Privacy & Information Security Law Blog

As reported in BNA Privacy Law Watch, a new law makes data protection a constitutional right in Chile. The measure, which was enacted by the National Congress of Chile, lists “protection of one’s personal data” as an individual right under the Constitution’s Article 19. As a result of this measure, Chilean courts must expedite privacy-related cases under constitutional protection.

On June 21, 2018, California lawmakers introduced AB 375, the California Consumer Privacy Act of 2018 (the “Bill”). If enacted and signed by the Governor by June 28, 2018, the Bill would introduce key privacy requirements for businesses, but would also result in the removal of a ballot initiative of the same name from the November 6, 2018, statewide ballot. We previously reported on the relevant ballot initiative.

On June 22, 2018, the United States Supreme Court held in Carpenter v. United States that law enforcement agencies must obtain a warrant supported by probable cause to obtain historical cell-site location information (“CSLI”) from third-party providers. The government argued in Carpenter that it could access historical CSLI through a court order alone under the Stored Communications Act (the “SCA”). Under 18 U.S.C. § 2703(d), obtaining an SCA court order for stored records only requires the government to “offer specific and articulable facts showing that there are reasonable grounds.” However, in a split 5-4 decision, the Supreme Court held that the Fourth Amendment requires law enforcement agencies to obtain a warrant supported by probable cause to obtain historical CSLI.

Recently, Iowa and Nebraska enacted information security laws applicable to personal information. Iowa’s law applies to operators of online services directed at and used by students in kindergarten through grade 12, whereas Nebraska’s law applies to all commercial entities doing business in Nebraska who own or license Nebraska residents’ personal information.

On July 1, 2018, HB 183, which amends Virginia’s breach notification law, will come into effect (the “amended law”). The amended law will require income tax return preparers who prepare individual Virginia income tax returns to notify the state’s Department of Taxation (the “Department”) if they discover or are notified of a breach of “return information.” Under the amended law, “return information” is defined as “a taxpayer's identity and the nature, source, or amount of his income, payments, receipts, deductions, exemptions, credits, assets, liabilities, net worth, tax liability, tax withheld, assessments, or tax payments.”

On November 6, 2018, California voters will consider a ballot initiative called the California Consumer Privacy Act (“the Act”). The Act is designed to give California residents (i.e., “consumers”) the right to request from businesses (see “Applicability” below) the categories of personal information the business has sold or disclosed to third parties, with some exceptions. The Act would also require businesses to disclose in their privacy notices consumers’ rights under the Act, as well as how consumers may opt out of the sale of their personal information if the business sells consumer personal information.

Recently, the Personal Data Collection and Protection Ordinance (“the Ordinance”) was introduced to the Chicago City Council. The Ordinance would require businesses to (1) obtain prior opt-in consent from Chicago residents to use, disclose or sell their personal information; (2) notify affected Chicago residents and the City of Chicago in the event of a data breach; (3) register with the City of Chicago if they qualify as “data brokers”; (4) provide specific notification to mobile device users for location services; and (5) obtain prior express consent to use geolocation data from mobile applications.

Recently, Colorado’s governor signed into law House Bill 18-1128 “concerning strengthening protections for consumer data privacy” (the “Bill”), which takes effect September 1, 2018. Among other provisions, the Bill (1) amends the state’s data breach notification law to require notice to affected Colorado residents and the Colorado Attorney General within 30 days of determining that a security breach occurred, imposes content requirements for the notice to residents and expands the definition of personal information; (2) establishes data security requirements applicable to businesses and their third-party service providers; and (3) amends the state’s law regarding disposal of personal identifying information.

Recently, Vermont enacted legislation (H.764) that regulates data brokers who buy and sell personal information. Vermont is the first state in the nation to enact this type of legislation.

• Definition of Data Broker. The law defines a “data broker” broadly as “a business, or unit or units of a business, separately or together, that knowingly collects and sells or licenses to third parties the brokered personal information of a consumer with whom the business does not have a direct relationship.”
• Definition of “Brokered Personal Information.” “Brokered personal ...

On June 12, 2018, Vietnam’s parliament approved a new cybersecurity law  that contains data localization requirements, among other obligations. Technology companies doing business in the country will be required to operate a local office and store information about Vietnam-based users within the country. The law also requires social media companies to remove offensive content from their online service within 24 hours at the request of the Ministry of Information and Communications and the Ministry of Public Security’s cybersecurity task force. Companies could face ...