enforcement

Key Issues We’re Tracking as CCPA Enforcement Nears

Although 2020 has already provided more than its share of surprises for businesses, one thing appears to remain unchanged: the California attorney general’s commitment to enforcing the California Consumer Privacy Act beginning July 1, 2020. As companies work to ensure compliance with this legislation, we explore several key issues.

No one will disagree that a lot has happened since the California Consumer Privacy Act (CCPA) went into effect on January 1, 2020. Despite the Coronavirus (COVID-19) pandemic, the invasion of murder hornets and a number of other not-entirely pleasant surprises that 2020 has brought us thus far, it appears that the California attorney general is still committed to enforcing the CCPA starting on July 1, 2020. As your business prepares for CCPA enforcement, there are a number of issues to keep in mind:

1. The CCPA regulations still have not been finalized and are unlikely to take effect until October 2020.

The attorney general’s regulations, which aim to interpret and implement the important provisions of the CCPA, still have not been finalized. March 27, 2020, marked the end of the comment period for the current draft regulations (which was the second set of modifications released by the attorney general). We are now waiting to see whether the attorney general will issue yet another set of proposed modifications, or submit the current version to the California Office of Administrative Law (OAL) for approval. For the regulations to take effect July 1, the OAL would need to receive and approve the final regulations by May 31, which appears to be an unlikely scenario. Accordingly, the regulations likely will not take effect until October 1, and could potentially be delayed until 2021. As a result, companies should be prepared for CCPA enforcement to begin before the regulations take effect.

2. We’ve started to see the effects of the private right of action.

California consumers have begun to file lawsuits seeking to enforce their (purported) rights under the CCPA. The cases present a first opportunity for courts to examine the private right of action created by the law. One case, in particular, presents a potentially unanticipated theory of harm, and could prove fundamental in establishing the extent of liability for businesses subject to the CCPA. We describe these lawsuits in greater detail here. Because these lawsuits will begin to define the contours and scope of the CCPA, businesses subject to the CCPA should keep a close eye on their progress.

3. The Office of the Attorney General lacks enforcement resources.

As we wrote in a previous article, despite significant enforcement expenditures by the Office of the Attorney General (OAG), it is still an agency with limited resources. This is even more true now that more of the OAG’s resources are likely devoted to COVID response and related urgent priorities. Many expect that the OAG will only be able to pursue a limited number of CCPA enforcement actions, particularly if, as expected, it takes on large and well-funded companies. Media reports continue to indicate that the attorney [...]





Importance of CCPA Compliance Highlighted by First Round of Private Actions

The first wave of California Consumer Privacy Act litigation has begun to roll in, and the complaints are already raising interesting questions about the scope of CCPA’s private right of action. The actions assert a variety of claims under numerous theories and present a broad range of potential risks to businesses subject to CCPA. In light of the many questions that surround CCPA’s private right of action, the extent of possible liability from private litigation is still largely unknown and potentially significant.

The first wave of private lawsuits filed under the California Consumer Privacy Act (CCPA) has begun to roll in, and the complaints are already raising interesting questions about the scope of CCPA’s private right of action. The recent explosion in popularity of video conferencing and social media software in response to the COVID-19 pandemic—and the technical issues some of these products have experienced—has inspired its own wave of litigation, with several cases alleging violations of CCPA along with other laws. The flurry of litigation activity makes clear the importance of CCPA compliance, particularly in the current challenging business environment. Although it’s too early to tell how these lawsuits will play out, some themes are emerging.

Refresher on CCPA Private Right of Action

Businesses are now familiar with the long list of privacy obligations imposed by CCPA and enforceable by the California attorney general. Although CCPA contains a private right of action, that right is applicable only to CCPA’s sole data security provision. Cal. Civ. Code § 1798.150 authorizes consumers to institute a civil action against a business whose failure to implement and maintain reasonable security procedures resulted in the unauthorized access and exfiltration, theft or disclosure of the consumer’s nonencrypted and nonredacted personal information. The definition of “personal information” in the context of § 1798.150 is narrower than the expansive definition applicable to other CCPA provisions, applying only to an individual’s name together with an identifying data element, such as a Social Security number, driver’s license number or medical information. A plaintiff may seek injunctive or declaratory relief, actual damages or statutory damages in an amount not less than $100 and not greater than $750 per consumer, per incident. Before seeking statutory damages, however, the consumer must provide the business 30 days’ written notice to cure the alleged violation. The “notice and cure” provision is the subject of some controversy, because CCPA does not explain how a violation that resulted in a data breach can be “cured.” CCPA also explicitly prohibits consumers from using alleged violation of its provisions “to serve as the basis for a private right of action under any other law,” thus, in theory, prohibiting a plaintiff from alleging that a CCPA violation constitutes a violation of the California Unfair Competition Law, Cal. Bus. & Prof. Code §§ 17200, et seq. or other statutes. That hasn’t stopped plaintiffs from trying, as described below.

