Privacy & Information Security Law Blog

Earlier this year, The Retail Equation, a loss prevention service provider, and Sephora were hit with a class action lawsuit in which the plaintiff claimed Sephora improperly shared consumer data with The Retail Equation without consumers’ knowledge or consent. The plaintiff claimed The Retail Equation did so to generate risk scores that allegedly were “used as a pretext to advise Sephora that attempted product returns and exchanges are fraudulent and abusive.”

Texas Attorney General Ken Paxton is investigating Facebook Inc. (“Facebook”) for alleged violations of the Texas Business and Commercial Code, which contains provisions governing the collection, retention and disclosure of biometric data. As we previously reported, Facebook recently reached a $650 million settlement for alleged violations of Illinois’ Biometric Information Privacy Act for their use of facial recognition software without permission from affected users.

On Wednesday, July 22, the New York Department of Financial Services (the “NYDFS”) announced that it had filed administrative charges against First American Title Insurance Co. under the NYDFS Cybersecurity Regulation, marking the agency’s first enforcement action since the rules went into effect in March 2017.

On June 24, 2020, the Washington State Attorney General (“Washington AG”) announced that it had settled an enforcement action against the owners of the “We Heart It” social media platform for alleged violations of the Children’s Online Privacy Protection Act (“COPPA”) and the Washington State Consumer Protection Act. Under the consent decree, the defendants must pay $100,000, with an additional $400,000 suspended contingent upon compliance with the consent decree.

On July 1, 2020, the California Consumer Privacy Act of 2018 (“CCPA”) became enforceable by the California Attorney General. Under the statute, businesses are granted 30 days to cure any alleged violations of the law after being notified of alleged noncompliance. If a business fails to cure the alleged violation, it may be subject to an injunction and liable for a civil penalty of up to $2,500 for each violation or $7,500 for each intentional violation.

According to a memorandum issued by the California Secretary of State on June 24, 2020, the California Privacy Rights Act (“CPRA”) has garnered enough signatures to be placed on the State’s General Election ballot this November 3, 2020. As we previously reported, the CPRA would amend the California Consumer Privacy Act of 2018 (“CCPA”) to create new and additional privacy rights and obligations in California. According to early polling by Californians for Consumer Privacy (the group behind the CPRA), nine in 10 Californians would vote to support a ballot measure ...

On July 1, 2020, amendments to Vermont’s data breach notification law, signed into law earlier this year, will take effect along with Vermont’s new student privacy law.

On June 11, 2020, the California Senate amended AB-713 to the California Consumer Privacy Act of 2018 (“CCPA”). The Senate’s recent amendments impose new contractual obligations on the use or sale of de-identified information and modify the exemption from the CCPA for information used for public health purposes. The California Assembly had originally passed AB-713 in 2019 to (1) explicitly carve out from coverage by the CCPA information de-identified pursuant to the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) Privacy Rule, and (2) expand the CCPA exemption for information used for research purposes. AB-713 is intended to “preserv[e] access to information needed to conduct important health-related research that will benefit Californians.” The revised version of AB-713 containing the Senate’s recent amendments has not yet passed either house of the California legislature.

On June 1, 2020, the Office of the California Attorney General submitted the final California Consumer Privacy Act (“CCPA”) proposed regulations to the California Office of Administrative Law (“OAL”). Notably, the final proposed regulations are the same as the draft issued in March. The OAL must review the rulemaking package for procedural compliance with California’s Administrative Procedure Act. The OAL’s typical 30-day review period has been extended by 60 calendar days under an executive order related to the COVID-19 pandemic. Assuming OAL approves the regulations, the final text will be filed with the Secretary of State.

In a “Ten Years Hence” speaker series hosted by the University of Notre Dame, Lisa Sotto, Chair of Hunton Andrews Kurth’s global Privacy and Cybersecurity practice, highlights why privacy and cybersecurity will remain relevant issues now and for decades to come in a lecture on Privacy and Cybersecurity: The New Frontier.

On May 4, 2020, Californians for Consumer Privacy (the group behind the ballot initiative that inspired the California Consumer Privacy Act of 2018 (“CCPA”)) announced that it had collected over 900,000 signatures to qualify the California Privacy Rights Act (“CPRA”) for the November 2020 ballot. The group announced that it was taking steps to submit the CPRA for inclusion on the November ballot in counties across California. The CPRA would amend the CCPA to create new and additional privacy rights and obligations in California, including the following:

California Attorney General (“AG”) Xavier Becerra recently issued an alert emphasizing the rights of California consumers under the California Consumer Privacy Act (“CCPA”) during the COVID-19 pandemic. The alert follows media reports that the AG’s office is “committed to enforcing the law upon finalizing the rules or [by] July 1, whichever comes first,” even with the “new reality created by COVID-19.”

On April 2, 2020, Hunton Andrews Kurth LLP will host a webinar on the California Consumer Privacy Act (“CCPA”): The CCPA Is Here—Are You Litigation-Ready? Most companies have now developed a framework for compliance with the CCPA. Having a compliance program in place is critical, and that includes preparing for the inevitable onslaught of class action litigation that is coming.

