Earlier this year, several pieces of privacy related legislation pending in the 2020 General Assembly session were referred by a standing committee of the Virginia House of Delegates to the Joint Commission on Technology and Science (JCOTS) for study outside of the regular legislative session.  JCOTS has taken its first steps toward establishing study committees to look at several issues prior to the 2021 regular legislative session.

Specifically, JCOTS established the following study committees:

  • Data Protection & Privacy Advisory Committee
  • Children’s Online Protection Advisory Committee
  • Facial Recognition within Law Enforcement Advisory Committee


Continue Reading Virginia Legislative Commission Set to Begin Look at Data Protection, Privacy and Children’s Online Privacy Protection Issues

Artificial intelligence (AI) refers to the ability of a computer or a computer-enabled robotic system to process information and produce outcomes in a manner similar to the thought processes of humans in learning, decision making and problem solving.  As a result of rapid advances in AI, pre-pandemic, McKinsey Global Institute estimated that between 75 and 375 million people around the world will need to change jobs or acquire new skills by 2030.  AI both holds promise of innovation and disruption, as does the legal framework that is developing to rein in its risks without hindering its progress.

In May 2019, the US Government joined the OECD (Organisation for Economic Co-operation and Development) in setting forth principles to improve the innovation and trustworthy development and application of AI.  At the same time, the bipartisan Artificial Intelligence Initiative Act (AIIA) was introduced in the US Senate to organize a national strategy for developing AI and provide a $2.2 billion federal investment over five years to build an AI-ready workforce, accelerating the delivery of AI applications from government agencies, academia, and the private sector over the next 10 years.


Continue Reading The Evolving World of AI

Does your phone immediately unlock for use after you glance at it?  Have you visited your favorite social media platform only to find that you have been tagged in dozens of pictures?  Or how about that time you scanned your fingerprints or eyes to open your phone, gain admittance to a theme park, or pass through airport security?  These features all involve biometrics technology—the latest trend and high-growth area of technology used to help organizations provide consumers with a more effortless and interactive experience in exchange for personal information about your physical or behavioral attributes.  Companies should be mindful in collecting this data and how they use and store that information.

Biometrics include facial, fingerprint, iris, gestures, and voice recognition.  While biometrics technology is becoming more ubiquitous in daily life and being employed by more governmental agencies and service providers, new privacy considerations will continue to emerge as a result of the pieces of personal information shared by consumers to increase convenience.


Continue Reading As Biometrics Technology Permeates Everyday Life, What Laws Should Companies Be Aware Of?

If you’re like us, you’ve been anticipating an announcement from the California Attorney General about the types of companies it targeted in its initial enforcement of the California Consumer Privacy Act (the “CCPA”), the types of violations the AG is interested in, and the types of arguments it is making in enforcing the Act.  While official word from the AG is unlikely before the end of the 30-day cure period following its initial notice letters, a member of the AG’s office did confirm during a recent panel discussion that the AG sent out those letters on July 1, 2020.

The statement was part of a fascinating and informative panel put on by the International Association of Privacy Professionals (“IAPP”).  It featured Stacey Schesser, Supervising Deputy Attorney General for the State of California and part of a multi-member team of attorneys in the AG’s office charged with enforcing the CCPA.  A recording is available on the IAPP’s website, and we encourage you to check it out if you’re a member.  In terms of the details gleaned from Ms. Schesser’s comments, here is what we know about the AG’s enforcement of the CCPA to-date:


Continue Reading California Attorney General CCPA Enforcement—Make Sure You Pay Attention to What Customers Are Saying on Twitter

Update: On the evening of June 24, 2020—the same date we published the post below and the day before the original deadline for verification of signatures—the Secretary of State announced that the CPRA reached the signature verification threshold and qualified for the fall 2020 ballot.  While the Mactaggart lawsuit will now be a mere footnote in the history of the CPRA, any way you look at it, this was a successful week for Californians for Consumer Privacy.

On June 19, 2020, the Superior Court for Sacramento County, California issued a ruling providing relief to the promoters of the California Privacy Rights Act ballot initiative (the “CPRA”).  We wrote here about the potential problem with the timing of the signature verification process required for the CPRA to qualify for the Fall 2020 ballot, but that issue now appears to be resolved.

