In the past week, businesses in every industry faced the growing concerns that the coronavirus pandemic has brought to our communities. As the situation around the globe continues to develop and multi-faceted issues arise, companies should be considering their employees’ and customers’ privacy, be prepared to respond adequately and appropriately to privacy concerns and requests for information, and understand the basic expectations of how and when personal information can be used without consent.

While the current environment demands flexibility and responsiveness, and not all personal information or your industry may be subject to such regulations, the following information provides some guidelines on how the law expects businesses to balance privacy and public health concerns. We conclude with some best practices that apply to the use of personal information in all conditions.


Continue Reading COVID-19 Bulletin: Balancing Privacy and Public Health Needs

As many employers are considering sending employees home to protect them and other employees from the threat of the COVID-19 virus, it is extremely important to not increase your data security risk while you attempt to reduce the risk to employee and customer health. The following are some best practices for any employees working remotely, whether temporarily or permanently from locations outside your office and (hopefully secure) network.

  • Establish clear guidance and expectations to your employees.
    • All remote computer and


Continue Reading COVID-19 Bulletin: Sending Employees Home? Don’t compromise information security in the process.

As we have often said here in the US, “so goes California, so goes the country” when it comes to laws of all kinds, not just those addressing privacy. Well, globally, the same can be said of the impact of the European Union’s GDPR. Brazil will be regulating privacy and security more extensively with the Brazilian General Data Protection Law (aka the Lei Geral de Proteção de Dados, often referred to by its Portuguese acronym, the “LGPD”) (Law 13.709/2018), which was originally scheduled to go into effect this month (it was later amended to be enforced in August 2020). Here is a quick summary of the LGPD’s requirements.

Continue Reading So goes the EU, so goes the world….Brazil’s new privacy law is on the horizon.

Last year we wrote about the California attorney general’s initial guidance on implementation and enforcement requirements for the California Consumer Privacy Act (“CCPA”). Now, over a month since the CCPA went into effect, California Attorney General Xavier Becerra proposed modifications (the “Modifications”) to the initial proposed regulations (the “Initial Regulations”) that were published in early October 2019. The Modifications are the Attorney General’s response to public comments on the Initial Regulations that were submitted during the written comment period. While these changes are not final, they shed light on how the AG’s office expects businesses to plan, operate, and respond to consumer requests.

Continue Reading How am I supposed to do this? Part Deux: California Attorney General issues CCPA modifications

Yes, it actually is. Jan. 28 has been set aside as a date to raise awareness and generally promote proper use and safeguarding of personal data. While it started in Europe, it is now recognized by more than 50 countries.

Why Jan. 28? The date is important because on this date in 1981, the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (say that five times quickly) was introduced for signature by the Council

Continue Reading Happy Data Privacy Day! Is this really a thing?

As we have written in blog posts over the past year, the California Consumer Privacy Act (CCPA) is the most comprehensive state privacy law to date. While there are a number of conditions and exemptions in play, the law goes into effect on Jan. 1, 2020, and will be enforced starting in July 2020.

In anticipation of the law’s effective date and requirements, we have provided a checklist to help you assess the applicability of the law to your business

Continue Reading Business Considerations: California Consumer Privacy Act

In Taft’s Privacy and Data Security Insight, we have been writing regularly on the California Consumer Privacy Act and what to expect as it goes into effect in January. Like many new privacy laws, panic begins to set in about how to actually address the new approach towards consumer privacy (remember the great GDPR panic of May 25, 2018?). In our last blog, we told you about the final amendments to the CCPA and how the language of the law will finally read. The next step to the implementation of the United States’ most comprehensive state privacy law is the issuance of the Attorney General’s Proposed Regulations, a Notice of Proposed Rulemaking Action, and an Initial Statement of Reasons. These draft documents attempt to answer the question burning in the minds of lawyers and businesses around the country: HOW am I supposed to actually do this? With these draft documents finally out (awaiting public comments until December), we have what we are to understand as the AG’s guidance to businesses on how to comply with the provisions of the CCPA, including, but not limited to:

  1. How to properly notify consumers;
  2. How to handle consumer requests;
  3. How to verify the identity of consumers;
  4. Collecting personal information of minors; and
  5. How the value of consumer data is calculated.

