Privacy

Subscribe to Privacy

As companies prepare for the provisions of the California Privacy Rights Act (“CPRA”) to come into effect in January 2023, California Office of Attorney General (“OAG”) has signaled that companies should not wait to start complying with the Global Privacy Control (“GPC”). A recent lawsuit and subsequent $1.2 million settlement by the OAG against French e-commerce company Sephora, Inc. that targeted compliance with the GPC. In announcing the settlement, the OAG also made it known that it had “also sent notices today to a number of businesses alleging non-compliance relating to their failure to process consumer opt-out requests made via user-enabled global privacy controls, like the GPC” because, “[u]nder the CCPA, businesses must treat opt-out requests made by user-enabled global privacy controls the same as requests made by users who have clicked the ‘Do Not Sell My Personal Information’ link.” In other words, the OAG is taking the position that the California Consumer Privacy Act (“CCPA”) already requires implementation of the GPC.
Continue Reading California AG Signals Enforcement of the Global Privacy Control Under the CCPA

A few weeks ago on this blog, we addressed some of the legal issues that have arisen for Zoom, as it becomes a significant part of American daily life during the COVID-19 pandemic.

Among those legal issues was an inquiry by the New York State Attorney General into Zoom’s privacy practices, and particularly into its measures to detect and prevent hackers or other outside parties attempting to observe or interfere with online meetings. In several incidents, the third parties interrupted meetings with disturbing messages or images. In fact, two other states – Connecticut and Florida – joined the New York probe after state government officials fell victim to “zoombombing.” Based on perceived security flaws, on April 6, 2020, the New York City Department of Education implemented a ban on public schools’ use of Zoom for classes and educational purposes.
Continue Reading Zoom Successfully Addresses New York’s Privacy and Security Concerns

As privacy-related litigation continues to heat up, Judge Beth Freeman (ND Cal.) recently laid out in In re Google Assistant Privacy Litigation (Case No. 19-cv-04286)[1] a potential roadmap for surviving or winning a motion to dismiss on privacy-related causes of action.

The consolidated lawsuit against Google alleges violations on twelve counts, all relating to the Google Assistant product – a voice-activated technology used in mobile and home devices that listens for “hotwords” in order to carry out user commands. This case is an important one to watch and should be broadly instructive as many companies, big and small, are and have been hard at work on voice-activated technologies (compare, for instance, to Amazon’s Alexa, Apple’s Siri, and countless speech recognition start-ups around the world). Huge numbers of households and individuals currently have these devices in their homes and/or on their person at all times.
Continue Reading A Roadmap to Litigating Privacy Claims? A Look at a Recent Order From the Google Assistant Privacy Litigation

While far from getting us back to any kind of normal that predated the COVID-19 pandemic, states have begun to relax lockdown requirements and some previously closed “nonessential” businesses are returning to operations. With such openings, governmental entities, trade organizations, and others are wisely recommending protocols, including using wellness screenings, in an effort to lower the risk that such reopenings result in a reversal of trends that have flattened the infection curve. While such protocols focus on ensuring the health and wellbeing of employees, customers, and others physically visiting the businesses and are necessary in any consideration of reopening, businesses implementing new data collection from their employees and customers need to consider the privacy implications of doing so.
Continue Reading Reopening Plans and Recommended Protocols Beg New Privacy Issues

Democratic Senators Richard Blumenthal and Mark Warner have introduced the Public Health Emergency Privacy Act in response to the bill of the same subject released by Senate Republicans (the COVID-19 Consumer Data Protection Act) at the end of last month. As with the CCDPA, the PHEPA regulates the collection of emergency health data. While the respective bills differ in many ways, the most glaring distinctions focus (not surprisingly) on enforcement, preemption, and certain uses of data.
Continue Reading Senate Democrats Release Competing COVID-19 Privacy Bill

A group of Republican senators has proposed a new privacy law to govern the collection and use of certain personal information thought to be both important and at risk during the current coronavirus crisis.

While numerous companies and governments have developed and deployed apps and programs to track individuals and trace contacts between individuals in furtherance of the laudable goal of helping to better understand and address the pandemic, there have been concerns that such data could be collected without proper authorization and/or used for purposes outside of the scope for which the data is willingly provided.
Continue Reading Federal “COVID-19 Consumer Data Protection Act” Proposed

With the explosion of COVID-19 cases worldwide, companies and governments have expanded their interest in the use of the vast stores of consumer data. Even where such collection and use of personal data is ostensibly for the public good, the privacy rights and legal requirements applicable to such data must be considered carefully.[i]
Continue Reading Public Ends From Private Means: Privacy Rights and Benevolent Use of Personal Data

The outbreak of the novel coronavirus (COVID-19) presents challenging medical privacy issues for employers. Employers must observe their employees’ continued legal right to privacy—including under the Americans with Disabilities Act (ADA), HIPAA, and/or relevant state and local laws—while maintaining a safe and healthy workplace. Below are some privacy guidelines for employers to consider with respect to the coronavirus outbreak.
Continue Reading Coronavirus and Employee Privacy Laws: What Employers Should Know

Various state laws require data breach notification and different state laws have different triggers for when notification is required and who must be notified. In California, for example, a breached company must give notice to each affected California resident, but the California AG need be notified only if the breach affected 500 or more individuals in California. In New York, on the other hand, AG notification is required if any NY residents were affected by the breach.

While all such laws generally address notification of affected parties, the AG, credit reporting agencies, other holders of the data, and certain other constituents, they are not the only word in disclosure requirements.
Continue Reading Data Breach Disclosure Requirements Implicate More Than Privacy Law