InfoBytes Blog
Filter
Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
California’s privacy agency posts CPRA proposal
Recently, in advance of its June 8 board meeting, the California Privacy Protection Agency (CPPA) Board posted draft regulations to implement the California Privacy Rights Act (CPRA). As previously covered by InfoBytes, the CPRA (largely effective January 1, 2023, with enforcement delayed until July 1, 2023) was approved by ballot measure in November 2020. Earlier this year, the CPPA provided an update on the CPRA rulemaking process, announcing its intention to finalize rulemaking in the third or fourth quarter of 2022 (covered by InfoBytes here). While the CPRA established a July 1, 2022 deadline for rulemaking, CPPA Executive Director Ashkan Soltani stated during the February meeting that the rulemaking process will extend into the second half of the year. An updated formal rulemaking timeline may be released during the June 8 meeting.
The draft regulations, which were introduced outside of the rulemaking process, set forth a working draft of the regulations to implement the CPRA and modify certain provisions and propose new regulations, including:
- Adding, amending, and striking certain definitions. The CPRA draft regulations modify the definitions in the CCPA regulations. Specifically, the amendments strike “affirmative authorization” and “household” from its list of definitions, but adds new terms such as “disproportionate effect,” “first party,” “frictionless manner,” “notice of right to limit,” “opt-out preference signal,” as well as terms related to a consumer’s right to request to correct, opt-in to sale/sharing, delete, know, or limit.
- Outlining restrictions on the collection and use of personal information. The draft regulations state that a business’s collection, use, retention, and/or sharing of a consumer’s personal information must be “reasonably necessary and proportionate,” and “must be consistent with what an average consumer would expect when the personal information was collected.” Businesses also must obtain a consumer’s explicit consent prior to collecting, using, retaining, and/or sharing the personal information for any purpose that is unrelated or incompatible with the original purpose for which the personal information was collected or processed.
- Providing disclosure and communications requirements. Disclosures and communications are required to be easy to read and understandable to consumers, be available in languages in which the business ordinarily provides information, and be reasonably accessible to consumers with disabilities. The draft regulations also stipulate requirements for website and mobile application links.
- Describing requirements for submitting CCPA requests and obtaining consumer consent. The draft regulations set forth methods for submitting CCPA requests and obtaining consumer consent, including requirements regarding the manner in which such requests and consents may be obtained. For example, the requests and consents must be easy to understand, must include symmetry in choice, and avoid confusing and manipulative language. Methods that do not comply with these requirements may be considered a “dark pattern” and will not constitute consumer consent.
- Amending requirements related to a business’s privacy notice. The draft regulations would amend the requirements related to the information that must be included in a privacy notice related to a business’s online and offline practices regarding the collection, use, sale, sharing, and retention of personal information; and an explanation of CPRA rights conferred on consumers regarding their personal information, how they can exercise their rights, and what they can expect from this process.
- Amending notices required by the CCPA. The draft regulations set forth additional requirements related to the notice at collection, the notice of right to opt-out of sale/sharing, and the “Do Not Sell or Share My Personal Information” link, such as updates to the content of the notices, location of the notices/links, and the effects of certain requests (e.g. “clicking the business’s ‘Do Not Sell or Share My Personal Information’ link will either have the immediate effect of opting the consumer out of the sale or sharing of personal information or lead the consumer to a webpage where the consumer can learn about and make that choice”). The draft regulations would also amend the notice of financial incentive.
- Providing instructions for the Notice of Right to Limit Use of Sensitive Personal Information. The draft regulations outline requirements for businesses to comply with a consumer’s rights to limit the use of sensitive personal information. They also provide businesses the option to use an alternative opt-out link to allow “consumers to easily exercise both their right to opt-out of sale/sharing and right to limit, instead of posting the two separate…links.”
- Amending methods for handling consumer requests to delete, correct, and know. The draft regulations outline additional documentation requirements, as well as guidance on responding to consumer requests, including explanations for denying a request. Notably, in response to a request to know, “a business shall provide all the personal information it has collected and maintains about the consumer on or after January 1, 2022, including beyond the 12-month period preceding the business’s receipt of the request, unless doing so proves impossible or would involve disproportionate effort.” Additionally, a company that intends to collect additional categories of information that are “incompatible” with the originally disclosed purpose must provide a new notice at collection and obtain new consent.
