Posts in Privacy.

On June 29, 2024, Rhode Island’s governor signed the Rhode Island Data Transparency and Privacy Protection Act (RIDTPPA) into law. The RIDTPPA will go into effect January 1, 2026. The law generally aligns with other comprehensive data privacy laws, with a few notable exceptions, such as no cure period for violations disclosure requirements for third-party data sales, and the broad applicability of privacy notice requirements.

On May 24, 2024, Minnesota’s governor signed the 18th comprehensive state privacy law since California enacted the first comprehensive data privacy legislation in 2018. The Minnesota Consumer Data Privacy Act (“MCDPA”) will take effect on July 31, 2025. The MCDPA is similar in many ways to current data privacy laws but also has some elements unique to the MCDPA.

So far 2024 has seen a flurry of new and proposed state comprehensive privacy legislation. Nebraska and Kentucky are the two latest states to jump on the bandwagon. Both follow the now familiar framework established by the Virginia Consumer Data Protection Act. We explore each below.

New Hampshire.  On March 6, 2024, New Hampshire Governor Chris Sununu signed the state’s first comprehensive consumer privacy bill into law. The New Hampshire Privacy Act (the “NHPA”) is now the fourteenth such law to be passed in the United States, joining likes of California, Oregon, Montana, Iowa, Indiana, and Tennessee, just to name a few. The NHPA is slated to take effect January 1, 2025 and will be enforced by the New Hampshire Attorney General.

Like many of its predecessors, the NHPA provides New Hampshire residents with rights to access, correct, and delete their personal ...

Last week we wrote about the California Court of Appeals’ February 9th decision vacating the trial court’s June 2023 order delaying enforcement of the California Privacy Rights Act (“CPRA”).  After that decision, we were left to wonder whether the plaintiff, the California Chamber of Commerce (the “Chamber”), would pursue an appeal. This week we got our answer. On February 20th the Chamber filed a petition with the California Supreme Court seeking review of the Court of Appeals’ decision.

The Chamber’s petition is unsurprising, given its staunch opposition to ...

On February 9, 2024, a California Court of Appeals vacated a June 2023 order delaying enforcement of the California Privacy Rights Act’s (CPRA) implementing regulations. It has been a long journey for the California Privacy Protection Agency (CPPA), which promulgated the regulations almost a year ago, on March 29, 2023. The CPPA planned to begin enforcement of the regulations as early as July 1, 2023, but last spring, the California Chamber of Commerce (Chamber) filed a lawsuit arguing for delayed enforcement. In June 2023, a California superior court ruled in favor of the ...

In July, Oregon’s governor signed into law the Oregon Consumer Privacy Act (“OCPA”), making Oregon the eleventh state to enact a comprehensive privacy law.  The OCPA goes into effect on July 1, 2024.  Covered business other than applicable non-profits must comply with the OCPA by that date.  Applicable non-profits will become subject to the OCPA on July 1, 2025.   

On June 30, 2023, a court in Sacramento issued an order enjoining enforcement of the implementing regulations promulgated by the California Privacy Protection Agency (CPPA) under the California Privacy Rights Act of 2020 (CPRA). If the order stands, enforcement will be delayed until March 29, 2024.

In June, Texas became the tenth state with a comprehensive privacy law. The Texas Data Privacy and Security Act (“TDPSA”) contains familiar provisions from other state privacy laws regulating the collection, use, processing, and treatment of consumers’ personal data, but also has Texas-specific provisions. The TDPSA will be effective as of July 1, 2024, allowing a one-year compliance period.

This month, Indiana, Montana and Tennessee passed comprehensive privacy laws. Each tracks closely the comprehensive privacy laws outside of California, but with some variations. None applies to employee data or has a private right of action.  All have cure rights. Tennessee uniquely provides an affirmative defense for controllers who follow the NIST privacy framework. Tennessee’s law will go into effect July 1, 2024, giving businesses just over a year to prepare to comply. Indiana’s law affords businesses more time to comply – it will not take effect until January 1, 2026. Montana’s law will go into effect October 1, 2024. Below is a summary of key points from each law.