On March 18, 2020, Washington Governor Jay Inslee signed into law a bill amending Washington State’s Agency Breach Notification Law (“Agency Breach Law”). The Agency Breach Law applies to all state and local agencies, including state and municipal offices, departments, bureaus and commissions.

On March 21, 2020, the data security provisions of New York’s Stop Hacks and Improve Electronic Data Security Act (“SHIELD Act”) went into effect. The SHIELD Act requires any person or business owning or licensing computerized data that includes the private information of a resident of New York (“covered business”) to implement and maintain reasonable safeguards to protect the security, confidentiality and integrity of the private information.

On March 12, 2020, the Washington State Legislature passed SB 6280, which establishes safeguards for the use of facial recognition technology by state and local government agencies. Its stated goal is to allow the use of facial recognition services in ways that benefit society, but prohibit uses that put freedoms and civil liberties at risk.

On March 10, 2020, the Vermont Attorney General filed a lawsuit against Clearview AI (“Clearview”), alleging that Clearview violated Vermont’s consumer protection law and data broker law. We previously reported on Vermont’s data broker law, which was the first data broker legislation in the U.S.

Hunton’s Centre for Information Policy Leadership (“CIPL”) reports on the top privacy-related priorities for this year:

1.  Global Convergence and Interoperability between Privacy Regimes

Around the world, new privacy laws are coming into force and outdated laws continue to be updated: the EU General Data Protection Regulation (“GDPR”), Brazil’s Lei Geral de Proteção de Dados Pessoais (“LGPD”), Thailand’s Personal Data Protection Act, India’s and Indonesia’s proposed bills, California’s Consumer Privacy Act (“CCPA”), and the various efforts in the rest of the United States at the federal and state levels. This proliferation of privacy laws is bound to continue.

As reported by Bloomberg Law, on March 12, 2020, the Washington House and Senate were unable to reach consensus on the Washington Privacy Act.  As we reported this January, lawmakers in Washington state introduced a new version of the Washington Privacy Act, a comprehensive data privacy bill.  In the past two months, the much-discussed bill flew through the Washington Senate and House, but ultimately failed to pass.

The bill’s House version would have provided for a private right of action while the bill’s Senate version would have given sole enforcement authority to the state ...

On March 11, 2020, the California Attorney General (“AG”) issued a second set of modified draft regulations implementing the California Consumer Privacy Act of 2018 (“CCPA”). The AG has provided a redline to the initial modified draft regulations about which we previously reported. According to the AG’s website, the second set of modified draft regulations are subject to another public comment period. The deadline to submit written comments is March 27, 2020, at 5:00 p.m. (PST).

On February 10, 2020, the California Attorney General issued a slightly revised version of the modified draft regulations implementing the California Consumer Privacy Act of 2018, having omitted a revision in Section 999.317(g) from the version published on February 7, 2020. The deadline to submit written comments has been extended to February 25, 2020, at 5:00 p.m. (PST).

On February 7, 2020, the California Attorney General (“AG”) issued modified draft regulations implementing the California Consumer Privacy Act of 2018 (“CCPA”). The AG has provided a redline to the initial draft regulations about which we previously reported.  According to the AG’s website, the modified draft regulations are subject to another public comment period. The deadline to submit written comments is February 24, 2020, at 5:00 p.m. (PST).

At this point, most companies doing business in California are aware of the California Consumer Privacy Act (“CCPA”), and most have been bracing for the eventual onslaught of class action litigation to follow its passage.

Facebook disclosed on January 29, 2020, that it has agreed to pay $550,000,000 to resolve a biometric privacy class action filed by Illinois users under the Biometric Information Privacy Act (“BIPA”). BIPA is an Illinois law enacted in 2008 that governs the collection, use, sharing, protection and retention of biometric information. In recent years, numerous class action lawsuits have been filed under BIPA seeking statutory damages ranging from $1,000 per negligent violation to $5,000 per reckless or intentional violation.

On January 16, 2020, the Senate approved the United States-Mexico-Canada Agreement (“USMCA”), sending it to the President’s desk for ratification. Mexico ratified the Agreement in June 2019, and Canada is expected to follow suit later this month. To coincide with its ratification, the Centre for Information Policy Leadership (“CIPL”) at Hunton Andrews Kurth issued a white paper entitled What Does the USMCA Mean for a U.S. Federal Privacy Law?

On January 13, 2020, lawmakers in Washington state introduced a new version of the Washington Privacy Act, a comprehensive data privacy bill, in both the state Senate and House of Representatives. It would apply to companies conducting business in Washington or who provide products or services to Washington residents.

2019 was the “Year of the CCPA” as companies around the world worked tirelessly to comply with the California Consumer Privacy Act of 2018 (“CCPA”). The CCPA aims to provide data privacy rights for California residents and imposes significant new requirements on covered businesses.

Though all may be quiet on New Year’s Day, January 1, 2020, is the compliance date for the California Consumer Privacy Act of 2018 (“CCPA”). On the cusp of a new decade, we enter a new era of privacy rights.

