Do you want a simple way to keep current on important privacy changes? Avoid sleepless nights wondering whether you missed a privacy speed bump or pothole between annual updates? Worry no longer. Troutman Pepper is pleased to offer More Privacy, Please — a monthly newsletter recapping significant industry and legal developments, as well as trends in the areas of cybersecurity, information governance, and privacy.
- California Attorney General Announces Approval of Additional CCPA Regulations. On March 15, now former California Attorney General Xavier Becerra announced that the California Office of Administrative Law approved his fourth set of proposed modifications to the California Consumer Privacy Act’s (CCPA) implementing regulations (Fourth Set of Modifications), completing the finalization process. The Fourth Set of Modifications focuses on providing consumers with clarity as to how they can opt out of the sale of their personal information and includes provisions (i) banning so-called “dark patterns” that delay or obscure the process for opting out of the sale of personal information; (ii) permitting businesses to use an opt-out icon in addition to any “Do Not Sell My Personal Information” link; and (iii) requiring businesses that sell personal information collected offline to provide an offline right-to-opt-out notice. Troutman Pepper’s analysis of the Fourth Set of Modifications can be found here. For information on how to comply with the CCPA, see Troutman Pepper’s article series on CCPA enforcement available here.
- California Privacy Protection Agency Board Members Appointed. On March 17, California Governor Gavin Newsom, former Attorney General Xavier Becerra, Senate President Pro Tempore Toni G. Atkins, and Assembly Speaker Anthony Rendon announced the establishment of the five-member inaugural board for the California Privacy Protection Agency (Agency), the first stand-alone agency in the U.S. dedicated to the protection and enforcement of consumers’ data privacy rights. Agency board members include (1) Jennifer M. Urban, an attorney who served as a clinical professor of law and director of policy initiatives for the Samuelson Law, Technology, and Public Policy Clinic at the University of California, Berkeley School of Law since 2009; (2) John Christopher Thompson, senior vice president of government relations at LA 2028; (3) Angela Sierra, an attorney, now former chief assistant attorney general of the Public Rights Division, and a 33-year veteran of the California Department of Justice; (4) Lydia de la Torre, an attorney and now former of counsel at Squire Patton Boggs LLP; and (5) Vinhcent Le, a technology equity attorney at the Greenlining Institute. Ms. Urban will serve as chair of the board.
- Illinois Considers Dramatic Changes to its Biometrics Statute. State lawmakers in Illinois are considering House Bill 559, which would revisit Illinois’ Biometric Information Privacy Act (BIPA), an act regulating the collection, distribution, and storage of individuals’ biometric information. On March 17, House Minority Leader Jim Durkin introduced the bill, citing the “cottage industry for a select group of attorneys to file class action lawsuits against big and small employers and nonprofit agencies.” Among other things, HB 559 requires that to initiate an action under BIPA, the “aggrieved person” must provide written notice of violation identifying the specific provisions being violated. The receiving entity then has 30 days in which to cure the violation to avoid litigation. Notably, the bill also specifies a one-year statute of limitations, an issue currently under review by the Illinois Appellate Court.
- Federal “Information Transparency and Personal Data Control Act” Introduced. On March 10, Rep. Suzan DelBene (D-WA) introduced a comprehensive federal privacy bill, citing the need for more predictable standards amid the patchwork of evolving state privacy laws. According to DelBene, the Information Transparency and Personal Data Control Act would “create a national data privacy standard to protect our most personal information and bring our laws into the 21st Century.” The bill seeks to regulate personal information, including financial data, biometric and genetic information, geolocation information, sexual orientation, citizenship and immigration status, Social Security numbers, religious beliefs, and information about children under 13 by, among other things, mandating opt-in provisions that will give the Federal Trade Commission rulemaking authority and subject companies to regular privacy audits.
- Florida Considers Comprehensive Consumer Privacy Bill Similar to CCPA. Florida House Bill 969 (HB 969) would create new obligations for certain businesses and greatly expand consumers’ rights in their personal information. Among other things, the bill (1) requires businesses that collect consumers’ personal data to disclose their data collection and selling practices; (2) allows consumers to request a copy of personal data collected and to demand deletion of such information; and (3) mandates businesses that collect personal information to implement reasonable security procedures and practices to protect the information. Critically, the bill also establishes a private cause of action against businesses that fail to maintain reasonable security procedures and practices to protect consumers’ information from unauthorized disclosure. The bill also expands the definition of “personal information” in the Florida Information Protection Act of 2014 (FIPA) to include biometric information. If passed, HB 969 would go into effect on January 1, 2022.
