<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	
	xmlns:georss="http://www.georss.org/georss"
	xmlns:geo="http://www.w3.org/2003/01/geo/wgs84_pos#"
	>

<channel>
	<title>Law across the wire and into the cloud</title>
	<atom:link href="https://blog.zwillgen.com/feed/" rel="self" type="application/rss+xml" />
	<link>https://blog.zwillgen.com</link>
	<description>Recent developments in Internet law</description>
	<lastBuildDate>Fri, 08 May 2020 16:39:09 +0000</lastBuildDate>
	<language>en-US</language>
	<sy:updatePeriod>
	hourly	</sy:updatePeriod>
	<sy:updateFrequency>
	1	</sy:updateFrequency>
	<generator>https://wordpress.org/?v=5.4.1</generator>
<site xmlns="com-wordpress:feed-additions:1">115239732</site>	<item>
		<title>&#8216;Tiny&#8217; COPPA Case Provides Broad Guidance</title>
		<link>https://blog.zwillgen.com/2020/05/08/tiny-coppa-case-provides-broad-guidance/</link>
		
		<dc:creator><![CDATA[Ariel Oxman]]></dc:creator>
		<pubDate>Fri, 08 May 2020 16:00:44 +0000</pubDate>
				<category><![CDATA[FTC & State AG]]></category>
		<category><![CDATA[Litigation]]></category>
		<category><![CDATA[Privacy]]></category>
		<category><![CDATA[Advertising and AdTech]]></category>
		<category><![CDATA[Children's Online Privacy Protection Act (COPPA)]]></category>
		<category><![CDATA[Mobile Gaming]]></category>
		<guid isPermaLink="false">https://blog.zwillgen.com/?p=9297</guid>

					<description><![CDATA[<img width="628" height="250" src="https://blog.zwillgen.com/wp-content/uploads/2020/05/tinyCOPPA_blog-628x250.png" class="attachment-content-magz size-content-magz wp-post-image" alt="" style="margin-bottom:10px;" /><p><p>At the end of April, the U.S. District Court in New Mexico dismissed most, but not all, of the New Mexico Attorney General’s claims against a group of Ad Networks and Google for violations of the federal Children’s Online Privacy Protection Act (“COPPA”) and New Mexico’s Unfair Practices Act (“UPA”). Although the decision was a [&#8230;]</p>
<p>The post <a rel="nofollow" href="https://blog.zwillgen.com/2020/05/08/tiny-coppa-case-provides-broad-guidance/">&#8216;Tiny&#8217; COPPA Case Provides Broad Guidance</a> appeared first on <a rel="nofollow" href="https://blog.zwillgen.com">Law across the wire and into the cloud</a>.</p>
</p>]]></description>
										<content:encoded><![CDATA[<img width="628" height="250" src="https://blog.zwillgen.com/wp-content/uploads/2020/05/tinyCOPPA_blog-628x250.png" class="attachment-content-magz size-content-magz wp-post-image" alt="" style="margin-bottom:10px;" /><p>
<p>At the end of April, the U.S. District Court in New Mexico <a href="https://blog.zwillgen.com/wp-content/uploads/2020/05/TinyLabsMemorandumOpinionOrder_20200429.pdf" target="_blank" rel="noreferrer noopener">dismissed</a> most, but not all, of the New Mexico Attorney General’s claims against a group of Ad Networks and Google for violations of the federal Children’s Online Privacy Protection Act (“COPPA”) and New Mexico’s Unfair Practices Act (“UPA”). Although the decision was a major win for the Ad Network defendants in the case, companies involved in mobile gaming apps should still proceed with caution when collecting information from children.&nbsp;</p>



<p>COPPA prohibits websites, online services directed to children, “or any operator that has actual knowledge that it is collecting personal information from a child” from collecting personal information from a child in a manner that violates FTC regulations. 15 U.S.C. § 6502(a)(1). The FTC’s COPPA Rule states that unless there is an exception, an operator must provide notice and obtain “verifiable parental consent prior to any collection, use, and/or disclosure of personal information from children.” 16 C.F.R. §§ 312.3(b), 312.4(a). App developers whose content is directed to children are held strictly liable if personal information is collected from children using their apps in a manner that violates the FTC’s COPPA Rule requiring notice and verifiable parental consent. Ad networks, however, must have “actual knowledge” that the apps in which their software development kits (“SDKs”) are embedded are directed to children in order to be held liable.&nbsp;</p>



<p>The New Mexico Attorney General brought claims against mobile game app developer Tiny Lab Productions (“Tiny Lab”), a group of Ad Networks who sold their SDKs to Tiny Lab for use in its gaming apps, Google’s ad network Google/AdMob, and Google LLC as the operator of the Google Play Store based on allegations that ad network SDKs installed as Tiny Lab game app components collected children’s personal information and tracked children’s online behavior to profile the children for targeted advertising in violation of COPPA and the UPA. Upon motions to dismiss, the court dismissed all claims against the Ad Network Defendants, but only granted Google’s separate motion to dismiss in part. In doing so, the court provided the following guidance:&nbsp;</p>



<p><strong>A court may reasonably infer that a party has actual knowledge&nbsp;that an app is directed to children from&nbsp;the taking of affirmative steps to review the qualities of apps to determine if they are child-directed, but the&nbsp;automated exchange of data between an SDK and its server, without more, is not enough to infer actual knowledge.&nbsp;</strong></p>



<ul><li>Actual knowledge can be inferred when a party conducts a qualitative review of an app to determine if the app is child-directed.&nbsp;<ul><li>Google conducted multiple reviews of Tiny Lab apps, investigating the qualities of apps—both when the app was submitted to its “Designated for Families” program and when researchers flagged Tiny Lab’s apps as potentially listed to mixed audiences instead of to children. These actions, in conjunction with the presence of several factors identified in the COPPA Rule that the app is directed to children, indicated actual knowledge.&nbsp;</li></ul></li><li>But the automated exchange of information between SDKs and their servers, without more, is insufficient to establish actual knowledge of the collection of personal information from children.&nbsp;<ul><li>Because the service of an ad is automated and instantaneous, the court found the complaint did not demonstrate that the Ad Networks had actual knowledge of the identity of the Tiny Lab app user to whom the ad was served. The court specifically emphasized the lack of human decision making involved in the ad service process.&nbsp;</li><li>Even if automated transmission could be sufficient evidence of actual knowledge, information such as the app developer name and name of the app is not enough to provide even constructive notice to the Ad Network of the child-directed nature of an app, much less actual knowledge.</li></ul></li><li><strong>But proceed with caution:&nbsp;</strong>While the most common functions of Ad Network SDKs are automated, other parts of the business operations may give a company greater insight into, and therefore greater knowledge of, the user base for a specific app. It is unlikely that a court would turn a blind eye to any factual allegations of broader knowledge and uphold any bright-line rule that SDKs do not obtain that same level of knowledge about an app’s users. The court suggests that while&nbsp;<em>automated receipt&nbsp;</em>of information about an app cannot generate actual knowledge, familiarity with the&nbsp;<strong>actual application</strong>&nbsp;and knowledge about factors the FTC considers could give rise to actual knowledge.&nbsp;</li></ul>



<p><strong>Arguments that persistent identifiers and other data alleged to be collected fall within the “operations exception” to COPPA missed the mark.</strong></p>



<ul><li>The court was not persuaded that data alleged to be collected (persistent identifiers, GPS, and other personal information) falls within the internal operations exception to COPPA as necessary to facilitate contextual advertising. Instead, the court predicted that, if proven, allegations of the collection of this type of information from Tiny Lab users would require parental consent.&nbsp;</li></ul>



<p><strong>Attempting to contract one’s way out of COPPA compliance through TOS representations does not negate independent duties under COPPA.</strong></p>



<ul><li>The court&nbsp;rejected&nbsp;Google’s arguments that it could rely on contractual promises of app developers to obtain parental notice and consent when required by COPPA. In doing so, the court made clear that contractual language to comply with COPPA does not negate any independent duties.&nbsp;</li></ul>



<p><strong>Free apps do not fall within UPA’s scope of unfair or deceptive trade practices claims.</strong></p>



<ul><li>Users of free apps have not purchased, leased, rented, or borrowed anything in connection with their use of the apps. These users therefore cannot meet this element of a UPA claim, even if use of an app involves a license of technology. Unfair and deceptive trade practice claims do not encompass claimants who did not actually purchase anything.</li></ul>



<p><strong>Whether the conduct at issue establishes an intrusion upon seclusion claim is a question for the jury.&nbsp;</strong></p>



<ul><li>The court pointed to precedent from the Northern District of California<em>&nbsp;</em>and allowed Plaintiffs to proceed on claims that collection of persistent identifiers constitutes highly offensive conduct, noting the context-specific nature of the privacy inquiry and that social norms on privacy are not static.</li></ul>



</p>]]></content:encoded>
					
		
		