Last week the Florida Senate passed its version of a comprehensive privacy law (SB 262), entitled the Florida Digital Bill of Rights. If signed by Governor DeSantis, the Digital Bill of Rights will require large companies (those with at least $1 billion in annual global gross revenues and who meet other metrics) to provide consumers with certain rights, including access, correction and deletion rights, opt-ins for processing of sensitive personal information and data of known children, and opting out of the collection of targeting advertising, profiling, and voice recognition data. Although the threshold for coverage is high, the obligations are significant, including reasonable security measures, fair information practices, data protection assessments, mandated data retention limits, specific disclosures if the controller is engaged in targeted advertising, and a controversial requirement for disclosure of search engine methodology. Although there is no private cause of action, the Florida Department of Legal Affairs can enforce the law and impose civil penalties up to $50,000 per violation with trebling in certain instances.

As artificial intelligence systems such as ChatGPT and Midjourney have become increasingly prominent, so have concerns about the effects that such programs may have on the economy and society at large. With more businesses incorporating artificial intelligence (“AI”) into their operations, these apprehensions about its use become more salient every day. While the potential uses of AI for innovation, automation, and streamlining tasks is great, the algorithms powering AI are not free from the biases reflected in the data and content that they are fed, creating risks of violating civil rights and consumer protection laws.

Iowa has become the latest state to enact a consumer privacy law, joining California, Colorado, Connecticut, Utah, and Virginia.  On March 28, Governor Kim Reynolds signed into law Senate File 262, which effective January 1, 2025, will provide Iowa consumers various protections over their personal data.  The law applies to businesses that either conduct business in Iowa or produce products or services targeting Iowa consumers AND that either controls or processes personal data of at least 100,000 consumers or controls or processes personal data of at least 25,000 consumers while deriving more than 50% of gross revenue from the sale of personal data.  Unlike California’s comprehensive privacy law, the Iowa statute does not have a revenue threshold for application of the statute.  The statute excludes from coverage financial institutions and affiliates and data subject to GLBA, and HIPAA covered entities, among others.

On March 29, 2023, Iowa’s governor made Iowa the sixth state with a comprehensive privacy law, following in the footsteps of California, Colorado, Connecticut, Virginia and Utah. The Iowa Act Relating to Consumer Data Protection (ICDP) goes into effect on January 1, 2025.

The ICDP (which can be found here: https://custom.statenet.com/public/resources.cgi?id=ID:bill:IA2023000S262&cuiq=8e04c833-ee30-5394-bd10-4b61a2d27686&client_md=d7215793292e6d8c9cb26a1382d8546d&mode=current_text )

is most similar to the Utah Consumer Privacy Act, although the ICDP ...

On May 29, 2022, Maryland amended the Maryland Personal Information Protection Act (PIPA). Effective October 1, 2022, the amendment (located here https://mgaleg.maryland.gov/2022RS/chapters_noln/Ch_502_hb0962E.pdf ) revises provisions regarding genetic information. These revisions include an undefined term “genetic information” for purposes of notices requires under PIPA. But the revisions also add a revised definition of genetic information as it applies to all other provisions of the law, including provisions requiring investigation into a data breach and the requirement that businesses implement and maintain reasonable security procedures and practices. Specifically, the revised definition includes data that results from the analysis of a biological sample of the individual or from another source that concerns genetic material and enables equivalent information to be obtained, DNA, RNA, genes, chromosomes, alleles, genomes, alterations or modifications to DNA or RNA, single nucleotide polymorphisms, and information extrapolated, derived or inferred from such data, unless the information is encrypted, redacted or otherwise protected by a method that renders the information unreadable or unusable. 

