Privacy & Data Protection

The California Office of the Attorney General issued its first opinion interpreting the California Consumer Privacy Act (CCPA) on March 10, 2022, addressing the issue of whether a consumer has a right to know the inferences that a business holds about the consumer. The AG concluded that, unless a statutory exception applies, internally generated inferences that a business holds about the consumer are personal information within the meaning of the CCPA and must be disclosed to the consumer, upon request. The consumer has the right to know about the inferences, regardless of whether the inferences were generated internally by the business or obtained by the business from another source. Further, while the CCPA does not require a business to disclose its trade secrets in response to consumers’ requests for information, the business cannot withhold inferences about the consumer by merely asserting that they constitute a “trade secret.”

Continue Reading California AG Interprets “Inferences” Under CCPA

On February 23, join Crowell attorneys Preetha Chakrabarti and Suzanne Trivette and Gail Gottehrer of Gail Gottehrer LLC for “Lawyers in the Metaverse.” Hosted by the National Association of Women Lawyers’ Women in Intellectual Property & Tech Law affinity group of which Preetha and Gail are co-chairs, this timely webinar will help lawyers understand how

The California Consumer Privacy Act (“CCPA”), which went into full effect on January 1, 2020, has seen robust enforcement efforts by the office of the California Department of Justice. In late January, California Attorney General Rob Bonta announced an investigative sweep of businesses operating loyalty programs in California and sent notices alleging noncompliance with the CCPA to major corporations in the retail, home improvement, travel, and food services industries. In addition, Attorney General Bonta has encouraged consumers to know and express their privacy rights through an online platform that allows them to directly notify businesses of potential violations.
Continue Reading Enforcement of The California Consumer Privacy Act Via Letters Noticing Noncompliant Loyalty Programs and Online Tool for Consumers to Notify Businesses of Potential Violations

Monday, October 18, 2021

Deceptive or Misleading Conduct & Protecting Older Consumers

  • The FTC issued its latest report to Congress on protecting older consumers, which highlights updated findings from the Commission’s fraud reports showing trends in how older adults report being affected by fraud with the most frequent type of fraud reported by older adults

As the world continues to settle into its new normal, so too have regulators. Recently, State Attorneys General (AGs) have increasingly focused on several specific enforcement priorities, including (1) price gouging; (2) privacy concerns; (3) antitrust litigation; and (4) harmful substances in products and environmental issues. Many of these priorities have gained prominence in the midst of the COVID-19 pandemic.
Continue Reading Enforcement in the New Normal: Recent Trends in State AG Enforcement

On August 20, 2021, China’s national legislature passed the Personal Information Protection Law (“PIPL”), which will become effective on November 1, 2021. As China’s first comprehensive system for protecting personal information, the PIPL is an extension of the personal information and privacy rights enshrined in China’s Civil Code, and also a crucial element of a set of recent laws in China that seek to strengthen data security and privacy. Among other things, the PIPL sets out general rules for processing and cross-border transfer of personal information. A number of provisions, notably various obligations imposed on data processors, restrictions on cross-border transfer, and hefty fines, will have significant impact on multinational corporations’ HR activities, including recruitment, performance monitoring, cross-border transfers, compliance investigations, termination of employment relationships, and background checks.

This alert will highlight specifically how the PIPL will apply to workplace scenarios in China and provide suggestions to help ensure data privacy compliance for multinational corporations’ China labor and employment operations.

Employee Consent and Exceptions to Consent

Under Article 4 of the PIPL, “personal information” is defined broadly as information related to natural persons recorded electronically or by other means that has been used or can be used to identify such natural persons, excluding information that has been anonymized. Specific types of personal information have been noted for additional protection under Article 28 of the PIPL as “sensitive personal information”. Sensitive personal information is defined under the law as personal information that is likely to result in damage to the personal dignity, physical wellbeing or property of any natural person, and includes, among others, information such as biometric identification, religious belief, special identity, medical health, financial account, physical location tracking and whereabouts, and personal information of those under the age of 14.
Continue Reading Employee Personal Information Protection in China – Are You Up to Speed?