		<post-id xmlns="com-wordpress:feed-additions:1">9297</post-id>	</item>
		<item>
		<title>DC Court Ruling Reduces Webscraping Risk</title>
		<link>https://blog.zwillgen.com/2020/04/17/dc-court-ruling-reduces-webscraping-risk/</link>
		
		<dc:creator><![CDATA[Stacey Brandenburg]]></dc:creator>
		<pubDate>Fri, 17 Apr 2020 16:00:17 +0000</pubDate>
				<category><![CDATA[Alternative Data]]></category>
		<category><![CDATA[Alternative Data & Scraping]]></category>
		<category><![CDATA[Computer Fraud and Abuse Act (CFAA)]]></category>
		<category><![CDATA[Web Scraping]]></category>
		<guid isPermaLink="false">https://blog.zwillgen.com/?p=9252</guid>

					<description><![CDATA[<img width="628" height="250" src="https://blog.zwillgen.com/wp-content/uploads/2020/04/websitecode-628x250.png" class="attachment-content-magz size-content-magz wp-post-image" alt="" style="margin-bottom:10px;" /><p><p>In a decision that reduces some risk associated with webscraping, the United States District Court for the District of Columbia ruled that violating a website’s terms of service cannot alone be the basis for a finding that the conduct is “unauthorized,” under the Computer Fraud and Abuse Act (“CFAA”). Christian W. Sandvig, et al. v. William P. Barr, 2020 WL 1494065 (D.D.C. 2020) (attached). Although the Sandvig decision is not binding upon courts outside of the District of Columbia, it provides other courts a useful point of reference as they consider how the CFAA might apply to webscraping.</p>
</p>]]></description>
										<content:encoded><![CDATA[<img width="628" height="250" src="https://blog.zwillgen.com/wp-content/uploads/2020/04/websitecode-628x250.png" class="attachment-content-magz size-content-magz wp-post-image" alt="" style="margin-bottom:10px;" /><p>
<p>In a decision that reduces some risk associated with webscraping, the United States District Court for the District of Columbia ruled that violating a website’s terms of service cannot alone be the basis for a finding that the conduct is “<em>unauthorized</em>,” under the Computer Fraud and Abuse Act (“CFAA”).&nbsp;<em>Christian W. Sandvig, et al. v. William P. Barr</em>, 2020 WL 1494065 (D.D.C. 2020) (attached). Although the&nbsp;<em>Sandvig</em>&nbsp;decision is not binding upon courts outside of the District of Columbia, it provides other courts a useful point of reference as they consider how the CFAA might apply to webscraping.</p>



<h4>Background</h4>



<p>The&nbsp;<em>Sandvig</em>&nbsp;decision results from the 2016 filing of a pre-enforcement constitutional challenge by several academics who intended to conduct research by accessing and using various recruiting websites through fake accounts. Specifically, the plaintiffs planned to use fictitious profiles to study whether the proprietary algorithms of these sites resulted in discriminatory biases. However, creation and use of fake accounts or profiles violated the sites’ terms of service. Accordingly, the plaintiffs alleged that their intended use of the websites would subject them to prosecution under the CFAA, which criminalizes obtaining information from a “protected computer” by means of “intentionally access[ing] a computer without authorization or exceed[ing] authorized access. . .” 18 U.S.C.&nbsp;<em>§</em>&nbsp;1030(a)(2).</p>



<p>Although the plaintiffs made several constitutional claims, all but one were dismissed by the Court in 2018. As a result, the Court’s recent decision addressed only the plaintiffs’ remaining claim that the CFAA’s Access Provision is overbroad and chills First Amendment rights to freedom of speech. Ultimately, the Court dismissed the claim, finding it was moot because plaintiffs’ proposed research activities would not actually violate the CFAA.</p>



<h4>The Court’s Interpretation of the CFAA’s Access Provision</h4>



<p>In reaching its decision, the court adopted the Ninth Circuit Court of Appeals’ characterization of the internet as consisting of two “realms”—those portions of websites that are public and those that are private (<em>i.e.</em>, where permission is required for access).&nbsp;<em>Id.</em>&nbsp;at 17-18 (citing&nbsp;<em>hiQ Labs, Inc. v. LinkedIn Corp</em>., 938 F.3d 985, 1000 (9th Cir. 2019)). The Court then continued to evaluate whether contractual restrictions, like website terms of service, create a sufficient barrier or “permission requirement” to trigger criminal liability under the CFAA if they are ignored or bypassed. The Court concluded that they do not, finding that: (i) a user commits unauthorized access only when the user bypasses a password, login credential, payment requirement, or other form of “authentication gate;” and (ii) violating public websites’ terms of service does not constitute “exceed[ing] authorized access” under the CFAA. The Court found that because the plaintiffs planned to create accounts with each website and pay the applicable subscription fees charged by such websites, the fact that the accounts violated the websites’ terms of service (<em>i.e.</em>, by using fake or fictitious names) would not make the plaintiffs’ access and use of the websites unauthorized or outside the scope of authority under the CFAA.</p>



<p>The court identified three primary factors that led to its finding. First, the Court asserted that websites’ terms of service provide users inadequate notice for purposes of criminal liability, because they often are “long, dense, and subject to change” and not communicated in a prominent form (such as a link at the bottom of a website).&nbsp;<em>Sandvig</em>&nbsp;at 20. Second, the Court reasoned that enabling private website owners to define the scope of criminal liability through their terms of service would be problematic as it would “risk[] turning each website into its own criminal jurisdiction and each webmaster into his own legislature.”&nbsp;<em>Id.</em>&nbsp;at 21.&nbsp;Finally, the Court explained that certain common law principles favored the Court’s narrow reading of the CFAA.</p>



<p>Again, this decision reduces some risk of webscraping information from behind a login page, but it does not obviate all webscraping risk or address potential civil exposure for commercial claims or any securities considerations.&nbsp;</p>



</p>]]></content:encoded>
					
		
		
		<post-id xmlns="com-wordpress:feed-additions:1">9252</post-id>	</item>
		<item>
		<title>Alexa, Do My Kids Have to Arbitrate?</title>
		<link>https://blog.zwillgen.com/2020/04/16/amazon-alexa-class-arbitration/</link>
		
		<dc:creator><![CDATA[Nur Lalji]]></dc:creator>
		<pubDate>Thu, 16 Apr 2020 13:00:00 +0000</pubDate>
				<category><![CDATA[Litigation]]></category>
		<category><![CDATA[Class Arbitration]]></category>
		<guid isPermaLink="false">https://blog.zwillgen.com/?p=9222</guid>

					<description><![CDATA[<img width="628" height="250" src="https://blog.zwillgen.com/wp-content/uploads/2020/04/lazar-gugleta-Ub4CggGYf2o-unsplash-628x250.jpg" class="attachment-content-magz size-content-magz wp-post-image" alt="" style="margin-bottom:10px;" /><p><p>A recent District Court decision has called into question the enforceability of mandatory arbitration clauses against third parties that use a product or service but do not themselves agree to arbitrate. On April 9th, Judge Richard Jones from the U.S. District Court for the Western District of Washington denied Amazon’s motion to compel arbitration in a class action suit brought by the children of Alexa-enabled device owners—despite the existence of a valid contractual agreement between their parents and Amazon.</p>
</p>]]></description>
										<content:encoded><![CDATA[<img width="628" height="250" src="https://blog.zwillgen.com/wp-content/uploads/2020/04/lazar-gugleta-Ub4CggGYf2o-unsplash-628x250.jpg" class="attachment-content-magz size-content-magz wp-post-image" alt="" style="margin-bottom:10px;" /><p>
<p>A recent District Court <a href="https://blog.zwillgen.com/wp-content/uploads/2020/04/Hall-ONeilvAmazoncomIncetal_Order.pdf" target="_blank" rel="noreferrer noopener" aria-label="decision (opens in a new tab)">decision</a> has called into question the enforceability of mandatory arbitration clauses against third parties that use a product or service but do not themselves agree to arbitrate. On April 9th, Judge Richard Jones from the U.S. District Court for the Western District of Washington denied Amazon’s motion to compel arbitration in a class action suit brought by the children of Alexa-enabled device owners—despite the existence of a valid contractual agreement between their parents and Amazon.</p>



<p>The case centers around a claim that Amazon’s devices record and permanently store children’s confidential communications, in violation of state law. Amazon sought to compel arbitration because Amazon’s Conditions of Use and the Alexa Terms of Use—both of which a user must agree to when setting up the device—include mandatory arbitration provisions. Amazon argued that although the children were not signatories to any contractual agreements with Amazon, they were still subject to the terms based on principles of equitable estoppel. In support of its claim, Amazon argued that the children used and benefited from the Alexa-enabled devices, and that their rights were derived directly from their parents’ rights as account holders.&nbsp;</p>