U.S. LITIGATION AND ENFORCEMENT
- A California Court Held CCPA Does Not Apply Retroactively. In Gardiner v. Walmart, Inc., a Walmart customer who purchased goods online filed a putative class action, alleging that Walmart’s cybersecurity procedures led to a purported unauthorized disclosure of his personal identifying information. The court denied the plaintiff’s attempt to base his CCPA claim on an alleged breach that occurred before January 1, 2020, the date the CCPA became effective. The court held that because the CCPA lacks an explicit retroactivity provision, it cannot apply retroactively under California law. Conceding that the alleged breach occurred after January 1, 2020, the plaintiff argued that because his personal information is being sold on the dark web, the CCPA applies. The court disagreed, holding that a CCPA claim requires a “violation of the duty to implement and maintain reasonable security procedures and practices” that occurred on or after January 1, 2020, which was not alleged in the complaint. Troutman Pepper’s analysis of the decision can be found here.
- $92 Million TikTok Settlement On Hold Due to Objections. On March 2, U.S. District Judge John Z. Lee of the Northern District of Illinois refrained from granting preliminary approval of the $92 million settlement reached several months ago in multidistrict litigation, which accused TikTok of violating a number of privacy statutes, including Illinois’ Biometric Information Privacy Act (BIPA). Instead, the court continued the preliminary approval hearing to April 6 and ordered supplemental briefing on how the parties arrived at the final $92 million figure; how they addressed differences between adult users and minor users of the popular video-sharing app; and additional explanation for why class members purportedly couldn’t be notified about the deal through the app itself.
INTERNATIONAL REGULATION AND ENFORCEMENT
- European Data Protection Board Published Virtual Voice Assistant Guidelines. On March 12, the European Data Protection Board (EDPB) published its “Guidelines 02/2021 on Virtual Voice Assistants” for public consultation. Virtual voice assistants (VVA; think Amazon’s “Alexa” or Apple’s “Siri”) have the ability to understand voice commands and either execute them or relay them to other systems. Widely available on most smartphones and other “smart” devices, VVAs collect large amounts of personal data, including all user commands (e.g., browsing or search history) and device responses (e.g., appointments from a calendar). Because VVAs transfer and store voice and other data to remote servers, they raise compliance issues under both the General Data Protection Regulation (GDPR) and the e-Privacy Directive.
- China Issues Rules on the “Scope of Necessary Personal Information Required for Common Types of Mobile Internet Applications.” On March 12, the Cyberspace Administration of China released final rules on the “Scope of Necessary Personal Information Required for Common Types of Mobile Internet Applications” (Rules), available here in Chinese. According to the Cybersecurity Law of China, collection of personal information must follow the principles of legitimacy, propriety, and necessity. The Rules define “necessary personal information” as personal information essential to the regular operation of mobile applications (apps). For 39 specified types of apps, the Rules delineate the types of personal information that are considered “necessary” and may be collected and used. Other types of apps are identified as not having any need to collect personal information. The Rules will become effective on May 1, 2021.
- ICO Fines Two Companies for Sending Nuisance Texts During the Pandemic. The Information Commissioner’s Office (ICO) fined two companies — Leads Works Ltd. and Valca Vehicle Ltd. — for sending spam text messages during the COVID-19 pandemic. West Sussex-based Leads Works was fined £350,000 for sending unwanted texts that attempted to capitalize on the pandemic, including messages that said, “In lockdown and want to earn extra cash? ... .” Valca Vehicle was fined £80,000 for similar messages that said, “*firstname* Affected by Covid? Struggling with finances? lost job /furloughed? Were here to help! Gvnmnt backed support see if you qualify http://www.debtquity.org.”
TROUTMAN PEPPER TEAM SPOTLIGHT: ASHLEY TAYLOR
Richmond Partner Ashley L. Taylor, Jr. has represented clients in the state attorneys general and regulatory space for two decades. He focuses his practice on federal and state government regulatory and enforcement matters involving state attorneys general, the Federal Trade Commission (FTC), the Consumer Financial Protection Bureau (CFPB), and other entities. Ashley also advises clients in multistate attorneys general actions and litigation matters that often arise from enforcement actions.