The CCPA is now in effect, but the California Attorney General cannot begin enforcement until July 1, 2020. We want to congratulate everyone on their hard work this past year and a half.

If you watched the ball drop in New York City last night, we hope you can say that you didn’t drop the ball on CCPA compliance. They say hindsight is always 20/20. CCPA compliance can be your New Year’s ...

On October 11, 2019, California Governor Gavin Newsom signed into law AB 1130, which expands the types of personal information covered by California’s breach notification law to include, when compromised in combination with an individual’s name: (1) additional government identifiers, such as tax identification number, passport number, military identification number, or other unique identification number issued on a government document commonly used to verify the identity of a specific individual; and (2) biometric data generated from measurements or technical analysis of human body characteristics (e.g., fingerprint, retina, or iris image) used to authenticate a specific individual. Biometric data does not include a physical or digital photograph unless used or stored for facial recognition purposes.

On October 11, 2019, California Governor Gavin Newsom announced that he signed all five of the California Legislature’s September 2019 amendments to the California Consumer Privacy Act of 2018 (“CCPA”) into law: AB-25, AB-874, AB-1146, AB-1355 and AB-1564. The Governor had until October 13, 2019, to sign or veto the amendments, which were passed at the end of the Legislature’s 2019 legislative session. This news came just a day after California Attorney General Xavier Becerra released proposed regulations implementing the CCPA.

On October 10, 2019, the California Attorney General (“AG”) announced Proposed Regulations implementing the California Consumer Privacy Act of 2018 (“CCPA”). Along with a Notice of Proposed Rulemaking Action and the Text of Proposed Regulations, the AG issued an Initial Statement of Reasons elaborating on the purposes of the proposed regulations.

On September 24, 2019, Alastair Mactaggart, drafter of the 2018 California ballot initiative that served as the basis for the California Consumer Privacy Act of 2018 (“CCPA”), announced that he is filing a new initiative for California’s November 2020 ballot, the California Privacy Enforcement Act (“CPEA”).

On September 20, 2019, Bloomberg Law reported that California Attorney General Xavier Becerra anticipates that draft regulations implementing the California Consumer Privacy Act of 2018 (“CCPA”) will be published this October. According to Bloomberg’s reporting, the Attorney General aims to issue final regulations by January 1, 2020, the CCPA’s compliance deadline. Under the CCPA, the Attorney General may begin enforcement of the law six months after the publication of final regulations or July 1, 2020, whichever is sooner ...

California marked the end of the 2019 legislative session this past Friday, September 13, by passing five out of six pending bills to amend the California Consumer Privacy Act of 2018 (“CCPA”). The bills – AB-25, AB-874, AB-1146, AB-1355 and AB-1564 – now head to California Governor Newsom’s desk for signature, which must occur by October 13 for the bills to be signed into law. The only pending bill not to pass was AB-846, which would have addressed the law’s application to customer loyalty programs; it was ordered to the inactive file at the request of Senator Jackson.

There are six bills pending before the California legislature that would amend the California Consumer Privacy Act of 2018 (“CCPA”). These bills could significantly alter the law’s application and associated compliance obligations, including with respect to HR data, B2B customer data, loyalty programs and the definition of “personal information.” As of September 12, three bills have passed out of the California Senate and are pending before the Assembly for a concurring vote: AB 874, AB 1146 and AB 1564. The California legislature must vote on all pending CCPA ...

On August 29, 2019, the Maryland Insurance Administration issued new breach notification requirements for entities that provide health insurance or related services. The new requirements will apply to insurers, non-profit health plans, HMOs, third-party administrators, and certain other managed care entities. The new rules will take effect on October 1, 2019.

On August 2, 2019, New Hampshire Governor Chris Sununu signed into law SB 194 (the “Bill”), which requires insurers licensed in the state (“licensees”) to put in place data security programs and report cybersecurity events. Although the Bill takes effect January 1, 2020, licensees have one year from the effective date to implement relevant cybersecurity requirements and two years from the effective date to ensure that their third-party vendors also implement appropriate safeguards to protect and secure the information systems and nonpublic information accessible to, or held by, the third-party service providers.

On July 25, 2019, New York Governor Andrew Cuomo signed into law Senate Bill S5575B (the “Bill”), an amendment to New York’s breach notification law (the “Act”). The Bill expands the Act’s definition of “breach of the security of the system” and the types of information (i.e., “private information”) covered by the Act, and makes certain changes to the Act’s requirements for breach notification.

On July 23, 2019, New York City Council members introduced Int. 1632-2019 (the “Bill”), an amendment to the administrative code of New York City that would prohibit telecommunications carriers and mobile applications from sharing a customer’s location data if such data was collected from a device in the five boroughs.

