The Biden administration has hit the ground running, issuing a flurry of executive orders, actions and memoranda with sweeping implications affecting a wide range of key issues. Companies should look internally and evaluate risks with particular consideration for administration priorities. This risk assessment can help to inform updates to compliance protocols. This article discusses where the administration is likely to focus its civil and criminal enforcement efforts in the months and years ahead.
California voters have approved the California Privacy Rights Act (CPRA), a new law coming into effect on 1 January 2023 that will significantly amend the California Consumer Privacy Act. The CPRA will, among other things, modify existing consumer rights, create new rights and establish the United States' first dedicated privacy enforcer. Despite never having been reviewed by California's legislature, the CPRA also limits the extent to which its provisions can be amended through future legislation.
When the United States began grappling with COVID-19 in March 2020, the US Securities and Exchange Commission (SEC) Division of Enforcement acted swiftly to make clear to market participants that it was ramping up its efforts to identify and prevent fraud in the wake of the pandemic. Approximately seven months later, statistics released by the SEC bear this out.
In response to the significant rise in ransomware attacks since the start of the COVID-19 pandemic and just in time for Cybersecurity Awareness Month, the Treasury Department's Financial Crimes Enforcement Network and the Office of Foreign Assets Control recently issued advisories on the potential legal risks of making or facilitating ransomware payments.
The Department of Commerce, the Department of Justice and the Office of the Director of National Intelligence have jointly issued a white paper containing information about privacy protections under US law for national security access, with a particular focus on the issues raised by the European Court of Justice (ECJ) in its Schrems II decision. The white paper focuses on practical applications of the legal authorities that the ECJ examined and discounts mere 'theoretical possibilities' that are unlikely to occur.
Individual prosecutions under the Foreign Corrupt Practices Act (FCPA) have markedly increased over the past five years. This increase in case law will help to better define local, regional and international enforcement. In addition, more FCPA case law shedding clarity on open issues will be a boon to lawyers, judges and scholars seeking to understand the contours of a complex statute – the elucidation of which has previously been almost the sole province of enforcers.
The California attorney general recently issued the final implementing regulations for the California Consumer Privacy Act. The final regulations – which had been under review by the California Office of Administrative Law since 1 June 2020 – include several changes to the previous draft regulations and take effect immediately. Most of the changes relate to grammar, formatting and drafting consistency, but several substantive provisions have been withdrawn entirely for additional consideration.
A recent action by the National Advertising Division (NAD), a self-regulatory arm of the Better Business Bureau, addresses the level of proof necessary to support 'natural' and 'satiety' claims involving competing experts and a variety of scientific data in dispute. Beyond NAD's specific findings, the decision also provides useful insight into how NAD evaluates health benefit and related claims and analyses the corresponding scientific evidence and other substantiation.
The US Department of Justice (DOJ) has updated its guidance on the Evaluation of Corporate Compliance Programmes, providing increased clarity on some of the key questions that prosecutors ask in assessing the adequacy of corporate compliance programmes when making charging, sentencing and plea and settlement decisions. The guidance helps companies to proactively create or enhance their compliance programmes and effectively advocate before the DOJ in criminal investigations.
The California Privacy Rights Act (CPRA) has received enough valid signatures to appear on the November 2020 ballot. If voters approve the initiative, the CPRA would significantly expand the California Consumer Privacy Act (CCPA), establish the California Privacy Protection Agency, remove the CCPA's cure period and impose a number of General Data Protection Regulation-style obligations on businesses, among other requirements.
The US District Court for the Eastern District of Virginia recently ordered Capital One to produce a forensic investigation report in multi-district litigation arising out of a cyber incident that Capital One had announced in July 2019. The court found that the report was not protected by the work product doctrine as Capital One had not shown that "but for" the litigation, the report would not have been prepared in substantially the same form.
The National Advertising Division recently announced new procedures to resolve straightforward digital advertising disputes in a matter of weeks. The new procedures – called the SWIFT process – represent a new way for advertisers to enforce against their competitors' (or defend their own) influencer marketing practices. Advertisers that rely heavily on social media influencers should take note.
The California attorney general recently submitted the final text of the California Consumer Privacy Act regulations to the California Office of Administrative Law for approval. Although regulations submitted to the Office of Administrative Law in June 2020 ordinarily would not become effective – if approved – until 1 October 2020, the attorney general has requested an expedited review.
President Trump recently signed the Broadband Deployment Accuracy and Technological Availability Act. The law requires the Federal Communications Commission (FCC) to collect and disseminate more granular data about the availability of broadband service and to establish processes to ensure data accuracy. The legislation comes in response to commentary about the FCC's broadband coverage maps and suggestions regarding the Form 477 data collection process used to create those maps.
During the coronavirus outbreak, many employers around the world are seeking to prioritise the wellbeing and safety of their employees by asking them to work remotely instead of risking exposure while commuting and working in populated office spaces. Organisations must consider increased risks to the security of their networks, systems and data during this time.
The US courts of appeals increasingly agree on how to interpret the definition of 'automatic telephone dialling system' under the Telephone Consumer Protection Act. A unanimous Seventh Circuit panel recently refused to revive a putative class action after concluding that the dialling system used did not qualify as an autodialer. Like recent Eleventh Circuit and Third Circuit decisions, the Seventh Circuit held that an autodialer must use a random or sequential number generator to either store or produce numbers.
A recent action by the National Advertising Division (NAD), a self-regulatory arm of the Better Business Bureau, illustrates that advertisers that participate but decline to be bound by an NAD decision can expect to be referred to the Federal Trade Commission (FTC). The NAD recently announced that it had referred advertising claims made by a dietary supplement company to the FTC for further review, following a challenge by the Council for Responsible Nutrition.
An Eleventh Circuit panel recently released a landmark ruling in Glasser v Hilton Grand Vacations Company, LLC. The key issue was how to interpret ambiguous language in the Telephone Consumer Protection Act's (TCPA's) definition of an 'automatic telephone dialling system'. In recent years, imprecise statutory phrasing and the Federal Communications Commission's liberal reading of the legislative history have empowered plaintiffs to assert TCPA claims based on a wide array of calling systems.
Two recent cases highlight the increased False Claims Act risk that cybersecurity compliance poses for government contractors. The first is a cautionary tale for contractors that self-certify that their IT systems provide adequate security for sensitive federal information which they store, process or transmit in performance of a federal contract. The second signals the importance of accurately representing compliance with federal cybersecurity standards when selling IT products or services to the government.
The Washington Privacy Act (WPA) gained significant traction in the legislature in 2019, passing the state Senate almost unanimously, but ultimately failing in the state House of Representatives due to discussions around facial recognition and compliance challenges. State Senator Reuven Carlyle has now released a revised draft of the WPA for 2020. If enacted as drafted, this new version of the WPA would come into effect on 31 July 2021.