- Opt-out preference signals. The draft regulations set forth requirements for opt-out preference signals and how businesses should respond to such preferences. Specifically, the draft regulations provide that processing an opt-out preference must be done in a “frictionless manner” and includes examples.
- Addressing consumer requests for limiting the use and disclosure of sensitive personal information. Businesses will be required to provide two or more designated methods for submitting requests to limit and must, among other things, comply with a request to limit “as soon as feasibly possible, but no later than 15 business days from the date the business receives the request.” All service providers, contractors, and third parties must comply as well. The regulations set forth exceptions to the limitations for using and disclosing sensitive personal information.
The draft regulations also amend provisions related to contract requirements for service providers/contractors/third parties, verification of requests, authorized agents, minor consumers, discriminatory practices, requirements for businesses collecting large amounts of personal information, and investigations and enforcement.
Maryland amends security procedures standards
On May 29, Maryland HB 962 was enacted under Article II, Section 17(c) of the Maryland Constitution - Chapter 502, which amends the Maryland Personal Information Protection Act. The bill, among other things, expands the types of businesses that are required to implement and maintain reasonable security procedures and practices to protect personal information from unauthorized use. The bill also decreases the period within which certain businesses must provide required notifications to consumers after a data breach. Violation of the bill’s provisions are considered to be an unfair, abusive, or deceptive trade practice under the Maryland Consumer Protection Act (MCPA), subject to MCPA’s civil and criminal penalty provisions. The law is effective October 1.
NAAG establishes cyber training center to help states understand emerging and evolving technologies
Recently, the National Association of Attorneys General (NAAG) established a new center dedicated to the development of programs and resources for supporting states’ understanding of emerging and evolving technologies. The Center on Cyber and Technology will also assist with cybercrime investigations and prosecutions and “serve as an information clearinghouse for the attorney general community on trending technology issues.” Faisal Sheikh will serve as the Center’s first director, and “will be responsible for developing programming on cybersecurity, cybercrime, and new and emerging technologies, as well as forming strategic partnerships with other government agencies, academic institutions, nonprofit organizations, and private sector entities that focus on these issues.” According to NAAG Executive Director Chris Toth, “digital evolution has highlighted the need for a sustained approach to addressing cyber and technology issues.”
Social media company to pay $150 million to settle FTC, DOJ data security probe
On May 25, the DOJ filed a complaint on behalf of the FTC against a global social media company for allegedly misusing users’ phone numbers and email addresses uploaded for security purposes to target users with ads. (See also FTC press release here.) According to the complaint, the defendant deceived users about the extent to which it maintained and protected the security and privacy of users’ nonpublic contact information. Specifically, from May 2013 to September 2019, the defendant asked users to provide either a phone number or an email address to improve account security. The defendant, however, allegedly failed to inform the more than 140 million users who provided phone numbers or email addresses that their information would also be used for targeted advertising. The FTC claimed the defendant used the collected information to allow advertisers to target specific ads to specific users by matching the phone numbers or email addresses with data they already had or obtained from data brokers. DOJ’s complaint alleged that the defendant’s conduct violated the FTC Act and the EU-U.S. Privacy Shield and Swiss-U.S. Privacy Shield agreements, which require participating countries to adhere to certain privacy principles in order to legally transfer data from EU countries and Switzerland. This conduct also allegedly violated a 2011 FTC consent order with the defendant stemming from claims that the defendant deceived users and put their privacy at risk by failing to safeguard their personal information. According to DOJ’s complaint, the 2011 order “specifically prohibits the company from making misrepresentations regarding the security of nonpublic consumer information.”
Under the terms of the proposed order, the defendant would be required to pay a $150 million civil penalty and implement robust compliance measures to improve its data privacy practices. According to the FTC and DOJ announcements, these measures would (i) “allow users to use other multi-factor authentication methods such as mobile authentication apps or security keys that do not require users to provide their telephone numbers”; (ii) require the defendant to “notify users that it misused phone numbers and email addresses collected for account security to also target ads to them and provide information about [its] privacy and security controls”; (iii) require the defendant to implement and maintain a comprehensive privacy and information security program, including conducting “a privacy review with a written report prior to implementing any new product or service that collects users’ private information,” regularly testing its data privacy safeguards, and obtaining regular independent assessments of its data privacy program; (iv) limit employee access to users’ personal data; and (v) require the defendant to notify the FTC should it experience a data breach, and provide reports after any data privacy incident affecting 250 or more users. Additionally, the defendant would be banned from profiting from deceptively collected data.