<p>Finding none of Amazon’s arguments to be persuasive, the District Court adopted the Magistrate Judge’s <a href="https://blog.zwillgen.com/wp-content/uploads/2020/04/Hall-ONeilvAmazoncomIncetal_Recommendation.pdf" target="_blank" rel="noreferrer noopener" aria-label="recommendation (opens in a new tab)">recommendation</a> and held that the children could not be subject to the arbitration provision. The key question, according to the Court, was whether both parties agreed to arbitrate based on state law principles of contract interpretation. Under Washington state law, non-signatories are generally not bound by arbitration clauses, subject to very limited exceptions—none of which the Court found applied to the children. The Court rejected Amazon’s argument that the arbitration provision should apply to anyone that “directly benefits” from the contract. In doing so, the Court found that at most the children received an “indirect benefit” from their parents’ agreements with Amazon.&nbsp;</p>



<p>Although it remains to be seen whether other courts will adopt this approach—and whether this line of reasoning will extend to third parties other than children—the holding could have significant implications for the tech industry, as many products, particularly “smart” home devices, are purchased by a single person but used by multiple family members. Judge Jones did provide a roadmap for companies seeking to avoid this issue in the future, writing that “if Amazon wanted to include a provision in the agreement requiring the parents to consent to arbitration on behalf of their minor children, it could have done so.” Companies might want to heed Judge Jones’s advice and insert language unequivocally stating that the signatory is assenting to arbitration on behalf of all other users, or that the signatory is the only authorized user of the product or service.</p>



</p>]]></content:encoded>
					
		
		
		<post-id xmlns="com-wordpress:feed-additions:1">9222</post-id>	</item>
		<item>
		<title>ZwillGen Appoints Two New Shareholders and Adds Two New Attorneys</title>
		<link>https://blog.zwillgen.com/2020/04/08/zwillgen-appoints-two-new-shareholders-adds-two-new-attorneys/</link>
		
		<dc:creator><![CDATA[Andrew Hutchinson]]></dc:creator>
		<pubDate>Wed, 08 Apr 2020 16:00:02 +0000</pubDate>
				<category><![CDATA[Company News]]></category>
		<category><![CDATA[General]]></category>
		<guid isPermaLink="false">https://blog.zwillgen.com/?p=9209</guid>

					<description><![CDATA[<img width="628" height="250" src="https://blog.zwillgen.com/wp-content/uploads/2020/04/Anna_Mason_Liz_Jane_PR_blog-628x250.png" class="attachment-content-magz size-content-magz wp-post-image" alt="" style="margin-bottom:10px;" /><p><p>ZwillGen is pleased to announce that two veteran attorneys of its California and New York offices have been newly appointed Shareholders of the Firm. In addition, ZwillGen has added one new attorney in Washington, DC to support its growing International Law Enforcement practice and one new attorney in New York to bolster its privacy capabilities, including privacy due diligence for acquisitions, mergers, and investment transactions.</p>
</p>]]></description>
										<content:encoded><![CDATA[<img width="628" height="250" src="https://blog.zwillgen.com/wp-content/uploads/2020/04/Anna_Mason_Liz_Jane_PR_blog-628x250.png" class="attachment-content-magz size-content-magz wp-post-image" alt="" style="margin-bottom:10px;" /><p>
<hr class="wp-block-separator is-style-wide"/>



<p class="has-text-align-left"><a href="https://www.zwillgen.com/wp-content/uploads/2020/04/Anna_Mason_Liz_Jane_PR.pdf">Download PDF</a> | <a href="https://www.zwillgen.com/press/zwillgen-appoints-two-new-shareholders-adds-two-new-attorneys/">View the full press release on zwillgen.com</a></p>



<hr class="wp-block-separator is-style-wide"/>



<p>ZwillGen is pleased to announce that two veteran attorneys of its California and New York offices have been newly appointed Shareholders of the Firm. In addition, ZwillGen has added one new attorney in Washington, DC to support its growing International Law Enforcement practice and one new attorney in New York to bolster its privacy capabilities, including privacy due diligence for acquisitions, mergers, and investment transactions.</p>



<p><strong>Anna Hsia</strong>&nbsp;has been voted in as a Partner of ZwillGen Law LLP in San Francisco and&nbsp;<strong>Mason Weisz</strong>&nbsp;has been voted in as a Shareholder in ZwillGen PLLC’s New York office.</p>



<p>“Anna and Mason have become invaluable parts of the Firm and we will be looking to them as leaders to further develop our capabilities on both coasts outside of the Washington, DC office,” said Marc Zwillinger, ZwillGen’s Founder and Managing Member.</p>



<p>Additionally,&nbsp;<strong>Liz DeYoung</strong>, a former federal prosecutor at the Department of Justice, Criminal Division, Office of International Affairs, has been brought on in Washington, DC to assist the Firm’s growing Law Enforcement practice, especially with regard to working with International Law Enforcement and Cloud Act requests. Also, former Cleary Gottlieb Steen &amp; Hamilton LLP attorney&nbsp;<strong>Jane Rosen</strong>&nbsp;has joined the Firm’s New York office to assist on privacy-related matters, including evaluating privacy due diligence as it relates to a wide spectrum of transactions ranging from acquisitions to investments.</p>



<h3>About the Attorneys</h3>



<p><strong>Anna Hsia</strong>&nbsp;– Anna counsels clients on product development and privacy issues, and litigates complex business disputes. Her broad clientele includes Bay Area companies in the gig economy, online gaming, cloud computing, advertising, and biotechnology space. Anna has also served as the head of the Firm’s West Coast operations.<br><a href="https://www.zwillgen.com/crb_team/anna-hsia/">View Anna&#8217;s Bio &gt;</a></p>



<p><strong>Mason Weisz</strong>&nbsp;– Mason focuses on a wide variety of privacy, security, and Internet issues, with emphasis on helping companies that are subject to both US and European law, including in relation to the California Consumer Privacy Act and EU General Data Protection Regulation. For the past several years, he has led ZwillGen’s international efforts. A former web designer, he has extensive experience with the technology that drives digital media and e-commerce.<br><a href="https://www.zwillgen.com/crb_team/mason-weisz/">View Mason&#8217;s Bio &gt;</a></p>



<p><strong>Liz DeYoung</strong>&nbsp;– Liz has more than a decade of combined experience in private and government practice.&nbsp;Liz advises clients regarding demands for user data under ECPA, the CLOUD Act and data localization issues, engagement with law enforcement authorities (both within and outside of the United States), and other matters concerning cross-border access to data.&nbsp;She also provides a range of corporate governance, transactional, and commercial contracting advice to clients.<br><a href="https://www.zwillgen.com/crb_team/liz-deyoung/">View Liz&#8217;s Bio &gt;</a></p>



<p><strong>Jane Rosen</strong> – Jane’s practice focuses on privacy, data protection, and technology-related issues. As a Certified Information Privacy Professional (CIPP/US), she advises clients on their legal obligations under applicable privacy laws and regulations, as well as strategies for managing compliance and risks. She has a strong background in transactional contexts such as mergers and acquisitions, joint ventures, financings, restructurings, capital markets offerings and various commercial, licensing, and services arrangements.<br><a href="https://www.zwillgen.com/crb_team/jane-rosen/">View Jane&#8217;s Bio ></a></p>



</p>]]></content:encoded>
					
		
		
		<post-id xmlns="com-wordpress:feed-additions:1">9209</post-id>	</item>
		<item>
		<title>Litigation in the Time of COVID-19</title>
		<link>https://blog.zwillgen.com/2020/03/24/litigation-covid-19/</link>
		
		<dc:creator><![CDATA[Adya Baker]]></dc:creator>
		<pubDate>Tue, 24 Mar 2020 20:00:00 +0000</pubDate>
				<category><![CDATA[General]]></category>
		<category><![CDATA[Litigation]]></category>
		<category><![CDATA[COVID-19]]></category>
		<guid isPermaLink="false">https://blog.zwillgen.com/?p=9188</guid>

					<description><![CDATA[<img width="628" height="250" src="https://blog.zwillgen.com/wp-content/uploads/2020/03/covid-19-litigation-628x250.png" class="attachment-content-magz size-content-magz wp-post-image" alt="COVID-19 Litigation Video Conference" style="margin-bottom:10px;" /><p><p>Just as the global health crisis is significantly altering our day-to-day lives, it is altering the nature and practice of litigation.&#160;Courts are closing their doors and limiting their dockets.&#160;Clients, firms and vendors have been forced to move their operations online or otherwise modify their services. And everyone is re-evaluating how to dedicate what are likely [&#8230;]</p>
</p>]]></description>
										<content:encoded><![CDATA[<img width="628" height="250" src="https://blog.zwillgen.com/wp-content/uploads/2020/03/covid-19-litigation-628x250.png" class="attachment-content-magz size-content-magz wp-post-image" alt="COVID-19 Litigation Video Conference" style="margin-bottom:10px;" /><p>
<p>Just as the global health crisis is significantly altering our day-to-day lives, it is altering the nature and practice of litigation.&nbsp;Courts are closing their doors and limiting their dockets.&nbsp;Clients, firms and vendors have been forced to move their operations online or otherwise modify their services. And everyone is re-evaluating how to dedicate what are likely more limited resources.&nbsp;These changes will likely impact the procedural and strategic decisions you will have to make about your cases, including whether and how best to move them forward.&nbsp;</p>