A number of bills to amend the California Consumer Privacy Act of 2018 (“CCPA”) are still pending before the California legislature. Of particular interest to many businesses is AB 25. AB 25 would exempt from the CCPA’s application “[p]ersonal information collected by a business about a natural person in the course of the natural person acting as a job applicant to, an employee of, owner of, director of, officer of, medical staff member of, or contractor of that business” if the personal information is collected and used by the business solely within the context of the person’s role or former role as a job applicant to, an employee of, owner of, director of, officer of, medical staff member of, or a contractor of that business. The bill also would exempt from the CCPA’s application emergency contact information of these exempted categories of individuals and information necessary to administer benefits for persons related to such individuals.  Notably, AB 25 does not appear to exempt business-to-business customer representatives or representatives of other third-party business partners.  AB 25 also would authorize a business to require authentication of a consumer that is reasonable in light of the nature of the personal information requested. The bill further would authorize a business to require a consumer to submit the consumer’s verifiable request through the consumer’s account, where the consumer maintains an account with the business.

On July 11, 2019, Washington Attorney General Bob Ferguson announced that his office had entered into a consent decree and $10 million settlement with Premera Blue Cross (“Premera”) that stems from a 2014-2015 breach that affected more than 11 million individuals. The settlement, which includes a payment of roughly $5.4 million to Washington state and $4.6 million to a coalition of 29 other state Attorneys General (the “Multistate AGs”), is one of the largest ever for a breach involving protected health information (“PHI”) and comes just one month after another notable HIPAA settlement involving a similar coalition of state AGs.

Today marks one year since the California Consumer Privacy Act of 2018 (“CCPA”) was passed and signed into law. The CCPA signals a dramatic shift in the data privacy regime in the United States, imposing on covered businesses the most prescriptive general privacy rules in the nation. In addition, the past year has seen a legislative explosion in the form of similar proposed state laws and potential federal data privacy legislation.

Texas Governor Greg Abbott recently signed into law HB 4390 (the “Bill”), which amends the state’s data breach notification law and creates an advisory council tasked with studying and developing recommendations regarding data privacy legislation.

The Illinois legislature recently passed the Artificial Intelligence Video Interview Act, which prohibits an Illinois employer from using artificial intelligence (“AI”) to evaluate job interview videos unless the employer complies with certain requirements.

Maryland Governor Larry Hogan recently signed into law House Bill 1154 (the “Bill”), which amends the state’s data breach notification law. Among other obligations, the amendments expand the required actions a business must take after becoming aware of a data security breach.

On May 30, 2019, the Maine House and Senate passed a bill (L.D. 946) that will place restrictions on broadband Internet service providers from selling customer data without the customer’s affirmative consent. The bill will apply to providers operating within Maine in connection with the broadband Internet access services they provide to customers who are physically located and billed for service received in Maine.

On May 24, 2019, Oregon Governor Kate Brown signed Senate Bill 684 (the “Bill”) into law. The Bill, which takes effect January 1, 2020, amends the Oregon Consumer Identity Theft Protection Act (“OCITPA”) by enhancing the breach notification requirements applicable to third-party vendors.

On June 4, 2019, Hunton hosted a webinar with partners Lisa Sotto, Aaron Simpson, Brittany Bacon and Fred Eames on the evolving U.S. privacy landscape. The past year has seen highly consequential legislative developments in U.S. privacy law affecting compliance obligations for businesses that have or use consumer data. Various states and the U.S. Congress are considering bills that could transform privacy in the United States. In this program, our speakers discuss the California Consumer Privacy Act of 2018 (“CCPA”) and other significant state and federal privacy legislation.

On May 27, 2019, the Illinois General Assembly voted 79-32 to approve Senate Bill 1624, an amendment to the Personal Information Protection Act (“PIPA”). The bill’s sponsor, Senator Suzy Glowiak (D), expects Illinois Governor J.B. Pritzker (D) to sign the bill into law in short order. The amendment had already unanimously passed the state Senate last month.

On May 29, 2019, Nevada’s governor approved SB 220 (the “Amendment Bill”), which provides amendments to an existing law that requires operators of websites and online services (“Operators”) to post a notice on their website regarding their privacy practices. The Amendment Bill will require Operators to establish a designated request address through which a consumer may submit a verified request directing the Operator not to make any “sale” of covered information collected about the consumer. Pursuant to the Amendment Bill, Operators must respond to a verified opt-out request within 60 days of receipt.

On May 16, 2019, the California State Senate Appropriations Committee did not approve SB 561, a bill that would have amended the California Consumer Privacy Act (“CCPA”) to expand the private right of action to permit consumers to sue for any violations of the CCPA. The Committee’s decision to hold the bill means it will not pass out of the Senate this session.

On May 10, 2019, New Jersey Governor Phil Murphy signed into law a bill that amends New Jersey’s data breach notification law to expand the definition of personal information to include online account information. The amendment goes into effect September 1, 2019.

As reported by Bloomberg Law, on May 7, 2019, Washington State Governor Jay Inslee signed a bill (HB 1071) amending Washington’s data breach notification law. The new requirements include the following:

• Expanded Definition of Personal Information. HB 1071 expands the definition of “personal information.” Washington’s breach notification law previously defined personal information as an individual’s name in combination with the individual’s Social Security number, state identification card number, or financial account or credit or debit card number in combination with any required security code, access code or password that would permit access to an individual’s financial account. HB 1071 adds the following data elements to the definition, when compromised in combination with an individual’s name:
  • full date of birth;
  • private key that is unique to an individual and that is used to authenticate or sign an electronic record;
  • student, military or passport identification number;
  • health insurance policy number or health insurance identification number;
  • any information about a consumer’s medical history or mental or physical condition or about a health care professional’s medical diagnosis or treatment of the consumer; or
  • biometric data generated by automatic measurements of an individual’s biological characteristics such as a fingerprint, voiceprint, eye retinas, irises or other unique biological patterns or characteristics that is used to identify a specific individual.