Could the end of Section 6(b) of the Consumer Product Safety Act (CPSA) actually be near?  Time will tell.  But last week’s development on Capitol Hill in the saga of “Section 6(b)” is noteworthy, and, one day in the not-so-distant future, may be recognized as the beginning of the end for this controversial provision of the law.

On April 22, Senator Richard Blumenthal (D-CT) and Representatives Jan Schakowsky (D-IL) and Bobby Rush (D-IL) introduced legislation—the Sunshine in Product Safety Act—to fully repeal Section 6(b) of the CPSA.  This is the first time in recent memory that Members of Congress have introduced legislation to do away with Section 6(b) altogether.  For example, in the last Congress, Representative Rush introduced the “SHARE Act,” which sought primarily to scale back one of Section 6(b)’s most important protections for firms—allowing a company to judicially challenge the U.S. Consumer Product Safety Commission’s (“CPSC” or “the Commission”) decision to release information about a firm, or one of its products, prior to its disclosure.  But that legislation left the rest of Section 6(b)’s procedures and protections intact.  This current bill, therefore, is much more ambitious, and stakeholders should take note.

By way of background, Section 6(b) requires the CPSC to engage in certain procedural steps before publicly disclosing information from which the identity of a manufacturer of a product can be readily ascertained. Those include taking reasonable steps to ensure that the information to be disclosed publicly is fair, accurate, and reasonably related to effectuating the purpose of the product safety laws. Practically speaking, this means notifying the manufacturer of the potential disclosure, providing either a summary of what the agency intends to disclose, or the actual disclosure itself, and providing the company with the opportunity to comment, typically 15 days, though that time period can be shortened by the CPSC with a “public health and safety finding.” Other regulators, like FDA and NHTSA, do not have similar statutory constraints on the release of product information, nor do they have due process protections around data release, whether those be adverse events or vehicle accidents.
Continue Reading New Bills Seek to Repeal Controversial Provision of Product Safety Act

Last week the Supreme Court unanimously held that §13(b) of the Federal Trade Commission Act does not give the Federal Trade Commission the power to seek equitable monetary relief such as disgorgement or restitution. The Court’s opinion in AMG Capital Management LLC v. Federal Trade Commission removes a powerful tool that the FTC has long relied on to pursue monetary relief for consumers in both consumer protection and competition matters.

By way of background, the FTC has authority to protect consumers from unfair or deceptive acts or practices (“UDAP”) and unfair methods of competition (“UMC”) with an overlapping but distinct set of tools it can use to pursue its dual consumer protection and competition missions:

  • Administrative Proceeding: The FTC can initiate an administrative proceeding to seek a cease and desist order for either a UDAP or UMC violation from an administrative law judge. If necessary, the FTC can later bring a contempt proceeding in federal court seeking to enforce the terms of an administrative order. A defendant may respond by arguing that it has “substantially complied” with the terms of the order. If the FTC prevails in such a case, it can seek civil penalties and other equitable relief necessary to enforce the order (however monetary relief only applies to UDAP violations).
  • Rulemaking: The FTC has authority to promulgate rules that define UDAP with specificity. Generally, this requires a lengthy, formal rulemaking process that allows for public comment, and a final rule can be challenged in federal court. If a defendant later violates a duly enacted UDAP rule, the FTC can seek civil penalties for a knowing violation. The FTC can also file suit in federal court and obtain monetary relief “to redress consumer injury,” including an order compelling “refund of money or return of property,” but only if “a reasonable man would have known under the circumstances [that the challenged conduct] was dishonest or fraudulent.”
  • Federal Court: The FTC can sue in federal court under §13(b) of the FTC Act to enjoin a defendant when the defendant “is violating, or is about to violate” a law that the FTC enforces and such an injunction is in the public’s interest. While courts have historically read §13(b) as giving the FTC an implied right to recover equitable monetary relief in addition to injunctive relief, the Supreme Court’s ruling now limits the FTC to seeking injunctive relief only.


