Enforcement - Federal Agency and State AG Action

On March 2, 2021, Governor Northam signed into law Virginia’s own Consumer Data Protection Act (“Virginia CDPA” or the “Act”), a bill that brings together concepts from the EU’s General Data Protection Regulation (GDPR) as well as the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA). It is the first of its kind legislation on the East Coast. The law will go into effect on January 1, 2023.

The drafters of the Virginia CDPA appear to have benefited from observing the pitfalls and problems that arose in the development and implementation of both GDPR and CCPA. The Virginia bill deftly avoids several of those by incorporating narrower, more tailored definitions that clearly exclude categories of data and businesses over which there was (and continues to be) some confusion with respect to both the EU/UK and California compliance regimes. It also adopts, in concept, the framework of the GDPR, and even some of its language. Like GDPR, it characterizes the party who initially collects and controls personal data as the “controller” and obligates that party to be a good steward of the data, through transparency with the consumer, accountability for sharing the data with third parties (“processors”), and a duty to implement appropriate data security to safeguard the data. It will be enforced by the Virginia Attorney General. Notably, there is no private right of action under the Act.


Continue Reading Virginia’s New Consumer Data Protection Act (CDPA)

The U.S. Department of Justice announced an indictment in the U.S. Attorney’s Office for the Central District of California against a North Korea-sponsored international cybercriminal organization that infiltrated public and private computer networks, fundamentally compromised these systems, and sought to obtain over a billion dollars from this illicit access.

Read the full article on our

This week, the FBI, the Cybersecurity and Infrastructure Security Agency, and the Department of the Treasury released a joint advisory report on HIDDEN COBRA — the cyber threat North Korea poses to cryptocurrency — and provided mitigation recommendations for addressing this ongoing threat.

Read our full article on our Subject to Inquiry blog for highlights

Did you miss our Dec. 15, 2020, webinar? Is it a holiday wish come true or just the CCPA dressed up in an ugly sweater? Naughty or nice, the CPRA is here. You can watch a replay of the webinar below.

Our festive webinar discusses California’s newest data privacy law, the California Privacy Rights and Enforcement Act of 2020 (CPRA). Passed by ballot initiative during this year’s general election, the CPRA expands and modifies the California Consumer Privacy Act in several significant ways. This webinar covers some of the key changes brought by the CPRA and steps businesses can take now to prepare for this new law.


Continue Reading Webinar Replay: Is it a holiday wish come true or just the CCPA dressed up in an ugly sweater? Naughty or nice, the CPRA is here.

The November 2020 election left a lot of questions.  Among them, companies doing business in California are now asking about compliance with yet another California data privacy law, this time the California Privacy Rights and Enforcement Act of 2020 (the “CPRA”).  This article gives an overview addressing the what, when, and how of the CPRA.  (We won’t hazard a guess as to the why—we leave that to the backers of the new law.)

What is the CPRA?

The CPRA builds on the California Consumer Privacy Act of 2018 (the “CCPA”) in a number of key ways.  It includes: new consumer rights, new requirements for businesses, and a number of other miscellaneous changes.  Some parts of the CCPA will remain in effect, and others are rephrased or clarified.  We provide below a high-level overview of topics we believe businesses should be thinking about now as they look ahead to building-out their CPRA compliance programs.


Continue Reading You’re CCPA Compliant. So Now What? Top Tips for Companies Looking Ahead to the Recently-Passed CPRA

On November 9, 2020 the FTC entered into a consent agreement with Zoom Video Communications, Inc. to address concerns over the videoconferencing platform’s security practices. With the onset of the COVID-19 pandemic, the need for a reliable, online videoconferencing and meeting platform skyrocketed. Zoom met that need. It advertised its platform as a secure space with various safety measures to protect user data, including “end-to-end” 256-bit encryption. In short order, individuals, businesses, and organizations quickly flocked to the user-friendly communications platform; and, by the end of April 2020 Zoom’s user base was booming.

Then came a backlash of sorts. The FTC began investigating Zoom’s security practices, and private plaintiffs brought class-action lawsuits alleging violations of the California Consumer Privacy Act and failure to adhere to Zoom’s terms of service. The FTC’s complaint alleged several concerns with Zoom’s advertising and security promises, concluding that Zoom made misleading claims about the strength of its encryption and security of its platform that gave customers a false sense of security. The five-count complaint alleged that Zoom:


Continue Reading FTC “Zooms” Into Settlement Agreement with Communications Company Over Concerns with its Security Practices

The Department of Defense is rolling out new regulations over the next five years to set progressive steps toward mandatory cybersecurity certification for government contractors. The first set of requirements goes into effect Nov. 30.

Click here to learn what contractors must do now to ensure they are eligible for award of new contracts, task

Did the U.S. Supreme Court ruling in Barr v. American Association of Political Consultants wipe out nearly five years of liability under the Telephone Consumer Protection Act? One district court answered yes. Does the TCPA apply to text messages? An amicus brief in another case headed to the Supreme Court argued no.

For analysis of

Monetary penalties are the attention-grabbing headline when the FTC or any regulator brings an enforcement action against a company.  They are the looming threat to incentivize and influence compliance.  Over the summer, FTC Chairman Joseph J. Simons (“Chairman Simons”) issued a statement in connection with a settlement that Chairman Simons believes “the goal of a civil penalty should be to make compliance more attractive than violation.  Said another way, violation should not be more profitable than compliance.”

Continue Reading FTC Fines: FTC Chairman Reminds Companies That Fines Are the FTC’s Strategic Tool To Deter Noncompliance

On September 17, 2020, four Republican Senators (Roger Wicker – Mississippi, Chairman, John Thune – South Dakota, Deb Fischer – Nebraska, and Marsha Blackburn – Tennessee) introduced sweeping federal privacy legislation entitled: Setting an American Framework to Ensure Data Access, Transparency, and Accountability (“SAFE DATA”) Act. This proposed comprehensive national privacy law has three main components:

  1. Provides consumers with more choice and control over their data
  2. Directs business to be more transparent and accountable
  3. Strengthens the FTC’s enforcement power


Continue Reading Federal Data Privacy Legislation: Will it Help the US Remain Competitive in the Global Marketplace?