The UK Information Commissioner’s Office (ICO) has provided Facebook with a Notice of Intent to issue a monetary penalty against the social media platform for its lack of transparency and failure to maintain the security of its users’ personal data in relation to the Cambridge Analytica scandal. The ICO’s fine is the maximum possible under the Data Protection Act 1998 (the UK implementing legislation for the former EU data protection regime under the Data Protection Directive). Facebook will have the opportunity to make representations to the ICO before the ICO’s decision is finalised.

Continue Reading UK Data Protection Regulator Set to Levy Maximum Fine on Facebook in Cambridge Analytica Case

On the heels of the European Union’s implementation of the General Data Protection Regulation (“GDPR”) and public outcry over the Cambridge Analytica scandal, on June 28, 2018, California enacted the most comprehensive data privacy law to date in the United States. The California Consumer Privacy Act of 2018 (the “CCPA”) was hastily passed by the California legislature to secure the withdrawal of an even more far-reaching measure that had qualified for the November ballot. Legislative amendments to the law are expected before it goes into effect on January 1, 2020.

The CCPA requires covered businesses to comply with requirements that give California consumers broad rights to know what personal information has been collected about them, the sources for the information, the purpose of collecting it, and whether it is sold or otherwise disclosed to third parties. It also gives consumers the right to access personal information about them held by covered businesses, to require deletion of the information and/or to prevent its sale to third parties. Other key provisions limit the ability of a covered business to discriminate against consumers who exercise their rights under the statute by charging them higher prices or delivering lower quality products or services.  The rights provided under the CCPA are similar in many respects to those afforded EU residents under the GDPR, but there are distinctions in approach on some key issues.

Please click here to read the full alert memorandum.

On June 22, 2018, the United States Supreme Court decided Carpenter v. United States, in which it held that the government must generally obtain a search warrant supported by probable cause before acquiring more than seven days of historical cell-site location information (“CSLI”) from a service provider. Noting “the deeply revealing nature of CSLI, its depth, breadth, and comprehensive reach, and the inescapable and automatic nature of its collection,” the Court held that an individual “maintains a legitimate expectation of privacy in the record of his physical movements captured through CSLI” that warrants Fourth Amendment protection. While the Court sought to construe its decision narrowly, the reasoning of the majority and Justice Gorsuch in his dissent raise significant questions about whether and to what extent individuals may have a reasonable expectation of privacy or possessory interest in other sensitive personal data held by third parties beyond the CSLI at issue in Carpenter.

Please click here to read the full alert memorandum.

In response to pressure from advocacy group Californians for Consumer Privacy, on June 21, 2018, California lawmakers proposed a new law, the California Consumer Privacy Act of 2018, which would significantly expand consumers’ rights over their data.  The proposed law would apply to entities that do business in California, collect consumers’ personal information or determine the purpose and means of processing such data, and satisfy at least one of the following: (i) have over $25 million in annual gross revenue, (ii) buy or receive, sell or share for commercial purposes, the personal information of 50,000 or more consumers, households or devices, or (iii) derive 50 percent or more of revenue from the sale of consumer personal information. Continue Reading California Introduces Bill Expanding Consumer Rights Over Data Privacy

In the aftermath of the Facebook-Cambridge Analytica data privacy controversy, Senators Edward J. Markey (D-Mass.) and Richard Blumenthal (D-Conn.) introduced a federal data privacy bill on April 10, 2018 titled the Customer Online Notification for Stopping Edge-provider Network Transgressions Act, or the CONSENT Act (the “Act”).  While the Act is unlikely to pass in the near term given the lack of a Republican sponsor, it reflects increasing attention to privacy concerns in the United States, including consideration by both federal and state legislatures of significantly more prescriptive privacy requirements. Continue Reading CONSENT Act: Proposed Legislation a Sign of Potential U.S. Consent to Greater Privacy Protections?

