Legislation

ICO FINES: WHEN IS AN APPEAL APPEALING?

The decision to appeal a regulatory finding is never taken lightly. By the time a regulator has completed its investigation and notified a company of its intention to fine, the company will have invested significant time and money in responding to the regulatory investigation. As such, there is a real temptation to accept the fine and the accompanying statement from the regulator and move on.

However, in the case of recent regulatory findings, fines and intentions to fine issued by the UK’s Information Commissioner’s Office (the “ICO”) against British Airways, Marriott and Dixons Carphone, all three  companies have appealed or indicated an intention to appeal despite the significant difference in the levels of the fines/intentions to fine. In our view, this is related to the spectre of an emerging class action litigation culture in the UK that increases the stakes for any company facing negative regulatory findings.

In this UK-focused blog we explore the potential motivation behind these decisions to appeal, why we expect to see more companies taking this approach in the future, and the steps to be taken in order to appeal decisions by the ICO and we also consider whether the companies that have failed to appeal and are now facing class actions made the right decision when they elected not to appeal.

READ MORE

The CCPA Is in Effect and It Is Not Too Late to Get Started in 2020

Happy New Year! At long last, the California Consumer Privacy Act of 2018 (“CCPA”) went into effect yesterday, January 1, 2020. For those who have not yet heard, the CCPA establishes a comprehensive legal framework to govern the collection and use of personal information, both online and offline, and provides unprecedented privacy rights to California consumers, in effect becoming the de facto national standard for U.S. privacy law. The law introduces new legal risks and considerations for companies that collect information from California consumers, due to the law’s expansive scope, broad definition of personal information, increased disclosure obligations, enhanced consumer rights, potential for statutory fines and, in the event of a security incident, the potential for consumer class action litigation. READ MORE

California Governor Signs CCPA and Breach Notification Statute Amendments into Law

With the January 1, 2020 effective date of the California Consumer Privacy Act (the “CCPA”) rapidly approaching, all eyes have been on the California legislature’s consideration of a robust suite of amendments that would clarify ambiguities and address discrepancies underlying the prominent privacy statute. On October 11, 2019, six CCPA amendments were signed into law by the California Governor, as well as an amendment to the state’s breach notification statute. The rest of the CCPA amendments have either failed or will have to wait until next year for further consideration.

READ MORE

Up for Interpretation: Proposed CCPA AG Regulations Open for Public Comment

On October 10, 2019, the California Attorney General added to the complexity of the California Consumer Privacy Act of 2018 (“CCPA”) by releasing long-awaited proposed regulations that provide guidance on various elements of the CCPA. The text of the proposed regulations is available here and the California Attorney General has made other documents and information relating to the proposed regulations available here. The comment period for the proposed regulations will close on December 6, 2019. Interested parties may review and provide written comments addressing the proposed regulations prior to that date or attend one of four scheduled public hearings on the proposed regulations to be held on December 2-5, 2019. READ MORE

Orrick Webinar: Last-Minute Amendments – Changes to California’s New Privacy Law Ahead of the Effective Date

Webinar | October 30, 2019

Download Powerpoint Presentation

Please join Heather Sussman, Emily Tabatabai, and Nick Farnsworth for the Cyber, Privacy & Data Innovation practice’s webinar “Last-Minute Amendments- Changes to California’s New Privacy Law Ahead of the Effective Date.”

READ MORE

Orrick Webinar: Defining “Reasonable” Security Under California’s New Privacy Law

Webinar | September 26, 2019

Download Powerpoint Presentation

Please join Michelle Visser and Nicole Gelsomini for the Cyber, Privacy & Data Innovation practice’s webinar “Defining ‘Reasonable’ Security Under California’s New Privacy Law.” READ MORE

Orrick Webinar: Spotlight on Fintech – How the New California and Nevada Privacy Laws Will Impact Data in Fintech

Webinar | July 30.2019

Download Powerpoint Presentation

Please join Heather Sussman, Barrie VanBrackle and David Curtis for the Cyber, Privacy & Data Innovation practice’s webinar “Spotlight on Fintech – How the New California and Nevada Privacy Laws Will Impact Data in Fintech.”

READ MORE

New law decreases the number of companies required to designate a Data Protection Officer in Germany

On June 28, 2019, the German parliament (Bundestag) passed new legislation imposing several changes to the current German Federal Data Protection Act (“BDSG”).  Although many of the changes addressed privacy aspects of criminal proceedings, the new legislation makes an important change for small companies by increasing the threshold to designate a Data Protection Officer (“DPO”). Whereas currently companies have to designate a DPO if they constantly employ at least 10 employees who deal with the automated processing of personal data, the new legislation increases the minimum number of employees from 10 to 20, significantly decreasing the financial and administrative burden for small companies doing business in Germany. This article explains the changes and their impact and explains what companies should do.

READ MORE

State Legislatures Continue to Update Breach Notification Laws

While the California Consumer Privacy Act (“CCPA”) has inspired many states to consider their own consumer privacy bills, including Nevada which recently enacted a new law, not to be lost in the CCPA-focused frenzy is the fact that states continue to revise their data breach notification statutes. In recent weeks, the new Massachusetts breach notification amendment has gone into effect, New Jersey, Maryland, Oregon, Texas, and Washington have enacted their own breach notification amendments, and Illinois has proposed a bill that is poised to become law in the near term. READ MORE