Cybersecurity and Privacy Law Developments in Q4 of 2019
Cybersecurity and privacy law is evolving quickly as lawmakers, government agencies and plaintiffs respond to new technologies, privacy concerns and cyberattacks. Companies face new compliance obligations, greater legal uncertainty, and expanding liability risk from data breaches or privacy scandals. Keeping track of these legal developments can be challenging, but Robinson Bradshaw attorneys are here to help. Our quarterly updates highlight noteworthy developments in cybersecurity and privacy law from the previous quarter.
In the fourth quarter of 2019, many of the developments in cybersecurity and privacy law were influenced by the landmark California Consumer Privacy Act of 2018 (CCPA), which took effect at the beginning of 2020. Federal courts and the Federal Trade Commission also reached decisions on some of the major data breaches and privacy scandals of recent years, including a historic class settlement for consumers affected by the Equifax breach. Moreover, there was important guidance concerning the EU's General Data Protection Regulation (GDPR), including the adoption of final guidelines on extraterritorial application of the GDPR to non-EU companies. If you have questions about any of the legal developments highlighted in this quarterly update, please contact any member of our Cybersecurity and Privacy Practice Group for assistance.
Statutes and Regulations
- On Oct. 1, amendments went into effect that expand the Nevada Privacy of Information Collected on the Internet from Consumers Act. Inspired by California's privacy legislation, Nevada's amended law creates a right for consumers to opt out of the sale of personal information and imposes further requirements on so-called "operators" subject to the law. As amended, "operators" include persons who own or operate websites or online services for commercial purposes that collect and maintain certain personal information and that engage in certain activities establishing a sufficient nexus to Nevada, such as directing activities there or consummating a transaction with a Nevada resident. The new opt-out obligation requires operators to provide a mechanism — that is, an email address, toll-free phone number or website — through which consumers may submit requests to opt out of the sale of their personal information. Although the law does not include a private right of action, the Nevada attorney general may enforce the new requirements by seeking an injunction or imposing a civil penalty of up to $5,000 per violation.[1]
- On Oct. 10, the California attorney general released the Proposed Text of Regulations[2] implementing the CCPA. He also issued a Notice of Proposed Rulemaking Action[3] and an Initial Statement of Reasons[4] corresponding to the proposed regulations. The proposed regulations contain much-anticipated guidance on how the CCPA will be interpreted and enforced, including definitions of key terms such as "household" and "service provider"; rules about the form and content of consumer notices; requirements for handling consumer requests under the CCPA, such as record-keeping obligations; special protections for minors; and further guidance on nondiscrimination under the CCPA. The proposed regulations were out for public comment until Dec. 6, 2019. Next, following any additional periods of public comment necessitated by revisions, the proposed regulations will be submitted to the California Office of Administrative Law for review and a decision on final approval.
- On Oct. 11, the California governor signed into law various CCPA amendments — leading to the final version of the law taking effect in 2020 — and a related bill requiring data brokers to register with the California attorney general. Among other changes, the amendments narrowed the scope of "personal information" under the CCPA by excluding deidentified or aggregate consumer information and by expanding the scope of the exemption for publicly available information. Requirements related to facilitating consumer requests were made slightly easier for certain online-only businesses and in regard to authenticating consumers. Consumers' opt-out rights were removed for personal information shared between new motor vehicle dealers and manufacturers for purposes of warranty or recall repairs. Finally, and significantly, the amended CCPA carved out an exemption until Jan. 1, 2021, for personal information collected in certain employment-related contexts and for personal information collected as part of certain business-to-business transactions or communications.
