FINRA recently filed a Complaint against a Chief Executive Officer and Chief Compliance Officer of a registered broker-dealer alleging, among other things, that the individual caused the broker-dealer to have wide-ranging...more
Setting new precedent in the world of data, the FTC has found that the work product of ill-gotten data is no longer retainable by the developer. On January 11, 2021, the U.S. Federal Trade Commission (FTC) announced that it...more
3/18/2021
/ Algorithms ,
Biometric Information ,
Data Collection ,
Data Retention ,
Enforcement Actions ,
Facial Recognition Technology ,
Federal Trade Commission (FTC) ,
Mobile Apps ,
Section 5 ,
Software ,
Software Developers ,
Unfair or Deceptive Trade Practices
On November 3, 2020, Californians voted to pass Proposition 24, expanding and modifying the California Consumer Privacy Act (“CCPA”), which came into force on January 1, 2020. The new California Privacy Rights Act (“CPRA”)...more
Although it received little notice, the CCPA was amended effective January 1, 2021 to clarify and modify the exemption relating to de-identified data, with particular focus on medical data. Specifically, AB 713 amended the...more
On November 3, 2020, Californians voted to pass Proposition 24, expanding and modifying the California Consumer Privacy Act (“CCPA”), which came into force on January 1, 2020. The new California Privacy Rights Act (“CPRA”),...more
On November 3, 2020, the state of California voted to pass Proposition 24, also known as The California Privacy Rights and Enforcement Act of 2020 (“CPRA”). As a result of this vote, businesses dealing with personal...more
11/6/2020
/ Administrative Agencies ,
Amended Legislation ,
California Consumer Privacy Act (CCPA) ,
California Privacy Rights Act (CPRA) ,
Employees ,
Enforcement Authority ,
Exemptions ,
General Data Protection Regulation (GDPR) ,
Governor Newsom ,
Job Applicants ,
New Legislation ,
Personal Information
Given the recent updates to CCPA, and the possible approval of California Privacy Rights Act (CPRA) which is on the November 3 ballot, it is increasingly likely that personal information collected in the course of clinical...more
On October 12, 2020, less than a month before California will vote on a referendum potentially overhauling the California Consumer Privacy Act (the “CCPA”), the California Attorney General published further proposed...more
The CCPA defines both “aggregate consumer information” and “deidentified information.” Aggregate consumer information is defined to mean “information that relates to a group or category of consumers, from which individual...more
No.
By its terms, the definition of personal information excludes aggregated or de-identified information....more
$7,500 per violation.
There is no private right of action for violations of the CCPA related to an individual’s right to be forgotten. The CCPA provides that the maximum fine that may be imposed by the Attorney General is...more
No.
Unlike a request for access, a business’s deletion obligation extends to all data held by the business regarding a consumer, unless an exception applies, irrespective of when that data was collected, generated or...more
Not immediately, but yes.
The CCPA does not distinguish or make allowances for backup and other less accessible systems when determining the scope of a business’s obligation to delete the personal information of a consumer...more
Not necessarily.
As an initial matter, employees that are residents of California will not qualify as full “consumers” under the law until January 1, 2021....more
Likely no.
Neither the CCPA nor the proposed regulations explicitly address the issue of imposing fees or costs on consumers for responding to requests for access or requests for deletion. However, the CCPA does prohibit...more
Yes, if currently pending regulations are made final.
As an initial matter, the statutory text of the CCPA is somewhat unclear regarding a business’s obligations when it receives a request for access or a request for...more
When the CCPA was enacted last year, BCLP published a Practical Guide to help companies reduce the requirements of the Act into practice. Following publication of the Guide, we wrote a series of articles that addressed...more
3/11/2020
/ Advertising ,
Behavioral Advertising ,
California Consumer Privacy Act (CCPA) ,
Consumer Privacy Rights ,
Cookie Banners ,
Cookies ,
Opt-Outs ,
Personal Information ,
Private Right of Action ,
Statutory Penalties ,
Websites
To help identify trends in privacy representations, BCLP reviewed the websites and privacy notices of Fortune 500 companies identified as primarily engaged in the banking and financial service sectors.
The following...more
2/28/2020
/ Adtech ,
Banks ,
Behavioral Advertising ,
California Consumer Privacy Act (CCPA) ,
Cookies ,
Data Privacy ,
Data-Sharing ,
Financial Services Industry ,
Opt-In ,
Right to Delete ,
Surveys
Yes.
In fact, businesses may be required to obtain such confirmation from verified consumers under the current (non-final) regulations. As an initial matter, the CCPA states only that a business may have to delete the...more
Likely, yes.
A consumer’s right to deletion is subject to a number of exceptions. One of these exceptions is to “comply with a legal obligation.”...more
To help identify trends in privacy representations, BCLP reviewed the websites and privacy notices of those Fortune 500 companies that are primarily engaged in the property and casualty insurance industries.
The data shows...more
The CCPA only applies to personal information about “consumers,” a term which is defined as “a natural person who is a California resident.” As corporations or other legal entities are not people, the CCPA does not apply to...more
Likely not.
While the UK’s Privacy and Electronic Communications Regulation suggests that, in some circumstances, consent may be inferred when a subscriber amends or sets controls in an internet browser, the ICO has...more
No.
The English supervisory authority, the ICO, has stated that consent requests must be “clearly distinguishable from other matters” and that bundling consent as part of terms and conditions in impermissible. According to...more
The Information Commissioner’s Office or the “ICO” is the British supervisory authority charged with enforcing GDPR. The Commission Nationale de l’informatique et des libertes (the “CNIL”) is the French supervisory authority....more