We are officially six months away from the California Privacy Rights Act (“CPRA”) taking effect and amending the California Consumer Privacy Act (“CCPA”).  Even for companies that have grown comfortable with requirements under the CCPA, the CPRA changes require planning and preparation.  With CPRA taking effect on January 1, 2023, here are six tips to begin that preparation: Continue Reading Are You Ready for CPRA? 6 Tips for the Final 6 Months

The Office of the Comptroller of the Currency (the “OCC”), Treasury; the Board of Governors of the Federal Reserve System (the “Fed Board”); and the Federal Deposit Insurance Corporation (the “FDIC” and, collectively with the OCC and the Fed Board, the “Agencies”) issued a final rule detailing notification requirements for a “computer-security incident” that rises to the level of a “notification incident.” The new rule went into effect on April 1, 2022, with a compliance date of May 1, 2022. Given the recent history of computer-security incidents in the banking industry and their increasing severity, the Agencies believed that implementing a new breach notification rule was important to allow the Agencies to assess and respond to cyberattacks. Continue Reading Final Rule Regarding Security Incident Notification Requirements: Time to Review Your Existing Procedures and Contracts

You might think your run-of-the-mill privacy and cybersecurity training is sufficient. You might think that by “checking the box” on generic training you have fulfilled your duty and obligation to mitigate data privacy and cybersecurity attacks. You might think that general malware protection adequately secures your company’s data and you can move on with your everyday business efforts without concern.

Think again. Continue Reading Think Again on Cybersecurity Training – Human Error Continues to Drive Numbers on Cybersecurity Attacks

On Friday, June 3, 2022, a bipartisan group of lawmakers published a discussion draft for the proposed American Data Privacy and Protection Act (the “ADPPA”). The ADPPA is a draft bill that has yet to be introduced in the U.S. House or Senate, which means that any provision is subject to amendment. However, even in draft form, the ADPPA is a notable advance in the efforts for a federal privacy law with sponsorship from both Democrats and Republicans, as well as members of the U.S. House and Senate. Continue Reading What is the American Data Privacy and Protection Act?

By now, we are used to seeing notifications on our phones asking whether we would like certain applications to track our activity across other companies’ apps and websites. Typically, these tracking tools are used to examine and assess advertising efficiency. Although these are beneficial marketing tools, companies must be mindful of how tracking tools are used on their platform to avoid infringing on individuals’ data privacy rights.

Recently, Canadian regulators found that Tim Hortons, a coffee and bake shop chain, violated Canada’s federal privacy laws, including Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA), by tracking, every few minutes of every day, the movements of customers who had downloaded its app. Following an app update in May 2019, the company allegedly tracked users not only when using the app, but whenever individuals’ devices were turned on, collecting massive amounts of location data without users’ knowledge.

Continue Reading In Hot Water, eh? Canadian Regulators Investigate Tim Horton’s Tracking of App Users

It was not long ago that data privacy was an afterthought for many companies, and in some regards, it may still be an afterthought. Since 2018, major laws and regulations governing companies’ collection, use, and disclosure of personal information have been enacted, including the General Data Protection Regulation (GDPR), California Consumer Privacy Act (CCPA) (amended by the California Privacy Rights Act, and soon to be joined by similar state privacy laws in Colorado, Connecticut, Indiana, Virginia, and Utah), Strengthening American Cybersecurity Act, and state data breach notification laws. Continue Reading The Changing Landscape of Privacy and Data Security in Mergers and Acquisitions

One year ago this week, we posted a blog explaining that the New York Department of Financial Services (NYDFS) issued a framework of seven best practices that insurers should adopt, including a recommendation that insurers stop paying ransom payments in response to ransomware. Now, North Carolina has enacted a statute that not only forbids its public entities from paying ransoms, but also prohibits public entities from communicating with ransomware threat actors. Instead, North Carolina public entities, including public schools and universities, are required to consult with the North Carolina Department of Information Technology (NCDIT). Continue Reading To Pay the Ransom or Not to Pay the Ransom? North Carolina Tells its Public Entities the Answer is an Emphatic NO

Recently, multiple states have enacted and passed new data privacy laws and bills (Colorado, Virginia, Utah, California Privacy Rights Act, Connecticut, Indiana, and Ohio). Rightfully so, these laws and bills have garnered much of the media attention. However, in the midst of all the new state data privacy laws, new bills regulating “data brokers” have begun to emerge. To no surprise, California is leading the way with its Data Broker Registration Law, which was enacted in 2019. Continue Reading Am I A Data Broker?: A Quick Primer on State Laws Regulating a Growing Industry

This week Meta, formerly known as Facebook, announced that it has disabled augmented reality effects, including filters and avatars, for its users in Texas and Illinois, citing state facial recognition laws. Meta says that users in those states will see a “temporarily unavailable” message when accessing such features across Facebook, Messenger, Instagram, and Portal. This decision comes at a time when the Illinois Biometric Information Privacy Act (BIPA) continues to wreak havoc on Illinois businesses, and just months after Texas Attorney General Ken Paxton filed a lawsuit against Meta claiming the company misused facial recognition technology. Denying any wrongdoing, Meta released a statement justifying the decision as a measure to avoid “meritless and distracting litigation”:

The technology we use to power augmented reality effects like avatars and filters is not facial recognition or any technology covered by the Texas and Illinois laws, and is not used to identify anyone.  Nevertheless, we are taking this step to prevent meritless and distracting litigation under laws in these two states based on a mischaracterization of how our features work. We remain committed to delivering AR experiences that people love, and that a diverse roster of creators use to grow their businesses, without needless friction or confusion.

Continue Reading A Social Media Influencer’s Nightmare – Fun Filters on Instagram and Facebook Disabled in Illinois and Texas

1, 2, 3, 4, 5 … you know how the song goes! Connecticut recently became the fifth state to adopt a comprehensive data privacy law. The new act, titled “An Act Concerning Personal Data Privacy and Online Monitoring” (the “Act”), takes effect July 1, 2023. As we expected, more and more states are continuing to join the ever-growing Privacy Party. Before getting on the privacy dance floor, here is what you need to know about Connecticut’s new privacy law. Continue Reading Mambo No. 5: Connecticut Becomes the Fifth State to Join the Privacy Party