In our May blog post, we took issue with the broadcast statement that ‘consumer privacy law was sweeping the country and that other states were jumping on the California Consumer Privacy Law (CCPA) bandwagon to enact their own state law.’ The problem as we saw it, was that the truth behind these sensationalistic statements was a bit more nuanced than people were led to believe. Most states, we found, that introduced consumer privacy legislation simply did not follow through, either by outright killing the legislation (MS) or by taking a step back with a wait and see approach (see TX). Nevada, by contrast, did neither. Instead, its legislature enacted its own consumer privacy solution, through SB 220, or as we call it, ‘the limited privacy amendment.’ We’ve opted to discuss Nevada’s approach here primarily because of its more restrictive application online and because its October 1, 2019, operational date is a full three months before the CCPA becomes operational.

First, the limited privacy amendment is not the CCPA. Let’s make that perfectly clear. True, it was modeled on the opt-out section of the CCPA, but it isn’t a mirror copy as it amends existing law. There are three primary areas operators conducting business over the Internet need to be aware of, when evaluating compliance measures:  
Continue Reading

Senate Bill 561, which would have generated even greater compliance challenges and litigation risk for businesses, has been held in committee and placed on suspense. This development effectively prevents the bill from advancing for a vote and is a bit of CCPA good news for businesses. It also serves as a minor setback to consumer

Cross-Posted from The Global Privacy Watch Blog

In Part 1 of our ‘Texas Joins the Privacy Fray’ series, we focused on the Texas Consumer Privacy Act. Here, we shine the light on the Texas Privacy Protection Act (HB 4390).

The TXPPA is distinguishable from both the TXCPA and the CCPA because the applicability threasholds are different. For the TXPPA to apply, a business must 1) be doing business in Texas; 2) have more than 50 employees; 3) collect personally identifiable information (“PII”) of more than 5,000 individuals, households, or devices (or has it collected on the business’s behalf); and 4) meet one of the following two criteria – the business’ annual gross revenue exceeds $25 million; or the business derives 50% or more of its annual revenue from processing PII.
Continue Reading

Cross-Posted from The Global Privacy Watch Blog

Last month, Texas saw the introduction of not one, but TWO privacy bills in the Texas state legislature: The Texas Consumer Privacy Act (TXCPA) and the Texas Privacy Protection Act (TXPPA). With news of this likely meeting with a collective groan and shoulder shrug, we do have some good news for you.

Both bills’ foundations are set with familiar CA Consumer Privacy Act (“CCPA”) language. Unfortunately, this is also bad news because they both suffer from the same problems found in the CCPA – we’ll explain below. It’s also still early in the game, with the bills having just been filed in the state legislature. Given that there is time in the legislative session for amendments to be made and especially considering the ‘ring-side’ view Texas lawmakers have to the CA legislative and Attorney General rule/procedure process currently unfolding, it would be unreasonable not to expect changes. Finally, the bills are reactive responses to the national (or international) focus on privacy issues of late and may allow impacted businesses a grace period, as we’ve seen in the CCPA. In this blog, we shine the light on the first of these bills: The Texas Consumer Privacy Act.
Continue Reading

Seyfarth Shaw Offers Data Privacy & Protection in the EU-U.S. Desktop Guide and On-Demand Webinar Series

On May 25, 2018, the EU General Data Protection Regulation (“GDPR”) will impose significant new obligations on all U.S. companies that handle personal data of any EU individual. U.S. companies can be fined up to €20 million or 4%

On May 25, 2018, the EU General Data Protection Regulation (“GDPR”) will impose significant new obligations on all U.S. companies that handle personal data of any EU individual. U.S. companies can be fined up to €20 million or 4% of their global annual revenue for the most egregious violations. What does the future passage of GDPR mean for your business?

Our experienced eDiscovery and Information Governance (eDIG) and Global Privacy and Security (GPS) practitioners will present a series of four 1-hour webinars in August through October of 2017. The presenters will provide a high-level discussion on risk assessment tools and remediation strategies to help prepare and reduce the cost of EU GDPR compliance.
Continue Reading

This week, the European Commission released its proposal to repeal the existing Regulation on Privacy and Electronic Communication (the ePrivacy Directive (Directive 2002/58/EC)) and to replace it with a new Regulation. Unlike the current EU Data Directive and the new General Data Protection Regulation (GDPR) effective May 2018, the ePrivacy Directive primarily addressed practices of traditional telecommunication providers and new providers of electronic communication services (e.g., Gmail, and others listed below). The reason behind the proposal is to catch up the existing law to the realities of the technological evolution that occurred since the passage of the ePrivacy Directive. The proposal is also expected to ensure consistency in the protections afforded by the ePrivacy Directive, particularly with respect to confidentiality of communications, with the General Data Protection Regulation (GDPR), which will take effect in May 2018.