FTC addresses importance of effective incident response and breach disclosure
On May 20, the FTC’s Team CTO and the Division of Privacy and Identity Protection published a blog post, titled Security Beyond Prevention: The Importance of Effective Breach Disclosures. The blog noted that the FTC Act creates a de facto data breach notification requirement because failure to disclose can increase the likelihood that affected parties will suffer harm. The post outlines effective security breach detection and response programs, which can: (i) permit an organization time to take remedial actions to counter, prevent, or mitigate an attack; (ii) prevent and minimize consumer harm from breaches; (iii) provide valuable information to the prevention function of a security team; and (vi) remove an attacker and allow for post-breach remedial measures. According to the FTC, failure to maintain such practices could indicate a lack of competition in the marketplace. The post stated that “[r]egardless of whether a breach notification law applies, a breached entity that fails to disclose information to help parties mitigate reasonably foreseeable harm may violate Section 5 of the FTC Act.” Listing recent cyber-related FTC enforcement actions, the post explained that deceptive statements can limit consumers’ ability to mitigate foreseeable harms like identity theft, loss of sensitive data, or financial impacts. Looking at these cases together, the post further noted that “companies have legal obligations with respect to disclosing breaches, and that these disclosures should be accurate and timely.”
U.S. signs protocol to strengthen international efforts to combat cybercrime
On May 12, the U.S. signaled its commitment to fight cybercrime by signing the Second Additional Protocol to the Convention on Cybercrime to obtain access to needed electronic evidence. Deputy Assistant Attorney General Richard Downing of the DOJ’s Criminal Division signed the new protocol to strengthen and expand international law enforcement cooperation to combat cybercrime. Currently, 66 countries are party to the multilateral treaty (commonly known as the Budapest Convention), which presents a “technology-neutral approach to cybercrime” and “has created an enduring framework for cooperation that ensures law enforcement has the tools they need to respond to new criminal methods.”
According to the DOJ’s announcement, the new “Protocol to the Budapest Convention will accelerate cooperation among parties to protect [] citizens from cybercrime and hold criminals accountable. As cybercrime proliferates, electronic evidence is increasingly stored in different jurisdictions. The Second Additional Protocol is specifically designed to help law enforcement authorities obtain access to such electronic evidence, with new tools including direct cooperation with service providers and registrars, expedited means to obtain subscriber information and traffic data associated with criminal activity, and expedited cooperation in obtaining stored computer data in emergencies. All these tools are subject to a system of human rights and rule of law safeguards.”
Connecticut becomes fifth state to enact comprehensive privacy legislation
On May 10, the Connecticut governor signed SB 6, establishing a framework for controlling and processing consumers’ personal data in the state. Connecticut is now the fifth state in the nation to enact comprehensive consumer privacy measures, following California, Colorado, Virginia, and Utah (covered by Buckley Special Alerts here and here and InfoBytes here and here). As previously covered by InfoBytes, Connecticut consumers will have the right to, among other things, (i) confirm whether their personal data is being processed and access their data; (ii) correct inaccuracies; (iii) delete their data; (iv) obtain a copy of personal data processed by a controller; and (v) opt out of the processing of their data for targeted advertising, the sale of their data, or profiling to assist solely automated decisions. The Act also outlines data controller responsibilities, including a requirement that controllers must respond to consumers’ requests free of charge within 45 days unless extenuating circumstances arise. The Act also limits the collection of personal data “to what is adequate, relevant and reasonably necessary in relation to the purposes for which such data is processed, as disclosed to the consumer,” and requires controllers to implement data security protection practices “appropriate to the volume and nature of the personal data at issue” and conduct data protection assessments for processing activities that present a heightened risk of harm to consumers. While the Act explicitly prohibits its use as a basis for a private right of action, it does grant the state attorney general exclusive authority to enforce the law. Additionally, upon discovering a potential violation of the Act, the attorney general must give the controller or processor written notice and 60 days to cure the alleged violation before the attorney general can file suit. The Act takes effect July 1, 2023.