<h4>Some procedural topics you should consider are:</h4>



<ul><li><strong>Courts</strong>: Many courts have published guidance on how they are dealing with deadlines and in-person appearances. For additional information, check both the court website and some of the compiled guidance found&nbsp;<a rel="noreferrer noopener" aria-label=" (opens in a new tab)" href="https://www.lawfareblog.com/federal-courts-begin-adapt-covid-19" target="_blank">here</a>&nbsp;and&nbsp;<a rel="noreferrer noopener" aria-label=" (opens in a new tab)" href="https://www.uscourts.gov/news/2020/03/12/judiciary-preparedness-coronavirus-covid-19" target="_blank">here</a>.&nbsp;Of particular note:<ul><li>The U.S. Supreme Court postponed oral arguments scheduled for the March session, but did not automatically extend filing deadlines under Rule 30.1. The Court did invite parties to request more time where warranted.</li><li>The Ninth Circuit postponed the March en banc oral arguments. The other oral arguments scheduled in March, April and May are being evaluated on a case-by-case basis.</li><li>The Northern District of California has continued all jury trials scheduled to begin before May 1, and has directed all civil matters be decided on the papers, unless the assigned judge deems a telephonic or video hearing necessary.&nbsp;</li><li>The Southern District of New York has continued all jury trials scheduled to begin before April 27, and left it up to the presiding judge to determine compliance with all other trial-specific deadlines in civil and criminal cases scheduled to begin before April 27.&nbsp;</li><li>The District Court for the District of Columbia continued all trials scheduled to begin before May 11, and all other civil, criminal and bankruptcy proceedings scheduled to occur between March 17 and April 17.&nbsp;</li><li>The Eastern District of Virginia continued all civil jury matters to a future date and postponed all in-court civil proceedings for two weeks, except for critical and emergency matters.&nbsp;</li></ul></li></ul>



<p></p>



<ul><li><strong>Depositions</strong>: Do you have depositions scheduled or that need to be scheduled? Consider whether defending or taking a deposition remotely (via video conference) is feasible or even advantageous. You’ll need to confirm that your court reporter is available to record the deposition remotely. Also consider whether you or your client will be at a strategic disadvantage by using video. Note you will likely have to coordinate the exchange of documents electronically and may have to provide documents to the other side before the deposition.&nbsp;&nbsp;If you are defending a deposition, how will you prepare your witness?&nbsp;&nbsp;If you do not want to take or defend depositions remotely, is that grounds for extending the schedule?</li></ul>



<p></p>



<ul><li><strong>Mediations/ADR</strong>: Do you have a mediation or ADR scheduled? Similar to depositions, you should contact your mediator to inquire about video-conferencing options but also consider the strategic implications of moving forward with a mediation in this fashion. And if you do move forward, that may change how you want to structure the mediation. Are presentations of the strengths of your case more or less helpful when the parties are not in the same room?  Can the mediator effectively “go back and forth” between the parties remotely? Also note that if the court has ordered you to engage in ADR, you will likely need to seek leave to extend the deadline for completing this process.</li></ul>



<p></p>



<ul><li><strong>Discovery</strong>: Although most document review and production is conducted electronically, e-discovery vendors may have to adjust their internal procedures around production and contract attorneys for document review. It may also be more difficult to access hard copy documents or files maintained on your client’s servers.  Contact opposing counsel as soon as possible to discuss upcoming discovery deadlines and  consider whether extending the fact discovery deadlines may be appropriate.</li></ul>



<h4>Now may also be a time to consider longer-term strategic options:</h4>



<p></p>



<ul><li><strong>Settlement Strategy:&nbsp;</strong>Parties are often reluctant to raise settlement if it is not tied to a particular case milestone like class certification or summary judgment. But standard worries about appearing too eager or ceding the upper hand are less of a concern now that all parties recognize that we are entering uncharted territory, from both a litigation and business perspective.&nbsp;Opposing counsel may be reevaluating how to allocate their more limited resources in this new environment.&nbsp;Raising settlement now, before addressing these complicated issues, may be an appealing option for cases in their early stages where neither party has invested a lot in the case yet.</li></ul>



<p></p>



<ul><li><strong>Case Building</strong>: Alternatively, a potential “pause” in cases may create an opportunity for case building.&nbsp; With deadlines getting adjourned, parties may have more time to focus on proactive work such as creating orders of proof and trial plans, or preparing for key depositions that will occur once travel restrictions cease.&nbsp; This may be less of an appealing option for companies looking to reduce their legal spend in these uncertain times but may pay dividends&nbsp;later for those able to make the investment now.</li></ul>



<p>It is unclear how long the current crisis will last, and what the long-term impacts will be. Ultimately, staying flexible and thinking long-term is essential as you move forward with the day-to-day of active litigation.</p>



<hr class="wp-block-separator is-style-wide"/>



<p class="has-text-align-center">Learn more about other <a rel="noreferrer noopener" aria-label="key considerations (opens in a new tab)" href="https://www.zwillgen.com/covid-19/" target="_blank">key considerations</a> for your business during the COVID-19 pandemic.</p>



<hr class="wp-block-separator is-style-wide"/>



</p>]]></content:encoded>
					
		
		
		<post-id xmlns="com-wordpress:feed-additions:1">9188</post-id>	</item>
		<item>
		<title>FTC Seeks Public Comment on Approach to Influencers, Endorsements, Testimonials, and Reviews</title>
		<link>https://blog.zwillgen.com/2020/02/24/ftc-seeks-public-comment-influencers-endorsements-testimonials-reviews/</link>
		
		<dc:creator><![CDATA[Zach Lerner]]></dc:creator>
		<pubDate>Mon, 24 Feb 2020 19:00:00 +0000</pubDate>
				<category><![CDATA[FTC & State AG]]></category>
		<category><![CDATA[Federal Trade Commission (FTC)]]></category>
		<category><![CDATA[Influencer Marketing]]></category>
		<guid isPermaLink="false">https://blog.zwillgen.com/?p=9165</guid>

					<description><![CDATA[<img width="628" height="250" src="https://blog.zwillgen.com/wp-content/uploads/2020/02/ftcinfluencermarketing_blog-628x250.png" class="attachment-content-magz size-content-magz wp-post-image" alt="Influencer Marketing" style="margin-bottom:10px;" /><p><p>UPDATE: Due to the COVID-19 pandemic, the FTC has extended the deadline to submit comments by sixty days. The original deadline was April 21, 2020. The new deadline is June 22, 2020. With the rise of influencer marketing, promotional social media content, and endorsed reviews, the Federal Trade Commission (“FTC”) has increased its enforcement and [&#8230;]</p>
</p>]]></description>
										<content:encoded><![CDATA[<img width="628" height="250" src="https://blog.zwillgen.com/wp-content/uploads/2020/02/ftcinfluencermarketing_blog-628x250.png" class="attachment-content-magz size-content-magz wp-post-image" alt="Influencer Marketing" style="margin-bottom:10px;" /><p>
<hr class="wp-block-separator is-style-wide"/>



<p><strong>UPDATE:</strong> Due to the COVID-19 pandemic, the FTC has <a rel="noreferrer noopener" aria-label="extended the deadline (opens in a new tab)" href="https://www.ftc.gov/news-events/press-releases/2020/03/ftc-extends-comment-deadline-endorsement-guides-review-june-22?utm_source=govdelivery" target="_blank">extended the deadline</a> to submit comments by sixty days. The original deadline was April 21, 2020. The new deadline is June 22, 2020.</p>



<hr class="wp-block-separator is-style-wide"/>



<p>With the rise of influencer marketing, promotional social media content, and endorsed reviews, the Federal Trade Commission (“FTC”) has increased its enforcement and is now looking to expand its guidance related to online endorsements and testimonials. On February 21, 2020, following an earlier&nbsp;<a href="https://www.ftc.gov/news-events/press-releases/2020/02/ftc-seeks-public-comment-its-endorsement-guides" target="_blank" rel="noreferrer noopener" aria-label=" (opens in a new tab)">press release</a>, the FTC formally requested&nbsp;<a href="https://www.federalregister.gov/documents/2020/02/21/2020-03447/guides-concerning-the-use-of-endorsements-and-testimonials-in-advertising" target="_blank" rel="noreferrer noopener" aria-label=" (opens in a new tab)">public comment</a>&nbsp;regarding whether to revise its&nbsp;<a href="https://www.ftc.gov/sites/default/files/attachments/press-releases/ftc-publishes-final-guides-governing-endorsements-testimonials/091005revisedendorsementguides.pdf" target="_blank" rel="noreferrer noopener" aria-label=" (opens in a new tab)">Endorsement Guides</a>&nbsp;(formally known as the Guides Concerning the Use of Endorsements and Testimonials in Advertising).&nbsp;</p>