Late last month the Securities and Exchange Commission (“SEC”) charged JP Morgan, UBS and Trade Station with violations of Regulation S-ID based on a range of inadequacies in their identity theft red flag policies and procedures. https://www.sec.gov/news/press-release/2022-131 The violations at issue might seem less than critical, such as not updating policies, merely copying over examples of red flags from Reg S-ID’s Appendix A, not incorporating specific policies into the red flag program, covering all accounts instead of conducting specific account assessments, and not providing sufficient detail in board reports. Although the SEC did not note any failure by these broker-dealers and investment advisors to actually detect and respond to identity theft red flags, the resulting orders and fines (up to $1.2 million), underline the SEC’s seriousness about protecting investors from cybercrime by requiring broker dealers and investment advisors to up their game and focus on the details.

The American Data Privacy and Protection Act (the “ADPPA”), a bill that would establish a comprehensive federal data privacy framework in the U.S., was formally introduced in the U.S. House of Representatives on June 21, 2022. Should the ADPPA become law, the United States will join the European Union and a handful of other countries such as Canada, Brazil, and New Zealand, in having a comprehensive data protection framework on a national level.

Utah is Fourth State to Pass Comprehensive Privacy Legislation

Utah recently became the fourth state in the United States, after California, Virginia and Colorado, to pass comprehensive privacy legislation. The Utah Consumer Privacy Act (the “UCPA”), passed by the Utah legislature as Senate Bill 227 and was signed by Governor Spencer Cox on March 24, 2022.

Invites to free webinars are not unsolicited advertisements, says Maryland federal court

The Telephone Consumer Protection Act (TCPA) prohibits sending an “unsolicited advertisement” to a fax machine, absent certain conditions. An “unsolicited advertisement” is “any material advertising the commercial availability or quality of any property, goods, or services which is transmitted to any person” without prior permission.

On its face, the TCPA’s definition seemingly would not include invitations to free seminars or webinars. However, in 2006 the Federal ...

The Supreme Court’s Facebook Ruling Narrows TCPA Claims—But Does Not Eliminate Them

Last month, the Supreme Court resolved a long-standing circuit split over the definition of an “automatic telephone dialing system” (ATDS) under the Telephone Consumer Protection Act (TCPA). The highly-anticipated decision in Facebook v. Duguid narrowed the type of equipment that constitutes an ATDS, and therefore drastically limited the scope of “automated” calls and texts that violate the TCPA.  

Update: The Washington Privacy Act

For more background on the Washington Privacy Act, see: Washington State Legislature Takes Another Shot At a Consumer Data Privacy Law (DataPoints, 1/22/2020)


Senate Bill 6281, the Washington Privacy Act, passed out of the Senate on February 14 and moved to the House of Representatives where it is expected to run up against some skepticism and questions. 

The bill was drafted to help bring Washington state more in line with California’s and the EU’s data privacy regulation efforts, in the absence of comprehensive privacy regulation at the federal level.  The Act places ...

Washington State Legislature Takes Another Shot At a Consumer Data Privacy Law

Following an unsuccessful attempt last year at passing a comprehensive data privacy bill, the Washington State Legislature is hoping the second time’s the charm. Senate Bill 6281, this session’s updated version of The Washington Privacy Act, is based on the best practices taken from the European Union’s General Data Protection Regulation (GDPR), and the California Consumer Privacy Act (CCPA) which went into effect on January 1 of this year. Although last year’s effort fizzled in Washington’s House of Representatives after passing the Senate 46-1, SB 6281 has been ...

Schrems II Opinion Casts Doubt on EU-US Data Protection Rules

Facebook is at the center of the “Schrems” case, which exposed contradictions between U.S. and EU data privacy rules and toppled the U.S./EU Safe Harbor (Schrems I). In Schrems II, Austrian Max Schrems challenges the adequacy of standard contractual clauses and the Privacy Shield (the replacement to the Safe Harbor).  A recent opinion in Schrems II questions the adequacy of privacy protections guaranteed by the U.S. but for now preserves the Privacy Shield and standard contractual clauses as potential adequate means of transferring personal data from the EU to the U.S.

The ...

The Wait is Over: Proposed Regulations Implementing the CCPA are Released

By Suzanne Gainey and Tandy Mathis.  On October 10, California Attorney General Xavier Becerra announced that the long-awaited proposed regulations implementing the California Consumer Privacy Act (“CCPA”) are available for public comment.  Although the regulations are not yet final, they do provide some visibility into what the Attorney General will expect from businesses that are subject to the CCPA.  While the proposed regulations add some clarity to the (sometimes unclear) language of the CCPA, the regulations also raise new questions about the application of the CCPA ...

