On February 7 and again on February 10, 2020, the California Attorney General Xavier Becerra released an updated draft of proposed regulations pursuant to the California Consumer Privacy Act of 2018 (“CCPA”). The updated drafts feature significant changes, clarifications and reversals of policy from the original proposal.
The updated draft regulations—available here (clean) and here (redline to the original October 2019 Draft)—reflect input gathered during the public comment period and series of public hearings which concluded on December 6, 2019. The first draft of the proposed regulations, the public comments and the transcripts and audio of the public hearings are available on the Attorney General’s CCPA webpage. The Attorney General also updated the online cache of documents and other information relied upon in preparing the revised draft regulations here.
In an increasing trend, the Federal Trade Commission (FTC) joined other federal regulators seeking to hold individuals – not just companies – liable in enforcement proceedings. The most recent target was San Francisco-based UrthBox, Inc. and its principal, Behnam Behrouzi. Specifically, Urthbox and Behrouzi agreed to settle FTC allegations that UrthBox engaged in unfair or deceptive acts or practices by: (1) failing to adequately disclose key terms of its “free trial” automatic renewal programs, and (2) misrepresenting that customer reviews were independent when, in fact, UrthBox provided customers with free products and other incentives to post positive reviews online.
This past September Governor Brown signed into law Senate Bill 327, which is the first state law designed to regulate the security features of Internet of Things (IoT) devices. The bill sets minimum security requirements for connected device manufacturers, and provides for enforcement by the California Attorney General. The law will come into effect on January 1, 2020, provided that the state legislature passes Assembly Bill 1906, which is identical to Senate Bill 327. READ MORE
The California Consumer Privacy Act of 2018 (the “CCPA” or the “Act”), which we reported on here and here continues to make headlines as the California legislature fast-tracked a “clean up” bill to amend the CCPA before the end of the 2018 legislative session. In a flurry of legislative activity, the amendment bill (“SB 1121” or the “Amendment”) was revised at least twice in the last week prior to its passage late in the evening on August 31, just hours before the legislative session came to a close. The Amendment now awaits the governor’s signature.
Although many were hoping for substantial clarification on many of the Act’s provisions, the Amendment focuses primarily on cleaning up the text of the hastily-passed CCPA, and falls far short of addressing many of the more substantive questions raised by companies and industry advocates as to the Act’s applicability and implementation. READ MORE
Game-changing Calif. Consumer Privacy Act of 2018 puts statutory breach damages on the table
The recently-enacted California Consumer Privacy Act of 2018 is a game-changer in a number of respects. The Act imports European GDPR-style rights around data ownership, transparency, and control. It also contains features that are new to the American privacy landscape, including “pay-for-privacy” (i.e., financial incentives for the collection, sale, and even deletion of personal information) and “anti-discrimination” (i.e., prohibition of different pricing or service-levels to consumers who exercise privacy rights, unless such differentials are “reasonably related to the value provided to the consumer of the consumer’s data”). Privacy teams will be hard at work assessing and implementing compliance in advance of the January 1, 2020 effective date. READ MORE
In just the last week, the New York State DMV announced an upgrade to facial recognition software to catch identity thieves trying to obtain fraudulent driver’s licenses, and the Scottish Professional Football League was denied a request for funding for facial recognition at stadiums to track unacceptable conduct. Use of technology and services that leverage biometrics – unique physical or behavioral characteristics about a person – is increasing, and privacy laws are hot on their trail with U.S. states starting to consider and enact laws restricting how companies can collect and use biometrics information, restricting how long the information can be retained, and specifying how it must be protected. This post tells you the high points you need to know about U.S. biometrics privacy laws, and what to do to avoid being the next lawsuit target. In a second, forthcoming post, we will focus on the current (and future) state of EU law, where there are already stringent restrictions on the collection, use and transfer or biometric information.