<p>The Endorsement Guides, which were last updated in 2009, provide practical guidance for businesses as they determine when and how to make disclosures in order to comply with Section 5 of the FTC Act in their endorsements and testimonials. Since then, the FTC has published supporting documents to address changing trends in advertising and social media marketing. The Endorsement Guides, FAQs, and other materials dictate that when there is a material connection between an endorser and a business that could affect the weight or credibility of the endorsement, the connection must be clearly and conspicuously disclosed.</p>



<p>Guidance like the FTC’s&nbsp;<a href="https://www.ftc.gov/tips-advice/business-center/guidance/ftcs-endorsement-guides-what-people-are-asking" target="_blank" rel="noreferrer noopener" aria-label=" (opens in a new tab)">FAQs</a>&nbsp;on the subject provides concrete examples illustrating whether and how to make disclosures in the employment context and in blogs, online videos, and other types of “ads”.</p>



<p>In 2017, the FTC sent&nbsp;<a href="https://www.ftc.gov/news-events/press-releases/2017/04/ftc-staff-reminds-influencers-brands-clearly-disclose">warning letters</a>&nbsp;to influencers and brands to alert them to the Endorsement Guides, highlighting particular disclosures that the FTC alleged were not sufficiently clear. Later that year, the FTC brought enforcement actions against businesses that paid influencers for endorsements and against the influencers themselves. Enforcement has continued in full force in recent years, and influencers and social media endorsements recently appeared on the FTC’s&nbsp;<a href="https://www.ftc.gov/news-events/blogs/business-blog/2020/01/ftc-consumer-protection-year-review-offers-2020-vision-your">list of notable issues</a>&nbsp;for 2019 and 2020.</p>



<p>As part of its review process, the FTC is seeking public comment on a series of questions pertaining to the Endorsement Guides, including:</p>



<ul><li>how effective, necessary, and practical the Guides are and whether they should be updated to reflect changes in technology;</li><li>whether the Guides should address the use of affiliate links by endorsers;&nbsp;</li><li>whether the 2017 FAQs should be formally incorporated into the Guides;</li><li>whether children are able to understand disclosures and how the disclosures might affect them; and</li><li>whether composite ratings on review platforms that include incentivized reviews are misleading and what disclosures should be made to account for the ways in which reviews are collected and processed by advertisers and review site operators.</li></ul>



<p>Companies that previously established influencer and endorsement compliance programs should pay attention to the FTC comment process and consider updates to their programs and external agreements to reflect any changes the FTC adopts. And for those businesses that engage in celebrity and influencer campaigns, utilize incentivized reviews, conduct social media contests, or operate review platforms but have not yet instituted robust endorsement and review compliance procedures, the FTC’s renewed focus on the Endorsement Guides should provide motivation to establish compliant policies and procedures.</p>



<p>Those who wish to file a comment must do so by April 21, 2020.</p>



<p>We would be happy to work with any of our clients, individually or with others, in drafting comments for submission to the FTC. If interested, please contact&nbsp;<a href="mailto:Zach@zwillgen.com">Zach@zwillgen.com</a>, who will help coordinate the effort.</p>



<h4>Additional Resources:</h4>



<blockquote class="wp-block-quote"><p><strong>Official Notice: </strong><br><strong><a rel="noreferrer noopener" aria-label="Guides Concerning the Use of Endorsements and Testimonials in Advertising (opens in a new tab)" href="https://www.federalregister.gov/documents/2020/02/21/2020-03447/guides-concerning-the-use-of-endorsements-and-testimonials-in-advertising" target="_blank">Guides Concerning the Use of Endorsements and Testimonials in Advertising</a></strong><br>February 21, 2020 | <a rel="noreferrer noopener" aria-label="Download PDF (opens in a new tab)" href="https://www.govinfo.gov/content/pkg/FR-2020-02-21/pdf/2020-03447.pdf" target="_blank">Download PDF</a></p></blockquote>



<blockquote class="wp-block-quote"><p><strong>Press Release:</strong> <a rel="noreferrer noopener" aria-label="FTC Seeks Public Comment on its Endorsement Guides (opens in a new tab)" href="https://www.ftc.gov/news-events/press-releases/2020/02/ftc-seeks-public-comment-its-endorsement-guides" target="_blank"><strong>FTC Seeks Public Comment on its Endorsement Guides</strong></a><br>February 12, 2020</p></blockquote>



<blockquote class="wp-block-quote"><p><strong>FTC Blog Post:</strong> <strong><a rel="noreferrer noopener" aria-label="Endorsement Guides: The FTC wants your feedback (opens in a new tab)" href="https://www.ftc.gov/news-events/blogs/business-blog/2020/02/endorsement-guides-ftc-wants-your-feedback" target="_blank">Endorsement Guides: The FTC wants your feedback</a></strong><br>February 12, 2020</p></blockquote>



</p>]]></content:encoded>
					
		
		
		<post-id xmlns="com-wordpress:feed-additions:1">9165</post-id>	</item>
		<item>
		<title>CCPA’s Statutory Damages Push More Breach Litigation to the Golden State</title>
		<link>https://blog.zwillgen.com/2020/02/19/ccpa-statutory-damages-breach-class-action-litigation-california/</link>
		
		<dc:creator><![CDATA[Anna Hsia]]></dc:creator>
		<pubDate>Wed, 19 Feb 2020 18:00:00 +0000</pubDate>
				<category><![CDATA[Data Security]]></category>
		<category><![CDATA[Litigation]]></category>
		<category><![CDATA[Privacy]]></category>
		<category><![CDATA[California Consumer Privacy Act (CCPA)]]></category>
		<category><![CDATA[Class Action]]></category>
		<category><![CDATA[Dark Web]]></category>
		<category><![CDATA[Data Breach]]></category>
		<category><![CDATA[eCommerce]]></category>
		<guid isPermaLink="false">https://blog.zwillgen.com/?p=9160</guid>

					<description><![CDATA[<img width="628" height="250" src="https://blog.zwillgen.com/wp-content/uploads/2020/02/ccpastatutoryclassaction_blog-628x250.png" class="attachment-content-magz size-content-magz wp-post-image" alt="CCPA Statutory Damages Class Action Litigation Woman Credit Card eCommerce Payment" style="margin-bottom:10px;" /><p><p>We had long predicted that the CCPA’s introduction of statutory damages associated with certain data breaches would make California a popular venue for data breach class action lawsuits. Sure enough, litigants are now raising such claims in&#160;Barnes v. Hanna Andersson, a data breach litigation against children’s apparel company Hanna Andersson (“Hanna”) and its vendor, Salesforce.&#160; [&#8230;]</p>
</p>]]></description>
										<content:encoded><![CDATA[<img width="628" height="250" src="https://blog.zwillgen.com/wp-content/uploads/2020/02/ccpastatutoryclassaction_blog-628x250.png" class="attachment-content-magz size-content-magz wp-post-image" alt="CCPA Statutory Damages Class Action Litigation Woman Credit Card eCommerce Payment" style="margin-bottom:10px;" /><p>
<p>We had long predicted that the CCPA’s introduction of statutory damages associated with certain data breaches would make California a popular venue for data breach class action lawsuits. Sure enough, litigants are now raising such claims in&nbsp;<em>Barnes v. Hanna Andersson</em>, a data breach litigation against children’s apparel company Hanna Andersson (“Hanna”) and its vendor, Salesforce.&nbsp;</p>



<p>The case arose from a data breach that plaintiffs allege involved theft of payment card numbers and other financial information sufficient to enable the hackers to make fraudulent purchases and steal the identities of those affected. Plaintiffs contend such stolen information also made its way to the dark web, creating a “lifetime risk of identity theft” for the affected individuals. Plaintiffs allege that Hanna and Salesforce negligently and/or carelessly failed to protect customer data by preventing the breach or promptly detecting the breach. Plaintiffs contend that the breach went undetected for months, and was only discovered when law enforcement notified Hanna that it had discovered such financial information on the dark web.&nbsp;</p>



<p>Similar to other data breach lawsuits, Plaintiff identifies as injuries to the class members (1) lost or diminished value of personal information; (2) out-of-pocket expenses associated with the prevention, detection, and recovery from identity theft, fraud, or misuse of personal information; and (3) lost opportunity costs in spending time to mitigate consequences of the breach. But Plaintiff also alleged class members were deprived of rights possessed under the CCPA.</p>



<p>The Complaint contains multiple allegations intended to establish that defendants failed to implement reasonable security under the CCPA. For example, Plaintiff pointed to (1) the length of time the data was vulnerable to unauthorized access; (2) Hanna’s posting of a job opening for a “Director of Cyber Security”; (3) warnings from the FBI regarding e-skimming attacks; and (4) well-publicized and widespread attacks on other e-commerce retailers that should have given defendants notice of the risk.</p>



