On Thursday, March 26, 2020, the Senate passed the Coronavirus Aid, Relief, and Economy Security Act (the “CARES Act”), which provides economic relief for individuals, businesses and industries affected by the COVID-19 pandemic. In addition, some provisions specifically relate to nascent privacy and data security concerns to be addressed both during and after the pandemic:

  • Financial Assistance for Training: Qualifying small businesses and minority owned businesses may apply for financial assistance in the form of grants to cover training and advising for employees on risks of and mitigation of cybersecurity threats in remote customer service or telework practices. The economic landscape following the COVID-19 pandemic will highlight businesses’ increased reliance upon technology, and the nascent need for increased attention to data security education. The financial assistance available to small and minority-owned businesses provides a great opportunity for companies to get ahead of the curve with respect to myriad information security threats.
  • Credit Reporting: The Fair Credit Reporting Act is revised so that furnishers of consumer and payment information, who make an accommodation with respect to one or more payments on a consumer’s account or credit obligation, must report the account or obligation as “current,” unless it was delinquent prior to the accommodation.
  • Public Health Service Act Amended to Conform with HIPAA: The Public Health Service Act is amended to include breach notification and consent requirements consistent with HIPAA. In addition, within one year after the date of enactment, the Secretary of Health and Human Services shall update 45 C.F.R 164.520 so that covered entities and entities creating or maintaining records relating to substance abuse education, training, treatment, and research shall provide easily understandable notices of privacy practices. As a result, some entities not currently regulated by HIPAA will need to adapt to some of the HIPAA requirements related to breach notification and notice of privacy practices.
  • Cybersecurity & Infrastructure Security Agency: $9 million is allocated for supply chain and information analysis, as well as impacted critical infrastructure coordination.
  • Funding for Public Health Surveillance: $500 million is allocated for public health data surveillance and analytics infrastructure modernization.


Continue Reading

While the bulk of current conversation and headlines revolve around an ever growing pandemic, California Attorney General, Xavier Becerra, provided us a much needed distraction. A little over a month since the Attorney General released the first set of modifications (the “First Modifications”) to the California Consumer Privacy Act’s (the “CCPA”) initial regulations, he has now released the second set of modifications (the “Second Modifications”) based on written comments received over the 15-day comment period that ended on Feb. 25, 2020. While the Second Modifications are not as voluminous as the First Modifications, there are still some significant changes and clarifications that may affect businesses or service providers and changes that nullify a few of the First Modifications, including some of our discussion points from our discussion of the First Modifications.

Continue Reading

In the past week, businesses in every industry faced the growing concerns that the coronavirus pandemic has brought to our communities. As the situation around the globe continues to develop and multi-faceted issues arise, companies should be considering their employees’ and customers’ privacy and be prepared to adequately and appropriately respond to privacy concerns, requests for information, and understand the basic expectations of how and when personal information can be used without consent.

While the current environment demands flexibility and responsiveness, and not all-personal information or your industry may be subject to such regulations, the following information provides some guidelines on how the law expects businesses to balance privacy and public health concerns. We conclude with some best practices that apply to the use of personal information in all conditions.


Continue Reading

As many employers are considering sending employees home to protect them and other employees from the threat of the COVID-19 virus, it is extremely important to not increase your data security risk while you attempt to reduce the risk to employee and customer health. The following are some best practices for any employees working remotely, whether temporarily or permanently from locations outside your office and (hopefully secure) network.

  • Establish clear guidance and expectations to your employees.
    • All remote computer and


Continue Reading

As we have often said here in the US, “so goes California, so goes the country” when it comes to laws of all kinds, not just those addressing privacy. Well, globally, the same can be said of the impact of the European Union’s GDPR. Originally scheduled to go into effect this month (it was later amended to be enforced in August 2020), Brazil will be regulating privacy and security more extensively with the Brazilian General Data Protection Law (aka, the Lei Geral de Proteção de Dados and often referred to as the “LGPD” in the Portuguese acronym) (Law 13.709/2018). Here is a quick summary of the LGPD’s requirements.

Continue Reading

Last year we wrote about the California attorney general’s initial guidance on implementation and enforcement requirements for the California Consumer Privacy Act (“CCPA”). Now, over a month since the CCPA went into effect, California Attorney General Xavier Becerra proposed modifications (the “Modifications”) to the initial proposed regulations (the “Initial Regulations”) that were published in early October 2019. The Modifications are the Attorney General’s response to public comments of the Initial Regulations that were submitted during the written comment period. While these changes are not final, they shed light on how the AG’s office expects businesses to plan, operate, and respond to consumer requests.

Continue Reading

Yes, it actually is. Jan. 28 has been set aside as a date to raise awareness and generally promote proper use and safeguarding of personal data. While it started in Europe, it is now recognized by more than 50 countries.

Why Jan. 28? The date is important because on this date in 1981, the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (say that five times quickly) was introduced for signature by the Council
Continue Reading

As we have written in blog posts over the past year, the California Consumer Privacy Act (CCPA) is the most comprehensive state privacy law to date. While there are a number of conditions and exemptions in play, the law goes into effect on Jan. 1, 2020, and will be enforced starting in July 2020.

In anticipation of the law’s effective date and requirements, we have provided a checklist to help you assess the applicability of the law to your business
Continue Reading

In Taft’s Privacy and Data Security Insight, we have been writing regularly on the California Consumer Privacy Act and what to expect as it goes into effect in January.  Like many new privacy laws, panic begins to set in about how to actually address the new approach towards consumer privacy (remember the great GDPR panic of May 25, 2018?)  In our last blog, we told you about the final amendments to the CCPA and how the language of the law will finally read. The next step to the implementation of the United States’ most comprehensive state privacy law is the issuance of the Attorney General’s  Proposed Regulations, a Notice of Proposed Rulemaking Action, and an Initial Statement of Reasons. These draft documents attempt to answer the question burning in the minds of lawyers and businesses around the country:  HOW am I supposed to actually do this? With these draft documents finally out (awaiting public comments until December), we have what we are to understand as the AG’s guidance to businesses on how to comply with the provisions of the CCPA, including, but not limited to:

  1. How to properly notify consumers;
  2. How to handle consumer requests;
  3. How to verify the identity of consumers;
  4. Collecting personal information of minors; and
  5. How the value of consumer data is calculated.

The California Consumer Privacy Act (“CCPA”) will go into effect on January 1, 2020.


Continue Reading

As we have discussed before, the California Consumer Privacy Act (“CCPA”) is forcing entities doing business in California to critically examine their information collection and sharing practices. Although California signed it into law last year, the CCPA does not go into effect until January 1, 2020. Last month, the California Legislature passed six amendments to the CCPA that will affect how businesses operate, while also affording California residents their newfound rights.

I. Limiting Personal information & Publicly Available Information (AB-874).
The CCPA, before this amendment, defined “personal information” as any information that “is capable of being associated with… a particular consumer or household.” This amendment changes that language to any information that “is reasonably capable of being associated with… a particular consumer or household.” This is an attempt to clarify and limit the scope of personal information and what information is “capable of being associated with” a consumer. Much like other areas of the law, we expect contentious debate over what is “reasonable” when anticipating association with a particular consumer or household. Additionally, the definition of “personal information” will now exclude de-identified or aggregated consumer information. This amendment also removes restricting language on what information is treated as “publicly available” and simply states that it is information made available by federal, state, or local governments.


Continue Reading