California voters have approved the California Privacy Rights Act (CPRA), a new law coming into effect on 1 January 2023 that will significantly amend the California Consumer Privacy Act. The CPRA will, among other things, modify existing consumer rights and create new rights and establish the United States' first dedicated privacy enforcer. Despite never having been reviewed by California's legislature, the CPRA also limits the extent to which its provisions can be amended through future legislation.
In response to the significant rise in ransomware attacks since the start of the COVID-19 pandemic and just in time for Cybersecurity Awareness Month, the Treasury Department's Financial Crimes Enforcement Network and the Office of Foreign Assets Control recently issued advisories on the potential legal risks of making or facilitating ransomware payments.
The Department of Commerce, the Department of Justice and the Office of the Director of National Intelligence have jointly issued a white paper containing information about privacy protections under the US law for national security access, with a particular focus on the issues raised by the European Court of Justice (ECJ) in its Schrems II decision. The white paper focuses on practical applications of the legal authorities that the ECJ examined and discounts mere 'theoretical possibilities' that are unlikely to occur.
The California attorney general recently issued the final implementing regulations for the California Consumer Privacy Act. The final regulations – which had been under review by the California Office of Administrative Law since 1 June 2020 – include several changes to the previous draft regulations and take effect immediately. Most of the changes relate to grammar, formatting and drafting consistency, but several substantive provisions have been withdrawn entirely for additional consideration.
A recent action by the National Advertising Division (NAD), a self-regulatory arm of the Better Business Bureau, addresses the level of proof necessary to support 'natural' and 'satiety' claims involving competing experts and a variety of scientific data in dispute. Beyond NAD's specific findings, the decision also provides useful insight into how NAD evaluates health benefit and related claims and analyses the corresponding scientific evidence and other substantiation.
The California Privacy Rights Act (CPRA) has received enough valid signatures to appear on the November 2020 ballot. If voters approve the initiative, the CPRA would significantly expand the California Consumer Privacy Act (CCPA), establish the California Privacy Protection Agency, remove the CCPA's cure period and impose a number of General Data Protection Regulation-style obligations on businesses, among other requirements.
The US District Court for the Eastern District of Virginia recently ordered Capital One to produce a forensic investigation report in multi-district litigation arising out of a cyber incident that Capital One had announced in July 2019. The court found that the report was not protected by the work product doctrine as Capital One had not shown that "but for" the litigation, the report would not have been prepared in substantially the same form.
The National Advertising Division recently announced new procedures to resolve straightforward digital advertising disputes in a matter of weeks. The new procedures – called the SWIFT process – represent a new way for advertisers to enforce against their competitors' (or defend their own) influencer marketing practices. Advertisers that rely heavily on social media influencers should take note.
The California attorney general recently submitted the final text of the California Consumer Privacy Act regulations to the California Office of Administrative Law for approval. Although regulations submitted to the Office of Administrative Law in June 2020 ordinarily would not become effective – if approved – until 1 October 2020, the attorney general has requested an expedited review.
President Trump recently signed the Broadband Deployment Accuracy and Technological Availability Act. The law requires the Federal Communications Commission (FCC) to collect and disseminate more granular data about the availability of broadband service and to establish processes to ensure data accuracy. The legislation comes in response to commentary about the FCC's broadband coverage maps and suggestions regarding the Form 477 data collection process used to create those maps.
During the coronavirus outbreak, many employers around the world are seeking to prioritise the wellbeing and safety of their employees by asking them to work remotely instead of risking exposure while commuting and working in populated office spaces. Organisations must consider increased risks to the security of their networks, systems and data during this time.
The US courts of appeals increasingly agree on how to interpret the definition of 'automatic telephone dialling system' under the Telephone Consumer Protection Act. A unanimous Seventh Circuit panel recently refused to revise a putative class action after concluding that the dialling system used did not qualify as an autodialer. Like recent Eleventh Circuit and Third Circuit decisions, the Seventh Circuit held that an autodialer must use a random or sequential number generator to either store or produce numbers.
A recent action by the National Advertising Division (NAD), a self-regulatory arm of the Better Business Bureau, illustrates that advertisers that participate but decline to be bound by an NAD decision can expect to be referred to the Federal Trade Commission (FTC). The NAD recently announced that it had referred advertising claims made by a dietary supplement company to the FTC for further review, following a challenge by the Council for Responsible Nutrition.
The Eleventh Circuit panel recently released a landmark ruling in Glasser v Hilton Grand Vacations Company, LLC. The key issue was how to interpret ambiguous language in the Telephone Consumer Protection Act's (TCPA's) definition of an 'automatic telephone dialling system'. In recent years, imprecise statutory phrasing and the Federal Communication Commission's liberal reading of the legislative history has empowered plaintiffs to assert TCPA claims based on a wide array of calling systems.
Two recent cases highlight the increased False Claims Act risk that cybersecurity compliance poses for government contractors. The first is a cautionary tale for contractors that self-certify that their IT systems provide adequate security for sensitive federal information which they store, process or transmit in performance of a federal contract. The second signals the importance of accurately representing compliance with federal cybersecurity standards when selling IT products or services to the government.
The Washington Privacy Act (WPA) gained significant traction in the legislature in 2019, passing the state Senate almost unanimously, but ultimately failing in the state House of Representatives due to discussions around facial recognition and compliance challenges. State Senator Reuven Carlyle has now released a revised draft of the WPA for 2020. If enacted as drafted, this new version of the WPA would come into effect on 31 July 2021.
The Federal Communications Commission (FCC), in consultation with the Department of Agriculture, has announced the members of the Task Force for Reviewing the Connectivity and Technology Needs of Precision Agriculture in the United States. The task force, an advisory body to the FCC, will investigate the current state of broadband access in agricultural areas and recommend policies and regulatory solutions to the FCC to promote broadband deployment and precision agriculture.
The Department of Defence (DoD) has announced a plan to pilot 5G technologies on four military installations in partnership with private industry and the Federal Communications Commission. The project has been heralded as an opportunity for the DoD to work with industry and collaborate across federal agencies to advance the Trump administration's policy of maintaining the United States' global leadership in 5G.
California Governor Gavin Newsom recently signed the Consumer Call Protection Act 2019 to address the rise in deceptive robocalls and protect consumers from fraudulent calls. The act requires telecoms service providers to implement secure telephony identity revisited (STIR) and secure handling of asserted information using tokens (SHAKEN) protocols by 1 January 2021 and is the latest in a series of ongoing efforts to promote STIR/SHAKEN or similar call authentication frameworks.
New York Governor Andrew Cuomo recently signed into law a pair of bills establishing new requirements for businesses that process certain personal information relating to New York residents. The changes include expanding the scope of information covered by New York's data breach notification law. Businesses maintaining the private information of New York residents will now be required to develop reasonable safeguards within their organisation as part of a new reasonable security requirement.