Theme #1: Suits Brought as Class Actions

Most, if not all, of the lawsuits brought under CCPA thus far have been brought as [...]





New California Privacy Ballot Initiative Would Expand the CCPA

A proposed ballot initiative in California known as the California Privacy Rights Act, which is likely to pass if placed on the 2020 ballot, would both clarify and expand the existing California Consumer Privacy Act. Companies doing business in the state should closely monitor these developments and prepare for compliance, as we outline in this article.

A California ballot initiative known as the California Privacy Rights Act (CPRA) would clarify and expand the California Consumer Privacy Act (CCPA), granting significant new rights to consumers and imposing additional liability risks on companies doing business in the state. The CPRA is an update to the California Privacy Rights and Enforcement Act (CPREA) ballot initiative, which was proposed in late 2019 by Californians for Consumer Privacy and which also sought to broadly amend the CCPA and prevent changes to it that would undermine its consumer protections.

The proposed ballot initiative, submitted by the architects of the CCPA, garnered 900,000 signatures, far more than the roughly 625,000 necessary for certification on the 2020 ballot. Early polling reportedly shows strong support for the measure, so assuming the signatures are approved and the CPRA is placed on the ballot, it is considered likely to pass and to take effect on January 1, 2023.

The CPRA proposes a myriad of changes, and this article will not address them all. What follows is a discussion of the most significant changes for businesses and consumers in California, followed by enforcement and implementation considerations.

New Clarifications, Rights and Responsibilities

In a number of areas, the CPRA would modify the current CCPA in ways that are likely to be welcomed by companies grappling with the often ambiguous and unclear obligations under the current law:

  • “Personal information” would no longer include information that is manifestly made public by the individual or the media.
  • Businesses that receive deletion requests would be expressly permitted to maintain records of these requests for compliance purposes.
  • Consumers could no longer require a business to generate a list of “the categories of personal information it has collected about that consumer” in response to access requests.
  • “Service providers” and “contractors” (a new term that appears to replace the “third party” contract provisions) would not need to respond directly to consumer requests to access or delete information.

However, these changes are largely overshadowed by the initiative’s imposition of significant new rights for consumers and responsibilities for businesses subject to the CCPA. These include the following requirements:

  • Businesses would need to contend with a new opt-out right to “Limit the Use of My Sensitive Personal Information,” which would require enhanced scrutiny of business practices involving certain “sensitive” categories of information. These sensitive categories of information are reminiscent of (but broader than) the categories of information typically regulated by US data breach notification statutes or considered “special categories” under the EU General Data Protection Regulation. For purposes of the CPRA, “sensitive” categories will include certain government identifiers (Social Security number, driver’s license, state identification card or passport number); a [...]




Though CCPA is Now Live, Questions About Its Constitutionality Linger

As businesses have scrambled to obtain compliance with the California Consumer Privacy Act (CCPA) in recent months, questions surrounding its constitutionality have arisen. As a broad, sometimes unclear state law that imposes significant obligations on businesses around the country, CCPA may be ripe for legal challenge. The strongest bases for such challenges appear to be: (1) that CCPA violates the “Dormant Commerce Clause”; and (2) that CCPA is impermissibly vague.

Dormant Commerce Clause

The burden that CCPA imposes on out-of-state economic activity may place it in violation of the Dormant Commerce Clause, a legal doctrine created out of the Commerce Clause of the US Constitution. The Commerce Clause allows the US Congress to regulate interstate commerce; from this grant of power, courts have inferred a limitation on the authority of states to regulate interstate commerce, a doctrine coined the Dormant Commerce Clause. On this basis, courts will strike down state laws that explicitly discriminate against out-of-state actors or that regulate activity that occurs entirely outside of the state. In addition, the Dormant Commerce Clause prohibits laws that do not explicitly discriminate against out-of-state economic interests if the effect of a law is to unduly burden interstate commerce. If a state law does unduly burden out-of-state interests, a court will typically balance the burdens imposed on interstate commerce against the benefits the law creates for the state to determine whether or not the law should be upheld.