In late April, the California state legislature’s Privacy and Consumer Protection Committee held hearings on nine bills that seek to refine the California Consumer Privacy Act of 2018 (“CCPA”) by clarifying the legislation and limiting its scope. Eight bills advanced to the Assembly Appropriations Committee; the ninth is non-fiscal and will next be heard by the full Assembly. Last week, the California Assembly Appropriations Committee approved three of the bills. These bills, now on the Assembly’s “Consent Calendar,” will be heard this week. The Appropriations Committee will hold hearings on the other five bills in the next two weeks.

From the Assembly’s Appropriations Committee, bills must go through the full Assembly, the California Senate and the California governor to be enacted as law.

On April 22, 2019, Washington state legislators voted to send HB 1071 (the “Bill”) to Governor Jay Inslee for consideration. The Bill was requested by Attorney General Ferguson and would strengthen Washington’s data breach law. The request to amend the current law followed Attorney General Ferguson’s third annual Data Breach Report, which found that data breaches affected nearly 3.4 million Washingtonians between July 2017 and July 2018.

Hunton Andrews Kurth LLP is pleased to announce the launch of a dedicated site focused on the California Consumer Privacy Act of 2018 (“CCPA”), which serves as a resource for businesses to understand and prepare to comply with the CCPA. Transformative in nature, the CCPA will impact most businesses that process the personal information of California residents, and is likely to set the stage for a wider shift in standards on data privacy across the United States.

The much-discussed Washington Privacy Act, Senate Bill 5376 (“SB 5376”), appears to have died after failing to receive a House vote by an April 17, 2019 deadline for action on non-budget policy bills. Though the bill could be revived before the regular session ends on April 28, 2019, Washington lawmakers expressed doubt.

During the week of April 1, 2019, the Centre for Information Policy Leadership (“CIPL”) at Hunton Andrews Kurth LLP hosted its annual executive retreat in Washington, D.C. (the “Retreat”). During the Retreat, CIPL held a full-day working session on evolving technologies and a new U.S. privacy framework followed by a closed members only half-day roundtable on global privacy trends with special guest Helen Dixon, Data Protection Commissioner of Ireland.

On March 27, 2019, Utah Governor Gary Herbert signed HB57, the first U.S. law to protect electronic information that individuals have shared with certain third parties. The bill, called the “Electronic Information or Data Privacy Act,” places restrictions on law enforcement’s ability to obtain certain types of “electronic information or data” of a Utah resident, including (1) location information, stored data or transmitted data of an electronic device, and (2) data that is stored with a “remote computing service provider” (i.e., data stored in digital devices or servers).  The law provides for situations in which law enforcement may obtain such information without a warrant.

On February 22, 2019, California state senator Hannah Beth-Jackson introduced a bill (SB-561) that would amend the California Consumer Privacy Act of 2018 (“CCPA”) to expand the Act’s private right of action and remove the 30-day cure period requirement for enforcement actions brought by the State Attorney General. The bill would not change the compliance deadline for the CCPA, which remains January 1, 2020. California Attorney General Xavier Becerra supports the amendment bill, characterizing it as “a critical measure to strengthen and clarify the CCPA.”

As we previously reported, the California Consumer Privacy Act of 2018 (“CCPA”) delays the California Attorney General’s enforcement of the CCPA until six months after publication of the Attorney General’s implementing regulations, or July 1, 2020, whichever comes first. The California Department of Justice anticipates publishing a Notice of Proposed Regulatory Action concerning the CCPA in Fall 2019.

In January 2019, Hunton Andrews Kurth celebrates the 10-year anniversary of our award-winning Privacy and Information Security Law Blog. Over the past decade, we have worked hard to provide timely, cutting-edge updates on the ever-evolving global privacy and cybersecurity legal landscape. Ten Years Strong: A Decade of Privacy and Cybersecurity Insights is a compilation of our blog’s top ten most read posts over the decade, and addresses some of the most transformative changes in the privacy and cybersecurity field.

Read Ten Years Strong: A Decade of Privacy and Cybersecurity ...

The Illinois Supreme Court ruled today that an allegation of “actual injury or adverse effect” is not required to establish standing to sue under the Illinois Biometric Information Privacy Act, 740 ILCS 14 (“BIPA”). This post discusses the importance of the ruling to current and future BIPA litigation.

