The Supreme Court ruled, at the end of June, that acquiring cell-site location information (data that tracks cell phone users' movements) constitutes a search under the Fourth Amendment. Writing for a 5-4 majority in Carpenter v. United States, Chief Justice Roberts addressed law enforcement's warrantless acquisition of over 12,000 cell-site location points recorded by the defendant's phone, which allowed nearly minute-by-minute reconstruction of his past movements. Previously, police needed only to show that the records were reasonably relevant to their investigation. Under the Court's opinion, access to cell-site records will now require a warrant supported by probable cause, a higher burden of proof than before, together with individualized suspicion that the data's owner committed a crime.
June 28, 2018 will be a watershed day in the history of U.S. data privacy legislation. California has become the first state to break from the piecemeal U.S. approach to legislating data privacy. Yesterday, both houses of the legislature passed, and Governor Brown signed into law, the California Consumer Privacy Act of 2018.
Earlier we wrote about the effort to pass California Privacy Ballot Initiative No. 17-0039 (the "Ballot Initiative"), which would have appeared on the November 6, 2018 ballot. The Ballot Initiative would have given consumers broad rights regarding their personal information, including the right to learn to whom their personal information is disclosed or sold, and would have prohibited businesses from discriminating against consumers who exercise their rights under the act, including the right to opt out of the sale of their personal information. Further, the Ballot Initiative would have given consumers a private right of action to sue a business that experienced a security breach and had failed to implement reasonable security procedures, with statutory damages of $1,000, increasing to $3,000 for willful violations.
Recently, a new bill was signed by Colorado Governor John Hickenlooper, creating far-reaching new requirements for entities that collect or maintain personal identifying information of Colorado residents. These requirements, which create one of the strictest state-based privacy and data breach laws in the country, go into effect September 1, 2018. The Colorado Attorney General's office led part of the effort to pass the new law, making enforcement a likely priority.
The new law requires organizations to maintain a policy for disposing of documents containing consumer data and to notify Colorado residents of any potential exposure of their personal information no later than 30 days after discovering a data breach. The 30-day notification window provides no specific exemptions (such as for entities already subject to HIPAA) and is the shortest of any U.S. state.
A challenge to the use of cy pres charitable donations to settle privacy claims against Google will be heard by the Supreme Court. In Frank v. Gaos, petitioners seek reversal of lower court decisions that rejected their objection to an $8.5 million settlement of claims arising from Google's transmission of users' search terms to third-party websites. Because the settlement amount could not feasibly be distributed to the estimated 129 million class members, the settlement called for Google to pay the proceeds, less class counsel fees, to certain privacy-related charities. The trial court awarded 25% of the settlement, or $2.125 million, to class counsel; the balance went to the charities. The petitioners' objections to the settlement were overruled.
Uber Technologies, Inc. ("Uber") has agreed to an expansion of its initial August 2017 proposed consent agreement with the Federal Trade Commission ("FTC") following revelations of an additional security breach in October 2016. Uber knew about that breach but did not disclose it until November 2017, after it had settled over its initial May 2014 breach. The second breach occurred in the middle of the FTC's nonpublic investigation into Uber's security practices arising from the first breach; nevertheless, Uber failed to disclose it. Both breaches resulted from Uber's lax security practices, and Acting FTC Chairman Maureen K. Ohlhausen described them as "strikingly similar." In light of the new information, the FTC withdrew the original proposed settlement reached after the May 2014 breach, expanded its terms, and warned that Uber could face fines for future incidents. In an effort by new CEO Dara Khosrowshahi to set a new tone for the company, Uber agreed to the revised terms on April 12. Read more in our post, Failure to Signal: Uber Forced to Accept Expanded Settlement after Concealing Security Breach from FTC.
Facebook has recently chosen to stop funding opposition to the California Consumer Privacy Act, which could appear on the California state ballot as an initiated state statute on November 6, 2018. According to the petition summary, the potential statute:
Gives consumers right to learn categories of personal information that businesses collect, sell, or disclose about them, and to whom information is sold or disclosed. Gives consumers right to prevent businesses from selling or disclosing their personal information. Prohibits businesses from discriminating against consumers who exercise these rights. Allows consumers to sue businesses for security breaches of consumers’ data, even if consumers cannot prove injury. Allows for enforcement by consumers, whistleblowers, or public agencies. Imposes civil penalties. Applies to online and brick-and-mortar businesses that meet specific criteria.