- On Oct. 23, the new data breach reporting provisions of New York's Stop Hacks and Improve Electronic Data Security Act (SHIELD Act) went into effect. The SHIELD Act, which had been signed into law on July 25, 2019, amended New York's existing data breach notification law, which covered breaches of certain "private information" of New York residents such as social security and driver's license numbers and financial account access credentials. The SHIELD Act also created affirmative data security obligations for businesses that own or lease such information. Among other changes affecting breach notification, the SHIELD Act expanded the definition of "breach" to include mere "unauthorized access to" the information — that is, without "acquisition" — and expanded the definition of "private information" to include biometric information and information that would enable access to financial and online accounts. The SHIELD Act also requires notification to the New York attorney general about a breach of unsecured "protected health information" held by a "covered entity" under the Health Insurance Portability and Accountability Act of 1996 (HIPAA). Whereas the new breach reporting provisions took effect on Oct. 23, the SHIELD Act's affirmative data security obligations will not go into effect until March 21, 2020.[5]
- On Dec. 19, the U.S. Department of Education and the Office of Civil Rights at the U.S. Department of Health and Human Services released updated joint guidance addressing the application of the Family Educational Rights and Privacy Act (FERPA) and the HIPAA Privacy Rule to education and health records about students. Providing clarifications for school administrators, health care professionals and families, this revised guidance supplements the original guidance issued in November 2008. The new guidance includes clarifications and FAQs about a range of topics, including when an adult child's health and education records can be shared with a parent; options for an adult student's family concerned about his or her mental health but where the student does not agree to disclosures; health care providers' ability to disclose information to parents about the minor child's mental health condition or substance use disorder; sharing health or education records about a student who presents a danger to self or others; and an educational institution's ability to disclose student health or education records to law enforcement officials.[6]
- On Dec. 4, the Senate Committee on Commerce, Science, and Transportation held a hearing to discuss a growing number of proposals for a federal privacy law to protect the personal data of consumers. On Nov. 26, 2019, the Consumer Online Privacy Rights Act was introduced by several Democratic senators.[7] Also, Sen. Roger Wicker, R-Miss., circulated a draft bill for a federal privacy law. The proposals have similar frameworks for individual privacy rights — such as data access, correction, deletion and portability — and guidelines for how businesses collect, use and share personal information. However, they also have many differences, including on the issues of a private right of action and the preemption of state law. The Republican draft bill includes no private right of action, whereas the Democratic bill would allow individual lawsuits for damages and injunctive relief. The Republican draft bill provides for broad federal preemption of state laws — likely negating the CCPA — whereas the Democratic bill preempts only "directly conflicting state laws" and does not override state laws with a "greater level of protection" — likely preserving the CCPA.
- On Dec. 30, President Trump signed into law the Pallone-Thune Telephone Robocall Abuse Criminal Enforcement and Deterrence Act (TRACED Act), which amended the Telephone Consumer Protection Act (TCPA) to give consumers greater protection from robocalls and caller ID spoofing. The TRACED Act strengthens the enforcement authority of the Federal Communications Commission, including by increasing fines and extending the statute of limitations for enforcement actions. The law also establishes a timetable for telephone carriers to implement new robocall tracing and blocking requirements at no additional cost to consumers. Carriers will need to implement the so-called SHAKEN/STIR framework for authenticating telephone calls by June 30, 2021.[8]
Litigation and Enforcement
- On Nov. 25, the FTC issued an opinion concluding that Cambridge Analytica violated Section 5 of the FTC Act, which prohibits "unfair or deceptive acts or practices in or affecting commerce," by making deceptive statements about its collection of Facebook users' personal information and about its compliance with the EU-U.S. Privacy Shield, a program that allows the transfer of personal data from Europe to the United States under Europe's data protection laws. The Commission found that Cambridge Analytica made presumptively material false and misleading statements to Facebook users who agreed to authorize the company's survey app. The Commission also found that Cambridge Analytica claimed on its website to participate in the EU-U.S. Privacy Shield even after its certification had lapsed, another presumptively material false and misleading statement. The opinion was decided on undisputed facts after Cambridge Analytica filed for bankruptcy in 2018.[9]
- On Nov. 26, a federal district court in the Northern District of California certified a proposed worldwide class of Facebook users seeking changes to Facebook's security practices in connection with a data breach announced in September 2018 affecting 29 million users. Facebook had argued there was no standing for injunctive relief because it had "fixed the bug that caused the data breach," but the court held that "Facebook's repetitive losses of users' privacy supplies a long-term need for supervision, at least at the Rule 23 [class certification] stage." By contrast, although the court found that the individual plaintiff had standing to seek damages based on the future risk of identity theft and his small amount of lost time responding to the breach, the court declined to certify two proposed nationwide classes seeking monetary damages for diminished value of personal information, future identity monitoring services and time spent responding to the breach. Among other reasons, the court explained that the supposed diminished value of the personal information was too speculative and that the amount of time spent handling the breach would be too particular to each individual.[10]
- On Dec. 3, the FTC announced settlements with four companies regarding allegations that they violated Section 5 of the FTC Act by deceiving customers about their participation in the EU-U.S. Privacy Shield. In two instances, the companies falsely claimed to participate in the EU-U.S. Privacy Shield, even after their certifications had lapsed, and they failed to affirm that they would apply the required protections for personal information while active in the program. The settlement requires these two companies to apply the EU-U.S. Privacy Shield protections to personal data they collected under the program or to return or delete that information.[11]