California Consumer Privacy Act Update: AB25 and AB1355 Approved by California Governor

Earlier we posted an article regarding the amendments to the California Consumer Privacy Act by AB 25 and AB1355 creating a moratorium on the application of much of the CCPA to employee personal information—subject to approval by California’s governor. Pleased to report that Governor Newsom approved both AB25 and AB1355 and therefore the moratorium will be in effect until January 1, 2021. Some welcome relief to businesses trying to comply with the CCPA’s requirements.

California Consumer Privacy Act Update: California Legislature Provides Relief for Businesses Processing Employee Data

The California Consumer Privacy Act (CCPA) imposes significant protections for California residents covered by the law, and significant burdens for companies required to comply with it.    One area of concern is whether the CCPA applied to employee data collected by a business.  The language of the CCPA was unclear, but was open to the interpretation that its protections covered such data.  With an effective date of January 1, 2020, employers have been watching to see if the California legislature would clear up the uncertainty.  The good news is that for at least until January 1, 2021, most ...

Washington State Legislature Moves Toward Passage of Broad Consumer Data Privacy Law

Following in the footsteps of California, and the European Union’s General Data Protection Regulation, the State of Washington is taking steps to adopt a comprehensive privacy law focused on protecting consumer information. SB 5376, better known as the Washington Privacy Act, passed in the Washington State Senate on March 6, 2019 by a vote of 46 to 1 and had a public hearing in the Washington State House Committee on Innovation, Technology & Economic Development on March 22, 2019.

The bill has also received support from Microsoft General Counsel and former U.S. FTC Commissioner ...

Illinois Supreme Court Rules on Biometric Privacy Case

Today, the Illinois Supreme Court unanimously held that actual harm was not a necessary component of proving a breach of the state’s Biometric Information Privacy Act.  This ruling found that Stacy Rosenbach, the mother of a minor whose thumbprint was collected by Six Flags as part of a season pass holder purchase, can be considered an “aggrieved person” under the state’s biometric privacy law without alleging that her child’s data was stolen or misused.

This decision is significant because Illinois has the nation’s only biometric privacy law with a private right of ...

Update on California Consumer Privacy Act

By Bret Buckler and Todd Taylor
Recently the state of California passed a data privacy and security law called the California Consumer Privacy Act (“CCPA”) (Assembly Bill 375, found here).

The law, which takes effect on January 1, 2020, is aimed at establishing a defined set of rights for consumers with regard to how their personal information is being collected and used.  The political push for the law comes on the heels of a contentious few months where tech giants such as Facebook have admitted to potentially problematic data breaches and oversharing of personal information ...

What’s next for Facebook?

Now that the cameras have gone, the booster cushion has been removed from the witness chair, and Mark Zuckerberg is comfortably back in in Palo Alto, having survived his marathon two-days of testimony in front of a somewhat confused Congress, what’s next? 

Regulations  

Following the revelations that a political marketing firm, Cambridge Analytica, improperly obtained personal information from approximately 87 million Facebook user profiles (including even Mark Zuckerberg’s!), Congress has more support than ever to regulate Facebook and other social media tech.  On his ...

The CLOUD Act – Congress Passes New Bill Which Will Impact Access To Cross-Border Data

By Tandy Mathis

On Friday, March 23, 2018, Congress passed a 2,232 page omnibus spending bill. Included in the bill was a bipartisan act known as the “Clarifying Lawful Overseas Use of Data Act” or CLOUD Act, which will allow United States law enforcement to access the data stored abroad for U.S. citizens and will provide some relief to foreign law enforcement agencies to access the data of their citizens when that data is stored in the U.S..

The CLOUD Act Overhauls an Outdated Stored Communications Act (SCA) and an Overburdened Mutual Legal Assistance Treaty (MLAT) Act

At its core ...

