2020 Update: Data Privacy Laws in the United States

After the European Union passed the General Data Protection Regulation (“GDPR”) in 2016, the world watched to see whether the United States would adopt a similar data privacy law at the federal level.  While U.S. lawmakers, the tech industry, and consumer advocates have been working towards a federal data privacy bill, Congress has yet to pass, or even seriously consider, such legislation.  However, a federal law may finally be on the horizon – two data privacy bills have been introduced in the Senate, and a bi-partisan bill is currently being developed by a House committee.  In honor of Data Privacy Day, celebrated internationally on January 28, we explore the current status of data privacy laws in the United States.

In the absence of a comprehensive federal law, numerous states across the U.S. have passed their own data privacy legislation, including, perhaps most notably, California.  The California Consumer Privacy Act of 2018 (“CCPA”) became effective on January 1, 2020, creating new obligations for covered businesses regarding privacy notices and the handling of California consumers’ personal information.  The CCPA only protects Californians’ personal information but may apply to companies that do business in California even if they are not physically located in the state.  Businesses continue to scramble to understand and comply with the CCPA, which is only one of many state and industry-specific laws forming the current patchwork of data privacy laws in the U.S.

However, a federal solution may be on the horizon.  In November 2019, two data privacy bills were introduced in the Senate – the Consumer Online Privacy Rights Act (COPRA) and the United States Consumer Data Privacy Act (CDPA).  The bills share many similarities, including enforcement by the Federal Trade Commission, and would provide individuals with new rights regarding their personal information.  However, COPRA (introduced by Sen. Maria Cantwell, D-Wash.) and the CDPA (introduced by Sen. Roger Wicker, R-Miss.) vary on some important points, leading many to wonder whether either bill could make it through Congress.  For example, COPRA would preempt only state laws that expressly conflict with the Act, leaving state laws that provide additional protection to consumers intact, whereas the CDPA would preempt all state laws regarding data privacy (except for data breach notification provisions), including the CCPA.  COPRA would also allow for an individual private right of action, similar to the CCPA, while the CDPA would not.

Additionally, the House Energy & Commerce Committee recently released an initial draft of a bi-partisan data privacy bill.  Bi-partisan support will be critical for Congress to enact a federal data privacy law, but the initial House bill does little to reconcile the differences between the two introduced Senate bills.  Further, while this federal legislation is pending, numerous states are actively considering data privacy bills themselves.  Specifically, multiple states are in the process of considering data privacy legislation mirroring the CCPA.  In other states, such as Virginia (where the Virginia Privacy Act was introduced earlier this month), representatives have pulled provisions from the CCPA as well as the GDPR to create a more tailored bill for their state legislature to consider.  With many states in their legislative sessions and various federal bills pending, 2020 is already shaping up to be an exciting year for data privacy in the United States.

– Courtney Reigel, Esq.

Patchwork of State Privacy Laws

Earlier this year, we wrote about the European Union’s General Data Protection Regulation (GDPR) and how California was following suit by passing the California Consumer Privacy Act (CCPA). This law will come into effect on January 1, 2020. 

The CCPA protects California residents by providing heightened privacy rights and consumer protection regarding the collection of their personal data online.  While California residents are the protected class, businesses nationwide will be affected by the CCPA.  Any company whose website is accessed by California residents is subject to the requirements of the CCPA.  Potential damages for violation of the CCPA include statutory or actual damages, as well as fines for intentional and unintentional violations; therefore, it is imperative that businesses ensure their websites, privacy policies, and data collection procedures are compliant with the CCPA as soon as possible.

Additionally, a patchwork of states have started drafting and passing privacy laws in the CCPA’s wake. The infographic above shows which states are proposing and passing new legislation.

One of the two states that has officially passed a data privacy law is Nevada.  Although only passed in May of this year, it will be effective a full three months earlier than the CCPA, October 1, 2019.  This law appears narrower than the CCPA, as it specifically addresses a consumer’s right to opt out of the sale of their personal information, while the CCPA covers the whole gamut of an individual’s rights to data.  Additionally, this bill does not include a private right of action, but rather relies on the Attorney General to enforce it. We are not at all shocked that Nevada would be one of the earliest adopters of additional privacy legislation, however. What happens in Vegas, stays in Vegas.

The other early actor is Maine, whose governor signed one of the strictest internet privacy protection bills into law just this month. Maine’s new privacy law, which goes into effect on July 1, 2020, will require internet service providers to seek consent from their consumers before selling or sharing their personal information with any third party.  Critics have attacked this law on various grounds, arguing that the law conflicts with federal laws, the U.S. Constitution’s Interstate Commerce Clause, and even the right of free speech.  Yikes.  We’re interested to see how these challenges will play out in the courts.

Five additional states have proposed legislation.  All of these proposed bills have pros and cons, but we will look into them in more depth as they progress.

  • New York has proposed a broadly worded bill regarding privacy that includes imposing an obligation on companies as a “data fiduciary” and allows for a private right of action. We expect such an aggressive bill to get some pushback, as a fiduciary duty is a very high obligation.
  • Maryland’s proposal incorporates the CCPA’s prohibition on discriminating against those who exercise their individual rights to data access or deletion (which was one of the big changes from the GDPR to the CCPA) and shares many characteristics with the CCPA. This bill does not allow for a private right of action.
  • Massachusetts’ proposed bill allows for a private right of action for consumers who have had their personal information “improperly collected.” It also prohibits discrimination where consumers have exercised their associated privacy rights.
  • Hawaii’s proposed legislation currently has no definition for “business,” which will hopefully be remedied before its passage. It also does not include a private right of action . . . or any penalties for violations.
  • New Mexico’s proposed bill includes many key individual rights addressed in the CCPA, such as the right to access and deletion of personal information.

Additionally, Mississippi, Washington, and Texas all attempted to pass legislation this year that addressed consumer privacy.  While these bills did not make it through the legislatures, these states are participating in active discussions, which is just more inspiration for the remaining states.

A federal law may soon address this developing patchwork of state laws.  As early as November 2018, various House and Senate Committees held hearings and drafted federal legislation regarding consumer data protection. We expect to hear more from Washington D.C. by August 2019, but again, we’ll keep you posted.

– Kat Gavin, Esq.

GDPR update: 1 Year Later

One of the most significant data privacy laws enacted, the European Union’s General Data Protection Regulation (GDPR), brought substantial changes for organizations that are located in the EU or process the personal data of individuals residing in the EU.  In light of the one-year “anniversary” of the GDPR, which came into force a year ago on May 25, 2018, here is a short overview of the current global data privacy law climate, along with some upcoming changes and trends that may impact businesses internationally.

1) Europe – The General Data Protection Regulation (GDPR):

  • The GDPR was designed to harmonize data privacy laws across Europe and give greater rights to individuals residing in the EU in terms of their personal data.  Last year, businesses around the world scrambled to comply with the GDPR, in part due to fines for non-compliance.  While the expected fines have generally yet to materialize (the largest fine for violating the GDPR was issued by France’s regulatory agency against Google for 50 million Euros earlier this year), industry experts note that enforcement of the GDPR is just getting started.  The process of investigating violations and issuing fines can take time, and many EU member states are reportedly struggling to staff their regulatory offices.
  • The GDPR requires certain businesses to appoint a data protection officer, a role new to many organizations, and includes data breach reporting guidelines.  As a result, the International Association of Privacy Professionals (IAPP) reports that over 500,000 organizations have registered data privacy officers in the past year, shedding light on the rapid growth of the privacy profession, due in large part to the GDPR.  Additionally, according to the European Data Protection Board, over 65,000 data breach notifications have been initiated by businesses as a result of the GDPR.  Businesses generally appear to be using the GDPR’s framework to update their data privacy policies and procedures, and to be cooperating with regulators.
  • The GDPR launched a dialogue about data privacy laws around the world, causing countries such as Brazil, China, India, Japan, South Korea, Thailand, and Australia to pass or propose new legislation, or consider changes to existing laws, that would bring their privacy regulations into closer alignment with the GDPR.

2) The United States – The California Consumer Privacy Act (CCPA) & Other State Laws:

  • Currently, the United States has no federal data privacy law as large in scope as the GDPR, but rather a patchwork of state data privacy laws.  Many businesses that were required to comply with the GDPR will also need to comply with the CCPA, California’s new data privacy law, which will come into effect on January 1, 2020.
    • The CCPA applies to businesses that receive personal data from California residents and exceed one of these three thresholds: (1) annual gross revenues of $25 million; (2) obtains personal information of 50,000 or more California residents, households, or devices annually; or (3) makes 50% or more of its annual revenue from selling California residents’ personal information.
  • The CCPA is a broad privacy law that expands the definition of “personal information,” and grants additional rights and protections to California residents regarding the use of their personal information by covered businesses.  California residents will be able to request that businesses provide them with information about how their individual personal information is being used, and may request that businesses stop selling their personal information.
  • Covered businesses should ensure that their websites and privacy policies are compliant with the new requirements of the CCPA.  It is important to note that just because a business is GDPR compliant, does not mean it will be CCPA compliant.
  • Other states in the U.S. are considering legislation that closely mirrors the CCPA and the GDPR, showing a trend for laws which expand the privacy rights of consumers.  Changes to the CCPA are still occurring – for example, a California bill that would have added a sweeping and unrestricted private right of action for any violation of the CCPA died in an appropriations committee earlier this month.  Also, lobbyists across various industries have been asking Congress to pass a federal data privacy law, which would preempt the new law in California and other states that are trying to follow suit, stating that the patchwork of laws in the U.S. will be too difficult for businesses to follow.

Based on the above, we anticipate that new data privacy laws and changes to existing data privacy laws will continue to emerge.  Frequently, countries’ motivation for passing or updating legislation is to enjoy the privileges of transferring personal information between themselves and the EU under the GDPR.  While many believe the GDPR has not been enforced as zealously as they anticipated, the law has clearly impacted privacy laws on a global scale in its first year.

– Courtney Reigel, Esq.

Data Privacy

For businesses, data privacy and protection has become an important aspect of everyday operations.  Data breaches, such as those seen in the news at large companies including Target and Equifax, can result in costly regulatory compliance requirements and damage to a brand’s reputation.  Businesses that wish to adopt data protection “best practices” need to be aware of the software their company uses and how that software could contribute to a disaster such as a data breach.  A lack of proper policies and procedures governing the use and maintenance of software products can lead to serious consequences down the line.

First, what is Open Source Software?

Open Source Software is the byproduct of a movement in the software development community that wants software development to be an open and collaborative process.  Anyone can access and edit the source code for open source software—source code is the text used by software developers to create and edit a program.  Most commercial software products (or “proprietary software”) do not allow users to access or edit the software’s source code.  Consumers that purchase a proprietary software product are usually required to sign or electronically “accept” a license stating that they will not copy, edit, or perform any other restricted actions to the software.  For example, think of purchasing Microsoft Office (a proprietary software product), and the long list of restrictions in the license a user must accept in order to use the program.  In contrast, open source software products usually have less restrictive licenses, and many open source software programs are free to use.

Open source software is usually free? That sounds great!

Open source software does have many benefits: it is often free to download, users can modify the software to fit their particular needs, and an extensive community of developers works on open source software programs.  Many people use open source software without even knowing it; popular programs such as WordPress and Mozilla Firefox are open source.  The open source community monitors for attacks and attempts to fix and update open source software programs quickly, but even this is not enough to mitigate all threats.

So, there are risks associated with using Open Source Software? 

Yes.  A misconception exists that, since open source software is usually free, there are no strings attached to using such software.  In reality, open source software requires quite a bit of maintenance.

  • Users need to monitor for announcements about security-related issues or updates to their open source software products.  Open source software users who do not understand this responsibility, or who ignore notices and updates, make themselves vulnerable to hackers. 
  • Because of the open and collaborative nature of open source software, the source code is available to the public.  This means that hackers can access the code and make malicious changes, or a well-meaning developer can make a mistake for a hacker to exploit.
  • Users need to understand the open source software’s licenses and comply with any requirements.  Failing to comply with an open source license can result in a lawsuit.  
  • Open source software typically does not offer warranties or indemnification, so any legal risk associated with using the open source software product traces back to the user.

Are there any examples of open source software leading to a data privacy or security issue? 

Yes.  A hacker can wreak havoc regardless of the type of software.  The significant difference is that a company using open source software is responsible for vigilantly checking for any issues with the software and making fixes itself.  A company using proprietary software, however, has access to the vendor’s customer support and security updates.  Equifax’s historic 2017 data breach was traced back to a vulnerability in open source software it used.  Equifax saw the notice about the software’s vulnerability and information about how to fix it, but left the problem unresolved for too long.  Hackers noticed the open source software had not been updated and took advantage of this vulnerability to access the personal information (including social security numbers and addresses) of over 150 million U.S. citizens.

What can be done to mitigate the risks of using open source software?

Open source software can be a great resource for businesses, but it needs to be used properly.  Hiring employees who understand all the requirements and risks associated with using open source software can be expensive, but a lawsuit or security issue like a data breach could be even more costly.  Businesses that use open source software should have policies and procedures that require all open source software usage to be tracked, all notices and updates to be monitored, any relevant changes or updates to be made correctly and quickly, and all license requirements to be complied with.  At Gavin Law, our attorneys can help users understand licenses and license requirements as well as draft these crucial policies and procedures for employees.
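Added example, not part of the original post: one way to put the tracking and monitoring described above into practice is to keep an inventory of the open source components in use and cross-check it against fix advisories, reporting which components are still running an unfixed version and for how long a fix has been available. The component names, versions, dates and advisory references below are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Component:
    name: str      # open source component as recorded in the inventory
    version: str   # version currently deployed


@dataclass(frozen=True)
class Advisory:
    component: str
    fixed_in: str   # first version that contains the fix
    published: date
    ref: str        # constructed placeholder reference, not a real advisory id


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '2.3.32' or '2.3.32-rc1' into a comparable tuple of integers.
    Non-numeric suffixes are dropped so pre-release tags do not break the
    comparison; tuples of different length compare element-wise."""
    parts: List[int] = []
    for piece in version.split("."):
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def is_affected(component: Component, advisory: Advisory) -> bool:
    """Affected when the names match and the deployed version is older
    than the version that carries the fix (equal means already patched)."""
    if component.name != advisory.component:
        return False
    return parse_version(component.version) < parse_version(advisory.fixed_in)


def find_unpatched(inventory: List[Component], advisories: List[Advisory],
                   today: date) -> List[Dict[str, object]]:
    """Cross-check the inventory against the advisories and list every
    component still on an unfixed version, longest-open exposure first.
    'days_open' is how long a fix has been available but not applied."""
    findings: List[Dict[str, object]] = []
    for comp in inventory:
        for adv in advisories:
            if is_affected(comp, adv):
                findings.append({
                    "component": comp.name,
                    "deployed": comp.version,
                    "fixed_in": adv.fixed_in,
                    "ref": adv.ref,
                    "days_open": (today - adv.published).days,
                })
    return sorted(findings, key=lambda f: f["days_open"], reverse=True)


# Constructed sample data: a small inventory, three advisories, a check date.
SAMPLE_INVENTORY = [
    Component("webframework", "2.3.31"),   # behind the fixed version
    Component("jsonlib", "1.4.0"),         # already at the fixed version
    Component("imaging", "3.2.1-rc2"),     # pre-release tag, still behind
]
SAMPLE_ADVISORIES = [
    Advisory("webframework", "2.3.32", date(2019, 3, 7), "ADV-EXAMPLE-001"),
    Advisory("jsonlib", "1.4.0", date(2019, 4, 20), "ADV-EXAMPLE-002"),
    Advisory("imaging", "3.2.2", date(2019, 5, 1), "ADV-EXAMPLE-003"),
]
SAMPLE_TODAY = date(2019, 6, 1)

if __name__ == "__main__":
    for finding in find_unpatched(SAMPLE_INVENTORY, SAMPLE_ADVISORIES, SAMPLE_TODAY):
        print(finding)
```

Running the check on a schedule and escalating anything whose days_open keeps growing is the procedural control the paragraph above calls for; the script only surfaces the gap, it does not apply the update.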

Secrets to a Successful Privacy Policy

Privacy policies may seem like a snooze, but they can actually be a key tool in protecting your business and communicating with customers.  A privacy policy explains your entity’s views and procedures regarding privacy and provides information about how you will use a website user’s personal information and/or data.  It also details the steps you take to maintain user information securely.

Privacy policies must:

  • Be specifically tailored to your industry, business, and circumstances
  • Have clear and accessible explanations understandable to the average consumer
  • Provide enough information that users have informed consent
  • Be strictly adhered to once published
  • Be updated to reflect any changes

A recent case underlines the importance of a well-crafted privacy policy.  In Carlsen v. GameStop, Inc., the plaintiff brought a lawsuit against GameStop regarding the video game retailer’s information sharing practices.[1]  The appeals court dismissed the plaintiff’s claims and proposed class action because of GameStop’s privacy policy.

The plaintiff subscribed to GameStop’s monthly publication Game Informer magazine, including both print and online versions.  GameStop provides a feature that allows subscribers to log in to the magazine content through their personal Facebook accounts.  The plaintiff filed suit because once he logged in to the magazine through Facebook, his personal Facebook ID and Game Informer browsing history were transmitted to Facebook.

In order to access the online content of Game Informer, a subscriber must agree to the site’s terms and conditions, which includes GameStop’s privacy policy.  GameStop’s policy stated that “Game Informer does not share personal information with anyone.”

The court held that the transmission of Game Informer subscribers’ Facebook IDs and browsing history did not constitute “personal information” under GameStop’s privacy policy because these items were not included in the explicit list in the privacy policy detailing “personal information” and because the information at issue was not specifically solicited by Game Informer or voluntarily submitted in response to such a solicitation, as specified in the privacy policy.  Because the Facebook IDs and browsing history were not included in the privacy policy as protected personal information, GameStop did not act wrongly in sharing that information, and thus there was no breach of contract.  GameStop’s clear and well-written policy was key in extricating GameStop from this lawsuit.

Privacy policies have become a common business practice for many websites.  These days, website users are keenly aware of privacy concerns and protective of their personal information.  The prevailing view is that a credible website will operate with at least minimal privacy standards in place.  Privacy policies are especially necessary when you are engaged in e-commerce or data collection.  If your prospective and current clients are likely to have concerns about privacy, then they will expect you to have a policy that details the various protections and procedures that you have in place.

Every website will have different elements to cover, and some websites will need more comprehensive policies than others. This is likely dependent on what kind of user information is collected and how much/to what extent it will be shared with third parties.

Regulated industries, like banking, medical, and others, are required by law to maintain a privacy policy that applies both on and off the internet.  Entities in these industries should address all issues covered under industry regulations in an online privacy policy as well.

We advise against copying a policy from another business, even if that business is similar to yours.  A poorly written or inapplicable policy taken from another website can expose you to liability.  You want to make sure that your privacy policy specifically covers the individual needs of your business.

Often websites will have full terms and conditions with a separate privacy policy integrated into the terms.  A privacy policy needs to be easy to understand even though it is a legal document.  Your policy should also be clearly and prominently displayed on your site and accessible from key pages like the homepage and shopping cart, if not every page.

You want to make sure that as your business or technology evolves (say you launch a related app or pair with a social media platform), your privacy policy is updated to address the same.  Anytime a change to your policy is made, you should provide clear notice to users and in some cases obtain consent from users for material changes.

Privacy policies typically include sections that address:

  • user information that is collected
  • method of collection
  • how that information is shared and/or stored

A policy should address not only the required personal information that a user enters into the website but also any data logged automatically by your website, application, servers, etc.  A privacy policy should also address any use of cookies.

Once you have a policy in place, it is essential that you abide by it and make sure that your practices actually match the statements in your policy. Your policy creates a contract with your users. If your policy and practices do not align, you open yourself up to liability, both from lawsuits by users and actions by regulators like the FTC, who scrutinize unfair or deceptive trade practices.

If your website is directed toward children under the age of 13, additional requirements apply to your website under the Children’s Online Privacy Protection Act and should be detailed in your privacy policy.

As demonstrated by the GameStop case, a clear privacy policy drafted to meet your needs and circumstances can not only provide your users with a transparent explanation of your privacy practices, but also protect your entity from liability.

– Rina Van Orden

[1] 833 F.3d 903 (8th Cir. 2016).