Explore MVALAW.COM

Posts in Privacy.
The Supreme Court’s Facebook Ruling Narrows TCPA Claims—But Does Not Eliminate Them

Last month, the Supreme Court resolved a long-standing circuit split over the definition of an “automatic telephone dialing system” (ATDS) under the Telephone Consumer Protection Act (TCPA). The highly-anticipated decision in Facebook v. Duguid narrowed the type of equipment that constitutes an ATDS, and therefore drastically limited the scope of “automated” calls and texts that violate the TCPA.  

Another Major Setback for EU-U.S. Data Transfer in “Schrems II”

On July 16, 2020, the Court of Justice of the European Union (“CJEU”) issued its judgment in the “Schrems II” case, cautiously upholding Standard Contractual Clauses (SCCs) and invalidating the popular EU-U.S. Privacy Shield.  The judgment is the second major triumph affecting transatlantic commerce for Austrian privacy activist, Max Schrems. 

Under the EU’s General Data Protection Regulation (“GDPR”), an organization may only transfer individuals’ personal data to non-EU countries for processing if the European Commission determines the third country ...

Update: The Washington Privacy Act

For more background on the Washington Privacy Act, see: Washington State Legislature Takes Another Shot At a Consumer Data Privacy Law (DataPoints, 1/22/2020)


Senate Bill 6281, the Washington Privacy Act, passed out of the Senate on February 14 and moved to the House of Representatives where it is expected to run up against some skepticism and questions. 

The bill was drafted to help bring Washington state more in line with California’s and the EU’s data privacy regulation efforts, in the absence of comprehensive privacy regulation at the federal level.  The Act places ...

Washington State Legislature Takes Another Shot At a Consumer Data Privacy Law

Following an unsuccessful attempt last year at passing a comprehensive data privacy bill, the Washington State Legislature is hoping the second time’s the charm. Senate Bill 6281, this session’s updated version of The Washington Privacy Act, is based on the best practices taken from the European Union’s General Data Protection Regulation (GDPR), and the California Consumer Privacy Act (CCPA) which went into effect on January 1 of this year. Although last year’s effort fizzled in Washington’s House of Representatives after passing the Senate 46-1, SB 6281 has been ...

Schrems II Opinion Casts Doubt on EU-US Data Protection Rules

Facebook is at the center of the “Schrems” case, which exposed contradictions between U.S. and EU data privacy rules and toppled the U.S./EU Safe Harbor (Schrems I). In Schrems II, Austrian Max Schrems challenges the adequacy of standard contractual clauses and the Privacy Shield (the replacement to the Safe Harbor).  A recent opinion in Schrems II questions the adequacy of privacy protections guaranteed by the U.S. but for now preserves the Privacy Shield and standard contractual clauses as potential adequate means of transferring personal data from the EU to the U.S.

The ...

The Wait is Over: Proposed Regulations Implementing the CCPA are Released

By Suzanne Gainey and Tandy Mathis.  On October 10, California Attorney General Xavier Becerra announced that the long-awaited proposed regulations implementing the California Consumer Privacy Act (“CCPA”) are available for public comment.  Although the regulations are not yet final, they do provide some visibility into what the Attorney General will expect from businesses that are subject to the CCPA.  While the proposed regulations add some clarity to the (sometimes unclear) language of the CCPA, the regulations also raise new questions about the application of the CCPA ...

California Consumer Privacy Act Update: AB25 and AB1355 Approved by California Governor

Earlier we posted an article regarding the amendments to the California Consumer Privacy Act by AB 25 and AB1355 creating a moratorium on the application of much of the CCPA to employee personal information—subject to approval by California’s governor. Pleased to report that Governor Newsom approved both AB25 and AB1355 and therefore the moratorium will be in effect until January 1, 2021. Some welcome relief to businesses trying to comply with the CCPA’s requirements.

