The Current State of General State Privacy Laws

It’s a great time to be a privacy attorney.  On October 17, 2022, the California Privacy Protection Agency (CPPA) released the next draft of the regulations under the California Privacy Rights Act of 2020 (CPRA) as well as a document explaining the proposed modifications.  Two days of public hearings were recently held on October 21-22, 2022.  Given the rather extensive proposed changes, it seems unlikely that these will be the final regulations.  The current draft of the regulations is 72 pages long.   Most of the CPRA provisions become effective as of January 1, 2023.  While CPRA enforcement does not begin until July 1, 2023, and then on a prospective basis, there is enough of a difference between the California Consumer Privacy Act of 2018, as amended (CCPA) and the CPRA (which amends the CCPA) to warrant the review of current processes, operations, and policies.  In addition, the 30-day cure period available under the CCPA disappears under the CPRA.  In short, there is some work to do, collectively.  In the meantime, and until June 30, 2023, the CCPA (including the existing regulations) is still enforceable.  Deep breath.

That Was Then

When I co-taught Comparative Privacy Law at a San Francisco Bay Area law school in Spring 2020, the landscape seemed much simpler.  On the European side, we had the General Data Protection Regulation (GDPR), some opinions (guidance) from the European Data Protection Board (EDPB) and many more from its predecessor, the Article 29 Working Party, and an ocean of case law.  The Weltimmo decision (C-230/14) was and remains one of my favorites.  Not only does it shed light on the concept of an establishment in a given country (Hungary), but it also teaches readers that many problems can be avoided by simply being responsive to, and not upsetting, customers.  On the US side, in terms of general state privacy laws during that time period, it was the CCPA.

This is Now

When I co-taught the course in Spring 2022, I focused on the US side and in particular the CCPA, CPRA, the Virginia Consumer Data Protection Act (VCDPA), and the Colorado Privacy Act (CPA).  Each state in the union has its own data breach notification law.  We touched on these generally.  We reviewed FTC settlements.  We touched on federal privacy laws, which are predominantly sectoral.  On March 24, 2022, the Utah Consumer Privacy Act (UCPA) was signed, our nation’s fourth general state privacy law.  As an instructor, I could not resist presenting this new law to my students, whose heads were likely still spinning from the other privacy laws that I was teaching.  To my credit, I had the good sense to not include the UCPA on the final exam, which featured, of course, consumers in California, Colorado, and Virginia.  Public Act No. 22-15, entitled An Act Concerning Personal Data Privacy and Online Monitoring (CTDPA), was signed by the governor of Connecticut on May 10, 2022.  Luckily for my students, the semester was over, and a future cohort of students would need to show proficiency in understanding the metes and bounds of this new law. 

Is a comprehensive federal privacy law in sight?  Maybe.  H.R. 8152 (American Data Privacy and Protection Act or ADPPA) was introduced on June 21, 2022, referred to the House Committee on Energy and Commerce, and voted to be advanced to the full House of Representatives on a 53-2 basis.  Since then, it appears to have stalled.  In the current draft, the CPPA would have the authority to enforce the ADPPA.  Further, Section 1798.150 of the CPRA (private right of action for data breaches) would not be preempted.

In the meantime, the VCDPA becomes effective on January 1, 2023, the CPA and CTDPA become effective on July 1, 2023, and the UCPA becomes effective on December 31, 2023.  Holistically, and structurally, there are quite a few similarities between the VCDPA, CPA, UCPA, and CTDPA, with the VCDPA as the progenitor, although one should be careful not to assume that if one complies with one, one will comply with the others.  For example, all four use GDPR concepts and terms like data controller (equivalent to a business under the CCPA/CPRA), data processor (equivalent to a service provider under the CCPA/CPRA), and so on.  As intimated, important differences exist among these.  For example, the UCPA applies to controllers and processors with at least $25 million in annual revenue and that either (a) control or process the personal data of at least 100,000 consumers or (b) derive over 50% of their revenue from the sale of personal data and control or process the personal data of at least 25,000 consumers.  In contrast, VCDPA applies the second part of the test, but not the first; there is no $25 million annual revenue threshold.  Further, while both the VCDPA and the UCPA define sensitive personal data (SPD), UCPA requires notice and the right to opt out, while VCDPA requires consent.  VCDPA requires a data protection assessment for high-risk processing.  UCPA does not.  The VCDPA gives the consumer the right to correct inaccuracies.  The UCPA does not.  Notably, it was not until the CPRA that California consumers were given this right.  Both are unfunded, initially, with funding to come from enforcement actions.  Under the UCPA, once the balance in the “Consumer Privacy Account” exceeds $4 million, the balance is transferred to the general fund.  Neither has a private right of action, with enforcement authority vested solely in each state’s Attorney General.

What to do? 

Detailed charts (and re-reading each a few times) help.  More helpful, however, would be to view these laws holistically, preferably in the context of a comprehensive privacy compliance program.  Certainly, companies having to comply with the GDPR were better positioned to comply with the CCPA, and companies having to comply with the CCPA will be better positioned to comply with the CPRA and the VCDPA, CPA, CTDPA, and UCPA.  Each subsequent compliance project becomes a gap analysis followed by an implementation phase.  To that end, the focus should be on compliance building blocks, generally required or helpful for compliance with any modern data privacy law.  These include records of processing activities (ROPAs), procedures for managing data subject requests (DSRs), procedures for managing data incidents, data processing agreements with suppliers, a process to vet suppliers for information security robustness and issues, a process to conduct data privacy impact assessments (DPIAs), internal policies, external notices, training, and so on.  Once the basic processes and documents are in place, then adjustments happen, in accordance with a crisp project plan covering objectives and detailing individual tasks to accomplish these.  The process is iterative, and, theoretically, less painful for each new general privacy law, until there is a comprehensive general federal privacy law, of course.  Good luck!

Illinois Court of Appeals: Statute of Limitations for Most Biometric Privacy Claims Remains at Five Years

In Illinois, the Biometric Information Privacy Act (“BIPA”) regulates the collection and use of “biometric information” such as fingerprints, facial images, and voice records.  It imposes significant penalties and has generated a cottage industry of class action litigation—hundreds of cases have been filed and millions of dollars in liability have been assessed.  It is also the most well known and heavily litigated of a slew of newly enacted, or soon to be passed, state and local laws aimed at regulating biometric information.

Many Illinois defendants had hoped that their liability under BIPA could be limited because, they argued, a one-year statute of limitations should apply to BIPA claims.  But, in a recently issued decision, Tims v. Black Horse Carriers, Inc., 2021 IL App (1st) 200563, the Illinois Court of Appeals rejected this position for a majority of BIPA claims.  It held that a five-year statute of limitations applies to the most frequently cited sections of the statute.

The Only Bi-Partisan Show in D.C.: The U.S. Supreme Court Issues a Decisive Opinion Concerning TCPA Liability in Facebook, Inc. v. Duguid, et al.

In a widely anticipated ruling, the U.S. Supreme Court today ruled that just because a business has calling technology that has the capacity to store and dial multiple numbers – such as a cell phone — does not automatically subject that business to Telephone Consumer Protection Act (“TCPA”) liability for calls (and texts) to consumers that otherwise lack consent.

Beyond other aspects of what constitutes a robo-call, this ruling is likely to limit the number of class actions brought against businesses under TCPA.  Still, for businesses required to comply with consumer protection laws, obtaining and retaining evidence of consumer consent for calls and texts remains the primary business action to limit risk.  Where businesses use vendors to administer call campaigns, we recommend discussing with vendors the impact this decision may have on campaign practices.  As always, contacting experienced counsel to investigate whether creative steps can be taken to incorporate aspects of today’s ruling into your relationships is a wise step to better protect your business.

In an 8-0 opinion, with Justice Alito concurring in the judgment for unanimity, the U.S. Supreme Court reversed and remanded the Ninth Circuit’s decision in Facebook, Inc. v. Duguid, et al.  Slip Op. No. 19-511, 592 U. S. ___ (2021).  In the context of consumer protections ensconced in the TCPA, the Ninth Circuit held that any company maintaining a database that stored consumer phone numbers and that could also be programmed to automatically call the numbers stored therein was an operator of an “automatic telephone dialing system” (“ATDS”).  Among other things, the TCPA prohibits unsolicited telemarketing and other calls and text messages from users of an ATDS.  The Ninth Circuit’s conclusion created a rift.  The TCPA’s definition of what constitutes an ATDS was narrower than the Ninth Circuit’s interpretation.  As Facebook pointed out to the Supreme Court, the Ninth Circuit’s interpretation not only appeared to ignore the TCPA’s complete definition of what constitutes an ATDS – it made ubiquitous forms of technology previously untouched by the TCPA open to that liability.

Seattle & Portland Virtual Cybersecurity Summit Begins Tomorrow

Join me, Stoel Rives’ Chief Information Security Officer (and Global Privacy & Security Blog® author) Jon Washburn, for a panel discussion in which I will partner with top industry CISOs and CIOs to address the most pressing cybersecurity challenges of 2021. Register now for free for the Seattle & Portland Virtual Cybersecurity Summit, March 31 and April 1, 2021, for CPE credits, educational briefings, and three amazing keynote presentations. For more info or to register visit:

Don’t let Cyber Insurance be Your Cybersecurity Plan

In a recent letter to insurers, the New York State Department of Financial Services (“NYDFS”) acknowledged the key role cyber insurance plays in managing and reducing cyber risk – while also warning insurers that they could be writing policies that have the “perverse effect of increasing cyber risk.” If a cyber insurance policy does not incentivize the insured to maintain a robust cyber security program, the insurer can end up bearing excessive risk when the customer leans on the policy as their business continuity plan.

You may be wondering “What does this have to do with my business? I don’t do any business in NY state.” However, your insurer might be subject to the NYDFS cybersecurity regulation (23 NYCRR 500) and, if so, likely received this letter.

According to NYDFS, every cyber insurer should have a formal strategy that incentivizes their insureds – through more appropriately priced plans – to “create a financial incentive to fill [cybersecurity] gaps to reduce premiums.” Below is our take on five of the key practices outlined in the NYDFS letter that have potential implications for insureds.

  • Manage and Eliminate Exposure to Silent Cyber Insurance Risk. Up to now, many organizations have leveraged clauses in standard policies to cover ransomware attacks, such as those covering general liability, theft, malpractice and errors. NYDFS advises that “insurers should eliminate silent risk by making clear in any policy that could be subject to a cyber claim whether that policy provides or excludes coverage for cyber-related losses.”  When you next renew your policy, read the fine print carefully to determine if there are any exemptions for cyber-related losses – even if you have a standalone cyber insurance policy. An insurer that was left ‘holding the bag’ for covering a ransomware attack under a policy that wasn’t priced to cover cyber losses is incentivized to update that policy language at the soonest opportunity.
  • Evaluate Systemic Risk. Here, insurers are being advised to “stress test” their coverage to ensure they would remain solvent while covering potentially “catastrophic” cyber events impacting multiple insureds. If you are a cloud or managed services provider and/or are part of other organizations’ supply chains, you should expect to receive more scrutiny from your insurer on the strength of your cyber security program.
  • Rigorously Measure Insured Risk. No surprises here, unless you haven’t been filling out detailed questionnaires about your cyber security program. Expect more scrutiny of your program, and possibly the involvement of auditors to validate your claims. Check your insurance policy to see if investing in a certification program – such as ISO 27001 or HITRUST – might improve your policy premium.
  • Educate Insureds and Insurance Providers. This practice states that “insurers should also incentivize the adoption of better cybersecurity measures by pricing policies based on the effectiveness of each insured’s cybersecurity program.” Take advantage of any educational opportunities your provider offers on cybersecurity best practices and improvements. They might be trying to tell you how you can lower risk – and your rates.
  • Require Notice to Law Enforcement. While this is a best practice, NYDFS is recommending this be more formally required in the policy language.  Involving law enforcement is important when responding to cyber incidents, especially when it comes to investigating the incident and attempting to recover funds. Make sure you involve legal counsel and have a plan for engaging law enforcement in the event of a breach.

Even if your insurer hasn’t received this guidance, they are certainly aware that cyber risk, and the cost of underwriting cyber insurance, continue to increase.  With the cyber insurance market estimated to exceed $20 billion by 2025, and the risk that intermediaries – including insurers – can be liable for ransom payments made to entities sanctioned by the Office of Foreign Assets Control, business leaders should expect that their insurers will be more closely scrutinizing their cyber security plans and controls. Rebuilding encrypted systems and restoring from backup, as opposed to paying ransoms, will need to be the first plan of action.

If your organization is still struggling with the decision whether to invest more in IT security and architecture improvements or continue to rely on insurance as your cyber security plan, the guidance in the NYDFS Cyber Insurance Risk Framework merits a closer look.

While cyber insurance can be essential to helping your organization recover from a data breach, it should not take the place of a strong cyber security program.  At minimum your cyber security program should include a Cyber Security Plan, Business Continuity and Disaster Recovery Plan and an Incident Response Plan. These plans should be tested, reviewed and updated at least annually, preferably in conjunction with a penetration test and vulnerability assessment from a qualified third party.

If you have any questions or would like any additional information about the topics raised in this post, please contact Hunter Ferguson, Jeff Jones or Jon Washburn.

Portland’s New Facial Recognition Ban Increases Litigation Risk, Creates Uncertainty

Is your business using or thinking of using facial recognition technology for activities in Portland, Oregon? Think again.

That’s the message to businesses operating in Portland in a new ordinance that broadly bans the use of facial recognition technology in the city, subject to certain exceptions. The ordinance, which took effect January 1, 2021, restricts private businesses from using automated or semi-automated processes to identify an individual by comparing an image of a person captured through a camera with images of multiple individuals in a database. Due to the expansive language contained in the final version of the ordinance, routine business practices used to support or improve operations are no longer permitted. For example, retailers may have previously used software that compares surveillance video images of individuals as they enter a store with a cloud-based photo database to identify suspected shoplifters. The ordinance now prohibits use of this software.

The law also has teeth. It creates a private right of action, statutory damages of $1,000 per day for each violation, and allows for recovery of attorneys’ fees. Similar to other biometric privacy laws, this ordinance has the potential to trigger a wave of costly class action litigation and upend business operations. This ordinance creates significant risk with use of facial recognition technology, and organizations should proceed with this awareness. The law also raises numerous unanswered questions, as noted below.

Digital Transformation – Cybersecurity Lessons from Recent Lawsuits

Digital transformation,[1] the process of leveraging technology, people and processes to innovate, requires an “all-in, ongoing commitment to improvement.”[2] But the main drivers of digital transformation – data and profits – don’t always mesh seamlessly.

As shown by recent class actions filed against Blackbaud and Morgan Stanley, and a settlement with the New York Attorney General by Dunkin’ Brands, digital transformation has numerous cybersecurity issues that present legal obligations and potential liability.

In May, Blackbaud, Inc., a company that provides cloud software services to thousands of non-profits including hospitals, suffered a ransomware attack.[3]  In July, it began informing its users of the attack, many of whom used Blackbaud to process personal and sensitive information.

On August 12, the first of many lawsuits was filed against Blackbaud.  Among the allegations in the lawsuit, Blackbaud is accused of failing to properly monitor its computer network and systems, failing to implement policies to secure communications, and failing to train employees.

The five years prior to the attack are telling.  In that timeframe, Blackbaud underwent a digital transformation that involved acquiring numerous other software platforms including a predictive modeling platform, and a software provider focused solely on corporate giving.

Since the ransomware attack, Blackbaud has published cybersecurity improvements that support adherence to industry standards for incident management, employee training, systems and network testing, risk assessments, application security, encryption, and end-user authentication.[4]

Digital Transformation – Regulator Issues $80 Million Penalty for Not Doing It Right

Digital transformation refers to the process of leveraging technology, people and processes to innovate or stay competitive.  The main driver of this process is often data.  For a vivid illustration see Data Never Sleeps, an infographic released by Domo, a leading business analytics company.

While executing digital transformation the right way can lead to great success (think Google, Facebook, and Amazon), overlooking pitfalls associated with potential legal obligations – most notably, cybersecurity and data privacy – can have the opposite effect, harming an organization’s reputation and its balance sheet.

On August 6, 2020, the Office of the Comptroller of the Currency (“OCC”) assessed an $80 million penalty against bank Capital One for what it determined was a failure to implement effective cybersecurity prior to migrating information technology to the cloud.  This failure was exposed in July 2019 when Capital One announced that an outside individual gained unauthorized access to information belonging to 100 million individuals in the United States and approximately six million in Canada.

Why This Penalty Is Important

While $80 million may not be a significant hit to Capital One’s balance sheet, the accompanying consent order is notable for pointing out the bank’s failure to

[E]stablish appropriate risk management for the cloud operating environment, including appropriate design and implementation of certain network security controls, adequate data loss prevention controls, and effective dispositioning of alerts.

The OCC also highlighted the bank’s failure to “identify numerous control weaknesses and gaps in the cloud operating environment” and the bank’s failure to correct the deficiencies in a timely manner.

The OCC then singled out the Board of Directors for failing “to take effective actions to hold management accountable, particularly in addressing concerns regarding certain internal control gaps and weaknesses.”  This focus on a board’s knowledge of cybersecurity issues is not new.  The Federal Trade Commission (“FTC”) focused on this last year. 

Maintain a Strong Risk Management Program

Last year, the FTC also mandated that as an industry standard, organizations that collect and handle consumer data must implement a comprehensive written information security program. The OCC seems to agree, requiring Capital One to implement a risk management program that at least includes:

  1. A continuous risk management process that helps identify “reasonably foreseeable internal and external threats” to the confidentiality, integrity and availability of information assets and systems.
  2. The right framework for determining the likelihood and potential impact of one of these threats on the information being protected.
  3. Reasonable policies and procedures and adequate technical controls to address these risks.

What Organizations Should Do

Before, during, and after any aspect of digital transformation, organizations should consider doing the following:

  1. Obtaining the support of executive leadership to ensure that risk management is a priority for your organization.
  2. Adopting an established framework such as the NIST RMF, COSO ERM or the ISO 31000 standard.
  3. Maintaining a Risk Register and revisiting risk treatment on a regular basis – not just once a year – to ensure your organization is mitigating risk to an acceptable level.

Even if you are a novice, any reasonable effort to identify, assess, treat and monitor risks to your organization should result in heightened awareness of threats and an improvement in policies, processes, and controls.

As for migrating information technology operations to the cloud, this digital transformation process is not just for sophisticated banks.  A day after the OCC assessed its $80 million penalty, Utah Governor Gary R. Herbert announced a statewide initiative to train and certify 5000 residents in cloud computing.

If you have any questions about cybersecurity and data privacy legal obligations that your organization should be considering in connection with its digital transformation processes, please reach out to Romaine Marshall, Jon Washburn, or Jose Abarca.

Securing Online Shopping has Never Been More Important

In the wake of the COVID-19 pandemic, more consumers than ever before are shopping online – and they’re not likely to be very forgiving to any retailer that breaches their personal information. According to this recent survey from payment solutions provider PCIPal, 64% of people in the US would avoid a business following a COVID-19 related breach, and 17% would never return. While I imagine this sentiment would apply to any breach of personal information and not just one related to the current crisis, these numbers are a sharp step up from the estimated average customer turnover rate of 3.9% in last year’s 2019 IBM/Ponemon Cost of a Data Breach Report. While it’s just one survey, the significant increase in expected customer turnover rate in such a short time-period may represent a rapidly diminishing level of tolerance for websites that leak valuable personal information.

In order to remain in business, many retailers had to rush to upgrade their online presence in order to compensate for store closures and reduced foot traffic in locations that were able to remain open; or for the more fortunate retailers, to simply manage an unprecedented increase in online purchasing. As we balance security risk against the need to maintain the health of the business, it would not be surprising if ‘speed to market’ concerns took priority over rigorous application security review in some of these instances – after all, a strong cybersecurity program is meaningless if there’s no organization left to protect. Nevertheless, it is still critical to complete the cycle of secure software development and thoroughly test any changes and integration of new solutions to verify they are secure.

If you are a retailer that has had to prioritize retooling your online presence over everything else, please be sure to circle back around and undertake these important tasks:

  • Conduct a code review that focuses on verifying that your site is not vulnerable to web application security risks, such as those included in the OWASP Top 10
  • Validate that any integration of new technology – such as payment processing, customer experience or even anti-fraud solutions – is still properly managing personal information in line with your security and privacy policies
  • If you don’t already offer it, consider offering two-factor authentication to your online customers
  • Confirm your web servers are still using strong security certificates and aren’t allowing weak protocols.  You can check this for free at
  • Ensure everything is still running using the Principle of Least Privilege
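The weak-protocol check in the list above, as an added example that is not part of the original post: a small Python linter that reads the `ssl_protocols` and `ssl_ciphers` directives from an nginx-style configuration and flags legacy protocol versions and weak cipher suites, with a constructed weak configuration beside a hardened one. The configuration text, the certificate paths and the lists of weak markers are assumptions for illustration, not settings from any real site.

```python
"""Offline linter for weak TLS settings in an nginx-style configuration.

Added example, not from the original post. It only reads configuration text,
so it can run as part of a pre-deployment review without touching a live server.
"""
import re

# Protocol versions that should not be offered by a public web server.
WEAK_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}

# Substrings of OpenSSL cipher-suite names that indicate a weak or broken primitive.
WEAK_CIPHER_MARKERS = ("RC4", "DES", "MD5", "NULL", "EXPORT")

# Matches `ssl_protocols ...;` and `ssl_ciphers ...;` directives, one per line.
DIRECTIVE_RE = re.compile(r"^\s*(ssl_protocols|ssl_ciphers)\s+([^;]+);", re.MULTILINE)

# Constructed sample: a configuration that still allows legacy protocols and ciphers.
WEAK_CONFIG = """
server {
    listen 443 ssl;
    ssl_certificate     /etc/ssl/shop.example.crt;
    ssl_certificate_key /etc/ssl/shop.example.key;
    ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers RC4-SHA:DES-CBC3-SHA:ECDHE-RSA-AES128-GCM-SHA256;
}
"""

# Constructed sample: the same server block with the weak settings corrected.
HARDENED_CONFIG = """
server {
    listen 443 ssl;
    ssl_certificate     /etc/ssl/shop.example.crt;
    ssl_certificate_key /etc/ssl/shop.example.key;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-CHACHA20-POLY1305:!aNULL:!MD5;
    ssl_prefer_server_ciphers off;
}
"""


def parse_tls_directives(config_text):
    """Return {'ssl_protocols': [...], 'ssl_ciphers': [...]} found in the config text."""
    found = {"ssl_protocols": [], "ssl_ciphers": []}
    for name, value in DIRECTIVE_RE.findall(config_text):
        value = value.strip().strip('"').strip("'")
        if name == "ssl_protocols":
            found[name].extend(value.split())        # space-separated versions
        else:
            found[name].extend(value.split(":"))     # colon-separated OpenSSL cipher list
    return found


def find_tls_weaknesses(config_text):
    """Return a list of findings; an empty list means no weak setting was detected."""
    directives = parse_tls_directives(config_text)
    findings = []
    if not directives["ssl_protocols"]:
        findings.append("ssl_protocols not set explicitly; server relies on nginx defaults")
    for proto in directives["ssl_protocols"]:
        if proto in WEAK_PROTOCOLS:
            findings.append(f"weak protocol enabled: {proto}")
    for suite in directives["ssl_ciphers"]:
        if suite.startswith("!"):
            continue  # a leading '!' removes the suite from the list, which is what we want
        if any(marker in suite for marker in WEAK_CIPHER_MARKERS):
            findings.append(f"weak cipher suite allowed: {suite}")
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{label} configuration:")
        for line in find_tls_weaknesses(cfg) or ["no weak settings found"]:
            print("  -", line)
```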

Coast to Coast and Back Again – Cybersecurity and Data Privacy Rules

March 2020 will long be remembered as the month and year of en masse shutdowns.  But the pandemic has done little if anything to slow new cybersecurity and data privacy laws.  As highlighted below, regulations for one have been submitted (CA), another has gone into effect (NY), and yet another has been proposed (CA).

California Consumer Privacy Act (“CCPA”) Gets Confirmed by State Attorney General

After nine months, a lot of public input, and three proposed drafts, the regulations for enforcement of the CCPA have been submitted for approval.  The final text of the regulations demonstrates how granular enforcement could be.  Here are five examples:

  1. A business’s required privacy policy must include the date it was last updated.
  2. A business must provide at least two methods for consumers to send requests for deletion of their information.
  3. A service provider can retain, use, or disclose information in certain circumstances, such as to detect security incidents even after a deletion request.
  4. A business must confirm within 10 days that it has received a request to know what it has collected from consumers.
  5. A business must have a documented policy for verifying the identity of a person making a request related to their personal information.
