Consumer Protection
Subscribe to Consumer Protection's Posts

CCPA and ‘Reasonable Security’: A Game Changer

On January 1, 2020, the California Consumer Privacy Act of 2018 (CCPA) went into effect. The CCPA applies to a wide range of companies and broadly governs the collection, use and sale of personal information of California residents (i.e., consumers and certain other individuals) and households. The CCPA provides that consumers may seek statutory damages of between $100 and $750, or actual damages if greater, against a company in the event of a data breach of nonredacted and nonencrypted personal information that results from the company’s failure to implement reasonable security. The amount of the statutory damages depends on factors such as the nature and seriousness of the company’s misconduct, the number of violations, the persistence of the company’s misconduct, the length of time over which the misconduct occurred, and the company’s assets, liabilities and net worth. To defend against these consumer actions, a company must show that it has implemented...

Continue Reading

Though CCPA is Now Live, Questions About Its Constitutionality Linger

As businesses have scrambled to obtain compliance with the California Consumer Privacy Act (CCPA) in recent months, questions surrounding its constitutionality have arisen. As a broad, sometimes unclear state law that imposes significant obligations on businesses around the country, CCPA may be ripe for legal challenge. The strongest bases for such challenges appear to be: (1) that CCPA violates the “Dormant Commerce Clause”; and (2) that CCPA is impermissibly vague. Dormant Commerce Clause The burden that CCPA imposes on out-of-state economic activity may place it in violation of the Dormant Commerce Clause, a legal doctrine created out of the Commerce Clause of the US Constitution. The Commerce Clause allows the US Congress to regulate interstate commerce; from this grant of power, courts have inferred a limitation on the authority of states to regulate interstate commerce, a doctrine coined the Dormant Commerce Clause. On this basis, courts will strike...

Continue Reading

Little by Little, Attorney General Becerra Sheds Light on the CCPA in 2020

Minimal Changes Expected to the Final Regulations On October 10, 2019, the Attorney General issued his Proposed Text of Regulations, along with a Notice of Proposed Rulemaking Action and Initial Statement of Reasons. According to the Attorney General, the regulations will “benefit the welfare of California residents because they will facilitate the implementation of many components of the CCPA” and “provid[e] clear direction to businesses on how to inform consumers of their rights and how to handle their requests.” See Notice of Proposed Rulemaking, page 10. The deadline to submit public comments on the proposed regulations was December 6, 2019. The Office of the Attorney General (OAG) reported receiving about 1,700 pages of written comments from almost 200 parties. Despite this, the Attorney General stated in a news briefing that he does not expect the final regulations to include significant changes. The proposed regulations should give everyone a sense of...

Continue Reading

US Office of Management and Budget Calls for Federal Agencies to Reduce Barriers to Artificial Intelligence

On January 7, 2020, the Director of the US Office of Management and Budget (OMB) issued a Draft Memorandum (the Memorandum) to all federal “implementing agencies” regarding the development of regulatory and non-regulatory approaches to reducing barriers to the development and adoption of artificial intelligence (AI) technologies. Implementing agencies are agencies that conduct foundational research, develop and deploy AI technologies, provide educational grants, and regulate and provide guidance for applications of AI technologies, as determined by the co-chairs of the National Science and Technology Council (NSTC) Select Committee. To our knowledge, the NTSC has not yet determined which agencies are “implementing agencies” for purposes of the Memorandum. Submission of Agency Plan to OMB The “implementing agencies” have 180 days to submit to OMB their plans for addressing the Memorandum. An agency’s plan must: (1) identify any statutory authorities...

Continue Reading

California Bill Proposes CCPA Exceptions for HIPAA De-identified Information, Other Health Data

On January 6, 2020, the California State Senate’s Health Committee unanimously approved California AB 713, a bill that would amend the California Consumer Privacy Act (CCPA) to except from CCPA requirements additional categories of health information, including data de-identified in accordance with the Health Insurance Portability and Accountability Act of 1996 (HIPAA), medical research data, personal information used for public health and safety activities, and patient information that is maintained by HIPAA business associates in the same manner as HIPAA protected health information (PHI). If enacted, the bill would simplify CCPA compliance strategies for many HIPAA-regulated entities, life sciences companies, research institutions and health data aggregators. Exemption for HIPAA Business Associates Presently, the CCPA does not regulate PHI that is collected by either a HIPAA covered entity or business associate. The CCPA also exempts covered entities to...

