Twenty years ago, privacy and cybersecurity obligations were still taking shape. Today, they sit at the center of commercial risk allocation—and many businesses are still operating under contracts drafted for a very different legal and technological landscape.
In this thought piece, John Pavolotsky traces the evolution of privacy and cybersecurity law from the early days
Privacy and cybersecurity are incredibly dynamic, and in 2025 we have committed ourselves to a look ahead post every six months, with the next one in July 2025. The new Congress convened on January 3, 2025, and a new administration starts on January 20. Most state legislatures reconvene in early-to-mid January. If you track privacy
2023 has seen a flurry of general state privacy laws, with twelve (12) such laws now on the books. The next one to “go live,” on December 31, 2023, is the Utah Consumer Privacy Act (UCPA). With no general federal privacy law in sight, the state privacy landscape continues to get more crowded and challenging
As consumer demand for new artificial intelligence (“AI”) tools continues to grow, businesses must be prepared to build tools with “privacy by design” principles in mind, and to remain educated about privacy best practices and risk mitigation strategies when working with AI. The following areas provide the greatest opportunities to manage data privacy risks and
To say that class action litigation regarding the use or collection of “biometric information” – such as fingerprints, face records, or voice records – is expensive would be a gross understatement. The damages sought, and sometimes recovered, in litigation under the Illinois Biometric Information Privacy Act and similar laws that impose statutory penalties can be
It’s a great time to be a privacy attorney. On October 17, 2022, the California Privacy Protection Agency (CPPA) released the next draft of the regulations under the California Privacy Rights Act of 2020 (CPRA) as well as a document explaining the proposed modifications. Two days of public hearings were recently held on October 21-22
Last year the FTC mandated what an organization’s written cybersecurity program should include to avoid being deemed “unfair and deceptive” to consumers,[1] and this year California consumers whose personal information is compromised may file lawsuits against organizations that failed to implement “reasonable security.”[2]
But several states provide legal safe harbors to organizations with written cybersecurity programs. Now, Utah is considering joining them. Under House Bill 158, referred to as the Cybersecurity Affirmative Defense Act (the “Proposed Act”),[3] if at the time of a data breach a covered entity has created, maintained, and complied with a written cybersecurity program it has an affirmative defense to a civil tort claim.
Continue Reading Utah Considers a Cybersecurity Safe Harbor as Ransomware Runs Riot
As states fill the legal void for consumer privacy rights,[1] a new federal standard has emerged to assist companies with their compliance efforts. The National Institute of Standards and Technology (“NIST”) Privacy Framework (“PF”) was released last month to help organizations manage the risks associated with their data processing activities.
What the PF Does
Under the California Consumer Privacy Act, any California consumer whose personal information is compromised “as a result of the business’ violation of the duty to implement and maintain reasonable security procedures and practices … may institute a civil action.”[1]
Consumers can initiate this private right of action right now, whereas other consumer rights can only be enforced by the Attorney General beginning in July.[2]
Why This Matters
Most civil actions filed against companies during the last decade were dismissed. Why? Consumers were unable to demonstrate a suitable harm. Sure, cybersecurity incidents are a hassle for consumers to deal with, but that alone was not enough. Recently, however, courts have said “the hassle” is enough, at least for cases to proceed past their initial stages. This has led to a steady rise in both the number of cases that are settled and their dollar amounts.
Complicating things further, under the CCPA proving harm doesn’t necessarily matter. If personal information is compromised because of a failure to implement and maintain reasonable security, the CCPA quantifies harm to be “not less than one hundred dollars ($100) and not greater than seven hundred and fifty ($750) per consumer per incident” or an amount higher if proven.[3] What matters is whether your security is reasonable.
Google’s search engine defines reasonable as “as much is appropriate or fair.” For those who reminisce about how they spent three years in law school learning the many ways “reasonable” can be interpreted, the CCPA may trigger déjà vu; neither the CCPA nor its proposed regulations defines “reasonable security.” But reliable guidance is available.
Continue Reading CCPA Is Here – Is Your Security “Reasonable”?
On January 1, 2020, if your company sells goods or services to California consumers and meets certain criteria,[1] the agreements you have with companies that handle personal information on your behalf should be analyzed and, if necessary, updated just as your privacy notices should be updated.[2]
Examples of companies that handle personal information on a company’s behalf include marketing companies, managed security service providers (MSSP), and software-as-a-service (SaaS) providers such as payment processing, document and email management, and customer analytics companies.
Why this Matters
Under the California Consumer Privacy Act (“CCPA”), companies that handle consumer information on behalf of a company are “service providers.”[3] The CCPA requires that a company enter into an agreement with a service provider that
prohibits the entity receiving the information from retaining, using, or disclosing the personal information for any purpose other than for the specific purpose of performing the services specified in the contract for the business … [4]
This is important because the CCPA exempts a company for any violation of the CCPA if its service providers have executed an agreement and they, not the company providing the personal information, violates any of the rights given to California consumers under the CCPA.[5]
Continue Reading CCPA is Here – Are Your Agreements Ready?
Last year towards the end of May, a barrage of emails and pop-ups informed online users about how companies use cookies – small bits of software that track website activity – in accordance with a requirement under the European Union’s General Data Protection Regulation.
On January 1, 2020, many companies will inform consumers about updates to their privacy notices – agreements between companies and their consumers about how personal information is processed – in accordance with a requirement under the California Consumer Privacy Act (“CCPA”).
Why this Matters
A privacy notice (aka privacy policy or privacy statement) is typically the first place a company explains its practices for handling the personal information it collects. Privacy notices have received considerable attention this year, not all of it positive. You do not have to read all of the New York Times article, “We Read 150 Privacy Policies. They Were an Incomprehensible Disaster,” to know what it concluded.[1] Similarly, an article titled “Are Organizations Ready for New Privacy Regulations?” summarizes the Online Trust Alliance’s analysis of 1,200 privacy statements and its view that many of these privacy notices could result in penalties for failing to follow new laws such as the CCPA.[2] In addition, privacy notices have been the subject of litigation in cases asserting that the sale of customer information to non-affiliated entities for marketing purposes,[3] and the transfer of customer data in a merger, asset sale, or sale of customer information, were all improper because they violated companies’ privacy notices.[4]
Continue Reading CCPA is Here – Is Your Privacy Notice Ready?