As we previously reported in February 2017, an Illinois federal judge denied a motion to dismiss two complaints brought under the Illinois Biometric Information Privacy Act, 740 ILCS 14 (“BIPA”) by individuals who alleged that Google captured, without plaintiff’s consent, biometric data from facial scans of images that were uploaded onto Google Photos. The cases subsequently were consolidated, and on December 29, 2018, the Northern District of Illinois dismissed the case on standing grounds, finding that despite the existence of statutory standing under BIPA, neither plaintiff had claimed any injury that would support Article III standing.

On January 10, 2019, Massachusetts Governor Charlie Baker signed legislation amending the state’s data breach law. The amendments take effect on April 11, 2019.

The California Department of Justice will host six public forums on the California Consumer Privacy Act of 2018 (“CCPA”) to provide the general public an opportunity to participate in the CCPA rulemaking process. Individuals may attend or speak at the events or submit written comments by email to privacyregulations@doj.ca.gov or by mail to the California Department of Justice, ATTN: Privacy Regulations Coordinator, 300 S. Spring St., Los Angeles, CA 90013.

New cybersecurity rules for insurance companies licensed in South Carolina are set to take effect in part on January 1, 2019. The new law is the first in the United States to be enacted based on the data security model law drafted by the National Association of Insurance Commissioners. The law requires licensed insurance companies to notify state insurance authorities of data breaches within 72 hours of confirming that nonpublic information in the company’s (or a service provider’s) system was “disrupted, misused, or accessed without authorization.” The breach reporting requirement is in addition to notification obligations imposed under South Carolina’s breach notification law and applies if the insurance company has a permanent location in the state or if the breach affects at least 250 South Carolina residents, among other criteria. The 72-hour notice requirement takes effect January 1, 2019.

On November 20, 2018, the Illinois Supreme Court heard arguments in a case that could shape future litigation under the Illinois Biometric Information Privacy Act (“BIPA”). BIPA requires companies to (i) provide prior written notice to individuals that their biometric data will be collected and the purpose for such collection, (ii) obtain a written release from individuals before collecting their biometric data and (iii) develop a publicly available policy that sets forth a retention schedule and guidelines for deletion once the biometric data is no longer used for the purpose for which it was collected (but for no more than three years after collection). BIPA also prohibits companies from selling, leasing or trading biometric data.

Effective November 2, 2018, a new Ohio breach law will provide covered entities a legal safe harbor for certain data breach-related claims brought in an Ohio court or under Ohio law if, at the time of the breach, the entity maintains and complies with a cybersecurity program that (1) contains administrative, technical and physical safeguards for the protection of personal information, and (2) reasonably conforms to one of the “industry-recognized” cybersecurity frameworks enumerated in the law.

As reported on the Blockchain Legal Resource, California Governor Jerry Brown recently signed into law Assembly Bill No. 2658 for the purpose of further studying blockchain’s application to Californians. In doing so, California joins a growing list of states officially exploring distributed ledger technology.

On September 28, 2018, California Governor Jerry Brown signed into law two identical bills regulating Internet-connected devices sold in California. S.B. 327 and A.B. 1906 (the “Bills”), aimed at the “Internet of Things,” require that manufacturers of connected devices—devices which are “capable of connecting to the Internet, directly or indirectly,” and are assigned an Internet Protocol or Bluetooth address, such as Nest’s thermostat—outfit the products with “reasonable” security features by January 1, 2020; or, in the bills’ words: “equip [a] device with a reasonable security feature or features that are appropriate to the nature and function of the device, appropriate to the information it may collect, contain, or transmit, and designed to protect the device and any information contained therein from unauthorized access, destruction, use, modification, or disclosure[.]”

On September 23, 2018, California Governor Jerry Brown signed into law SB-1121 (the “Bill”), which makes limited substantive and technical amendments to the California Consumer Privacy Act of 2018 (“CCPA”). The Bill takes effect immediately,  and delays the California Attorney General’s enforcement of the CCPA until six months after publication of the Attorney General’s implementing regulations, or July 1, 2020, whichever comes first. 

On August 31, 2018, the California State Legislature passed SB-1121, a bill that delays enforcement of the California Consumer Privacy Act of 2018 (“CCPA”) and makes other modest amendments to the law. The bill now goes to the Governor for signing. The provisions of the CCPA will become operative on January 1, 2020. As we have previously reported, the CCPA introduces key privacy requirements for businesses. The Act was passed quickly by California lawmakers in an effort to remove a ballot initiative of the same name from the November 6, 2018, statewide ballot. The CCPA’s hasty passage resulted in a number of drafting errors and inconsistencies in the law, which SB-1121 seeks to remedy. The amendments to the CCPA are primarily technical, with few substantive changes.

On August 22, 2018, California Attorney General Xavier Becerra raised significant concerns regarding the recently enacted California Consumer Privacy Act of 2018 (“CCPA”) in a letter addressed to the CCPA’s sponsors, Assemblyman Ed Chau and Senator Robert Hertzberg. Writing to “reemphasize what [he] expressed previously to [them] and [state] legislative leaders and Governor Brown,” Attorney General Becerra highlighted what he described as five primary flaws that, if unresolved, will undermine the intention behind and effective enforcement of the CCPA.

