Happy New Year! At long last, the California Consumer Privacy Act of 2018 (“CCPA”) went into effect yesterday, January 1, 2020. For those who have not yet heard, the CCPA establishes a comprehensive legal framework to govern the collection and use of personal information, both online and offline, and provides unprecedented privacy rights to California consumers, in effect becoming the de facto national standard for U.S. privacy law. The law introduces new legal risks and considerations for companies that collect information from California consumers, due to the law’s expansive scope, broad definition of personal information, increased disclosure obligations, enhanced consumer rights, potential for statutory fines and, in the event of a security incident, the potential for consumer class action litigation. READ MORE
Emily advises clients on an array of privacy and data management matters, helping clients navigate the complex web of privacy laws, rules, regulations and best practices governing the collection, use, transfer and disclosure of data and personal information. Emily works closely with client business teams and in-house counsel to assess and manage privacy risks, design and deploy compliance programs and implement privacy-by-design approaches to address key compliance objectives while supporting each client’s data innovation strategies and the development and use of cutting-edge digital technologies. She frequently guides child- and student-directed service providers through the complexities of compliance with the Children’s Online Privacy Protection Act (COPPA), the Family Educational Rights and Privacy Act (FERPA), California’s Student Online Personal Information Protection Act (SOPIPA) and similar state student privacy laws and advises companies across the industry spectrum as they work towards compliance with the California Consumer Privacy Act (CCPA). She also represents clients subject to regulatory investigations and litigation involving a spectrum of federal and state laws, including under Section 5 of the Federal Trade Commission Act (FTC Act), COPPA, the Fair Credit Reporting Act (FCRA), Gramm-Leach-Bliley Act (GLBA), the California Online Privacy Protection Act (CalOPPA) and others.
To make the CCPA more accessible, Emily developed Orrick's CCPA Readiness Assessment Tool. The tool provides companies an opportunity to test their compliance with the CCPA and similar laws as a first step to constructing their strategic compliance roadmap.
Emily also has an active consumer protection practice, focused on marketing and promotional issues. She counsels clients on interest-based advertising, sweepstakes and marketing promotions, retail sales and e-commerce platforms, advertising substantiation, new media and social media integration, and SMS text messaging and telemarketing, including matters involving the Telemarketing Sales Rule (TSR), the Telephone Consumer Protection Act (TCPA), the Restore Online Shoppers’ Confidence Act (ROSCA) and state and federal consumer protection statutes.
Emily is a Certified Information Privacy Professional in both U.S. and European privacy law (CIPP/US and CIPP/E) and member of the International Association of Privacy Professionals (IAPP) Publications Advisory Board. She is a frequent speaker on data privacy matters, with a particular focus on children’s privacy (COPPA), student data privacy and EdTech. She was featured as an “Up and Coming” Privacy & Data Security attorney by Chambers USA 2018, 2019, and 2020 and Chambers Global – USA 2020. Clients tell Chambers,“she's been an excellent partner. She has a very good understanding of the practical realities of implementing privacy policies for large companies.” Citing her expertise in the field of educational privacy, student data and ed-tech matters, Chambers reports that clients regard her as “vey knowledgeable and truly and expert in this space,” with some saying, “On the student data side, she is unmatched.”
Posts by: Emily Tabatabai
Following in California’s footsteps, Nevada has passed a new privacy law providing consumers the right to opt out of the sale of their personal information. Senate Bill 220 (SB-220), signed into law by Governor Steve Sisolak on May 29, 2019, amends Nevada’s existing online privacy statute, NRS 603A.340, to include a requirement that online operators provide consumers with a means to opt out of the sale of specific personal information collected by websites or online services. The act goes into effect on October 1, 2019 – three months ahead of the January 1, 2020 effective date of the California Consumer Privacy Act (CCPA) – which may force companies to fast track implementation efforts for opt-out requests in particular. READ MORE
In an increasing trend, the Federal Trade Commission (FTC) joined other federal regulators seeking to hold individuals – not just companies – liable in enforcement proceedings. The most recent target was San Francisco-based UrthBox, Inc. and its principal, Behnam Behrouzi. Specifically, Urthbox and Behrouzi agreed to settle FTC allegations that UrthBox engaged in unfair or deceptive acts or practices by: (1) failing to adequately disclose key terms of its “free trial” automatic renewal programs, and (2) misrepresenting that customer reviews were independent when, in fact, UrthBox provided customers with free products and other incentives to post positive reviews online.
Today, Orrick announced the launch of our automated CCPA Readiness Assessment Tool which helps businesses globally determine whether they are covered by the California Consumer Privacy Act (CCPA) and, if yes, their readiness to comply with the new law that is revolutionizing the United States privacy landscape. This free tool is available to all organizations and takes 10-30 minutes to complete. It segments the CCPA into five workable themes and guides users through a series of dynamic questions relating to each theme. Upon completion of the questionnaire, the tool provides a free and comprehensive readiness assessment tailored to the business’s unique positioning and individual needs.
In 2018, the California legislature made headlines with its game-changing data protection law: the California Consumer Privacy Act of 2018. Other state legislators across the country appear to be hot on its heels as a flurry of CCPA-like bills have been introduced across the United States. While it is too early to predict which of these bills, if any, will be enacted, this increased focus on privacy in the state legislatures is clearly a sign that the privacy landscape—and consequent compliance challenges for companies—is going to get more complicated. READ MORE
On January 21, 2019, the French data protection supervisory authority (“CNIL”) fined Google €50 million (approximately $57 million) for violating the European General Data Protection Regulation (“GDPR”). The fine penalizes Google for failing to comply with the GDPR’s transparency and notice requirements, and for failing to properly obtain consent from users for ads personalization. This is the largest GDPR fine imposed to date and the first action against a major global tech player. The CNIL’s decision sends an important message to companies that tough enforcement actions are not just a theoretical threat. Companies should look closer at data protection compliance and particularly work on their notices and consent forms. READ MORE
This past September Governor Brown signed into law Senate Bill 327, which is the first state law designed to regulate the security features of Internet of Things (IoT) devices. The bill sets minimum security requirements for connected device manufacturers, and provides for enforcement by the California Attorney General. The law will come into effect on January 1, 2020, provided that the state legislature passes Assembly Bill 1906, which is identical to Senate Bill 327. READ MORE
The California Consumer Privacy Act of 2018 (the “CCPA” or the “Act”), which we reported on here and here continues to make headlines as the California legislature fast-tracked a “clean up” bill to amend the CCPA before the end of the 2018 legislative session. In a flurry of legislative activity, the amendment bill (“SB 1121” or the “Amendment”) was revised at least twice in the last week prior to its passage late in the evening on August 31, just hours before the legislative session came to a close. The Amendment now awaits the governor’s signature.
Although many were hoping for substantial clarification on many of the Act’s provisions, the Amendment focuses primarily on cleaning up the text of the hastily-passed CCPA, and falls far short of addressing many of the more substantive questions raised by companies and industry advocates as to the Act’s applicability and implementation. READ MORE