California Consumer Privacy Act Update: California Legislature Provides Relief for Businesses Processing Employee Data

The California Consumer Privacy Act (CCPA) imposes significant protections for California residents covered by the law, and significant burdens for companies required to comply with it.    One area of concern is whether the CCPA applied to employee data collected by a business.  The language of the CCPA was unclear, but was open to the interpretation that its protections covered such data.  With an effective date of January 1, 2020, employers have been watching to see if the California legislature would clear up the uncertainty.  The good news is that for at least until January 1, 2021, most ...

Washington State Legislature Moves Toward Passage of Broad Consumer Data Privacy Law

Following in the footsteps of California, and the European Union’s General Data Protection Regulation, the State of Washington is taking steps to adopt a comprehensive privacy law focused on protecting consumer information. SB 5376, better known as the Washington Privacy Act, passed in the Washington State Senate on March 6, 2019 by a vote of 46 to 1 and had a public hearing in the Washington State House Committee on Innovation, Technology & Economic Development on March 22, 2019.

The bill has also received support from Microsoft General Counsel and former U.S. FTC Commissioner ...

Illinois Supreme Court Rules on Biometric Privacy Case

Today, the Illinois Supreme Court unanimously held that actual harm was not a necessary component of proving a breach of the state’s Biometric Information Privacy Act.  This ruling found that Stacy Rosenbach, the mother of a minor whose thumbprint was collected by Six Flags as part of a season pass holder purchase, can be considered an “aggrieved person” under the state’s biometric privacy law without alleging that her child’s data was stolen or misused.

This decision is significant because Illinois has the nation’s only biometric privacy law with a private right of ...

Update on California Consumer Privacy Act

By Bret Buckler and Todd Taylor
Recently the state of California passed a data privacy and security law called the California Consumer Privacy Act (“CCPA”) (Assembly Bill 375, found here).

The law, which takes effect on January 1, 2020, is aimed at establishing a defined set of rights for consumers with regard to how their personal information is being collected and used.  The political push for the law comes on the heels of a contentious few months where tech giants such as Facebook have admitted to potentially problematic data breaches and oversharing of personal information ...

What’s next for Facebook?

Now that the cameras have gone, the booster cushion has been removed from the witness chair, and Mark Zuckerberg is comfortably back in in Palo Alto, having survived his marathon two-days of testimony in front of a somewhat confused Congress, what’s next? 

Regulations  

Following the revelations that a political marketing firm, Cambridge Analytica, improperly obtained personal information from approximately 87 million Facebook user profiles (including even Mark Zuckerberg’s!), Congress has more support than ever to regulate Facebook and other social media tech.  On his ...

The CLOUD Act – Congress Passes New Bill Which Will Impact Access To Cross-Border Data

By Tandy Mathis

On Friday, March 23, 2018, Congress passed a 2,232 page omnibus spending bill. Included in the bill was a bipartisan act known as the “Clarifying Lawful Overseas Use of Data Act” or CLOUD Act, which will allow United States law enforcement to access the data stored abroad for U.S. citizens and will provide some relief to foreign law enforcement agencies to access the data of their citizens when that data is stored in the U.S..

The CLOUD Act Overhauls an Outdated Stored Communications Act (SCA) and an Overburdened Mutual Legal Assistance Treaty (MLAT) Act

At its core ...

Two Proposed Data Security Laws Reflect National Trend Toward Affirmative Responsibilities

With major consumer data breaches making headlines on a semi-regular basis, legislators around the country are starting to hold businesses more accountable for cybersecurity compliance.  Industry-specific laws such as HIPAA and the Gramm-Leach-Bliley Act (GLBA) already establish federal data security standards for some companies, and the Federal Trade Commission has taken the position that failure to have reasonable security measures is a violation of the FTC Act (see our DataPoints post here). 

From Massachusetts to New Mexico, a handful of state legislatures also have ...

