It’s a great time to be a privacy attorney. On October 17, 2022, the California Privacy Protection Agency (CPPA) released the next draft of the regulations under the California Privacy Rights Act of 2020 (CPRA) as well as a document explaining the proposed modifications. Two days of public hearings were recently held on October 21-22
Laws / Regulations
Illinois Court of Appeals: Statute of Limitations for Most Biometric Privacy Claims Remains at Five Years
In Illinois, the Biometric Information Privacy Act (“BIPA”) regulates the collection and use of “biometric information” such as fingerprints, facial images, and voice records. It imposes significant penalties and has generated a cottage industry of class action litigation—hundreds of cases have been filed and millions of dollars in liability have been assessed. It is also the best known and most heavily litigated of a slew of newly enacted, or soon to be passed, state and local laws aimed at regulating biometric information.
Many Illinois defendants had hoped that their liability under BIPA could be limited because, they argued, a one-year statute of limitations should apply to BIPA claims. But, in a recently issued decision, Tims v. Black Horse Carriers, Inc., 2021 IL App (1st) 200563, the Illinois Court of Appeals rejected this position for a majority of BIPA claims. It held that a five-year statute of limitations applies to the most frequently cited sections of the statute.
Utah Considers a Cybersecurity Safe Harbor as Ransomware Runs Riot
Last year the FTC mandated what an organization’s written cybersecurity program should include to avoid being deemed “unfair and deceptive” to consumers,[1] and this year California consumers whose personal information is compromised may file lawsuits against organizations that failed to implement “reasonable security.”[2]
But several states provide legal safe harbors to organizations with written cybersecurity programs. Now, Utah is considering joining them. Under House Bill 158, referred to as the Cybersecurity Affirmative Defense Act (the “Proposed Act”),[3] if at the time of a data breach a covered entity has created, maintained, and complied with a written cybersecurity program, it has an affirmative defense to a civil tort claim.
CCPA is Coming – Is Your Business Prepared For The Data Requests & Lawsuits?
Does your business collect personal information from residents in California? Does it monitor user activity on its website? If so, there is a good chance it will need to comply with the California Consumer Privacy Act (“CCPA”), which takes effect January 1, 2020.
Following the European Union’s implementation of GDPR, California adopted the CCPA, which…
List of Pending 2018 Breach Legislation
While we have yet to see much in the way of major changes (or punishment) following the massive Equifax data breach last year, there are many changes being introduced at the state level with regard to breach notification, penalties, whether or not credit reporting agencies can charge you for freezing your credit, and consumer rights…
CNIL’s GUIDANCE FOR PROCESSORS – ANSWERS TO YOUR MOST PRESSING QUESTIONS
See European Regulation on the Protection of Personal Data Guide Sub-Contractor Edition, September 2017.
- Are you a contractor within the meaning of European Regulation on data protection?
- Are you subject to EU regulation on data protection?
- What is the main change introduced by the European regulation for contractors?
- What are your obligations as of
…
PIAs & DETERMINATION OF RISK UNDER GDPR – THE LATEST:
The Article 29 Working Party updated the Guidelines on PIAs and evaluation of risk guidance on October 4, 2017:
CNIL created a PIA Infography to outline the main principles. Keep…
GDPR Data Breach & Profiling Guidelines and last chance to comment!
The Article 29 Working Party published two Guidelines related to GDPR:
Guidelines on Personal data breach notification under Regulation 2016/679, wp250
The Guidelines are open for comments until November 28, 2017. Comments should be sent to JUST-ARTICLE29WP-SEC@ec.europa.eu and presidenceg29@cnil.fr.
Proposed Oregon Legislation: Credit Card Data Breach Bill
We received a proposed data breach bill (available here) recently circulated in Salem. This draft is a variant of Oregon House Bill 2581 that died in committee. That bill would have required, among other things, merchants impacted by security breaches to notify issuing banks of all the credit cards subject to the breach.…
ePrivacy Regulation On Track
The Council of the European Union published a revised version of the ePrivacy Regulation (EPR) which will be discussed at the September 19, 20 and 25th meetings of the Working Party for Telecommunications and Information Society. The EPR is keeping on track to meet its deadline of May 2018. As a regulation, it…