- On Dec. 6, a federal district court in the Western District of Pennsylvania decided that an online retailer's alleged gathering of consumer data without consent could not support an invasion of privacy claim but might support a wiretapping claim under Pennsylvania law. A customer alleged that her personal information was collected in real time from forms on the retailer's website that she filled out but did not ultimately submit. In dismissing the invasion of privacy claim, the court reasoned that the alleged data collection would not cause "outrage" or "mental suffering, shame or humiliation" in an ordinary person and thus did not rise to the level of an invasion of privacy based on applicable case law. However, the court allowed the state law claim of wiretapping to proceed to develop a record on various issues, such as whether the online privacy policy would have given the customer adequate notice of the retailer's data collection practices.[12]
- On Dec. 19, a federal district court in the Northern District of California dismissed a lawsuit brought against Google under the California Invasion of Privacy Act (CIPA) based on allegations that Google stored plaintiffs' geolocation data without their consent. Specifically, the plaintiffs contended Google led them to believe that turning off a "Location History" setting would stop Google from storing their geolocation data, but in reality Google continued to store such data gathered through their use of apps and services. Interpreting certain provisions of the law, the court concluded that CIPA applies only to the tracking of a person without consent and does not apply to the collection and storage of geolocation data. The court also dismissed the plaintiffs' remaining claims without prejudice, allowing them time to refile their lawsuit with more supportive allegations.[13]
- On Dec. 19, a federal district court in the Northern District of Georgia granted final approval to a class settlement requiring Equifax to pay at least $380.5 million, and potentially well over $2 billion, into a restitution fund for the approximately 147 million U.S. consumers affected by the 2017 data breach. In a subsequent written opinion, the court reasoned that the settlement provides monetary and injunctive relief that "likely exceeds" what class members could have achieved at trial. This deal was initially proposed in July 2019 and gathered support from the FTC, the Consumer Financial Protection Bureau and multiple state attorneys general. However, the deal is not without critics and likely will be appealed to the 11th Circuit. Class members have an initial claims period lasting until Jan. 22, 2020, to file claims for out-of-pocket losses, credit monitoring and other benefits available through the settlement. No claim is required to access identity restoration services.[14]
Developments in Europe
- On Nov. 12 and 13, the European Data Protection Board (EDPB) met for its 15th plenary session and addressed a variety of topics. Among these, the EDPB adopted the Third Annual Review of the EU-U.S. Privacy Shield on Nov. 12. This program allows U.S. companies to become eligible to receive transfers of personal data from the EU by self-certifying their compliance with EU-level data protection requirements to the U.S. Department of Commerce. Although the EDPB identified several areas needing further study and refinement, the main news for U.S. companies is that the EU-U.S. Privacy Shield will remain in effect.[15]
- On Nov. 12, the EDPB adopted final guidelines on the territorial scope of the GDPR under Article 3. These guidelines address the critical issue of when non-EU companies are subject to the GDPR. Among the key points, the guidelines indicate that application of the GDPR should be assessed with respect to each data processing activity of a company: one activity being covered does not mean that all of a company's activities are covered. Furthermore, in regard to the GDPR's application to non-EU companies processing data in the context of an "establishment" in the EU, the guidelines point out that a very limited EU presence (such as a single employee) might not constitute an establishment. As for the GDPR's application to non-EU companies offering goods or services in the EU, the guidelines emphasize that it must involve an intentional targeting of goods or services to people in the EU. Notably, these guidelines reflect a similarity between the analysis of the GDPR's application to non-EU companies and the concept of "minimum contacts" used for the analysis of state court jurisdiction over out-of-state defendants in the United States.[16]
- On Nov. 13, the EDPB published guidelines for implementing data protection by design and by default as required by Article 25 of the GDPR. Article 25 sets forth a general requirement for controllers to pay close attention to data security and management when designing and operating their systems. The new guidelines clarify this requirement by providing detailed advice on how to implement appropriate technical and organizational compliance measures. Unlike the adoption of final guidelines mentioned earlier, these are draft guidelines that will remain open for public comment and could be revised. Nonetheless, they provide a helpful guide for companies working to comply with Article 25, and they signal the likely expectations of regulators.[17]
- On Nov. 22, the Permanent Representatives Committee of the Council of the EU once again rejected the latest draft of the ePrivacy Regulation. Initially proposed in 2017 to replace a 2002 directive, this regulation would update existing rules on electronic communications, addressing important issues for e-commerce such as consent to electronic direct marketing, the processing of electronic communications and the use of cookies. The Finnish Presidency of the Council of the EU, which expired at the end of 2019, had circulated multiple drafts in 2019 in an effort to reach a deal, but ultimately that effort was unsuccessful. Now the rotating presidency passes to Croatia, which will pick up this effort again in 2020. The ePrivacy Regulation needs to be approved by the Council of the EU and the European Parliament to replace the current directive and a patchwork of national laws on the topic. Given the complexity of the process and lack of success thus far, it is difficult to predict whether and in what form the regulation will ever take effect.[18]
References
[1] The text of the amendment to Nevada's Privacy of Information Collected on the Internet from Consumers Act is available at https://www.leg.state.nv.us/App/NELIS/REL/80th2019/Bill/6365/Text.