<p>Only time will tell whether Plaintiff can establish that the defendants failed to implement reasonable security. But the case likely marks the beginning of a new trend in data breach litigation, with more fulsome allegations of unreasonable security practices. Given the statutory damages available under the CCPA—which arguably obviate the need to allege injury to survive a motion to dismiss—California will be a hotbed for such litigation. Courts will need to assess a number of novel issues, including whether circumstantial allegations (e.g., the existence of similar attacks) suffice to state a claim for failure to maintain reasonable security, whether the CCPA’s statutory damages are available for breaches occurring before the CCPA’s effective date, and how the CCPA’s 30-day cure period affects the claims, if at all.</p>



</p>]]></content:encoded>
					
		
		
		<post-id xmlns="com-wordpress:feed-additions:1">9160</post-id>	</item>
		<item>
		<title>Key Changes in the AG’s Updated Proposed CCPA Regulations</title>
		<link>https://blog.zwillgen.com/2020/02/09/key-changes-california-ag-updated-proposed-ccpa-regulations/</link>
		
		<dc:creator><![CDATA[Ken Dreifach]]></dc:creator>
		<pubDate>Sun, 09 Feb 2020 22:00:39 +0000</pubDate>
				<category><![CDATA[Data Security]]></category>
		<category><![CDATA[FTC & State AG]]></category>
		<category><![CDATA[General]]></category>
		<category><![CDATA[Privacy]]></category>
		<category><![CDATA[California Consumer Privacy Act (CCPA)]]></category>
		<guid isPermaLink="false">https://blog.zwillgen.com/?p=9134</guid>

					<description><![CDATA[<img width="628" height="250" src="https://blog.zwillgen.com/wp-content/uploads/2020/02/CCPAAGUpdate_20200209_Blog-628x250.png" class="attachment-content-magz size-content-magz wp-post-image" alt="" style="margin-bottom:10px;" /><p><p>The California Attorney General released an update to its proposed California Consumer Privacy Act Regulations, and companies have until 5 pm PT on February 24 to submit comments on this updated draft. </p>
</p>]]></description>
										<content:encoded><![CDATA[<img width="628" height="250" src="https://blog.zwillgen.com/wp-content/uploads/2020/02/CCPAAGUpdate_20200209_Blog-628x250.png" class="attachment-content-magz size-content-magz wp-post-image" alt="" style="margin-bottom:10px;" /><p>
<hr class="wp-block-separator is-style-wide"/>



<p>This post was updated on 2/11/2020 to reflect revisions made by the California Attorney General on 2/10/2020.</p>



<hr class="wp-block-separator is-style-wide"/>



<p>The California Attorney General released an <a rel="noreferrer noopener" aria-label=" (opens in a new tab)" href="https://www.oag.ca.gov/sites/all/files/agweb/pdfs/privacy/ccpa-text-of-mod-redline-020720.pdf" target="_blank">update to its proposed California Consumer Privacy Act Regulations</a>, and companies have until 5 pm PT on February 24 to submit comments on this updated draft. Key changes include: </p>



<h4>Definitions</h4>



<ol><li>Clarifying that to qualify as personal information (“PI”), information must be maintained in a manner such that it could be reasonably linked to a particular consumer or household.&nbsp;For example, IP addresses are not necessarily PI if a business cannot reasonably link them to a particular consumer or household.&nbsp;Therefore, a company that collects only IP addresses that are not tied to any other PI would not qualify as a “business” under the CCPA, or a business that cannot reasonably link IP addresses to a consumer would not need to process access or deletion requests for such data.&nbsp;999.302(a).</li></ol>



<h4>Notice Requirements</h4>



<ol start="2"><li>Confirming that the notice at collection is different than the privacy policy and must be given at or before collection of PI from a consumer but clarifying that this notice can be provided via a link on the business’s introductory page and any page on which PI is collected. 999.305(a)(3).<br></li><li>Clarifying that for mobile apps, the link to the privacy policy, link to the Do Not Sell (“DNS”) opt-out page, and the notice at collection should be in the settings menu (in addition to the download page as previously proposed).&nbsp;999.306(b) and 308(b).&nbsp;<br></li><li>Adding a new requirement for “Just-in-Time” notices on mobile for any unexpected use of data.&nbsp;999.305(a)(4).&nbsp;<br></li><li>Removing the requirement that the purpose of uses of PI and the categories of sources have to be listed separately for each category of information collected.&nbsp;This may remove the practical need to include charts in the privacy policy or in response to access requests.&nbsp; However, it is still the case that for each category of PI collected, businesses must disclose (both in the privacy policy and in response to access requests) the categories of third parties to which the information was disclosed or sold.&nbsp;999.308(c).<br></li><li>Clarifying that the requirement to obtain explicit consent from a consumer if using PI for a previously undisclosed purpose applies only to previously-collected PI (which effectively codifies the FTC’s expectation that businesses obtain consent for material retroactive changes).&nbsp;999.305(a)(5).<br></li><li>Removing the requirement for data resellers to ensure that a “notice at collection” or “direct notice” was provided to consumers, provided they&nbsp;<a rel="noreferrer noopener" aria-label=" (opens in a new tab)" href="https://oag.ca.gov/data-brokers" target="_blank">register as data brokers</a>&nbsp;and, in that registration, include a link to their privacy policy containing opt-out instructions.&nbsp;999.305(d).</li></ol>



<h4>Do Not Sell&nbsp;</h4>



<ol start="8"><li>Clarifying that businesses do not need to offer employees or job applicants a “Do Not Sell” link but requiring that businesses present employees and applicants with a notice at collection, which can be a link to an employee-specific privacy policy. 999.305(e).<br></li><li>Adding a new section that clarifies that businesses may not sell data collected while a Do Not Sell link was not posted, but that consumers whose data was collected during that time period are no longer deemed to have opted out, and therefore need not be counted for the reporting requirements.&nbsp;However, businesses must obtain affirmative authorization from those consumers to sell such data at a later time.&nbsp;999.306(e).<br></li><li>Providing a new Do Not Sell icon that can be used in addition to, but not instead of, a Do Not Sell link.&nbsp;999.306(f).<br></li><li>Clarifying that to be enforceable, a browser or other automated sale opt-out signal must be user-enabled and not set on by default.&nbsp; 999.315(d).&nbsp;Where that is the case, the signal cannot be ignored even if it conflicts with a user’s choice for that business, but rather the conflict has to be presented to the consumer to decide how to proceed. 999.315(d)(2).<br></li><li>Replacing the 90-day lookback (i.e., the requirement to transmit a Do-Not-Sell request to parties to which a business sold PI in the 90 days prior to receipt of a Do-Not-Sell request), with a lookback only for all sales that occurred between the submission of a Do-Not-Sell request and the honoring of that request.&nbsp;999.315(f).<br></li><li>Noting that agents who submit access, deletion or opt-out requests must present something “signed by the consumer” giving them this authority.&nbsp;999.315(g) and 999.326(a)(1).</li></ol>



<h4>Submission and Verification of Consumer Requests</h4>



<ol start="14"><li>Clarifying that the verification process need only be described “in general” in the privacy policy.&nbsp;999.308(c)(1).<br></li><li>Incorporating an amendment to the statute whereby businesses that operate exclusively online and have a direct relationship with a consumer can satisfy the law by offering an email address for submitting access requests.&nbsp;However, such businesses must still provide two designated methods for deletion requests.&nbsp;999.312(a).<br></li><li>Explaining that a two-step process for submitting deletion requests is allowed, but no longer required.&nbsp;999.312(d).<br></li><li>Removing the requirement that businesses must treat an unverifiable request to delete as a request to opt out of sales but noting that in such situations businesses do have to ask consumers if they want to opt out of sales and point them to where they can go to opt out. 999.313(b).<br></li><li>Clarifying when consumer requests pertaining to “households” must be honored – namely, when the household (and not an individual consumer living within a household) has a password-protected account with a business.&nbsp;Absent a password-protected household account, a business can only process a household access or deletion request if every member of the household submits a request, is independently verified by the business, and is able to show that they are currently members of that household.&nbsp;999.318(a).</li></ol>



<h4>Responding to Requests&nbsp;</h4>



<ol start="19"><li>Clarifying that the right to request access relates to personal information (“PI”) that the business has “collected” about the consumer – not information that the business merely “has” about the consumer.&nbsp;999.300(g).<br></li><li>Creating new exceptions for access requests that eliminate the need to provide PI that is kept solely for legal or compliance purposes and is not reasonably accessible or searchable and not sold or used for commercial purposes.&nbsp;999.313(c)(3).<br></li><li>Clarifying that a service provider can disclose information to other service providers and use information it has to improve its services and for the standard legal and compliance uses specified in 1798.145 (a)(1) – (a)(4) of the statute.&nbsp; However, these permissible uses do not include “building or modifying household or consumer profiles” or “cleaning or augmenting data obtained from another source.” 999.314(c).&nbsp;<br></li><li>Requiring service providers to respond to access or deletion requests they receive directly from consumers by either acting upon the request or informing the consumer that they cannot act on the request because they are acting as a service provider.&nbsp;999.314(e).</li></ol>



