On April 12, an Oregon federal jury in Wakefield v. Visalus, Case No. 3:15-cv-01857-SI, handed down what may turn out to be the largest Telephone Consumer Protection Act (TCPA) class action verdict ever awarded.

Health supplement marketer ViSalus, a lifestyle products company, was charged with making more than 1.8 million autodialed calls in violation of the TCPA. The court certified a class of 800,000 members. Although the jury did not assess a monetary award, the court will award statutory penalties pursuant to the TCPA, which prescribes up to $500 per violation and $1500 per willful violation. The total penalty could reach almost $1 billion, and if the court finds willfulness, this award could conceivably be tripled.

Last week, the IAPP hosted its annual Global Privacy Summit in Washington, D.C.  This year’s summit was the IAPP’s largest event, with more than 4,000 attendees from around the world.  From day 1, it was clear that the summit was heavily focused on the California Consumer Privacy Act of 2018 (CCPA), with many of the conferences covering the CCPA’s nuances, and tech vendors, legal professionals, and consultants offering compliance solutions for this new law.

On April 16, the SEC’s Office of Compliance Inspections and Examinations (OCIE) issued a Risk Alert highlighting Regulation S-P compliance deficiencies and issues it found in recent examinations of broker-dealers and investment advisers.  Regulation S-P is the primary SEC rule detailing the safeguards these firms must take to protect customer privacy.  The Risk Alert provides an important reminder for firms to assess their supervisory and compliance programs related to Regulation S-P and make any necessary changes to strengthen those systems.  Indeed, in light of the substantial fines that can accompany a finding that Regulation S-P has been violated, firms must pay careful attention to the OCIE’s guidance regarding potential pitfalls.

Proposed Bill Makes Dramatic Changes To North Carolina Security Breach Notification Law

Some of the proposed changes include:

  • Businesses would have to “[i]mplement and maintain reasonable security procedures and practices, appropriate to the nature of the personal information and the size, complexity, and capabilities of the business.”;
  • Businesses would be required to offer at least two years of free credit monitoring; and
  • The current “without unreasonable delay” standard for breach notification would be replaced with “as soon as practicable, but not later than thirty (30) days after discovery of the breach or reason to believe a breach has ”

A copy of the bill can be found here.

24 Tech Companies Support CCPA amendment

According to the DuckDuckGo Blog, 24 different tech companies have written a letter in support of the CCPA amendment. The blog states, “CCPA is set to take effect in 2020 and is without a doubt a major advancement in individual privacy rights for Americans. As an Internet privacy company that empowers users to take control of personal information, we support the law. And we want to see it become even better.” A copy of the letter can be found here.

What is this bill?  A new bill introduced in the U.S. Senate on March 14, 2019 would require companies to obtain explicit user consent before facial recognition data could be collected and shared. The bill is known as the Commercial Facial Recognition Privacy Act of 2019, and was introduced by Sens. Brian Schatz, D-Hawaii, and Roy Blunt, R-Missouri.

What does the bill prohibit?  The bill makes it unlawful for any covered entity to knowingly use facial recognition technology to collect facial recognition data, UNLESS the covered entity obtains explicit consent from the individual after providing notice to such individuals. The bill would also require that covered entities notify individuals whenever their facial recognition data is used or collected.

FTC Seeks Comment on Proposed Amendments to Safeguards and Privacy Rules

The FTC is seeking comment on proposed changes to the Safeguards Rule and the Privacy Rule under the Gramm-Leach-Bliley Act. The Safeguards Rule requires a financial institution to maintain a comprehensive information security program. The Privacy Rule requires a financial institution to inform customers

On January 25, 2019, the Illinois Supreme Court issued a highly anticipated ruling in the Rosenbach v. Six Flags case regarding enforcement of the Illinois Biometric Information Privacy Act, 740 ILCS 14/1, et seq. (BIPA or the Act).  In its unanimous ruling, the Court held that a procedural violation of the Act, even absent a showing of actual injury, is sufficient to confer standing to sue for a BIPA violation.

This means that an employer who, for example, uses employee fingerprint data for timekeeping purposes could be on the hook for a BIPA violation for failure to follow the comprehensive notice-and-consent rules set forth in the Act.

Whether the Rosenbach ruling will trigger a spike in biometric privacy litigation against private employers remains to be seen.  For now, understanding BIPA and key compliance principles can help employers mitigate some of the risks inherent in collecting employee biometric data.

On 7 February 2019, the German competition law regulator, the Federal Cartel Office (FCO), concluded a lengthy investigation into Facebook.  It found that the company abused its dominant market position by making the use of its social network conditional on the collection of user data from multiple sources.

The FCO’s probe into Facebook is one of the first cases in the EU concerning the intersection between the EU’s new data privacy laws (contained in the General Data Protection Regulation or GDPR) and competition law. The abuse finding under German competition law (which is broadly the same as the pan-EU competition law in this regard) relied on what was, according to the FCO, a breach of EU data protection law.

On February 26, 2019, the Daily Journal hosted its annual Cyber Forum in Beverly Hills, California.  The event, entitled “A California Perspective from the Epicenter of Data Security and Privacy,” focused primarily on the California Consumer Privacy Act of 2018 (CCPA) and federal law enforcement’s approach to data breach investigations.

At Password Protected we strive to inform readers of recent developments in data privacy law.  While the California Consumer Privacy Act (CCPA) is forcing new changes to data privacy policies, procedures and practices, we want to remind you of an older California data privacy statute, called the Shine the Light Law (STL), which still remains in effect following passage of the CCPA.  The STL may have fallen by the wayside in your compliance program with all the fervor surrounding the CCPA, and before that, the European Union’s General Data Protection Regulation.  However, with a significant uptick in STL class action lawsuits in California, we felt it was noteworthy to bring this to your attention.