As reported in BNA Privacy Law Watch, a California legislative proposal would allocate additional resources to the California Attorney General’s office to facilitate the development of regulations required under the recently enacted California Consumer Privacy Act of 2018 (“CCPA”). CCPA was enacted in June 2018 and takes effect January 1, 2020. CCPA requires the California Attorney General to issue certain regulations prior to the effective date, including, among others, (1) to update the categories of data that constitute “personal information” under CCPA ...

On August 3, 2018, Ohio Governor John Kasich signed into law Senate Bill 220 (the “Bill”), which provides covered entities with an affirmative defense to tort claims, based on Ohio law or brought in an Ohio court, that allege or relate to the failure to implement reasonable information security controls which resulted in a data breach. According to the Bill, its purpose is “to be an incentive and to encourage businesses to achieve a higher level of cybersecurity through voluntary action.” The Bill will take effect 90 days after it is provided to the Ohio Secretary of State ...

As reported in BNA Privacy Law Watch, on June 27, 2018, Equifax entered into a consent order (the “Order”) with 8 state banking regulators (the “Multi-State Regulatory Agencies”), including those in New York and California, arising from the company’s 2017 data breach that exposed the personal information of 143 million consumers.

On June 28, 2018, the Governor of California signed AB 375, the California Consumer Privacy Act of 2018 (the “Act”). The Act introduces key privacy requirements for businesses, and was passed quickly by California lawmakers in an effort to remove a ballot initiative of the same name from the November 6, 2018, statewide ballot. We previously reported on the relevant ballot initiative. The Act will take effect January 1, 2020.

On June 21, 2018, California lawmakers introduced AB 375, the California Consumer Privacy Act of 2018 (the “Bill”). If enacted and signed by the Governor by June 28, 2018, the Bill would introduce key privacy requirements for businesses, but would also result in the removal of a ballot initiative of the same name from the November 6, 2018, statewide ballot. We previously reported on the relevant ballot initiative.

Recently, Iowa and Nebraska enacted information security laws applicable to personal information. Iowa’s law applies to operators of online services directed at and used by students in kindergarten through grade 12, whereas Nebraska’s law applies to all commercial entities doing business in Nebraska who own or license Nebraska residents’ personal information.

On July 1, 2018, HB 183, which amends Virginia’s breach notification law, will come into effect (the “amended law”). The amended law will require income tax return preparers who prepare individual Virginia income tax returns to notify the state’s Department of Taxation (the “Department”) if they discover or are notified of a breach of “return information.” Under the amended law, “return information” is defined as “a taxpayer's identity and the nature, source, or amount of his income, payments, receipts, deductions, exemptions, credits, assets, liabilities, net worth, tax liability, tax withheld, assessments, or tax payments.”

On November 6, 2018, California voters will consider a ballot initiative called the California Consumer Privacy Act (“the Act”). The Act is designed to give California residents (i.e., “consumers”) the right to request from businesses (see “Applicability” below) the categories of personal information the business has sold or disclosed to third parties, with some exceptions. The Act would also require businesses to disclose in their privacy notices consumers’ rights under the Act, as well as how consumers may opt out of the sale of their personal information if the business sells consumer personal information.

Recently, Colorado’s governor signed into law House Bill 18-1128 “concerning strengthening protections for consumer data privacy” (the “Bill”), which takes effect September 1, 2018. Among other provisions, the Bill (1) amends the state’s data breach notification law to require notice to affected Colorado residents and the Colorado Attorney General within 30 days of determining that a security breach occurred, imposes content requirements for the notice to residents and expands the definition of personal information; (2) establishes data security requirements applicable to businesses and their third-party service providers; and (3) amends the state’s law regarding disposal of personal identifying information.

Recently, Vermont enacted legislation (H.764) that regulates data brokers who buy and sell personal information. Vermont is the first state in the nation to enact this type of legislation.

• Definition of Data Broker. The law defines a “data broker” broadly as “a business, or unit or units of a business, separately or together, that knowingly collects and sells or licenses to third parties the brokered personal information of a consumer with whom the business does not have a direct relationship.”
• Definition of “Brokered Personal Information.” “Brokered personal ...

Recently, Louisiana amended its Database Security Breach Notification Law (the “amended law”). Notably, the amended law (1) amends the state’s data breach notification law to expand the definition of personal information and requires notice to affected Louisiana residents within 60 days, and (2) imposes data security and destruction requirements on covered entities. The amended law goes into effect on August 1, 2018.

On June 2, 2018, Oregon’s amended data breach notification law (“the amended law”) went into effect. Among other changes, the amended law broadens the applicability of breach notification requirements, prohibits fees for security freezes and related services provided to consumers in the wake of a breach and adds a specific notification timing requirement.

On April 11, 2018, Arizona amended its data breach notification law (the “amended law”). The amended law will require persons, companies and government agencies doing business in the state to notify affected individuals within 45 days of determining that a breach has resulted in or is reasonably likely to result in substantial economic loss to affected individuals. The old law only required notification “in the most expedient manner possible and without unreasonable delay.” The amended law also broadens the definition of personal information and requires regulatory notice and notice to the consumer reporting agencies (“CRAs”) under certain circumstances.