<h4>Discrimination</h4>



<ol start="23"><li>Clarifying that refusing to delete information that is necessary to participate in a loyalty program that provides discounts is not discriminatory if that information is needed for the program but is discriminatory if the information is NOT needed to operate the program.   <br></li><li>Providing additional guidance on ways a company can calculate the “value” of a consumer’s data, to justify price or service differentials related to CCPA data rights. 999.336 and 999.337. </li></ol>



<h4>Recordkeeping</h4>



<ol start="25"><li>Raising the threshold for recordkeeping and transparency requirements to 10,000,000 consumers, up from the 4,000,000 level (per calendar year).</li></ol>



<p>Notably, the verification examples provided still do not help specify what needs to be collected to verify at a “reasonably high” degree of certainty.</p>



<p>Visit&nbsp;<a href="https://oag.ca.gov/privacy/ccpa" target="_blank" rel="noreferrer noopener" aria-label=" (opens in a new tab)">this page</a>&nbsp;for more details on the AG’s CCPA rulemaking process, including background documents. After considering comments on the modified Regulations, the AG has the option to make further changes or finalize this modified version.&nbsp;Once a final version of the regulations is released, it cannot take effect for at least one month, and enforcement cannot begin until July 1.</p>



</p>]]></content:encoded>
					
		
		
		<post-id xmlns="com-wordpress:feed-additions:1">9134</post-id>	</item>
		<item>
		<title>SEC Releases InfoSec “Roadmap” for GLBA Entities</title>
		<link>https://blog.zwillgen.com/2020/02/03/sec-ocie-infosec-roadmap-glba/</link>
		
		<dc:creator><![CDATA[Nur Lalji]]></dc:creator>
		<pubDate>Mon, 03 Feb 2020 19:00:00 +0000</pubDate>
				<category><![CDATA[Data Security]]></category>
		<category><![CDATA[Gramm-Leach-Bliley Act (GLBA)]]></category>
		<category><![CDATA[Incident Response]]></category>
		<category><![CDATA[Securities Exchange Commission (SEC)]]></category>
		<guid isPermaLink="false">https://blog.zwillgen.com/?p=9046</guid>

					<description><![CDATA[<img width="628" height="250" src="https://blog.zwillgen.com/wp-content/uploads/2020/02/secroadmap_20190203_blog-628x250.png" class="attachment-content-magz size-content-magz wp-post-image" alt="" style="margin-bottom:10px;" /><p><p>The Securities and Exchange Commission’s Office of Compliance Inspections and Examinations (OCIE) has released a new report, entitled Cybersecurity and Resiliency Observations, which stands as their most detailed and comprehensive information security guidance to date. Companies supervised by OCIE may want to consider the report to be an information security “benchmark,” as it amounts to [&#8230;]</p>
<p>The post <a rel="nofollow" href="https://blog.zwillgen.com/2020/02/03/sec-ocie-infosec-roadmap-glba/">SEC Releases InfoSec “Roadmap” for GLBA Entities</a> appeared first on <a rel="nofollow" href="https://blog.zwillgen.com">Law across the wire and into the cloud</a>.</p>
</p>]]></description>
										<content:encoded><![CDATA[<img width="628" height="250" src="https://blog.zwillgen.com/wp-content/uploads/2020/02/secroadmap_20190203_blog-628x250.png" class="attachment-content-magz size-content-magz wp-post-image" alt="" style="margin-bottom:10px;" /><p>
<p class="has-drop-cap">The Securities and Exchange Commission’s Office of Compliance Inspections and Examinations (OCIE) has released a new <a rel="noreferrer noopener" href="https://www.sec.gov/files/OCIE%20Cybersecurity%20and%20Resiliency%20Observations.pdf" target="_blank">report</a>, entitled <em>Cybersecurity and Resiliency Observations,</em> which stands as their most detailed and comprehensive information security guidance to date. Companies supervised by OCIE may want to consider the report to be an information security “benchmark,” as it amounts to a kind of roadmap for navigating the SEC’s supervisory <a rel="noreferrer noopener" aria-label="expectations for cybersecurity programs (opens in a new tab)" href="https://blog.zwillgen.com/2015/10/02/sec-focus-on-cybersecurity-continues-and-intensifies/" target="_blank">expectations for cybersecurity programs</a>.</p>



<div class="wp-block-columns">
<div class="wp-block-column is-vertically-aligned-top" style="flex-basis:80%">
<p>Although cybersecurity has long been an area of concern for the agency, the latest report demonstrates a new level of sophistication and technical fluency for OCIE. Much of the guidance adds significant detail to some of OCIE’s previous recommendations (e.g., asset management; identity management; awareness and training; operational resilience), while some of the recommendations are almost entirely new.</p>
</div>



<div class="wp-block-column is-vertically-aligned-top" style="flex-basis:20%">
<div class="wp-block-image"><figure class="aligncenter size-large is-resized"><a href="https://www.sec.gov/files/OCIE%20Cybersecurity%20and%20Resiliency%20Observations.pdf" target="_blank" rel="noreferrer noopener"><img src="https://blog.zwillgen.com/wp-content/uploads/2020/02/SECOCIE_cybersecurity_resiliency_observations_thumb.png" alt="SEC OCIE Cybersecurity and Resiliency Observations" class="wp-image-9060" width="104" height="133" srcset="https://blog.zwillgen.com/wp-content/uploads/2020/02/SECOCIE_cybersecurity_resiliency_observations_thumb.png 416w, https://blog.zwillgen.com/wp-content/uploads/2020/02/SECOCIE_cybersecurity_resiliency_observations_thumb-234x300.png 234w" sizes="(max-width: 104px) 100vw, 104px" /></a></figure></div>
</div>
</div>



<hr class="wp-block-separator is-style-wide"/>



<p class="has-normal-font-size"><strong>OCIE Risk Alert History:</strong></p>



<blockquote class="wp-block-quote"><p><strong>05/23/2019</strong> &#8211; <a rel="noreferrer noopener" aria-label="Safeguarding Customer Records and Information in Network Storage – Use of Third Party Security Features (opens in a new tab)" href="https://www.sec.gov/files/OCIE%20Risk%20Alert%20-%20Network%20Storage.pdf" target="_blank">Safeguarding Customer Records and Information in Network Storage</a></p></blockquote>



<blockquote class="wp-block-quote"><p><strong>08/07/2017</strong> &#8211; <a rel="noreferrer noopener" aria-label="Observations From Cybersecurity Examinations (opens in a new tab)" href="https://www.sec.gov/files/observations-from-cybersecurity-examinations.pdf" target="_blank">Observations From Cybersecurity Examinations</a></p></blockquote>



<blockquote class="wp-block-quote"><p><strong>09/15/2015</strong> &#8211; <a rel="noreferrer noopener" aria-label="OCIE’s 2015 Cybersecurity Examination Initiative (opens in a new tab)" href="https://www.sec.gov/ocie/announcement/ocie-2015-cybersecurity-examination-initiative.pdf" target="_blank">OCIE’s 2015 Cybersecurity Examination Initiative</a></p></blockquote>






<hr class="wp-block-separator is-style-wide"/>



<p>The report describes best practices that OCIE has
identified across seven categories of controls: governance and risk
management, access rights and controls, data loss prevention, mobile security,
incident response and resiliency, vendor management, and training and
awareness. Here are some of the ways the report reflects OCIE’s evolving views on
cybersecurity preparedness:</p>



<ul><li><strong>Mobile Security </strong>&#8211; OCIE devotes an entire section of the report to mobile security and lists several ways in which organizations can ensure that they adequately address mobile devices’ unique vulnerabilities. In addition to crafting policies for the use of mobile devices, for example, the report recommends using mobile device management software and requiring all internal and external users to utilize multi-factor authentication. </li></ul>



<ul><li><strong>Incident Response Considerations </strong>&#8211; OCIE’s previous guidance stressed the importance of having an incident response plan, but the new report includes specific considerations such as addressing applicable reporting requirements, developing a communication strategy for various stakeholders, and delegating particular roles for employees to take on in the event of a cyber incident.</li></ul>



<ul><li><strong>Contextual Data Protection</strong> &#8211; Although the report cites to techniques OCIE has identified before—such as conducting vulnerability scans and implementing a patch management program—it addresses data protection in new and notable contexts, such as developing an insider threat monitoring program and creating a system for ensuring that legacy hardware and software do not create vulnerabilities when decommissioned. </li></ul>