The two most impactful proposed changes are: (1) extension of the application of privacy rules from traditional telecommunications operators to the new providers of electronic communications services, such as Gmail, Facebook Messenger, WhatsApp, and others, and (2) simplification of the rules on cookies. The former proposal would prevent email services, such as Gmail, from scanning the contents of their users’ email for the purposes of delivering targeted advertising, without obtaining the users’ explicit consent. Obviously, this could significantly impact ad revenue of online email and messaging services that rely on targeted advertising for their funding.

The simplification of cookie rules, however, is a welcome relief to business. Article 5(3) of the current ePrivacy Directive requires websites to obtain prior informed consent from a user before storing cookies and similar technologies (e.g., web beacons, Flash cookies, etc.) or accessing information stored on the user’s terminal equipment. For consent to be valid, it must be informed, specific, freely given, and must constitute a real indication of the individual’s wishes. Certain cookies are exempt from the consent requirement, including user-input cookies (session ID first-party cookies), authentication cookies (to identify the user for the duration of a session), user-interface customization cookies (e.g., language or font preferences, for the duration of a session), and third-party social plug-in content-sharing cookies (for logged-in members of a social network). In other words, cookies that are used for the sole purpose of carrying out the transmission of a communication, or are necessary to provide the requested service are likely to be exempt. Some businesses, however, read this exemption narrowly and request user consent even for the use of these “experience-enhancing” cookies.


Continue Reading

The Irish Data Protection Commissioner (DPC) has issued guidance on compliance with the General Data Protection Regulation (GDPR), which will come into force on May 25, 2018 and replace the existing European data protection framework under the EU Data Protection Directive.  The new data privacy regime is expected to result in enhanced transparency, accountability, and individuals’ rights, while optimizing organizational approach to governance and management of data protection as a corporate issue.

The guidance, titled “The GDPR and You, General Data Protection Regulation, Preparing for 2018,” urges all organizations to not delay the preparation for the GDPR and to “immediately start preparing for the implementation of GDPR by carrying out a ‘review and enhance’ analysis of all current or envisaged processing in line with GDPR.”  Proper preparation for the GDPR may help avoid regulatory fines, which can range up to €20,000,000 or 4% of total annual global turnover, whichever is greater.

The guidance consists of a checklist that aims to provide clear direction on how organizations can prepare for compliance with the GDPR in Ireland.  However, organizations will find it useful when preparing for the GDPR anywhere in Europe.  The checklist is organized around the following twelve points.


Continue Reading

Last Friday, Russia blocked LinkedIn based on a Russian court’s finding that LinkedIn violated Russian “localization” law that requires companies holding personal data of Russian citizens to store it on servers located within Russian borders.  This law came as an amendment to Russian data privacy laws, “Regarding information, information technologies and the protection of information,” “Regarding telecommunications,” and the Codex of Administrative Violations. The amendments, which came into law in September 2015, required websites and telecommunications providers to begin storing “on the territory of the Russian Federation information regarding the receipt, transfer, sending and/or processing of voice information, written text, images, sounds or other electronic messages of the users of Internet,” within six months after the law went into effect.

Russia took the position that the new requirements were necessary to ensure personal data on Russian consumers is properly protected, something the Russian government said can only be done if the servers are within Russian jurisdiction. The penalty for violating the law by companies was established at 500,000 roubles (approximately $8,000). The law also contemplated a punishment much worse than the monetary penalty. Specifically, the amendment empowered Roskomnadzor, the Russian federal agency charged with overseeing telecommunications services and information technologies, to investigate violations of the new law and to petition courts to block websites who refuse to comply.

Following the adoption of this law, many companies that collect and process Russian citizens’ information began working toward achieving compliance by ensuring that this data stayed on Russian soil. Some, however, decried the law as forcing businesses to needlessly invest in servers in Russia and rework established data workflows.

Soon after the law went into effect, Roskomnadzor began exercising its investigative powers and taking suspected violators to court. To keep track of the adjudicated violators, Roskomnadzor created a special registry of websites marked for blocking in case of continued noncompliance following the adjudication. LinkedIn, which has over 6 million registered Russian users, made Roskomnadzor’s “black list” registry and, on Friday, November 18, became the first website to be blocked in Russia for the violations of the localization law.


Continue Reading

The Article 29 Working Party has issued a statement about the so-called EU-U.S. Umbrella Agreement, which, while not providing legal basis for any data transfers, sets forth a high-level data protection framework for transatlantic cooperation on criminal law enforcement. The Agreement covers all personal data, including names, addresses, and criminal records, exchanged between the EU and the U.S. for the purposes of prevention, detection, investigation and prosecution of criminal offences, including terrorism. The Umbrella Agreement, signed by EU and the U.S. on June 2, 2016, after five years of negotiations, requires the consent of the European Parliament to be ratified.

In its statement, the Working Party cautiously welcomed the conclusion of the Umbrella Agreement. The Working Party expressed hope that the Agreement will complement the existing law enforcement treaties between the U.S. and EU and its Member States, aid the negotiation of future data sharing agreements, and set forth the minimum data protection standard for data transfers between criminal law enforcement in the U.S. and EU.


Continue Reading