The United States election on November 3rd will impact the future use of personal information for organizations doing business with US citizens. From presidential results to state propositions, there will be many privacy ramifications, and how we move forward to embrace the new changes is a topic that will bring many perspectives.
Join us as we discuss the implications of the US election, including California’s Proposition 24, which would expand the provisions of the CCPA, and what the next administration’s role will be in helping shape the new framework for EU-US data transfers.
- Privacy issues that were included or arose in the 2020 election
- Implications of election outcomes on privacy laws or priorities
- What to watch for in 2021
3. Speakers
● K Royal, Associate General Counsel, Privacy Intelligence, TrustArc, San Francisco
● Ian C. Ballon, Co-chair, Global Intellectual Property + Technology Practice Group, Greenberg Traurig, LLP, East Palo Alto
● Veronica Torres, Chief Privacy Officer, Comscore, Washington, DC
4. Agenda
● Privacy issues going into 2020 - or were election issues
● Implications of election outcomes on privacy laws or priorities
● What to watch for in 2021
6. Going into 2020 - Step Back in Time
● California
○ CCPA - passed, going through amendments
○ CPRA - announced the proposal
● States
○ Proposed privacy laws
■ FL, HI, IL, MD, MS, NE, NH, NJ, VT, VA, WA
■ plus from 2019 NM, NY, PA, RI, TX
○ NY - Stop Hacks and Improve Electronic Data Security (SHIELD) Act
● In the News
○ Cambridge Analytica - documentary The Great Hack plus Facebook memo
○ Election tampering concerns, but mainly security
○ Facial recognition - Clearview AI
○ FTC enforcement against Facebook $5B penalty
○ FTC settlement with Equifax
7. Journey to California Privacy Rights Act
● 2017
○ CCPA ballot initiative
● 2018
○ CCPA law June
○ Amendments Sep, Oct
● 2019
○ Regulations forums Q1
○ CPRA announced
○ Amendments
○ Regulation hearings
● 2020
○ CCPA effective
○ Regulations 2 & 3 draft
○ CPRA qualified
○ Final Regs
○ CCPA enforcement Jul 1
○ Amendments
○ More proposed regs
○ CPRA passed
8. Cybersecurity Class Action Litigation
● Cybersecurity claims
○ Breach of contract (if there is a contract) or covenant of good faith and fair dealing (if the contract claim isn’t on point) or implied contract (if there is no express contract)
○ Breach of fiduciary duty, Negligence, Fraud, unfair competition
○ State cybersecurity statutes (especially those with statutory damages and attorneys’ fees)
○ California (and potentially Oregon) IoT Law, CCPA
● Securities fraud
○ In re Facebook, Inc. Securities Litigation, 405 F. Supp. 3d 809 (N.D. Cal. 2019)
● Data privacy claims
○ Federal - Electronic Communications Privacy Act, Computer Fraud and Abuse Act, Video Privacy Protection Act
○ State laws – IL / TX / WA Biometric, MI, CA
○ Breach of contract/ privacy policies – 2019
■ In re Equifax, Inc., Customer Data Security Breach Litigation, 362 F. Supp. 3d 1295, 1331-32 (N.D. Ga. 2019)
■ Bass v. Facebook, Inc., 394 F. Supp. 3d 1024, 1037-38 (N.D. Cal. 2019)
9. Privacy as a Conversation for Election Platforms
● COVID-19
● State legislatures stopped meeting
● EU congresses stopped meeting
● Privacy around remote work - Zoom
● Mass demonstrations / facial recognition
11. Impacts - Actual and Potential - US States
● State Ballot Initiatives
○ California - Prop 24, California Privacy Rights Act
○ Recent amendments and rulemaking (October)
○ Massachusetts - wireless car data
○ Michigan - Prop 2, search warrant for electronic data and communication
● Other state privacy or security laws
○ Bills considered in 30 states for consumer privacy
■ CA - data brokers, exemption for deidentified medical data
■ MI - insurers providing privacy notices to customers
■ VA - scanning drivers’ licenses for ID verification
● Bills considered in 21 states (plus DC) to amend security breach laws
○ IL, ME, NY, SC, VT, WA, DC
○ VT significant - established CPO for state plus audit, student online privacy act
12. California Privacy Rights Act
● Ballot initiative - https://www.caprivacy.org/ (effective 01.01.2023)
○ Definitions
■ Consent, contractor, share, sensitive personal information, and business definition amended regarding applicability within those sharing branding
○ Rights
■ Correction and limit use and disclosure of SPI (added definition of sensitive PI)
○ Third parties / Service Providers
■ Notice at collection, contractual obligations, requires levels of protection, cooperation on consumer requests, flowdown provisions
○ Security
■ Explicit provisions, “reasonable” and “appropriate to the nature” of PI, annual audit of cybersecurity with submission to the Consumer Privacy Protection Agency
○ CA Consumer Privacy Agency
■ Explicit provisions, “reasonable” and “appropriate to the nature” of PI, annual audit of cybersecurity with submission to the Consumer Privacy Protection Agency
13. CCPA - Litigation, will increase under CPRA
● Update on CCPA suits filed
○ ~50 so far
○ Valid? Little specificity on CCPA, not waiting 30 days for cure, ignore limitation on using CCPA
○ Typically are joined with cybersecurity breach, unfair competition laws, or data privacy claims
● The Private Right of Action
○ Applies to data breaches and failure to implement reasonable measures, not other CCPA provisions
■ Specifically “whose nonencrypted or nonredacted personal information . . . is subject to an unauthorized access and exfiltration, theft, or disclosure as a result of the business’s violation of the duty to implement and maintain reasonable security procedures and practices . . . .”
