Once again, the Virginia legislature is set to consider comprehensive data privacy legislation.  In the 2020 regular session of the Virginia General Assembly, the House of Delegates referred several bills dealing with privacy issues, including a proposed data privacy law, to the Virginia Joint Commission on Science and Technology for study.

This year, it appears Virginia is poised to seriously consider adoption of a broad consumer data privacy framework.  Senate Bill 1392 , sponsored by Senator David Marsden (D-Fairfax), was introduced on January 13, 2021. House Bill 2307, sponsored by Delegate Cliff Hayes, Jr. (D-Chesapeake), was introduced on January 20, 2021. The bills create the “Consumer Data Protection Act.”

Virginia does not currently have a comprehensive data privacy law governing consumer data.  Like most states, it has a data breach notification law and various protections for specific types of data in certain contexts.

Continue Reading Virginia Legislature Is Set to Consider Comprehensive Data Privacy Legislation

In Part II of this series, California-based Ali Baiardo, and London-based Alice O’Donovan, continue their comparison of the GDPR and California privacy law. To view Part I in the series, click here.

NEW DATA PROTECTION PRINCIPLES AND OBLIGATIONS ON BUSINESSES

a. Key data protection principles

The GDPR revolves around seven key data protection principles:

  1. Lawfulness, fairness and transparency;
  2. Purpose limitation;
  3. Data minimisation;
  4. Accuracy;
  5. Storage limitation;
  6. Integrity and confidentiality (security); and
  7. Accountability

Continue Reading California Privacy Rights Act: A Move Closer to GDPR? Part II

A major consumer privacy law is likely this legislative session in Florida that stands to jeopardize not only technology companies, but financial services, healthcare entities, and thousands of small and medium-sized businesses that rely on digital marketing and advertising to conduct business.

Florida legislators are generally pro-business, but this year could be an exception. Talks are well underway in both the House and Senate to rewrite Florida’s data privacy laws with a nod toward adopting components of the more restrictive California Consumer Privacy Act of 2018, which became effective January 2020.

Proponents of more consumer-focused privacy legislation are gearing up for a fight this session.

From a recent POLITICO Florida article:

Since its creation, Propel Florida has given $100,000 in political contributions to key Republicans and hired a lobbying team ahead of the 2021 legislative session.

“The fact of the matter is Floridians can’t trust Big Tech,” said Shaun Keck, who identified himself in an email as Propel Florida’s director. “For years, virtual platforms have been collecting personal, private information from all of us. After which they capitalize by renting and selling this private information.” (“Mystery Florida company lobbying to fight big tech,” Matt Dixon, December 10, 2020, Politico Pro)

Businesses that serve Florida consumers still have time to stand up and take notice, but the clock is ticking – committees start hearing bills on January 11, 2021, and session officially kicks off March 2.

The recently-passed California Privacy Rights Act (CPRA) augments and supplements California’s existing privacy law, the California Consumer Privacy Act (CCPA).  We are sure many practitioners are wondering how it stacks up with the European Union’s General Data Protection Regulation (GDPR). See below for Part I of our two part series comparing the CPRA and the GDPR (and see Part II here).

HOW DOES THE CPRA CHANGE THE CCPA?

The CPRA makes several significant changes to the CCPA:

  • It introduces the concept of “sensitive personal data”;
  • It introduces new obligations on businesses, and GDPR-style “principles”;
  • It introduces new rights for consumers; and
  • It creates a new supervisory authority for data protection and privacy in California — the California Privacy Protection Agency.

These changes are very significant – but do they represent a move closer to GDPR, or a move away?

Continue Reading California Privacy Rights Act: A Move Closer to GDPR? Part I

Did you miss our Dec. 15, 2020, webinar? Is it a holiday wish come true or just the CCPA dressed up in an ugly sweater? Naughty or nice, the CPRA is here. You can watch a replay of the webinar below.

Our festive webinar discusses California’s newest data privacy law, the California Privacy Rights and Enforcement Act of 2020 (CPRA). Passed by ballot initiative during this year’s general election, the CPRA expands and modifies the California Consumer Privacy Act in several significant ways. This webinar covers some of the key changes brought by the CPRA and steps businesses can take now to prepare for this new law.

Continue Reading Webinar Replay: Is it a holiday wish come true or just the CCPA dressed up in an ugly sweater? Naughty or nice, the CPRA is here.

The November 2020 election left a lot of questions.  Among them, companies doing business in California are now asking about compliance with yet another California data privacy law, this time the California Privacy Rights and Enforcement Act of 2020 (the “CPRA”).  This article gives an overview addressing the what, when, and how of the CPRA.  (We won’t hazard a guess as to the why—we leave that to the backers of the new law.)

What is the CPRA?

The CPRA builds on the California Consumer Privacy Act of 2018 (the “CCPA”) in a number of key ways.  It includes: new consumer rights, new requirements for businesses, and a number of other miscellaneous changes.  Some parts of the CCPA will remain in effect, and others are rephrased or clarified.  We provide below a high-level overview of topics we believe businesses should be thinking about now as they look ahead to building-out their CPRA compliance programs.

Continue Reading You’re CCPA Compliant. So Now What? Top Tips for Companies Looking Ahead to the Recently-Passed CPRA

FRENEMIES Podcast logo

The third season in Frenemies has been released — watch these episodes.

  • The One Where California Falls in Love With Privacy: The California Consumer Privacy Act in 10 Minutes (featuring Bethany Lukitsch and Justin Yedor)
  • The One Where “Sale” Doesn’t Mean What You Think: What Is a Sale and Why Does it Matter? (featuring Ali Baiardo)
  • The One Where We Are All Still Confused About California: What Is in the Regulations Anyway? (featuring Anthony Le and Neelam Takhar)
  • The One Where an Old Flame Stuck Around: Shine the Light vs. CCPA (featuring Justin Yedor)

Watch Videos

Tune in for other seasons in the series:

We hope these sessions help marketing and legal departments understand each other, work together, issue-spot, and maybe go from being frenemies to friends. Registration is not required and after release, each season will be available for binge watching from your office or your couch.

On November 9, 2020 the FTC entered into a consent agreement with Zoom Video Communications, Inc. to address concerns over the videoconferencing platform’s security practices. With the onset of the COVID-19 pandemic, the need for a reliable, online videoconferencing and meeting platform skyrocketed. Zoom met that need. It advertised its platform as a secure space with various safety measures to protect user data, including “end-to-end” 256-bit encryption. In short order, individuals, businesses, and organizations quickly flocked to the user-friendly communications platform; and, by the end of April 2020 Zoom’s user base was booming.

Then came a backlash of sorts. The FTC began investigating Zoom’s security practices, and private plaintiffs brought class-action lawsuits alleging violations of the California Consumer Privacy Act and failure to adhere to Zoom’s terms of service. The FTC’s complaint alleged several concerns with Zoom’s advertising and security promises, concluding that Zoom made misleading claims about the strength of its encryption and security of its platform that gave customers a false sense of security. The five-count complaint alleged that Zoom:

Continue Reading FTC “Zooms” Into Settlement Agreement with Communications Company Over Concerns with its Security Practices

The Department of Defense is rolling out new regulations over the next five years to set progressive steps toward mandatory cybersecurity certification for government contractors. The first set of requirements goes into effect Nov. 30.

Click here to learn what contractors must do now to ensure they are eligible for award of new contracts, task orders, delivery orders or option terms.