Decisions, decisions.  We are deluged by decisions.  What present should I buy?  Is the small cheese plate enough for my party guests, or should I go with the large?  How much of my bonus should I set aside for retirement this year, or should I up my charitable giving? 

Wouldn’t it be nice if we could all get a little technological assistance in making choices this holiday season?Continue Reading Jingle All the Algorithms: Automated Decisionmaking Amidst a Blizzard of State Privacy Laws

On October 10, 2023, Governor Gavin Newsom signed into law the California Delete Act, which imposes new requirements on “data brokers.” Because of the California law’s broad definition of the term “data broker,” the law will apply to many businesses that would not typically think of themselves as engaged in buying and selling data.  The Delete Act will require such “data brokers” to make new disclosures and, beginning in 2026, respond to bulk deletion requests submitted via a mechanism established by the California Privacy Protection Agency (CPPA), which is likely to prove onerous.  Unlike current deletion requests, which are sent on a one-off basis to specific businesses, the Delete Act will require these requests to be honored by all businesses registered with the CPPA as a data broker simultaneously.  As a result, data brokers will see a significant increase in the volume of such requests they are required to process.  Additionally, beginning in 2028, data brokers will be required to undergo costly third-party compliance audits. Continue Reading California Adopts “Delete Act”:  New Requirements for Data Brokers

On March 29, 2023, the California Office of Administrative Law (the “OAL”) approved the first substantive set of California Privacy Rights Act (“CPRA”) regulations from the California Privacy Protection Agency (the “CPPA”), which we addressed in a previous blog. Those regulations went into effect immediately. As discussed in a recent episode of Ropes & Gray’s privacy podcast, The Data Day, the CPPA has also begun consideration of an additional set of regulations that would implement other CPRA requirements, issuing an Invitation for Preliminary Comments on Proposed Rulemaking Cybersecurity Audits, Risk Assessments, and Automated Decisionmaking. Enforcement of the CPRA, including its implementing regulations, is scheduled to begin on July 1, 2023. However, on March 30, 2023—just one day after the OAL approved the CPPA’s regulations—the California Chamber of Commerce announced that it had filed suit in Sacramento Superior Court seeking to delay enforcement until 12 months after a final and complete set of regulations has been adopted.Continue Reading California Finalizes Privacy Regulations: Enforcement Scheduled to Begin in July 2023

On Friday, February 3, 2023, the California Privacy Protection Agency (the “CPPA”) Board (the “Board”) approved draft regulations issued under the California Consumer Privacy Act, as amended and expanded by the California Privacy Rights Act (together, the “CCPA”). The draft regulations will now go through review by the Office of Administrative Law (the “OAL”), the final step in the rulemaking process before the regulations are scheduled to take effect. The draft agreed upon by the Board is in substantially the same form as the draft regulations published in November 2022 with only minor grammatical and stylistic changes. As such, the draft regulations will have a significant impact on many businesses if approved, adding specifics around the CCPA’s proportionality requirements, contracts with service providers and other third parties, opt-out preference signals, and processes for responding to data subject rights requests. In the same meeting, the Board also requested public comment on topics that are likely to be covered in a new set of regulations from February 10, 2023, through March 27, 2023.Continue Reading Across the Finish Line (Almost): Revised California Consumer Privacy Act Regulations Approved by California Privacy Board

In the new year, comprehensive privacy laws go into operation in five states:  California (January 1), Virginia (January 1), Colorado (July 1), Connecticut (July 1), and Utah (December 31).  Subsequent blog posts will cover each of these laws in detail.  In this post, we begin a series analyzing the impact of the California Privacy Rights Act (“CPRA”) in greater depth. 

The CPRA will go into operation on January 1, 2023 and will be enforceable by the newly created California Privacy Protection Agency (“CPPA”) beginning on July 1, 2023. Passed by ballot initiative in November 2020, the CPRA amends and expands the California Consumer Privacy Act (together with the CPRA, the “CCPA/CPRA”), already the most far-reaching privacy legislation currently in operation in the United States.  As amended, the CCPA/CPRA expands consumer privacy rights and data processing obligations, creating new rights to limit the use of sensitive personal information and to correct personal information stored by a business.  It implements certain “principles of processing” like the purpose limitation, requiring businesses to evaluate their uses of personal information to ensure they are proportionate to the requirements of disclosed business and commercial purposes.  It also enhances opt-out rights in the context of cross-context behavioral advertising and requires that businesses enter into new contractual terms with service providers to which they disclose the personal information of California residents.Continue Reading Companies Wrestle with Compliance in the Lead Up to Effectiveness of the CPRA and Other State Privacy Laws

The FTC’s recent publication, FTC Safeguards Rule: What Your Business Needs to Know (the “Guide”), provides a helpful overview of the FTC’s recent Safeguards Rule amendments. The FTC’s Safeguards Rule is applicable to “financial institutions,” such as private funds, subject to the FTC’s jurisdiction but not the jurisdiction of another regulator under the Gramm-Leach-Bliley Act (GLBA). Ropes & Gray has previous reviewed the Safeguards Rule amendments here and here. The Guide does not break any substantial new ground but does provide a useful summary of the Safeguards Rule’s security requirements along with additional details regarding the controls the FTC considers part of a reasonable information security program.