Two Proposed Data Security Laws Reflect National Trend Toward Affirmative Responsibilities

With major consumer data breaches making headlines on a semi-regular basis, legislators around the country are starting to hold businesses more accountable for cybersecurity compliance.  Industry-specific laws such as HIPAA and the Gramm-Leach-Bliley Act (GLBA) already establish federal data security standards for some companies, and the Federal Trade Commission has taken the position that failure to have reasonable security measures is a violation of the FTC Act (see our DataPoints post here). 

From Massachusetts to New Mexico, a handful of state legislatures also have ...

MVA Seminar - Privacy and Data Security in the Trump Era: How to talk to the FBI and your IT Department in a Data Breach

PRIVACY AND DATA SECURITY IN THE TRUMP ERA: HOW TO TALK TO THE FBI AND YOUR IT DEPARTMENT IN A DATA BREACH (MAY 24, 2017): Effectively responding to a data breach requires clear communication with a web of internal and external groups. Two important groups are law enforcement and a company’s internal IT department. With the help of an FBI agent and an IT professional, this seminar will explore how to effectively work with these two groups to address a breach. Wednesday, May 24, 2017 11:30 AM - 1:00 PM. Register here.

Your Uber Driver Might Not Be the Only One Who Knows Where You Were Picked Up and Dropped Off….
By Tandy Mathis, Elena Mitchell, and Mindy Vervais

Did you know that if you’ve taken a New York City taxi since 2009, your pick-up and drop-off locations were recorded and published (through June of 2016) on the internet for anyone to find? Now, New York City officials want ride-sharing companies like Uber and Lyft to start providing drop-off and pick-up location data, too.

The New York City Taxi and Limousine Commission, or TLC, currently collects all kinds of trip data from New York City taxis—including pick-up and drop-off dates and times, coordinates of the start and end ...

Happy Data Privacy Day!  A Few Tips from the MVA Privacy and Data Security Group

Saturday January 28, 2017 is Data Privacy Day.  The Moore & Van Allen Privacy and Data Security group took a break from the pre-holiday revelries to put together some thoughts and tips for DataPoints.  So hoist a glass and enjoy this read, and try not to ponder too long the irony that Data Privacy Day falls on the same day as China’s New Year’s celebration.  Cheers!

  • Update vendor contracts. Make sure that contracts include required data security and privacy requirements. Some older laws and regulations already impose specific data security and privacy standards for certain industries ...
Live Streaming: The Privacy Concerns of Behind-the-Scenes Access

By Leslie Pedernales

A professional football team clinches their playoff spot in an upset game, then hits the locker room for a celebration and an inspirational pep talk from their winning coach.  The perfect application for livestreaming, one might think.  Opening a window into this mysterious world for all the rest of us to see and experience.  Not so fast.

After the Pittsburgh Steelers upset the Kansas City Chiefs in the AFC playoff game on January 15, Steelers wide receiver Antonio Brown invited the world into the Steelers’ locker room to join in the celebration through Facebook ...

MVA Seminar - Contracting for the Cloud
CONTRACTING FOR THE CLOUD (OCTOBER 27, 2016): Privacy and data security issues impact every industry and affect almost all aspects of a company’s operations. Sales, human resources, data maintenance and storage, IT, legal and compliance, even litigation, all require careful attention to protecting the privacy of personal information as well as preserving the integrity of company, customer or third party data. Moore & Van Allen developed the Privacy & Data Security Seminar Series 2016 to help our clients and friends of the firm navigate the legal and the practical challenges ...
The Early Days of the EU-U.S. Privacy Shield: Should Your Organization Self-Certify?

On August 1, 2016, the U.S. Department of Commerce began accepting self-certification applications for the new EU-U.S. Privacy Shield Framework.  In the month that has followed over 100 companies (including Microsoft, Oracle and Salesforce, among others) have self-certified that they are in compliance with the EU-U.S. Privacy Shield.

Now that that Privacy Shield is in effect and gaining acceptance, it is a good time for companies to examine whether the Privacy Shield makes sense for them.  To answer that question, it is important to understand some basic facts about the Privacy ...

