Up for Interpretation: Proposed CCPA AG Regulations Open for Public Comment

On October 10, 2019, the California Attorney General added to the complexity of the California Consumer Privacy Act of 2018 (“CCPA”) by releasing long-awaited proposed regulations that provide guidance on various elements of the CCPA. The text of the proposed regulations is available here and the California Attorney General has made other documents and information relating to the proposed regulations available here. The comment period for the proposed regulations will close on December 6, 2019. Interested parties may review and provide written comments addressing the proposed regulations prior to that date or attend one of four scheduled public hearings on the proposed regulations to be held on December 2-5, 2019. READ MORE

Orrick Webinar: Last-Minute Amendments – Changes to California’s New Privacy Law Ahead of the Effective Date

Please join Heather Sussman, Emily Tabatabai, and Nick Farnsworth for the Cyber, Privacy & Data Innovation practice’s webinar “Last-Minute Amendments- Changes to California’s New Privacy Law Ahead of the Effective Date.”

READ MORE

No Consent, No Cookie! CJEU Issues Far-Reaching Decision on Cookie Consent

In its long-awaited judgment, the European Court of Justice (CJEU) decided the data protection requirements for obtaining consent when using cookies. The court held that “passive” acceptance of cookies through prechecked boxes, or by posting a banner and assuming consent with continued browsing of the website, is not an acceptable form of consent. According to the CJEU, “consent” requires active behavior in the form of interaction with the banner, or some other affirmative action indicating consent. The court held that website operators must ensure this level of consent prior to placing any cookies that require consent for storing or accessing information stored on the user’s device. The court’s decision removes all legal ambiguities on the level of consent required for cookies, and website operators are wise to review their use of cookies as a result.

This alert will analyze the CJEU’s decision, provide a summary of the current regulators’ views and give practical guidance on what website operators should do. READ MORE

Seventh Circuit Rejects FTC Authority to Obtain Equitable Money Relief Under Section 13(b) of the FTC Act

On August 21, 2019, the U.S. Court of Appeals for the Seventh Circuit held in FTC v. Credit Bureau Center, LLC, 2019 WL 3940917 (7th Cir. 2019) that the Federal Trade Commission (“FTC”) lacks authority to obtain monetary relief under Section 13(b) of the FTC Act. The FTC has relied on Section 13(b) to seek money relief in consumer protection enforcement actions, including privacy and cybersecurity matters, and had, prior to the Credit Bureau decision, suggested an intent to do so more frequently in the future. READ MORE

The End of the California Legislative Session: Which CCPA Amendments Passed?

With the January 1, 2020 effective date of the California Consumer Privacy Act (the “CCPA”) rapidly approaching, all eyes have been on the California legislature’s consideration of a robust suite of amendments that would clarify ambiguities and address discrepancies underlying the prominent privacy statute. As the 2019 California legislative session came to a close last Friday, six CCPA amendments were passed and will now be delivered to the Governor, while the rest have either failed or will have to wait until next year for further consideration. The Governor has until October 13th to decide which, if any, of the six bills sent to his desk will be signed into law. READ MORE

Orrick Webinar: Defining “Reasonable” Security Under California’s New Privacy Law

Webinar | September 26, 2019

Download Powerpoint Presentation

Please join Michelle Visser and Nicole Gelsomini for the Cyber, Privacy & Data Innovation practice’s webinar “Defining ‘Reasonable’ Security Under California’s New Privacy Law.” READ MORE

Recent FTC Cybersecurity Settlements Highlight Benefits and Risks of Settling vs. Litigating

Amidst mounting pressure to pursue cybersecurity more aggressively, the Federal Trade Commission (“FTC”), the federal government’s most active enforcer in the space, has recently imposed increasingly stringent cybersecurity requirements in its consent orders. Given that FTC consent orders typically carry 20-year terms and a potential fine of $42,530 (which the FTC may contend applies to each consumer subject to a breach), it is vital for companies faced with an FTC cybersecurity investigation to take every possible step to narrow the scope of relief requested by the FTC. Several recent FTC cybersecurity settlements illustrate an emerging pattern: a company that litigates may secure a better deal than it would have received in an initial settlement, if not defeat the action entirely. But when considering whether to settle or litigate with the FTC, companies must still balance the various legal, business, and reputational risks at stake.

How the decision to settle or litigate can directly affect the relief imposed is evident in the FTC’s 2019 cybersecurity settlements: Unixiz, ClixSense, LightYear, Equifax, and D-Link. READ MORE

Orrick Webinar: Spotlight on EdTech – How the New California and Nevada Privacy Laws Will Impact Data in EdTech

Webinar | August 27, 2019

Download Powerpoint Presentation

Please join Emily Tabatabai and Sulina Gabale for the Cyber, Privacy & Data Innovation practice’s webinar “Spotlight on EdTech – How the New California and Nevada Privacy Laws Will Impact Data in EdTech.”
READ MORE

Orrick Webinar: Spotlight on Fintech – How the New California and Nevada Privacy Laws Will Impact Data in Fintech

Webinar | July 30.2019

Download Powerpoint Presentation

Please join Heather Sussman, Barrie VanBrackle and David Curtis for the Cyber, Privacy & Data Innovation practice’s webinar “Spotlight on Fintech – How the New California and Nevada Privacy Laws Will Impact Data in Fintech.”

READ MORE

New law decreases the number of companies required to designate a Data Protection Officer in Germany

On June 28, 2019, the German parliament (Bundestag) passed new legislation imposing several changes to the current German Federal Data Protection Act (“BDSG”).  Although many of the changes addressed privacy aspects of criminal proceedings, the new legislation makes an important change for small companies by increasing the threshold to designate a Data Protection Officer (“DPO”). Whereas currently companies have to designate a DPO if they constantly employ at least 10 employees who deal with the automated processing of personal data, the new legislation increases the minimum number of employees from 10 to 20, significantly decreasing the financial and administrative burden for small companies doing business in Germany. This article explains the changes and their impact and explains what companies should do.

READ MORE