Over recent months, numerous state regulators, including in Massachusetts, Texas, and New Jersey, have been exercising greater oversight of cryptocurrency businesses.[1]  On April 17, 2018, the office of the New York Attorney General Eric Schneiderman (“NYAG”) launched the Virtual Markets Integrity Initiative, which will seek information from various platforms that trade cryptocurrencies to better protect consumers.  The initiative responds to concerns that cryptocurrency trading platforms may not provide consumers with the same information available from traditional exchanges.  As part of the initiative, the NYAG’s Investor Protection Bureau sent thirteen major cryptocurrency trading platforms questionnaires relating to internal policies, controls, and best practices.  The Bureau intends to consolidate and disseminate to consumers the information it receives. Continue Reading New York Attorney General Becomes Most Recent State Regulator To Foray Into Cryptocurrency Oversight

Earlier this week, the U.S. District Court for the Northern District of California (Hon. James Donato) held in Patel v. Facebook Inc.,[1] that plaintiffs had standing to pursue a putative data privacy class action against Facebook alleging that the company had “collected users’ biometric data secretly and without consent.”[2]  The decision is the latest to weigh in on the injury allegations necessary for standing purposes under the Illinois Biometric Information Privacy Act[3] (“BIPA”), which regulates the collection and storage of biometric information, and provides a private right of action to a “person aggrieved by a violation.”  In finding that standing was met, the Facebook decision arguably applied a lower injury threshold than other courts have interpreted to be the outer boundaries for pleading an Article III injury under BIPA.  Continue Reading Data Privacy Class Action Against Facebook Survives Motion To Dismiss

Earlier this year, U.S. Customs and Border Protection (“CPB”) revealed that, in 2017, it searched the electronic devices of approximately 50 percent more travelers than it had in the previous year. The same day, it announced that it was issuing new search guidelines for the first time since August 2009. Continue Reading New Rules for Searching Electronic Devices at the U.S. Border

In the wake of recent high-profile data breaches and in the absence of federal data protection legislation, states continue to propose new laws aimed at protecting the personal data of their residents.  On January 23, 2018, the Senate Judiciary Committee of South Dakota approved and forwarded for consideration by the full senate a bill that would require companies and individuals who operate and collect personal data in South Dakota to report data breaches affecting residents of the state within 60 days of discovery and, if more than 250 residents are affected by a data breach, to the Attorney General and consumer reporting agencies as well.  Following a number of comments received from state business associations, the Senate Judiciary Committee added to the proposed bill a threshold for risk of harm such that if, pursuant to “an appropriate investigation” and following notice to the Attorney General, a company reasonably determines that a breach is not likely to result in harm to an affected South Dakota resident, then notice to such resident is not required.  Failure to comply with the breach notification law could constitute a “deceptive act or practice” under state law enforceable by the Attorney General, who is also empowered under the law to recover civil damages not to exceed $10,000 per violation per day.  The bill will next be considered by the full senate and if passed, would leave Alabama as the sole U.S. state without a consumer data breach notification law. Continue Reading South Dakota and Colorado are Latest States to Propose New Data Privacy Laws

On January 18, the Federal Trade Commission (“FTC”) released its Privacy & Data Security Update: 2017, describing its activities in the areas of consumer privacy and data security during the past year.

The report highlights the breadth of the FTC’s enforcement actions, both under Section 5 of the FTC Act, which prohibits unfair or deceptive practices in the marketplace and is the FTC’s primary tool with respect to consumer privacy and data security, and under various sector specific laws, such as the Fair Credit Reporting Act, the Gramm-Leach-Bliley Act (the Safeguards Rule, Privacy Rule and Regulation P), the Children’s Online Privacy Protection Act and the Telemarketing Sales Rule (Do Not Call provisions).  The report also describes the FTC’s efforts to enforce international privacy frameworks, including the FTC’s first three enforcement actions under the EU-U.S. Privacy Shield framework.  Finally, the report highlights the FTC’s efforts in other areas, such as advocacy, consumer education, business guidance and policy development.

The full report can be found here.