European Parliament Passes Landmark Data Protection Regulation

Robert Sumner IV and Brandon Gaskins

On April 14, 2016, the European Parliament passed the General Data Protection Regulation (GDPR) and its companion, Data Protection Directive for Police and Criminal Justice Authorities.  The GDPR is a comprehensive regulation that includes new and enhanced privacy rights for European Union (EU) citizens, such as “the right to be forgotten” and the right to object to data processing, including data profiling.  The GDPR also establishes new and heightened obligations for companies doing business in the EU related to the collection, use, and ...

EU Article 31 Committee Approves EU-US Privacy Shield

EU Member States (the Article 31 Committee)  approved today the EU-US Privacy Shield.  The next step is formal adoption.  The full press release can be found here.

The approval of the Privacy Shield is good news for companies who transfer personal data from the EU to the US. Although legal challenges to the Privacy Shield are likely, the Privacy Shield was designed to address the shortcomings cited by the European Court of Justice in the now invalidated Safe Harbor self-certification scheme and should have a better chance of standing up to those legal challenges.

Related DataPoints Posts:

U.S. Government Petitions to Join Data Privacy Litigation Against Facebook in Ireland

On June 13, 2016, the United States government asked the Irish High Court to be joined as amicus curiae (friend of the court) in the case brought by the Austrian privacy activist Max Schrems against Facebook attacking the use of model contract clauses to transfer EU citizens’ data from the EU to the U.S. as violating fundamental privacy rights. This is an unusual request for the U.S. government to seek to intervene in private ligation, particularly in foreign courts. However, the stakes are high should Facebook lose, and the U.S. government’s surveillance practices are at the ...

MVA Seminar - Responding to a Data Breach:  What to Expect and What to Avoid
RESPONDING TO A DATA BREACH: WHAT TO EXPECT AND WHAT TO AVOID (APRIL 20, 2016): Verizon, Experian, and T-Mobile are on a growing list of entities impacted by major data breaches in the past year.  But data breaches are not just limited to large national companies or organizations. No one is immune. For most organizations—big or small—the question is not “if” they will be impacted by a data breach, but “when.” This seminar will help attendees gain a better understanding of what to do in the aftermath of a data breach, analyzing such questions as:
  • What should I expect after a ...
Energy Industry Target of Cyber-Attacks and Congressional Efforts to Bolster Security

Cybersecurity of the electric power grid and energy sector as a whole has been the subject of heightened Congressional attention given the integral role the industry plays in our economy. According to a 2015 U.S. Senate committee report, nearly one-third of reported cyber-attacks involve the energy sector. Not surprisingly, the 114th Congress (2015-2016) has introduced several pieces of legislation targeted towards enhancing the security of the nation’s energy infrastructure. Among the bills introduced were S. 1068 – An act to amend the Federal Power Act to protect the ...

President Obama Signs New Privacy Law – Judicial Redress Act

On February 24, 2016, President Obama signed into law the Judicial Redress Act giving citizens of certain “covered countries” access to U.S. courts to protect their privacy and take legal action against U.S. government agencies if their personal data is unlawfully disclosed.  The  Act provides that the U.S. Secretary of State, the Treasury Secretary and the Secretary of Homeland Security, will designate which countries and “regional economic integration organizations” (REIOs) will be “covered countries.”  To be designated, however, the countries and REIOs must ...

MVA Seminar - Privacy and Data Breach:  What Can Companies Expect in 2016?
PRIVACY AND DATA BREACH: WHAT CAN COMPANIES EXPECT IN 2016? (MARCH 16, 2016, SPEAKERS - KARIN MCGINNIS, TODD TAYLOR): 2016 promises to bring significant developments and challenges in information privacy and data security. Congress and state legislatures are continuing to focus on new laws to protect personal information while at the same time minimize the impact of cybersecurity threats. The Federal Trade Commission has made clear that it will continue to be a watchdog for privacy and data security violations affecting consumers, while at the same time the National Labor ...
Mobile Applications that Track User Information Have the FTC’s Attention

by Member Omari Sealy
Similar to website browsers, many mobile applications collect a variety of information from the user, including, the user’s identity, usage history, past log-ins, and location.  This enables the application to provide various functionality and to tailor features of the application for a better user experience (e.g., items retained in a shopping cart or targeted advertising).  These applications can be found in a variety of everyday devices such as smartphones, tablets, laptops, smart TVs, and even in some newer automobiles.  However, the enhanced ...