MVA Seminar - Privacy and Data Security in the Trump Era: How to talk to the FBI and your IT Department in a Data Breach

PRIVACY AND DATA SECURITY IN THE TRUMP ERA: HOW TO TALK TO THE FBI AND YOUR IT DEPARTMENT IN A DATA BREACH (MAY 24, 2017): Effectively responding to a data breach requires clear communication with a web of internal and external groups. Two important groups are law enforcement and a company’s internal IT department. With the help of an FBI agent and an IT professional, this seminar will explore how to effectively work with these two groups to address a breach. Wednesday, May 24, 2017 11:30 AM - 1:00 PM. Register here.

 

Your Uber Driver Might Not Be the Only One Who Knows Where You Were Picked Up and Dropped Off….
By Tandy Mathis, Elena Mitchell, and Mindy Vervais

 

Did you know that if you’ve taken a New York City taxi since 2009, your pick-up and drop-off locations were recorded and published (through June of 2016) on the internet for anyone to find? Now, New York City officials want ride-sharing companies like Uber and Lyft to start providing drop-off and pick-up location data, too.

The New York City Taxi and Limousine Commission, or TLC, currently collects all kinds of trip data from New York City taxis—including pick-up and drop-off dates and times, coordinates of the start and end ...

Happy Data Privacy Day!  A Few Tips from the MVA Privacy and Data Security Group

Saturday January 28, 2017 is Data Privacy Day.  The Moore & Van Allen Privacy and Data Security group took a break from the pre-holiday revelries to put together some thoughts and tips for DataPoints.  So hoist a glass and enjoy this read, and try not to ponder too long the irony that Data Privacy Day falls on the same day as China’s New Year’s celebration.  Cheers!

  • Update vendor contracts. Make sure that contracts include required data security and privacy requirements. Some older laws and regulations already impose specific data security and privacy standards for certain industries ...
Live Streaming: The Privacy Concerns of Behind-the-Scenes Access

By Leslie Pedernales

A professional football team clinches their playoff spot in an upset game, then hits the locker room for a celebration and an inspirational pep talk from their winning coach.  The perfect application for livestreaming, one might think.  Opening a window into this mysterious world for all the rest of us to see and experience.  Not so fast.

After the Pittsburgh Steelers upset the Kansas City Chiefs in the AFC playoff game on January 15, Steelers wide receiver Antonio Brown invited the world into the Steelers’ locker room to join in the celebration through Facebook ...

MVA Seminar - Contracting for the Cloud
CONTRACTING FOR THE CLOUD (OCTOBER 27, 2016): Privacy and data security issues impact every industry and affect almost all aspects of a company’s operations. Sales, human resources, data maintenance and storage, IT, legal and compliance, even litigation, all require careful attention to protecting the privacy of personal information as well as preserving the integrity of company, customer or third party data. Moore & Van Allen developed the Privacy & Data Security Seminar Series 2016 to help our clients and friends of the firm navigate the legal and the practical challenges ...
The Early Days of the EU-U.S. Privacy Shield: Should Your Organization Self-Certify?

On August 1, 2016, the U.S. Department of Commerce began accepting self-certification applications for the new EU-U.S. Privacy Shield Framework.  In the month that has followed over 100 companies (including Microsoft, Oracle and Salesforce, among others) have self-certified that they are in compliance with the EU-U.S. Privacy Shield.

Now that that Privacy Shield is in effect and gaining acceptance, it is a good time for companies to examine whether the Privacy Shield makes sense for them.  To answer that question, it is important to understand some basic facts about the Privacy ...

European Parliament Passes Landmark Data Protection Regulation

Robert Sumner IV and Brandon Gaskins

On April 14, 2016, the European Parliament passed the General Data Protection Regulation (GDPR) and its companion, Data Protection Directive for Police and Criminal Justice Authorities.  The GDPR is a comprehensive regulation that includes new and enhanced privacy rights for European Union (EU) citizens, such as “the right to be forgotten” and the right to object to data processing, including data profiling.  The GDPR also establishes new and heightened obligations for companies doing business in the EU related to the collection, use, and ...