District Court settles data scraping lawsuit
On May 9, the U.S. District Court for the Northern District of California issued a final judgment on consent resolving a lawsuit concerning data scraping allegations. A professional networking site (plaintiff) sued a Singapore-based company and three company founders (collectively, “defendants”) claiming the defendants violated the terms of the plaintiff’s user agreement by gaining unauthorized access to areas of the plaintiff’s platform that are only accessible to real logged-in members, scraping millions of member profile pages, and using fake member accounts and prepaid virtual debit card numbers to fraudulently obtain access to a function that provides advanced features. In alleging claims for breach of contract, fraud and deceit, and misappropriation, among others, the plaintiff claimed the defendants’ activities defrauded it out of hundreds of thousands of dollars in revenue. According to the court’s judgment, the defendants have agreed to be permanently restrained and barred from engaging in the aforementioned activities, including using scraping to access the plaintiff’s data, engaging in marketing and advertising about the availability of user data on the defendant’s website, circumventing any technological measures that control access to the plaintiff’s servers, and transferring data to third parties. “Defendants represent that they have destroyed all [plaintiff] member profile data, whether stored in electronic form or otherwise, in their possession, custody, or control and have certified in writing that they have done so,” the judgment stated. While the judgment did not include a monetary penalty, the court noted that violation of the final judgment or consent shall expose the defendants and all other persons bound by the final judgment on consent “to all applicable penalties, including contempt of Court.”
District Court dismisses privacy class action claims citing absence of jurisdiction
On May 5, the U.S. District Court for the Northern District of California granted defendants’ motions to dismiss a putative class action concerning invasion of privacy claims related to the collection of consumer data over an online shopping platform. The Canada-based e-commerce company and two of its wholly-owned subsidiaries operate an e-commerce platform that hosts merchants’ websites and facilitates and verifies customers’ payment information. According to the plaintiff, the defendants’ platform intercepts payment information and collects shoppers’ sensitive personal information through the use of cookies, including names, addresses, and credit card information. The plaintiff alleged that the defendants compile the data into individualized profiles, which is shared with merchants, and also share shoppers' data with other non-merchant third parties. Shoppers are not required to consent to any of these activities and are supposedly unaware that their sensitive information is being tracked and shared, the plaintiff stated, claiming violations of California’s Invasion of Privacy Act, Computer Data Access and Fraud Act, and Unfair Competition Law, among other things. In dismissing the action, the court concluded that the plaintiff’s privacy claims against the defendants are too general and fail to identify which defendant is responsible for the plaintiff’s alleged injuries. The court noted that it would normally permit the plaintiff to amend his complaint to address the issue, but said that in this case the court lacks both general and specific jurisdiction over any of the defendants. The court explained that the plaintiff failed to argue that any of the three entities (based either in Canada or Delaware) are subject to general jurisdiction in California. Simply stating that the platform “enables merchants to sell products online . . . does not represent an intentional act directed at California residents,” the court stated.
Defendants to pay $5.7 million for alleged data breach
On October 17, the U.S. District Court for the Northern District of Ohio granted final approval of a $5.7 million settlement in a class action against a fast-food chain (defendant) resolving allegations that it acted negligently for failing to protect customers’ data when hackers stole payment card information from more than 700 franchised restaurants. According to the order, in 2017, a data breach compromised the defendant’s customer payment data, which resulted in multiple lawsuits that were settled. In the current case, the plaintiffs sued the defendant for negligence related to insecure systems that led to the data breach. The plaintiffs alleged that the defendant’s negligence required financial institutions to spend resources to respond to the breach. Under the terms of the settlement, the defendant is required to pay under a per-card formula up to $5.73 million to resolve class member claims, which would include up to $3 million to pay class members’ claims ($1.00 per reissued card and $1.50 per card experiencing fraud within four weeks of the breach). The defendant is required to pay up to $500,000 for settlement administration, up to $30,000 for class representative service awards, and up to $2.2 million for attorneys’ fees and expenses.