US and EU “Privacy Shield” Framework for Cross-Border Data Transfers Submitted to Article 29 Working Party Today

by Privacy & Data Security Member Karin McGinnis

On the same day that groundhog Punxsutawney Phil predicted an early Spring, the EU College of Commissioners brought some sunshine of its own, announcing yesterday that it has reached an agreement with the U.S. on transfers of personal  data from the EU to the U.S.  Details on the “Privacy Shield” are sketchy, and the EU Commission still must confer with the Article 29 Working Party and draft a decision document setting forth the terms.  But this is welcome news for companies on both sides of the pond.  More good news came today.  The Article ...

Reading the Section 5(a) Tea Leaves: What the end of 2015 may suggest about the FTC priorities in 2016

by Associate Breana Jeter

The end of 2015 represented a mixed bag for the Federal Trade Commission on privacy enforcement.  In November, the FTC’s Chief Administrative Law Judge dismissed the FTC’s complaint against LabMD for a possible data breach of 1,718 patients’ insurance claim information.  The patient’s sensitive information was discovered on peer-to-peer software by a data security company seeking to sell its services to LabMD.  While LabMD maintained that the patient’s information never left the company’s network and that there was no actual ...

Federal Trade Commission PrivacyCon 2016 Recap: Insights into the FTC’s Perspective on Privacy and Data Security

by Privacy & Data Security Member Karin McGinnis

The Federal Trade Commission’s PrivacyCon event brings together the FTC, researchers and academics to discuss the latest research and trends related to consumer privacy and data security.  Much of the discussion today centered on Big Data, coming on the heels of the FTC’s report, Big Data: A Tool for Inclusion or Exclusion? Understanding the Issues, which can be found here.  Also prominent were concerns about web transparency and whether consumers in fact understand what data is collected on them and how it will be used.  FTC ...

European Court of Justice Invalidates E.U. – U.S. Safe Harbor Framework

On October 6, 2015, the European Union's Court of Justice (the "ECJ") invalidated the E.U. – U.S. Safe Harbor Framework (the “Safe Harbor”) -- a data transfer arrangement upon which thousands of U.S. based companies have relied for legally transferring personal data outside of the European Union to the United States.   In order to better understand the likely impact of the ECJ’s decision, it may be useful to understand the original purpose behind the Safe Harbor.

Background on the Safe Harbor

Prior to the adoption of the Safe Harbor, legally transferring personally ...

User Beware: Facebook’s Internet.org Platform Considered to be “Privacy Nightmare”

By:  Tandy Blackburn and Mindy Vervais

On May 4, 2015, Facebook introduced Internet.org Platform, an open program for developers to create services that integrate with Internet.org.  However, many privacy advocates have deemed the Internet.org Platform to be a “privacy nightmare” for internet users in developing countries where Internet.org is offered.

Nearly a year ago, Facebook first introduced Internet.org and its companion mobile application, Internet.org App (“the App”) to the world, starting with the African country of Zambia.  Facebook has since introduced ...

MVA Seminar - Limiting Legal Liability for Potential Privacy and Data Security Issues: Practical Approaches to a Complex Problem

LIMITING LEGAL LIABILITY FOR POTENTIAL PRIVACY AND DATA SECURITY ISSUES: PRACTICAL APPROACHES TO A COMPLEX PROBLEM (APRIL 29, 2015):  You know that privacy and data security issues pose a huge risk for your company.  Regulatory penalties, litigation costs and recovery, and even just the cost of analyzing a data breach and sending out required notices can hurt a company’s bottom line not to mention its reputation.  Target’s breach cost the company over $148 million.  Fortunately, there are practical steps that your company can take now to limit liability when the inevitable ...