EU Article 31 Committee Approves EU-US Privacy Shield

EU Member States (the Article 31 Committee)  approved today the EU-US Privacy Shield.  The next step is formal adoption.  The full press release can be found here.

The approval of the Privacy Shield is good news for companies who transfer personal data from the EU to the US. Although legal challenges to the Privacy Shield are likely, the Privacy Shield was designed to address the shortcomings cited by the European Court of Justice in the now invalidated Safe Harbor self-certification scheme and should have a better chance of standing up to those legal challenges.

Related DataPoints Posts:

U.S. Government Petitions to Join Data Privacy Litigation Against Facebook in Ireland

On June 13, 2016, the United States government asked the Irish High Court to be joined as amicus curiae (friend of the court) in the case brought by the Austrian privacy activist Max Schrems against Facebook attacking the use of model contract clauses to transfer EU citizens’ data from the EU to the U.S. as violating fundamental privacy rights. This is an unusual request for the U.S. government to seek to intervene in private ligation, particularly in foreign courts. However, the stakes are high should Facebook lose, and the U.S. government’s surveillance practices are at the ...

MVA Seminar - Responding to a Data Breach:  What to Expect and What to Avoid
RESPONDING TO A DATA BREACH: WHAT TO EXPECT AND WHAT TO AVOID (APRIL 20, 2016): Verizon, Experian, and T-Mobile are on a growing list of entities impacted by major data breaches in the past year.  But data breaches are not just limited to large national companies or organizations. No one is immune. For most organizations—big or small—the question is not “if” they will be impacted by a data breach, but “when.” This seminar will help attendees gain a better understanding of what to do in the aftermath of a data breach, analyzing such questions as:
  • What should I expect after a ...
Energy Industry Target of Cyber-Attacks and Congressional Efforts to Bolster Security

Cybersecurity of the electric power grid and energy sector as a whole has been the subject of heightened Congressional attention given the integral role the industry plays in our economy. According to a 2015 U.S. Senate committee report, nearly one-third of reported cyber-attacks involve the energy sector. Not surprisingly, the 114th Congress (2015-2016) has introduced several pieces of legislation targeted towards enhancing the security of the nation’s energy infrastructure. Among the bills introduced were S. 1068 – An act to amend the Federal Power Act to protect the ...

President Obama Signs New Privacy Law – Judicial Redress Act

On February 24, 2016, President Obama signed into law the Judicial Redress Act giving citizens of certain “covered countries” access to U.S. courts to protect their privacy and take legal action against U.S. government agencies if their personal data is unlawfully disclosed.  The  Act provides that the U.S. Secretary of State, the Treasury Secretary and the Secretary of Homeland Security, will designate which countries and “regional economic integration organizations” (REIOs) will be “covered countries.”  To be designated, however, the countries and REIOs must ...

MVA Seminar - Privacy and Data Breach:  What Can Companies Expect in 2016?
PRIVACY AND DATA BREACH: WHAT CAN COMPANIES EXPECT IN 2016? (MARCH 16, 2016, SPEAKERS - KARIN MCGINNIS, TODD TAYLOR): 2016 promises to bring significant developments and challenges in information privacy and data security. Congress and state legislatures are continuing to focus on new laws to protect personal information while at the same time minimize the impact of cybersecurity threats. The Federal Trade Commission has made clear that it will continue to be a watchdog for privacy and data security violations affecting consumers, while at the same time the National Labor ...
Mobile Applications that Track User Information Have the FTC’s Attention

by Member Omari Sealy
Similar to website browsers, many mobile applications collect a variety of information from the user, including, the user’s identity, usage history, past log-ins, and location.  This enables the application to provide various functionality and to tailor features of the application for a better user experience (e.g., items retained in a shopping cart or targeted advertising).  These applications can be found in a variety of everyday devices such as smartphones, tablets, laptops, smart TVs, and even in some newer automobiles.  However, the enhanced ...