We've discussed privacy compliance with regulations, legal requirements, and the like in this space since this blog's inception. "Privacy by design," while not a new concept, is certainly enjoying a new spot in the sunshine thanks to the European Union's General Data Protection Regulation ("GDPR") (93 days and counting…) and its codification of "privacy by design and default" in Article 25.
Privacy can also be a key differentiator and a competitive advantage. Our post How to Leverage Privacy as a Key Competitive Advantage offers some points that can help drive your data privacy and data management program.
Biometric data is a hotbed of activity these days. We’ve discussed the frenetic pace at which class actions are being filed in Illinois under the Biometric Information Privacy Act. Today, Brian Lam wrote in our sister blog, Sports Law Matters, about the issues surrounding the increasing use of biometric data in sports to track just about everything.
Since last September, the Mintz Levin Privacy Webinar Series has focused on the upcoming EU General Data Protection Regulation (GDPR) to help businesses understand the reach and scope of the GDPR and prepare for this potentially game-changing privacy regulation. The GDPR will affect how US businesses handle and process personal data originating in the EU and may require changes to business processes.
EU Data Protection GDPR for Life Sciences (3/14/2018)
This webinar, the ninth in our EU General Data Protection Regulation Series, focuses on topics that are vital to life sciences companies seeking to come into compliance, including handling clinical study data, other scientific research, CRO and other contractor agreements, and transferring personal data outside of the EU.
Getting Your Contracts Ready for GDPR (11/16/2017)
This webinar, the eighth in our EU General Data Protection Regulation Series, reviews the GDPR’s express contract requirements and discusses additional matters that you may want to address in your contracts.
This webinar, the seventh in our EU General Data Protection Regulation Series, reviews current options for transferring personal data, including under Privacy Shield, and previews the new landscape under GDPR.
This webinar, the sixth in our EU General Data Protection Regulation Series, considers companies’ obligations to give individuals access to their data and to correct or erase it. We explore the new data portability requirements. The webinar concludes with some suggestions on how to make these requirements less burdensome.
Transferring Data from the EU (1/12/2017)
This webinar, the fifth in our EU General Data Protection Regulation Series, explores the ways in which the Regulation creates new avenues for data transfers, and narrows others. In particular, we consider sector-specific Commission decisions, privacy seals/certifications, the exception for non-repetitive, limited transfers, and the outlook for BCRs and Model Clauses.
Data Protection Officers: Do You Need One? (12/15/2016)
This webinar, the fourth in our EU General Data Protection Regulation Series, examines the criteria that dictate whether or not your organization needs to appoint a Data Protection Officer. We discuss the role of the DPO, the significance of the “independence” requirement, and the qualifications required to hold the position.
Good-bye to the Cure-all: The New Rules on Consent (11/10/2016)
This webinar, the second in our EU General Data Protection Regulation Series, focuses on the data security and accountability requirements of the Regulation, including reviews and documentation of internal policies and procedures and data impact assessments. We also explore the breach notification requirements and actions that companies can take in advance to mitigate the need for breach notification.
This webinar, the first in our EU General Data Protection Regulation Series, explains the powers and role of the new European Data Protection Board, how a “lead supervisory authority” will be designated for each controller, and how the lead supervisory authority will interact with other interested supervisory authorities. We also look at the complaint process from the point of view of the individual who is claiming a violation, and explore the likely role that will be played by public interest organizations bringing group complaints.
The clock is ticking down to May 25, 2018, the date on which the European Union's General Data Protection Regulation (GDPR) becomes applicable. The GDPR is likely to be a game-changer for US companies doing business with the European Union, and many are racing against the clock to figure out exactly what their compliance obligations are.
We are presenting an in-person seminar in three cities to help make sure your company is on the right course to GDPR compliance.
Join us in Boston, New York, or Washington, DC for a look at GDPR Essentials and GDPR Hot Topics. Register here.
Mintz Levin is an approved CLE provider and this seminar is accredited in California and New York. We are also approved by the International Association of Privacy Professionals for IAPP CPE credit.