DOJ Continues Telemedicine Enforcement in Q2 2019

During the second quarter of 2019, DOJ continued its focus on enforcement activity in telemedicine. As reported in prior editions of the Quarterly Roundup, telemedicine is an expanding field, causing DOJ to pay particular attention to the industry.

In April 2019, DOJ indicted the owner and operator of 1stCare MD and ProfitsCentric with one count of conspiracy to pay and receive kickbacks. The defendant’s arrest and federal indictment are part of a nationwide law enforcement action, as reported in the Q1 2019 Quarterly Roundup, that targeted 24 defendants involved in alleged extensive healthcare fraud schemes focused on telemedicine and durable medical equipment (DME) marketing. These schemes allegedly resulted in losses amounting to more than $1.2 billion. The indictment alleges that from 2016 to 2019 the defendant defrauded HHS in its administration and oversight of Medicare by conspiring with others to pay and receive kickbacks and bribes in exchange for doctors’ orders for DME for Medicare beneficiaries. Prosecutors also alleged that the defendants, 1stCare MD and ProfitsCentric, through their network of doctors, generated thousands of doctors’ orders for DME absent a pre-existing doctor-patient relationship and a physical examination, and that the orders were based solely on a short telephone conversation. The indictment alleges that these activities resulted in the submission of approximately $40 million in fraudulent Medicare claims for DME.

Further, in July 2019, DOJ indicted a New York-based anesthesiologist for her alleged role in a $7 million telemedicine conspiracy to fraudulently bill Medicare, Medicare Part D plans and private insurance plans, resulting in more than $3 million in payments on those claims.[51] According to DOJ, the indictment resulted from investigative work by the Criminal Division’s Medicare Fraud Strike Force, a joint initiative of DOJ and HHS. Eastern District of New York prosecutors charged the anesthesiologist with one count of conspiring to commit healthcare fraud by misusing telemedicine channels under agreements with unidentified companies to prescribe DME and drugs to more than 3,000 Medicare beneficiaries. The indictment alleges that, from January 2015 to May 2018, the anesthesiologist and other providers allegedly received kickback payments from unidentified companies for improper telemedicine encounters. The indictment alleges that the anesthesiologist “prescribed and ordered DME and prescription drugs for beneficiaries who were not examined or evaluated by a licensed physician.” The prosecutors alleged that the prescriptions flowing from the alleged telemedicine encounters were for DME and drugs that were neither medically necessary nor the result of genuine physician-patient relationships.

PRACTICE NOTE: Given DOJ’s recent criminal enforcement related to telemedicine, telemedicine companies should closely review their compliance with the federal and state laws that may be implicated through a telemedicine practice. Further, DOJ’s focus on individual accountability is particularly important with respect to telemedicine, given its interest in pursuing criminal actions against physicians.

This blog post was originally published in McDermott’s Health Care Enforcement Quarterly Roundup | Q2 2019.




Upcoming FTC Workshop on Informational Harm | Next Brushstrokes on the FTC’s Consumer Privacy and Security Enforcement Canvas

On September 29, the Federal Trade Commission (FTC) formally announced a December 12th workshop on informational injury—the injury a consumer suffers when information about them is misused. The workshop will address questions such as how to characterize and measure such injury and what factors businesses and consumers should consider when weighing the benefits and risks of collecting, using and providing personal information, so as to gain further perspective on how the FTC should apply its legal framework for privacy and security enforcement under 15 USC § 45 (Section 5). In her September 19th remarks to the Federal Communications Bar Association, Commissioner Maureen Ohlhausen, the Acting Chairman of the FTC, metaphorically characterized the workshop’s purpose as providing the next brushstrokes on the unfinished enforcement landscape the FTC is painting on its legal framework canvas. The full list of specific questions to be addressed may be accessed here.

Background. The FTC views itself as the primary US enforcer of data privacy and security, a role it recently assumed. While the FTC’s enforcement against practices causing informational injury through administrative proceedings goes back as far as 2002, its ability to pursue corporate liability for data security and privacy practices under its Section 5 “unfair or deceptive trade practices” jurisdiction was only ratified in 2015 by the US Court of Appeals for the Third Circuit in FTC v. Wyndham Worldwide Corporation. The FTC has actively invoked its enforcement authority but, in doing so, has been selective in determining which consumer informational injuries to pursue by questioning the strength of evidence connecting problematic practices with the injury, examining the magnitude of the injury and inquiring as to whether the injury is imminent or has been realized.