US and EU “Privacy Shield” Framework for Cross-Border Data Transfers Submitted to Article 29 Working Party Today

by Privacy & Data Security Member Karin McGinnis

On the same day that groundhog Punxsutawney Phil predicted an early Spring, the EU College of Commissioners brought some sunshine of its own, announcing yesterday that it has reached an agreement with the U.S. on transfers of personal  data from the EU to the U.S.  Details on the “Privacy Shield” are sketchy, and the EU Commission still must confer with the Article 29 Working Party and draft a decision document setting forth the terms.  But this is welcome news for companies on both sides of the pond.  More good news came today.  The Article ...

Reading the Section 5(a) Tea Leaves: What the end of 2015 may suggest about the FTC priorities in 2016

by Associate Breana Jeter

The end of 2015 represented a mixed bag for the Federal Trade Commission on privacy enforcement.  In November, the FTC’s Chief Administrative Law Judge dismissed the FTC’s complaint against LabMD for a possible data breach of 1,718 patients’ insurance claim information.  The patient’s sensitive information was discovered on peer-to-peer software by a data security company seeking to sell its services to LabMD.  While LabMD maintained that the patient’s information never left the company’s network and that there was no actual ...

Federal Trade Commission PrivacyCon 2016 Recap: Insights into the FTC’s Perspective on Privacy and Data Security

by Privacy & Data Security Member Karin McGinnis

The Federal Trade Commission’s PrivacyCon event brings together the FTC, researchers and academics to discuss the latest research and trends related to consumer privacy and data security.  Much of the discussion today centered on Big Data, coming on the heels of the FTC’s report, Big Data: A Tool for Inclusion or Exclusion? Understanding the Issues, which can be found here.  Also prominent were concerns about web transparency and whether consumers in fact understand what data is collected on them and how it will be used.  FTC ...

European Court of Justice Invalidates E.U. – U.S. Safe Harbor Framework

On October 6, 2015, the European Union's Court of Justice (the "ECJ") invalidated the E.U. – U.S. Safe Harbor Framework (the “Safe Harbor”) -- a data transfer arrangement upon which thousands of U.S. based companies have relied for legally transferring personal data outside of the European Union to the United States.   In order to better understand the likely impact of the ECJ’s decision, it may be useful to understand the original purpose behind the Safe Harbor.

Background on the Safe Harbor

Prior to the adoption of the Safe Harbor, legally transferring personally ...

User Beware: Facebook’s Internet.org Platform Considered to be “Privacy Nightmare”

By:  Tandy Blackburn and Mindy Vervais

On May 4, 2015, Facebook introduced Internet.org Platform, an open program for developers to create services that integrate with Internet.org.  However, many privacy advocates have deemed the Internet.org Platform to be a “privacy nightmare” for internet users in developing countries where Internet.org is offered.

Nearly a year ago, Facebook first introduced Internet.org and its companion mobile application, Internet.org App (“the App”) to the world, starting with the African country of Zambia.  Facebook has since introduced ...

MVA Seminar - Limiting Legal Liability for Potential Privacy and Data Security Issues: Practical Approaches to a Complex Problem
LIMITING LEGAL LIABILITY FOR POTENTIAL PRIVACY AND DATA SECURITY ISSUES: PRACTICAL APPROACHES TO A COMPLEX PROBLEM (APRIL 29, 2015):  You know that privacy and data security issues pose a huge risk for your company.  Regulatory penalties, litigation costs and recovery, and even just the cost of analyzing a data breach and sending out required notices can hurt a company’s bottom line not to mention its reputation.  Target’s breach cost the company over $148 million.  Fortunately, there are practical steps that your company can take now to limit liability when the inevitable ...
Proceed with Caution: Vehicle to Vehicle Communication Technology

Will the brave new world of automobiles include talking vehicles?  According to a plan by the National Highway Traffic Safety Administration (“NHTSA”), the answer is yes.  NHTSA has provided advanced notice that it intends to propose a rule http://www.nhtsa.gov/About+NHTSA/Press+Releases/NHTSA-issues-advanced-notice-of-proposed-rulemaking-on-V2V-communications  that all passenger cars and light trucks must have vehicle to vehicle (“V2V”) communication capability by 2019.  Many automakers are already incorporating some V2V technology in their ...