<p>The issuance of comprehensive guidelines, as well as the fact that information security is once again on <a href="https://www.sec.gov/about/offices/ocie/national-examination-program-priorities-2020.pdf" target="_blank" rel="noreferrer noopener" aria-label=" (opens in a new tab)">OCIE’s list of examination priorities</a> this year, should indicate to financial firms that the SEC has increasingly stringent expectations on this subject. Entities under OCIE’s supervision should consider developing and finessing their cybersecurity strategies accordingly. </p>



</p>]]></content:encoded>
					
		
		
		<post-id xmlns="com-wordpress:feed-additions:1">9046</post-id>	</item>
		<item>
		<title>New Push for Washington’s Privacy Bill in 2020</title>
		<link>https://blog.zwillgen.com/2020/01/30/wpa-new-push-washington-privacy-bill-2020/</link>
		
		<dc:creator><![CDATA[Nur Lalji]]></dc:creator>
		<pubDate>Thu, 30 Jan 2020 14:00:00 +0000</pubDate>
				<category><![CDATA[Data Security]]></category>
		<category><![CDATA[Privacy]]></category>
		<category><![CDATA[Biometrics]]></category>
		<category><![CDATA[California Consumer Privacy Act (CCPA)]]></category>
		<category><![CDATA[Facial Recognition]]></category>
		<category><![CDATA[General Data Protection Regulation (GDPR)]]></category>
		<category><![CDATA[Washington]]></category>
		<category><![CDATA[Washington Privacy Act (WPA)]]></category>
		<guid isPermaLink="false">https://blog.zwillgen.com/?p=9028</guid>

					<description><![CDATA[<img width="628" height="250" src="https://blog.zwillgen.com/wp-content/uploads/2020/01/washingtonprivacyact_blog-628x250.png" class="attachment-content-magz size-content-magz wp-post-image" alt="Washington Privacy Act (WPA)" style="margin-bottom:10px;" /><p><p>Washington state may be leading the charge on privacy legislation in 2020. The state legislature introduced several privacy bills during the first week of its 2020 legislative session, including an updated version of the Washington Privacy Act (“WPA” or “Act”)—a comprehensive data protection framework modeled after the California Consumer Privacy Act (“CCPA”) and the European Union General Data Protection Regulation (“GDPR”). </p>
<p>The post <a rel="nofollow" href="https://blog.zwillgen.com/2020/01/30/wpa-new-push-washington-privacy-bill-2020/">New Push for Washington’s Privacy Bill in 2020</a> appeared first on <a rel="nofollow" href="https://blog.zwillgen.com">Law across the wire and into the cloud</a>.</p>
</p>]]></description>
										<content:encoded><![CDATA[<img width="628" height="250" src="https://blog.zwillgen.com/wp-content/uploads/2020/01/washingtonprivacyact_blog-628x250.png" class="attachment-content-magz size-content-magz wp-post-image" alt="Washington Privacy Act (WPA)" style="margin-bottom:10px;" /><p>
<hr class="wp-block-separator"/>



<p><strong>Related:</strong> <a rel="noreferrer noopener" aria-label="Washington Strengthens its Data Breach Law (opens in a new tab)" href="https://blog.zwillgen.com/2019/05/09/washington-strengthens-breach-notification-law/" target="_blank">Washington Strengthens Breach Notification Law</a></p>



<hr class="wp-block-separator"/>



<p>Washington state may be leading the charge on privacy
legislation in 2020. The state legislature introduced several privacy bills
during the first week of its 2020 legislative session, including an updated version
of the Washington Privacy Act (“WPA” or “Act”)—a comprehensive data protection
framework modeled after the California Consumer Privacy Act (“CCPA”) and the
European Union General Data Protection Regulation (“GDPR”). </p>



<p>The reintroduction of the Act comes on the heels of the January
1, 2020 effective date of the CCPA. Although consistent with the CCPA in many
ways, the Act would provide Washington consumers with rights that extend beyond
those granted to Californians under the CCPA and would impose GDPR-like
requirements on both controllers and processors. The WPA also includes new
requirements not found in the GDPR or CCPA, such as an entire detailed section
focused exclusively on facial recognition technology.</p>



<p>The WPA is likely to undergo at least a few revisions before a final vote, and has already seen some changes this session—a substitute bill replaced the original version following a committee hearing on January 23<sup>rd</sup>. Although the substitute bill contains some minor revisions, the core provisions of the Act remain fundamentally the same. Below are <em>some</em> notable aspects of the <a href="http://lawfilesext.leg.wa.gov/biennium/2019-20/Pdf/Bills/Senate%20Bills/6281-S.pdf#page=1" target="_blank" rel="noreferrer noopener" aria-label=" (opens in a new tab)">WPA as amended on January 27, 2020</a>. </p>



<h3>1. Expansion of Consumer Rights</h3>



<p>In addition to access and deletion rights, the WPA grants consumers a right to correct inaccurate personal information. The Act also has broader opt-out rights—giving consumers the ability to opt out of (i) the use of their data for certain forms of targeted advertising, (ii) “profiling” in furtherance of decisions that produce significant effects on them, and (iii) the “sale” of their data, which is defined somewhat differently than in the CCPA.</p>



<h3>2. Increased Responsibilities for Controllers</h3>



<p>Controllers would face an increase in responsibilities under the WPA. Like the CCPA, the WPA requires that controllers provide privacy notices that contain information such as the categories of personal data processed by the controller, the purposes for which the data is processed, and the categories of third parties with whom consumers’ personal data is shared. The WPA further requires, however, that controllers “clearly and conspicuously disclose” whether they process personal data for targeted advertising and that they provide for an appeals process in instances where the controller denies a consumer’s request to exercise WPA rights. Controllers are also subject to purpose specification and data minimization requirements and must conduct data protection assessments of certain processing activities, such as the sale of personal data or the use of personal data for targeted advertising. These assessments, which must weigh the benefits against the risks to consumers, must be provided to the Washington Attorney General on demand. The law’s consent requirement for processing “sensitive data,” which includes health information, ethnicity, citizenship status and somewhat precise geolocation data (accuracy better than 1,750 feet), has arguably narrower exceptions than the GDPR. </p>



<h3>3. Increased Responsibilities for Processors</h3>



<p>Under the WPA, processors would be subject to a number of direct responsibilities—including a requirement to maintain “reasonable security procedures and practices” for consumers’ personal data and to ensure that individuals within the company who process personal data are subject to a duty of confidentiality. Processors must also assist controllers with their obligations to consumers, provide controllers with data necessary for controllers to perform their data protection assessment requirements, and allow for periodic audits of processors’ policies and practices. Contracts with processors must contain more provisions than what the CCPA requires. The requirement is closer to that found in the GDPR. Similar to the GDPR, it appears that both controllers and processors would be responsible for having such contracts in place.</p>



<h3>4. No Private Right of Action</h3>



<p>While the CCPA contains a limited private right of action for certain data breaches, the WPA contains no private right of action. Instead, all suits must be brought by the Washington Attorney General, rather than directly by consumers. Both controllers and processors that are found to have violated a provision of the Act are subject to an injunction or penalties of up to $7,500 per violation. </p>



<h3>5. Accountability for Facial Recognition Technology Companies</h3>



<p>The WPA significantly increases accountability for companies that provide and use facial recognition services. Notably, under the Act, processors must make the technology available for controllers and third parties to conduct “reasonable” tests for accuracy across different subpopulations, such as those defined by race, skin tone, ethnicity, gender, age, or disability status. Where the tests result in a negative outcome—and the processor can confirm the validity of that outcome—the processor must create and implement a plan for addressing the discrepancies. Processors must also provide documentation that explains the “capabilities and limitations” of the service in clear language, and contractually prohibit controllers that engage their services from unlawfully discriminating against individuals through the use of facial recognition technology. Moreover, with the exception of a limited carve-out, controllers must provide a conspicuous notice wherever a facial recognition service is deployed, obtain consent from consumers before placing their image in a database, develop a process through which consumers can correct or challenge their inclusion in a facial recognition database, and conduct periodic employee trainings on facial recognition service operation. </p>



<p>The WPA contains a partial
exemption for voluntary facial recognition services that are used to verify an
airline passenger’s identity, but it still imposes data retention limits and
consent requirements in this airline context that will likely be challenged as
preempted by the federal Airline Deregulation Act.</p>



<hr class="wp-block-separator is-style-dots"/>



<p>In addition to its comprehensive data protection bill, the
Washington state legislature introduced ten other pieces of privacy-related
legislation, including a bill that would give individuals a property right in
their biometric identifiers, and a bill that would increase oversight into
government uses of facial recognition technology and limit use of the
technology for certain purposes. </p>



<p>It is currently unclear whether any of Washington’s recently introduced privacy bills will become law. However, despite the uphill battle state legislators often face with privacy legislation, the growing number of recent privacy bills introduced at the state level may galvanize Congress to move faster on federal privacy legislation. </p>



</p>]]></content:encoded>
					
		
		
		<post-id xmlns="com-wordpress:feed-additions:1">9028</post-id>	</item>
	</channel>
</rss>