Ashley’s consumer protection practice has evolved along with the regulatory landscape, expanding his work to data breach response and litigation in recent years. Drawing upon his experience as a deputy attorney general, Ashley develops compliance strategies that align with and anticipate legal, regulatory, and technological advancements.
Ashley also founded and currently co-chairs the American Bar Association committee on state attorneys general matters. He previously served as a commissioner on the U.S. Commission on Civil Rights, appointed by President Bush from 2004-2010.
Ashley is married to Gail Taylor and has three children: Julian, Collin, and Lydia. He is also an avid fan of the Washington Wizards, the Washington Capitals, and the Washington Football Team.
- Operationalizing the Virginia Consumer Data Protection Act: Leveraging Lessons From the CCPA | Thursday, April 15, 2021 | 3 p.m. ET (12 p.m. PT). We long predicted that just as other states followed California in passing breach notification laws, states would follow in California’s footsteps in regulating information privacy practices with the California Consumer Privacy Act of 2018 (CCPA), later amended by the California Privacy Rights Act of 2020 (CPRA). Virginia recently became the first state to do so, surprising many with news that it quickly passed and signed comprehensive privacy legislation into law, namely the Virginia Consumer Data Protection Act (CDPA). Join our speakers as they discuss Virginia’s CDPA, and how it compares to California’s approach to privacy under the CCPA and CPRA. To register, please click here.
- Going the Distance: Managing Discovery with a Remote Workforce | Tuesday, April 20, 2021 | 3 p.m. ET (12 p.m. PT). Troutman Pepper Partner Alison Grounds will moderate the panel “Going the Distance: Managing Discovery with a Remote Workforce” during the National Institute on E-Discovery Virtual Conference. She will share insights and strategies on how to effectively manage and optimize e-discovery processes and protocols with a remote workforce. To register, please click here.
- Compliance Priorities for Tenant Screeners to Reduce Regulatory and Litigation Risk | Tuesday, April 20, 2021 | 1:15 p.m. ET (4:15 p.m. PT). Troutman Pepper Partner Ron Raether will speak on the PBSA panel, “Compliance Priorities for Tenant Screeners to Reduce Regulatory and Litigation Risk.” He will discuss the top areas of risk for tenant screeners based on lessons learned from litigation, regulatory investigations, and other intel from the front lines. To register, please click here.
- Recent Developments and Best Practices in Data Breach Incident Response | Thursday, April 22, 2021 | 2 p.m. ET (11 a.m. PT). Troutman Pepper Partners Wynter Deagle, Ron Raether, and David Anthony will participate in the Association of Corporate Counsel CLE, “Recent Developments and Best Practices in Data Breach Incident Response,” where they will discuss recent and significant developments in the world of data security incident response and provide practical guidance on how to manage the response process while mitigating risk. To register, please click here.
- The Sedona Conference Working Group 1 Midyear Meeting 2021 | Wednesday, April 28 | 12:15 p.m. ET (3:15 p.m. PT). Troutman Pepper Partner Alison Grounds will serve as a dialog leader during a “Case Law Review Session” at The Sedona Conference Working Group 1 Midyear Meeting 2021. To register, please click here.
- How 2020 Vision Has Blurred Attorney Client Privilege in Incident Response | Monday, May 17, 2021 | 3:15 p.m. ET (12:15 p.m. PT). Troutman Pepper Partners Ron Raether and Ashley Taylor will speak on the RSA panel, “How 2020 Vision Has Blurred Attorney Client Privilege in Incident Response,” where they will discuss what the law says about attorney-client privilege and what security teams can do from a practical perspective to keep forensic efforts from coming back to haunt them. To register, please click here.
- Three Reasons Why 2021 is a Good Year to Review Your Privacy Compliance Program | Wednesday, March 31, 2021 | 3 p.m. ET (12:00 PT). With no federal privacy legislation in sight, states are beginning to follow in the footsteps of California’s Consumer Privacy Act. Just recently, Virginia joined California by becoming the second state with comprehensive data privacy legislation. With more states in the pipeline to adopt their own frameworks, business leaders need to stay aware of ways new laws may implicate existing and planned business practices. In this webinar, our speakers discussed the basic framework of a privacy compliance program. They also focused on several recent updates in the law that require updates to compliance programs and described what possible changes should be considered. To access the recording, please click