○ What is reasonable will be defined by case law
○ 30-day notice and right to cure as a precondition; this is amended under CPRA
○ $100 - $750 “per consumer per incident or actual damages, whichever is greater, injunctive or declaratory relief, and any other relief that a court deems proper.”
■ In assessing the amount of statutory damages, the court shall consider “any one or more of the relevant circumstances presented by any of the parties to the case, including, but not limited to, the nature and seriousness of the misconduct, the number of violations, the persistence of the misconduct, the length of time over which the misconduct occurred, the willfulness of the defendant’s misconduct, and the defendant’s assets, liabilities, and net worth”
14. Future CPRA Litigation
● The CCPA framework of providing for administrative enforcement but allowing a private cause of action for certain security breaches (with statutory damages) largely remains in effect, BUT the California Privacy Protection Agency is empowered to sue and courts may be involved in enforcement of administrative enforcement actions
● Administrative litigation before the California Privacy Protection Agency with judicial review (abuse of discretion standard)
● Litigation brought by the CPPA per new Civil Code § 1798.199.90
● Litigation over CPPA subpoenas
● CPPA collection actions per new Civil Code § 1798.199.75
● Section 3: "Businesses should be held accountable for violating the law through vigorous administrative and civil enforcement."
15. Future CPRA Litigation
● New Civil Code § 1798.135(g) - no liability if a business communicates an opt-out request to a person (per subsection f) who fails to honor it (provided no actual knowledge or reason to believe)
● New Civil Code § 1798.140(h) - Consent does not include "acceptance of a general or broad terms of use" that describes "personal information processing along with other, unrelated information . . . ."
● New Civil Code § 1798.150 - implementation and maintenance of reasonable security procedures and practices does not amount to a cure
● Litigation between and among a business, service provider, contractor and other third parties
● Putative class action litigation
● Other claims (other than the CPRA)
17. Impacts - Actual and Potential
● US Federal
○ US Federal Law - potential
■ Promising privacy laws increasingly gaining traction
■ Major factors - pre-emption and right to private action
○ US Enforcement Actions
■ Agencies
○ US Supreme Court appointment
■ Replaced liberal with conservative
■ Consider Carpenter v. United States 585 US ___ (2018) 5-4 decision
● New Administration
○ Biden / Harris transition team
● International
○ Negotiations with European Union - Schrems II
○ US Agencies may have changes in priorities and personnel
○ FISA s. 702 changes?
18. Thoughts - what can we look forward to?
● Privacy and Digital Rights for All - A blueprint for the next administration - 10 points
https://mkus3lurbh3lbztg254fzode-wpengine.netdna-ssl.com/wp-content/uploads/Privacy-And-Digital-Rights-For-All-A-blueprint-for-the-next-Administration.pdf
● Litigation - will we see more litigation on privacy and security?
● Enforcement - federal or state
● States - incorporating privacy into other sector laws
● California amending CPRA
● Companies leveraging privacy (adtech, identity verification, data discovery)
● The Privacy field
○ Lawyers - need to be savvier on privacy & law firms more active in building programs
○ Non-lawyers - learn privacy laws
○ Privacy falling under security professionals
○ Understand and use technology / awareness & knowledge / connections (networking)
● Companies looking for guidance - benchmarking metrics