Proceed with Caution: Vehicle to Vehicle Communication Technology

Will the brave new world of automobiles include talking vehicles?  According to a plan by the National Highway Traffic Safety Administration (“NHTSA”), the answer is yes.  NHTSA has provided advanced notice that it intends to propose a rule http://www.nhtsa.gov/About+NHTSA/Press+Releases/NHTSA-issues-advanced-notice-of-proposed-rulemaking-on-V2V-communications  that all passenger cars and light trucks must have vehicle to vehicle (“V2V”) communication capability by 2019.  Many automakers are already incorporating some V2V technology in their ...

President Obama Proposes Legislation to Nationalize Data Breach Notification Standard

2014 was the year of the data breach as several large, high profile breaches occurred, including EBay, Target, and Home Depot, that affected the personal data of millions of Americans.  On January 12, 2015, President Obama announced his intention to introduce legislation (by way of Congress) to require notification to consumers when their personal data has been compromised by a data breach.  This proposed law, the Personal Data Notification & Protection Act, is part of a more comprehensive legislative agenda by the White House, including a consumer privacy bill of rights and a law to ...

An Early Christmas Present for Consumers? Court Rules that Retailers Can Be Liable to Banks Arising from Data Breaches.

by Privacy & Data Security Members Karin McGinnis & Robert Sumner

Cyber-Monday sales weren’t the only good thing that happened for consumers this week.  Later in the week a federal judge in Minnesota thwarted Target’s attempt to dismiss a lawsuit brought by banks and credit unions arising out of the massive data breach last year.  Although the breach and access to the credit card information of some 40 million consumers resulted from hackers obtaining the password of a Target vendor who was accessing an unrelated subsystem, the banks and credit unions claimed that Target was liable ...

Apple Strengthens Privacy Protections

Apple recently changed its privacy policy which has made headlines – it will no longer unlock iPhones and iPads for law enforcement.  Prior to this change, Apple would assist law enforcement in unlocking Apple devices when presented with a valid subpoena or court order.

According to Apple’s CEO, Tim Cook, the company attempts to avoid collecting user data when it designs new technology and services.  The most recent version of Apple’s mobile device operating system, iOS 8, encrypts the data for all iOS 8 applications, such as email, call records, and iMessage, and this data is ...

Social Media Password Protection: Where are we now?

In just two years, social media password protection has gone from a privacy advocate’s dream to an employer’s harsh reality in many states.  Maryland became the first state (in 2012) to enact legislation that prevented employers from requesting the user names or passwords to an employee’s or applicant’s personal social media accounts.  Two states quickly joined Maryland in 2012 by passing similar password privacy laws, and nine more states added privacy protections in 2013.

So far in 2014, six states – Louisiana, New Hampshire, Oklahoma, Rhode Island, Tennessee and ...

Privacy & Data Security Update: Supreme Court Rules that Warrants are Required for Cell Phone Searches

[On June 27, 2014, Charlotte Privacy & Data Security Member Karin McGinnis and Senior Counsel Todd Taylor published the following update regarding the U.S. Supreme Court decision in Riley v. California, 573 U.S. ___ (2014)]   On June 25th, the Supreme Court brought the Fourth Amendment into the digital age with its ruling in Riley v. California.  The case presented the question of whether a warrant was required in order for law enforcement to search a cell phone found on a suspect during the course of an arrest.  Chief Justice Roberts, writing for a unanimous court, stated clearly “[o]ur ...

About Data Points: Privacy & Data Security Blog

The technology and regulatory landscape is rapidly changing, thus impacting the manner in which companies across all industries operate, specifically in the ways they collect, use and secure confidential data. We provide transparent and cutting-edge insight on critical issues and dynamics. Our team informs business decision-makers about the information they must protect, and what to do if/when security is breached.

Stay Informed

* indicates required
Jump to Page

Subscribe To Our Newsletter

Stay Informed

* indicates required

By using this site, you agree to our updated Privacy Policy and our Terms of Use.