The California Consumer Privacy Act (“CCPA”) will go into effect on January 1, 2020.


Continue Reading How am I supposed to do this?: California AG issues proposed regulations for making CCPA a reality

As we have discussed before, the California Consumer Privacy Act (“CCPA”) is forcing entities doing business in California to critically examine their information collection and sharing practices. Although California signed it into law last year, the CCPA does not go into effect until January 1, 2020. Last month, the California Legislature passed six amendments to the CCPA that will affect how businesses operate, while also affording California residents their newfound rights.

I. Limiting Personal Information & Publicly Available Information (AB-874).
The CCPA, before this amendment, defined “personal information” as any information that “is capable of being associated with… a particular consumer or household.” This amendment changes that language to any information that “is reasonably capable of being associated with… a particular consumer or household.” This is an attempt to clarify and limit the scope of personal information and what information is “capable of being associated with” a consumer. Much like other areas of the law, we expect contentious debate over what is “reasonable” when anticipating association with a particular consumer or household. Additionally, the definition of “personal information” will now exclude de-identified or aggregated consumer information. This amendment also removes restricting language on what information is treated as “publicly available” and simply states that it is information made available by federal, state, or local governments.


Continue Reading California Raisin’ the Stakes: Final CCPA Amendments Pass CA Legislature

The Background of the Law

Of late, the U.S. private sector has been abuzz with the European Union’s new General Data Protection Regulation and the implementation of the same. However, savvy companies cannot forget that state legislatures have been for some time enacting statutes aimed at protecting their residents in how businesses use and disseminate their personal information. In 2008, Illinois became one of the first states to be mindful of the uniqueness of biometrics with the passage of the Biometric Information Privacy Act (“BIPA”), 740 ILCS 14/5, et seq. BIPA provides standards of conduct for private entities in connection with the collection, use, retention, and destruction of “biometric identifiers” and “biometric information.” A “biometric identifier” is defined as a retina or iris scan, fingerprint, voiceprint, or scan of a person’s hand or face geometry while “biometric information” is defined as “any information … based on an individual’s biometric identifier used to identify an individual,” 740 ILCS 14/10. Under BIPA, a private entity in possession of such identifiers and information must establish written policies regarding their retention and destruction and cannot obtain such data unless it: (1) informs the subject of the collection; (2) informs the subject of the specific purpose for the collection and how long the data would be stored; and (3) receives written consent from the subject. 740 ILCS 10/15(b). Importantly, BIPA also provides a private cause of action for “[a]ny person aggrieved by a violation” of the statute and the greater of $1,000 in liquidated damages or actual damages for negligent violations and the greater of $5,000 in liquidated damages or actual damages for intentional or reckless violations. 740 ILCS 14/20(1) and (2). The statute also provides for reasonable attorneys’ fees and costs. 740 ILCS 14/20(3).

While initially dormant, BIPA became the focal point for a flurry of class action lawsuits starting in 2015 against social media websites that used facial recognition for photo tagging purposes. More recently, it has been used increasingly against employers who had timekeeping systems that required fingerprinting scans. At that time, many companies were unaware that BIPA even existed or that it could apply to the technology they were using.


Continue Reading The Illinois Biometric Information Privacy Act: Aggrieved or Not Aggrieved – That is the Question

Rebekah Mackey, Taft summer associate, contributed to this article.

Just months after the European Union’s General Data Protection Regulation, or “GDPR,” changed the landscape of data privacy around the globe, California reaffirmed its position as the United States pioneer of consumer-friendly data privacy protections with the state legislature’s passage of Assembly Bill No. 375.

The California Consumer Privacy Act (“Act”) was originally a ballot initiative to be voted on by California residents in November, but the fate of the policy changed course rapidly when AB 375 passed within one week of being introduced in the state’s legislature. Here are some of the key provisions of which businesses and consumers should be aware when the law goes into effect Jan. 1, 2020.


Continue Reading So Goes California, So Goes the Country?: The Golden State Again Breaks New Privacy Law Ground