President Obama Proposes Legislation to Nationalize Data Breach Notification Standard

2014 was the year of the data breach as several large, high profile breaches occurred, including EBay, Target, and Home Depot, that affected the personal data of millions of Americans.  On January 12, 2015, President Obama announced his intention to introduce legislation (by way of Congress) to require notification to consumers when their personal data has been compromised by a data breach.  This proposed law, the Personal Data Notification & Protection Act, is part of a more comprehensive legislative agenda by the White House, including a consumer privacy bill of rights and a law to ...

An Early Christmas Present for Consumers?  Court Rules that Retailers Can Be Liable to Banks Arising from Data Breaches.

by Privacy & Data Security Members Karin McGinnis & Robert Sumner

Cyber-Monday sales weren’t the only good thing that happened for consumers this week.  Later in the week a federal judge in Minnesota thwarted Target’s attempt to dismiss a lawsuit brought by banks and credit unions arising out of the massive data breach last year.  Although the breach and access to the credit card information of some 40 million consumers resulted from hackers obtaining the password of a Target vendor who was accessing an unrelated subsystem, the banks and credit unions claimed that Target was liable ...

Apple Strengthens Privacy Protections

Apple recently changed its privacy policy which has made headlines – it will no longer unlock iPhones and iPads for law enforcement.  Prior to this change, Apple would assist law enforcement in unlocking Apple devices when presented with a valid subpoena or court order.

According to Apple’s CEO, Tim Cook, the company attempts to avoid collecting user data when it designs new technology and services.  The most recent version of Apple’s mobile device operating system, iOS 8, encrypts the data for all iOS 8 applications, such as email, call records, and iMessage, and this data is ...

Social Media Password Protection: Where are we now?

In just two years, social media password protection has gone from a privacy advocate’s dream to an employer’s harsh reality in many states.  Maryland became the first state (in 2012) to enact legislation that prevented employers from requesting the user names or passwords to an employee’s or applicant’s personal social media accounts.  Two states quickly joined Maryland in 2012 by passing similar password privacy laws, and nine more states added privacy protections in 2013.

So far in 2014, six states – Louisiana, New Hampshire, Oklahoma, Rhode Island, Tennessee and ...

Privacy & Data Security Update: Supreme Court Rules that Warrants are Required for Cell Phone Searches

[On June 27, 2014, Charlotte Privacy & Data Security Member Karin McGinnis and Senior Counsel Todd Taylor published the following update regarding the U.S. Supreme Court decision in Riley v. California, 573 U.S. ___ (2014)]   On June 25th, the Supreme Court brought the Fourth Amendment into the digital age with its ruling in Riley v. California.  The case presented the question of whether a warrant was required in order for law enforcement to search a cell phone found on a suspect during the course of an arrest.  Chief Justice Roberts, writing for a unanimous court, stated clearly “[o]ur ...

About Data Points: Privacy & Data Security Blog

The technology and regulatory landscape is rapidly changing, thus impacting the manner in which companies across all industries operate, specifically in the ways they collect, use and secure confidential data. We provide transparent and cutting-edge insight on critical issues and dynamics. Our team informs business decision-makers about the information they must protect, and what to do if/when security is breached.

Stay Informed

* indicates required
Jump to Page

Subscribe To Our Newsletter

Stay Informed

* indicates required

By using this site, you agree to our updated Privacy Policy and our Terms of Use.