Continue Reading The Supreme Court Limits FTC’s §13(b) Powers

The Virginia Consumer Data Protection Act (CDPA) has become the next major U.S. state privacy law, after being signed into law by Virginia Governor Ralph Northam on Tuesday, March 2, 2021. The new law amends Title 59.1 of the Code of Virginia with a new chapter 52 (creating Code of Virginia sections 59.1-571 through 59.1-581).

Who is covered?

Per Section 59.1-572, the bill applies to “persons that conduct business in the Commonwealth or that produce products or services that are targeted to residents of the Commonwealth” who “control or process personal data of at least 100,000 consumers” or those who “control or process the data of at least 25,000 consumers” AND “derive at least 50% of their gross revenue from the sale of personal data.”

As defined in Section 59.1-571 of the bill, “[c]onsumers” are any “natural person who is a resident of the Commonwealth acting only in an individual or household context. [Consumer] does not include a natural person acting in a commercial or employment context.”

Both covered entities and “consumers” are defined more narrowly than under other general data privacy laws such as the California Consumer Privacy Act (CCPA). For example, in contrast to the CCPA’s application to any California business with more than $25 million in annual revenue, the CDPA does NOT apply on a blanket basis to any Virginia business above a specified revenue threshold. To be covered under the CDPA, a person must always process the data of a minimum number of Virginia residents “acting only in an individual or household context.” Additionally, the exemption for individuals acting in “commercial” or “employment” contexts is a complete one, and does not have a “sunset” date where the exemption will expire like the California law.

Notably, the CDPA follows the model established under the EU General Data Protection Regulation and categorizes relevant businesses as “controllers” and “processors.” “Controllers” are “the natural or legal person that, alone or jointly with others, determines the purpose and means of processing personal data,” while “processors” are “a natural or legal entity that processes personal data on behalf of a controller.” Similar to the controller/processor relationship created by the GDPR and the business/service provider relationship created under the CCPA, a CDPA processor must be engaged by a controller via a written agreement that governs the processor’s data processing and provides specific instructions for the processing of data, as well as the nature and purpose of the processing.
Continue Reading Virginia Consumer Data Protection Act (S.B. 1392)

On December 15, 2020, the European Commission (EC) presented its long-awaited proposal for a Digital Services Act (DSA), together with a proposal for a Digital Markets Act (DMA), which we discussed in a previous alert. Whereas the DMA aims to promote competition by ensuring fair and contestable markets in the digital sector, the DSA proposal intends to harmonize the liability and accountability rules for digital service providers in order to make the online world a safer and more reliable place for all users in the EU.

Most notably, the DSA would impose far-reaching due diligence obligations on online platforms, with the heaviest burdens falling on “very large” online platforms (i.e., those with more than 45 million average monthly active users in the EU), due to the “systemic” risks such platforms are deemed to pose in terms of their potential to spread illegal content or to harm society. In this day and age when the perceived power of online platforms to independently control content publication and moderation is headline news daily, with governments throughout the globe grappling with different legislative and regulatory proposals, the DSA stands out as an ambitious effort by the EC to create a consistent accountability framework for these platforms, while striking a balance between safeguarding “free speech” and preserving other values and interests in a democratic society. Like the parallel DMA proposal, the DSA proposal has been criticized for targeting mainly U.S.-based companies, which would make up most of the “very large” platforms. Given the huge commercial interests at stake, the passage of both laws will no doubt be the subject of intense debate and lobbying, including with respect to the asymmetric nature of the proposed regulation and the powerful role that the EC reserves to itself in both proposals.
Continue Reading Digital Services Act: The European Commission Proposes An Updated Accountability Framework For Online Services