Continue Reading

A Sale or Not a Sale? The Digital Advertising Debate

The California Consumer Privacy Act (CCPA) requires businesses who engage in sales of personal information, to offer consumers the right to opt out of such sales through a “Do Not Sell My Personal Information” link or button on their websites. These “Do Not Sell” obligations present a particularly thorny question for businesses that participate in a digital ad exchange or otherwise use advertising tracking technologies on their websites. Because data elements such as IP address, cookie ID, device identifier and browsing history are considered “personal information” for purposes of the CCPA, the question is: does sharing that information with third-party ad tech providers constitute a “sale” of data? The answer, so far, is a resounding “maybe.” In what follows, we expand on the issue and survey different approaches to this hotly contested question. Why the Debate? The CCPA defines a “sale” as “selling, renting, releasing, disclosing, disseminating, making...

Continue Reading

The GDPR’s Effects in China: Comparison with Local Rules and Considerations for Implementation

As Europe’s General Data Protection Regulation (GDPR) takes effect, companies around the world are racing to implement compliance measures. In parallel with the GDPR’s development, China’s new data protection framework has emerged over the past year and is in the final stages of implementing the remaining details. With similar and often overlapping obligations, full compliance with the GDPR and China’s data protection framework presents a significant new challenge for companies with operations in China. Does the GDPR Apply to Companies in China? The GDPR applies to the processing of personal data of people who are in the European Union, even for a controller or processor in China, where the processing of the data is related to: The offering of goods or services to the data subjects in the European Union, regardless of whether a payment is required; or The monitoring of people’s behavior in the European Union. As a result, even if a Chinese company does not...

Continue Reading

Surfing “Tech’s Next Big Wave”: Navigating the Legal Challenges in Digital Health

Fortune’s April 2018 cover story, “Tech's Next Big Wave: Big Data Meets Biology,” conveys loudly and clearly that technological innovation is transforming the health care continuum—changing the way care is delivered, as well as how patients manage their ongoing health—and as patient demand for health innovation increases, more companies seem eager to hop on the digital health bandwagon. The article provides a thoughtful, realistic (and somewhat sobering) perspective on digital health innovation’s successes and other results to date. It also quite effectively uses real world stories to convey the human dimension of digital health. One is the story of a mother who manually sampled and recorded her son’s glucose levels 20 times a day before an automated monitoring system connected to a mobile app allowed them both to live their lives without constant interruption by this critical care management function. Another describes use of an artificial intelligence...

Continue Reading

Appeals Court Strikes Down Key Portions of FCC’s Onerous TCPA Rulemaking

Last week, the US Court of Appeals for the DC Circuit issued a long-awaited decision on an omnibus challenge to the FCC’s interpretation of the TCPA. While the decision provides some relief for businesses, it does not eliminate the prospect of TCPA liability and leaves important TCPA interpretive questions unresolved. Businesses should continue to be vigilant regarding consent and opt-out procedures when sending automated text messages and automated or pre-recorded calls to consumers. Continue Reading

Continue Reading

Order now: The Law of Digital Health Book

Designed to provide business leaders and their key advisors with the knowledge and insight they need to grow and sustain successful digital health initiatives, we are pleased to present The Law of Digital Health, a new book edited and authored by McDermott’s team of distinguished digital health lawyers, and published by AHLA. Visit www.mwe.com/lawofdigitalhealth to order this comprehensive legal and regulatory analysis, coupled with practical planning and implementation strategies. You can also download the Executive Summary and hear more about how Digital Health is quickly and dynamically changing the health care landscape. Explore more!

Continue Reading

STAY CONNECTED

TOPICS

ARCHIVES