The Guide identifies nine elements of an information security program required under the Safeguards Rule. Companies that maintain personal information regarding fewer than 5,000 consumers are not subject to all of these requirements, as summarized further here. Additionally, companies are not required to have in place all of the controls described until December of this year, but should work toward implementation now, as many will require time intensive processes.Continue Reading FTC Publishes Guide to Safeguards Rule Compliance Applicable to Private Funds

On March 1, 2022, the Senate passed a data breach and cybersecurity bill that could vastly expand data breach notice requirements. The Strengthening American Cybersecurity Act (the “Senate Bill”), which now shifts to the House of Representatives, would require organizations in certain critical infrastructure sectors to report substantial cybersecurity incidents to the Department of Homeland Security within 72 hours after the organization reasonably believes the cyberincident has occurred, among other measures intended to enhance the nation’s cybersecurity posture. Covered organizations would also be required to report ransom payments within 24 hours of making a payment in response to a ransomware attack. These provisions are not limited to data breaches affecting personal data and would significantly expand the breadth of data breach reporting requirements to many commercial enterprises that have not focused on consumer privacy issues.

While the bill was criticized by FBI Director Christopher Wray and Deputy Attorney General Lisa Monaco for shifting cyber-focus from the DOJ/FBI to DHS/CISA, it remains likely to pass the House, where similar legislation was supported last year as part of the annual defense authorization package. In addition to its breach reporting provisions, the Senate Bill would also require or encourage new cybersecurity measures for federal agencies, clarify the roles of certain cybersecurity officials and authorize the federal contractor cybersecurity FedRAMP program for five years.Continue Reading Senate Approves Breach Reporting Legislation; Likely to Pass House

As ransomware attacks continue to proliferate, organizations are facing increasingly complex practical and legal considerations. Ransomware threats can range from simple Ransomware-as-a-Service models to sophisticated attacks with network-wide impacts. In many cases, ransomware attacks involve not only encryption but also data exfiltration with accompanying regulatory and contractual notification obligations. Ransomware attacks are now so pervasive that they were deemed “a direct threat to our economy” by a Treasury Department Press Release. The resulting governmental focus on ransomware will create new and evolving regulatory challenges for organizations experiencing an attack.

Ransomware in 2021

If 2020 initiated a new era of ransomware threat due to pandemic-related shifts to remote work and the associated security risks, 2021 proved that this threat is only likely to increase in 2022, as the toxic mix of host nations accommodating ransomware gangs, the widespread ability of businesses to pay ransomware under insurance policies, the decreasing technical barriers to entry for attackers, and the ready availability of often untraceable cryptocurrency all remain strong. High-profile ransomware attacks in 2021 included the Colonial Pipeline attack, which interrupted gas supplies along the East Coast of the United States and the attack on JBS Food, one of the world’s largest meat producers, which caused panic buying by some consumers. As with other cybersecurity threats, supply chains were also exploited, with the REvil ransomware gang leveraging unauthorized access to Kaseya’s IT administrator software infrastructure to push out a fake software update containing ransomware. In that instance, the FBI was able to provide some assistance by obtaining encryption keys, but victims of future attacks may not be so fortunate.Continue Reading Ransomware Threat Continues to Explode with New Legal and Regulatory Risks

BillThe proposed Washington Privacy Act (WPA) continues to move forward with new enforcement provisions, including a limited private right of action. The Washington House Committee on Civil Rights and Judiciary narrowly approved the so-called “striker” amendment, which would enable state residents to sue companies for injunctive relief over alleged violations; but does not allow suit for monetary damages. The bill had already passed in the Washington Senate by a vote of 48-1.
Continue Reading Proposed Washington Privacy Act Gets a Different Set of Teeth with Private Right of Action for Injunctive Relief

Thursday, in a unanimous decision, the Supreme Court narrowed the potential scope of the Telephone Consumer Protection Act (“TCPA”), which has been fertile ground for plaintiffs’ attorneys seeking class-wide damages. Justice Sotomayor wrote the opinion in Facebook v. Duguid, which held that for telephone dialing equipment to constitute an “automatic telephone dialing system” (“ATDS”) under the TCPA, “a device must have the capacity either to store a telephone number using a random or sequential generator or to produce a telephone number using a random or sequential number generator.” The upshot of this distinction is that computer systems that simply store phone numbers, not generated randomly or sequentially, for later dialing are not an ATDS.
Continue Reading Supreme Court Narrows Potential Scope of the Telephone Consumer Protection Act