In California Privacy Protection Agency et al. v. The Superior Court of Sacramento County (case number C099130), the Third Appellate District of the California Court of Appeal returned authority to the California Privacy Protection Agency (CPPA) to enforce the regulations promulgated under California’s groundbreaking consumer data privacy law, the California Consumer Privacy Act (CCPA, as amended by the California Privacy Rights Act (CPRA)). 

The California Chamber of Commerce had challenged the CPPA’s timeline for enforcing its newly finalized regulations, arguing that the agency had missed statutory deadlines, which, in their view, should delay the enforcement start date a full year after their promulgation—to March 29, 2024. The regulations in question, which address aspects such as privacy notice requirements and the handling of browser signals for opt-out requests, are part of the broader framework established by the CCPA. The lower court agreed and temporarily stripped the CPPA of its enforcement capabilities.

The appellate court overturned that decision. The court found no explicit mandate in the law that would necessitate delaying enforcement until a year after the finalization of the regulations, as the Chamber had contended. Consequently, the CPPA can now immediately begin enforcing the regulations finalized last March without the previously imposed delay.Continue Reading California Appeals Court Empowers Privacy Agency to Immediately Enforce CCPA Regulations

The FTC recently issued a proposed order that would settle an enforcement action against Drizly, LLC and its co-founder and CEO, James Rellas, arising from data breaches in 2018 and 2020 that affected over 2.5 million customers. The FTC’s proposed order is unusual in that applies to Rellas personally. The order requires Rellas to implement various data security practices at any company he owns or oversees in the next decade, even if Rellas moves to a company unrelated to Drizly.

Let’s take a look at the data security breaches that led to the FTC’s enforcement action and some of the key takeaways that result from the FTC’s unusual proposed order.
Continue Reading Cybersecurity Regulation: Key Takeaways From an Unusual FTC Order That Will Follow CEO for a Decade

On October 5, 2022, after a monthlong jury trial, former Uber Chief Information Security Officer Joseph Sullivan was found guilty of obstructing proceedings of the Federal Trade Commission (FTC) and misprision of a felony related to failure to disclose two data breaches in 2014 and 2016. Sullivan remains on bond pending his sentencing, where he faces a maximum sentence of five years for the obstruction charge and three years for the misprision charge.

Sullivan was hired by Uber in 2015 and handled the company’s response to the FTC regarding the 2014 breach. Sullivan supervised Uber’s responses to the FTC, testified under oath to the committee regarding the company’s data protections, and supported a preliminary settlement entered into by Uber and the FTC in the summer of 2016.

However, shortly after Sullivan’s testimony in 2016, Uber fell victim to another cyber-attack.
Continue Reading Uber’s Former Chief Security Officer Found Guilty of Obstruction for Coverup of Data Breaches

During these particularly trying times resulting from the COVID-19 pandemic, businesses of all sizes have been concerned about the future. As a result, considering potential liquidation or restructuring through bankruptcy is inevitably starting to become a reality for some. Companies in this situation should keep privacy concerns in mind, because the handling of personal data in bankruptcy proceedings poses some unique challenges.

By taking proactive measures, a business can transform the personal data it holds from a reorganization liability into an asset. However, the issue of whether or not personally identifiable information (PII) can be sold (and under what terms) is a common way privacy issues come into play during liquidation and reorganization proceedings. As further discussed below, the GDPR and the CCPA, along with the prior positions taken by the FTC and various State Attorneys General, are all factors for companies to consider to ensure that data does not lose its value as part of the bankruptcy process.
Continue Reading Privacy During Bankruptcy Proceedings: Why It Matters

With a little time to consider the finalized California Consumer Privacy Act regulations released by the California Attorney General on August 14, 2020, it is clear that some last-minute negotiations (or perhaps just some thoughtful additional analysis) took place that led to some unexpected changes. The lion’s share of the regulation requirements have been discussed in depth, so let’s just focus on the following noteworthy changes:
Continue Reading Twists in the Plot: California AG Releases Final CCPA Regulations

A few weeks ago on this blog, we addressed some of the legal issues that have arisen for Zoom, as it becomes a significant part of American daily life during the COVID-19 pandemic.

Among those legal issues was an inquiry by the New York State Attorney General into Zoom’s privacy practices, and particularly into its measures to detect and prevent hackers or other outside parties attempting to observe or interfere with online meetings. In several incidents, the third parties interrupted meetings with disturbing messages or images. In fact, two other states – Connecticut and Florida – joined the New York probe after state government officials fell victim to “zoombombing.” Based on perceived security flaws, on April 6, 2020, the New York City Department of Education implemented a ban on public schools’ use of Zoom for classes and educational purposes.
Continue Reading Zoom Successfully Addresses New York’s Privacy and Security Concerns

Various state laws require data breach notification and different state laws have different triggers for when notification is required and who must be notified. In California, for example, a breached company must give notice to each affected California resident, but the California AG need be notified only if the breach affected 500 or more individuals in California. In New York, on the other hand, AG notification is required if any NY residents were affected by the breach.

While all such laws generally address notification of affected parties, the AG, credit reporting agencies, other holders of the data, and certain other constituents, they are not the only word in disclosure requirements.
Continue Reading Data Breach Disclosure Requirements Implicate More Than Privacy Law

It was recently discovered that a certain software product, in this case used by numerous cannabis companies around the country, was not secure and allowed access to consumer data of companies using the software. You can read more about it in this linked article. This isn’t the first time a security vulnerability was introduced by the use of third-party software, and it won’t be the last. The CCPA requires “reasonable security measures” be taken to protect consumer data. It is likely that employing vulnerable software will be seen to violate this standard (it has yet to be tested), but will it lead to liability of the company employing the software?  I think it will.

So what is a company to do when purchasing third-party software that will store or otherwise have access to consumer data?
Continue Reading Data Security: Are you looking at your third party software?