Yesterday, the California Privacy Protection Agency (CPPA) issued its first enforcement advisory regarding the California Consumer Privacy Act (CCPA).  Enforcement Advisory No. 2024-01(the Advisory) is solely devoted to data minimalization, which the CPPA describes as “a foundational principle in the CCPA.” An enforcement advisory is not an implementing rule, regulation, or law; it is not even an interpretation of the law or legal advice. Instead, CPPA enforcement advisories are intended to be informational bulletins to inform the public about nascent legal privacy issues that CPPA is engaging with at a given time. 

Continue Reading California Privacy Protection Agency Issues “Minimal” Guidance on CCPA in First Enforcement Advisory

Last December, the Department of Defense (“DoD”) published its proposed rule setting forth cybersecurity requirements for defense contractors and subcontractors. These requirements are designated with a particular Cybersecurity Maturity Model Certification (CMMC) level that is associated with the contractor’s procurement. As the second iteration of CMMC, 2.0 demonstrates an escalating system of maturity using designated levels 1, 2, and 3.

With the proposed rule set to be finalized this year, and implementation set to take place in 2025, now is as good a time as any to understand how contractors are impacted by CMMC 2.0; as well as the requirements, the certification process, and how your organization can best prepare.

Continue Reading CMMC 2.0 Is Here to Stay: Where Do We Start?

On Wednesday, February 21, 2024, California Attorney General Rob Bonta announced that his office reached a settlement with DoorDash, which addresses allegations that the company facilitated several violations of both the California Consumer Privacy Act (CCPA) and the California Online Privacy Protection Act (CalOPPA).

Following an investigation by the California Department of Justice, the CA AG’s office determined that DoorDash sold the personal information of California customers without requisite notice or an opportunity to opt-out of that sale.  The sale took place through marketing cooperatives, which are networks of businesses that share the personal information of their respective customers with one another in order for participating businesses to advertise to those same customers, regardless of any prior relationship.  In other words, by participating in marketing cooperatives and disclosing consumer personal information as part of its membership, DoorDash was able to reach new customers; in turn, the other businesses participating in the cooperative also gained the opportunity to market to DoorDash customers.

Continue Reading California Delivers to DoorDash $375,000 Civil Penalty: California AG Announces Second CCPA Settlement

As we discussed last year, the Federal Trade Commission (FTC) has increased its focus and its enforcement related to the Children’s Online Privacy Protection Act (COPPA), especially in the educational context. Now the FTC is taking further steps to secure and protect children’s information as online tools and technologies continue to quickly advance.

In December 2023, the FTC issued a notice of proposed rulemaking to the COPPA rule that focuses on targeted advertising, push notifications, surveillance in the educational context, and providing more clarity on the exceptions under COPPA. According to the FTC Chair Linda M. Kah, “[t]he proposed changes to COPPA are much-needed, especially in an era where online tools are essential for navigating daily life—and where firms are deploying increasingly sophisticated digital tools to surveil children.” Moreover, the FTC issued a lengthy statement from Commissioner Alvaro M. Bedoy that attempts to dispel the critiques around COPPA and other regulations around children’s data collection, such as the critique that many violations of such data privacy statutes regulate conduct that does not involve a great deal of harm. Looking at all of the above, it is clear that the FTC believes new tools and technologies utilized by companies online are a major risk to children and that this new rulemaking is necessary to keep up with such new tools and technologies.

Continue Reading Children’s Online Privacy Protection Act Update: Part Deux! New FTC Rulemaking Proposal

Late last week, the California Third District Court of Appeal (the “Court”) overturned a lower court decision delaying the enforcement of amended privacy regulations. On Friday, February 9, 2024, the Court held that the California Privacy Protection Agency (the “Agency”) had the authority to enforce its amended California Privacy Rights Act (CPRA) regulations effective immediately, meaning all businesses regulated by the CPRA are expected to be in full compliance today. 

Continue Reading California Appeals Court Holds CPRA’s Implementing Rules Are Immediately Enforceable

In late 2023, the Federal Communication Commission (FCC) adopted significant changes to its Telephone Consumer Protection Act (TCPA) regulations. The purpose of the changes was to address escalating consumer threats caused by scam robocalls and robotexts.

The FCC created new obligations for sellers/businesses that utilize text messaging and it imposed new requirements for mobile phone carriers. Most significantly, the manner in which (consumer) consent (to be contacted) is acquired has been revised. These revisions will have a profound effect on how third-party websites obtain consumer consent, and sellers/marketers will be accountable to strictly comply.

Continue Reading Navigating FCC’s Latest Rules: A Quick Guide to Compliance with new TCPA Regulations

It is a new year, and the privacy efforts in the United States are not letting up. In 2024 alone, three new privacy laws will take effect (i.e., Montana, Oregon and Texas), and more laws are on the horizon. The latest update to the U.S. privacy landscape took place on January 16 when New Jersey governor Phil Murphy signed Senate Bill 332 (the “Act”) into law – making New Jersey the 13th state to enact a comprehensive privacy law. The Act takes effect January 15, 2025, and mirrors several other U.S. privacy laws, with a few unique distinctions. Here is what you need to know.

Continue Reading The Garden State Joins the Privacy Party – New Jersey Becomes the Latest State to Adopt a Comprehensive Data Privacy Law

Tuesday, Jan. 30, 2024

11 a.m. – 12 p.m. ET

You read the news every day and maybe even receive notices yourself: data security and privacy compliance is a growing area of concern and risk for businesses. With security incidents on the rise across various industries of all sizes, as well as increased regulation of privacy and security-related issues, evaluating and addressing your current data governance program is a crucial step in protecting your business in the new year. Just like getting in shape or starting that diet, NOW is the time to get started on finally enacting a plan to not only address risks and compliance requirements, but identify opportunities that lie within your company’s data.

In this quick-moving and engaging session, “10 Privacy and Security Resolutions in the New Year,” Taft’s Privacy and Data Security attorneys Scot GanowZenus Franklin, and Jordan Jennings will provide a review of the legal and security landscape and provide you with a plan to get started on finally managing those obligations.

Topics include:

  • An update on the current privacy and regulatory risk landscape.
  • Universal best practices for sound data governance.
  • A practical set of tools to complement your current practices.

Just. Get. Started. Register today!

On Dec. 7, 2023, the U.S. Department of Health and Human Services, Office for Civil Rights (OCR), announced a settlement with a Louisiana medical group specializing in emergency medicine, occupational medicine, and laboratory testing. The settlement resolves an investigation following a phishing attack that affected the electronic protected health information (PHI) of approximately 34,862 individuals. This marks the first settlement OCR has resolved involving a phishing attack under the Health Insurance Portability and Accountability Act (HIPAA) Rules. Additionally, this settlement comes just a handful of weeks after OCR announced a settlement with a Massachusetts medical management company in connection with a large breach report regarding a ransomware attack that affected the PHI of 206,695 individuals – becoming the first ransomware agreement OCR has reached as well.

Continue Reading OCR Doubles Down: Two Settlements in Two Months for Two Common Cybersecurity Issues

In August, India passed its long-awaited Digital Personal Data Protection Act, 2023 (“the Act”). Initially introduced in 2019, the draft bill went through several iterations before being approved by India’s Union Cabinet earlier this year. Although the Act shares many similarities to other privacy legislation, such as the EU’s GDPR and the United Kingdom’s UK GDPR, there are a few notable distinctions. While no official effective date for the law has been announced, companies should start familiarizing themselves with this new privacy law and its requirements. Here is a breakdown of what you should know.

Continue Reading Breaking Down India’s Digital Personal Data Protection Act, 2023