On March 28, 2018, Alabama became the final state in the U.S. to enact a data breach notification law. The Alabama Data Breach Notification Act of 2018 (S.B. 318) (“the Law”) goes into effect on June 1, 2018.

As reported in BNA Privacy Law Watch, on March 21, 2018, South Dakota enacted the state’s first data breach notification law. The law will take effect on July 1, 2018, and includes several key provisions:

On October 31, 2017, the New York and Vermont Attorneys General (“Attorneys General”) announced a settlement with Hilton Domestic Operating Company, Inc., formerly known as Hilton Worldwide, Inc. (“Hilton”), to settle allegations that the company lacked reasonable data security and waited too long to report a pair of 2015 data breaches, which exposed over 350,000 credit card numbers. The Attorneys General alleged that Hilton failed to maintain reasonable data security and waited more than nine months after the first incident to notify consumers of the breaches, in violation of the states' consumer protection and breach notification laws.

On September 29, 2017, Samanage USA, Inc. (“Samanage”), a North Carolina-based technology company that provided cloud-based IT support services as a subcontractor for Vermont’s health care exchange (“Vermont Health Connect”), agreed to a $264,000 settlement with the Vermont Attorney General in relation to a breach that exposed the Social Security numbers of 660 Vermont Health Connect users.

As reported in BNA Privacy Law Watch, on August 17, 2017, Delaware amended its data breach notification law, effective April 14, 2018. The Delaware law previously required companies to give notice of a breach to affected Delaware residents “as soon as possible” after determining that, as a result of the breach, “misuse of information about a Delaware resident has occurred or is reasonably likely to occur.” The prior version of the law did not require regulator notification.

On August 9, 2017, Nationwide Mutual Insurance Co. (“Nationwide”) agreed to a $5.5 million settlement with attorneys general from 32 states in connection with a 2012 data breach that exposed the personal information of over 1.2 million individuals. 

Recently, Nevada enacted an online privacy policy law which will require operators of websites and online services to post a notice on their website regarding their privacy practices. The Nevada law contains content requirements for online privacy notices, specifying that the notice must (1) identify the categories of personally identifiable information (“PII”) collected through the website and the categories of third parties with whom PII may be shared; (2) provide information about users’ ability to review and request changes to PII collected through the website; (3) disclose whether third parties may collect information about users’ online activities from the website; and (4) provide an effective date of the notice.

On July 21, 2017, New Jersey Governor Chris Christie signed a bill that places new restrictions on the collection and use of personal information by retail establishments for certain purposes. The statute, which is called the Personal Information and Privacy Protection Act, permits retail establishments in New Jersey to scan a person’s driver’s license or other state-issued identification card only for the following eight purposes:

On June 13, 2017, Judge Andrea R. Wood of the Northern District of Illinois dismissed with prejudice a putative consumer class action filed against Barnes & Noble. The case was first filed after Barnes & Noble’s September 2012 announcement that “skimmers” had tampered with PIN pad terminals in 63 of its stores and exposed payment card information. The court had previously dismissed the plaintiffs’ original complaint without prejudice for failure to establish Article III standing. After the Seventh Circuit’s decision in Remijas v. Neiman Marcus Group, the plaintiffs filed an almost identical amended complaint that alleged the same causes of action and virtually identical facts. Although the court found that the first amended complaint sufficiently alleged Article III standing, the plaintiffs nevertheless failed to plead a viable claim. The court therefore dismissed the first amended complaint under Rule 12(b)(6). 

Recently, the Colorado Division of Securities (the “Division”) published cybersecurity regulations for broker-dealers and investment advisers regulated by the Division. Colorado’s cybersecurity regulations follow similar regulations enacted in New York that apply to certain state-regulated financial institutions.

On May 16, 2017, the Governor of the State of Washington, Jay Inslee, signed into law House Bill 1493 (“H.B. 1493”), which sets forth requirements for businesses who collect and use biometric identifiers for commercial purposes. The law will become effective on July 23, 2017. With the enactment of H.B. 1493, Washington becomes the third state to pass legislation regulating the commercial use of biometric identifiers. Previously, both Illinois and Texas enacted the Illinois Biometric Information Privacy Act (740 ILCS 14) (“BIPA”) and the Texas Statute on the Capture or Use of Biometric Identifier (Tex. Bus. & Com. Code Ann. §503.001), respectively.

On May 25, 2017, Oregon Governor Kate Brown signed into law H.B. 2090, which updates Oregon’s Unlawful Trade Practices Act by holding companies liable for making misrepresentations on their websites (e.g., in privacy policies) or in their consumer agreements about how they will use, disclose, collect, maintain, delete or dispose of consumer information. Pursuant to H.B. 2090, a company engages in an unlawful trade practice if it makes assertions to consumers regarding the handling of their information that are materially inconsistent with its actual practices. Consumers can ...

On May 23, 2017, various attorneys general of 47 states and the District of Columbia announced that they had reached an $18.5 million settlement with Target regarding the states’ investigation of the company’s 2013 data breach. This represents the largest multi-state data breach settlement achieved to date.