their notices and consent forms. READ MORE
Rivera v. Google, a recent federal court decision from the Northern District of Illinois, highlights how challenges to Article III standing are a versatile and useful tool for corporate defendants in privacy and cybersecurity litigation. At the same time, the litigation underscores the significant legal risk faced by entities that collect biometric information and the consequent need to proactively assess and mitigate that risk. READ MORE
In November, the German Data Protection Conference (committee of the independent German federal and state data protection supervisory authorities) (“DSK”) published a guidance on the processing of personal data for direct marketing purposes under the GDPR. This guidance finally brings some light into the darkness of marketing under the GDPR. READ MORE
This past September Governor Brown signed into law Senate Bill 327, which is the first state law designed to regulate the security features of Internet of Things (IoT) devices. The bill sets minimum security requirements for connected device manufacturers, and provides for enforcement by the California Attorney General. The law will come into effect on January 1, 2020, provided that the state legislature passes Assembly Bill 1906, which is identical to Senate Bill 327. READ MORE