[2] The California attorney general's Proposed Text of Regulations implementing the CCPA is available at https://oag.ca.gov/sites/all/files/agweb/pdfs/privacy/ccpa-proposed-regs.pdf.
[3] The Notice of Proposed Rulemaking Action issued by the California attorney general is available at https://oag.ca.gov/sites/all/files/agweb/pdfs/privacy/ccpa-nopa.pdf.
[4] The Initial Statement of Reasons issued by the California attorney general is available at https://oag.ca.gov/sites/all/files/agweb/pdfs/privacy/ccpa-isor-appendices.pdf.
[5] The text of New York's Stop Hacks and Improve Electronic Data Security Act is available at https://legislation.nysenate.gov/pdf/bills/2019/A5635A.
[6] The Dec. 2019 Update to the Joint Guidance on the Application of FERPA and HIPAA to Student Health Records is available at https://www.hhs.gov/sites/default/files/2019-hipaa-ferpa-joint-guidance-508.pdf.
[7] The text of the Consumer Online Privacy Rights Act is available at https://www.congress.gov/bill/116th-congress/senate-bill/2968/text.
[8] The text of the Pallone-Thune Telephone Robocall Abuse Criminal Enforcement and Deterrence Act is available at https://www.congress.gov/bill/116th-congress/senate-bill/151/text.
[9] The FTC's opinion in In the Matter of Cambridge Analytica, Dkt. No. 9383 (Nov. 25, 2019), is available at https://www.ftc.gov/system/files/documents/cases/d09389_comm_final_opinionpublic.pdf.
[10] The Northern District of California decision in Adkins v. Facebook, Case No. C 18-05982-WHA (N.D. Cal. Nov. 26, 2019), is available at https://www.robinsonbradshaw.com/assets/htmldocuments/Adkins%20v.%20Facebook.pdf.
[11] The FTC's announcement of settlements with four companies regarding the EU-U.S. Privacy Shield is available at https://www.ftc.gov/news-events/press-releases/2019/12/ftc-announces-settlements-four-companies-related-allegations-they.
[12] The Western District of Pennsylvania decision in Popa v. Harriet Carter Gifts, Case No. 2:19-cv-00450-WSS (W.D. Pa. Dec. 6, 2019), is available at https://www.robinsonbradshaw.com/assets/htmldocuments/Popa%20v.%20Harriet%20Carter%20Gifts.pdf.
[13] The Northern District of California decision in In re Google Location History Litigation, Case No. 5:18-cv-05062-EJD (N.D. Cal. Dec. 19, 2019), is available at https://www.robinsonbradshaw.com/assets/htmldocuments/In%20re%20Google%20Location%20History%20Litigation.pdf.
[14] The Northern District of Georgia decision in In re Equifax Consumer Data Security Breach Litigation, Case No. 1:17-md-2800-TWT (N.D. Ga. Jan. 13, 2020), is available at https://www.robinsonbradshaw.com/assets/htmldocuments/In%20re%20Equifax%20Consumer%20Data%20Security%20Breach%20Litigation.pdf.
[15] A press release regarding the European Commission's Third Annual Review of the EU-U.S. Privacy Shield is available at https://ec.europa.eu/commission/presscorner/detail/en/IP_19_6134.
[16] The EDPB's final Guidelines 3/2018 on the Territorial Scope of the GDPR (Article 3) are available at https://edpb.europa.eu/sites/edpb/files/files/file1/edpb_guidelines_3_2018_territorial_scope_after_public_consultation_en.pdf.
[17] The EDPB's draft Guidelines 4/2019 on Article 25 Data Protection by Design and by Default under the GDPR are available at https://edpb.europa.eu/sites/edpb/files/consultation/edpb_guidelines_201904_dataprotection_by_design_and_by_default.pdf.
[18] The latest version of the proposed ePrivacy Regulation is available at https://data.consilium.europa.eu/doc/document/ST-13808-2019-INIT/en/pdf.