The specifics are to be ironed out in a further order to be jointly proposed by the parties, but suffice it to say that the procedural issue with the timing of signature verification will not prevent the CPRA from appearing on the Fall 2020 ballot.  For now, the Court ordered as follows:


Continue Reading CPRA Back on Track Following Court Order

On May 14, California Secretary of State Alex Padilla announced that the California Privacy Rights Act of 2020 (the “CPRA”) had obtained sufficient raw signatures to qualify for the November 3, 2020 ballot.  Those signatures are currently being verified by the counties in which they were obtained.  However, based on a complaint filed June 8 by Alastair Mactaggart and other members of Californians for Consumer Privacy—the proponents of the CPRA—it appears that the verification process may not be completed in time for the CPRA to appear on the ballot this Fall.

The lawsuit, Alastair Mactaggart, et al. v. Padilla, filed in Sacramento County Superior Court, alleges that Secretary of State Padilla failed to adhere to a provision of the California Elections Code requiring his office to “immediately” notify county officials to begin the verification process upon receipt of a sufficient number of raw signatures.  Here is a brief timeline of the events alleged in the Complaint:


Continue Reading A Day Late, but Will it Fall Short? CPRA Ballot Initiative May Not Appear on Fall Ballot

On June 1, 2020, the California Attorney General submitted the final text of the CCPA Regulations to the California Office of Administrative Law (the “OAL”).  This was the last step the AG needed to take before the Regulations become enforceable.  But whether enforcement will still start on July 1, 2020 as set forth in the CCPA remains uncertain.

What does this mean for the timing of CCPA enforcement?

Some have questioned whether the AG’s delay in submitting the Regulations following the end of the last comment period in March signaled an intent by the AG to delay enforcement of the CCPA.  So far, however, there is no indication of any intended delay in either the AG’s press announcement regarding submission of the Final Regulations or his prior comments reiterating his intention to keep enforcement on track despite COVID-19.  Indeed, the AG requested expedited review of the Regulations by OAL in order to meet the July 1 deadline.


Continue Reading AG Submits Final CCPA Regulations—Is Enforcement Still on Track for July 1, 2020?

Two weeks ago we wrote about proposed legislation, The COVID-19 Consumer Data Protection Act of 2020 (“CCDPA”), introduced by a group of senior Republican senators, which was designed to address privacy issues arising in the wake of the COVID-19 pandemic.  In response, senior Democratic members of the Senate and House of Representatives introduced their own framework for protecting the privacy of individuals in light of the development of tools for tracking and containing the spread of the virus.

The Public Health Emergency Privacy Act

Senators Richard Blumenthal (D-CT) (Ranking Member of the Senate Commerce Committee’s Manufacturing, Trade and Consumer Protection Subcommittee) and Mark Warner (D-VA) (Vice Chairman of the Senate Intelligence Committee) lead a bicameral group of 10 lawmakers on a Democratic version of federal consumer privacy legislation as it relates to the coronavirus pandemic.  The Public Health Emergency Privacy Act (the “PHEPA”), introduced on May 14, seeks to give individuals protection and control over their covered health data by adopting an express affirmative consent regime, along with enumerated requirements for businesses. For a helpful summary of the key similarities and differences between the PHEPA and the CCDPA, please see the Chamber Technology Engagement Center’s (C_TEC) COVID-19 Privacy Bill Comparison Chart.


Continue Reading Privacy vs. Containment, Part 2: The Democratic Answer to a Framework for Federal Privacy Legislation on COVID-19

Since the outbreak of COVID-19, the U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) has issued various notifications of enforcement discretion related to compliance with the Health Insurance Portability and Accountability Act of 1996 and its implementing regulations, discussed previously. However, OCR issued guidance on May 5, 2020, reminding covered healthcare providers that the HIPAA Privacy Rule remains in force during the COVID-19 public health crisis except as expressly relaxed under OCR’s prior guidance. Specifically, OCR’s most recent guidance addresses the disclosure of patient protected health information (PHI) to the media by allowing the media to film patients in facilities where PHI is accessible.

Continue Reading OCR Warns Providers and Media: Patient Privacy Remains Protected Despite Pandemic

On March 11th, 2020, Virginia Governor Northam signed the Insurance Data Security Act (the “Act”) — HB 1334 — imposing requirements on all entities regulated by the Virginia Bureau of Insurance (“BOI” or the “Bureau”) to:

  • maintain an information security program,
  • investigate all cybersecurity events,
  • notify the Commissioner of Insurance of cybersecurity events, and
  • notify consumers affected by cybersecurity events.


Continue Reading The Virginia Insurance Data Security Act – What You Need to Know