Skip to main content
Menu Icon Menu Icon
Close

InfoBytes Blog

Financial Services Law Insights and Observations

Filter

Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.

  • California governor signs CCPA amendments

    State Issues

    On October 11, the California governor signed several amendments to the California Consumer Privacy Act (CCPA) and other privacy-related bills. As previously covered by a Buckley Special Alert, AB 874, AB 1355, AB 1146, AB 25, and AB 1564 leave the majority of the consumer’s rights intact in the CCPA and clarify certain provisions—including the definition of “personal information.” Other exemptions were added or clarified regarding the collection of certain data that have a bearing on financial services companies. Notable revisions to the CCPA include the (i) “personal information” definition; (ii) FCRA exemption; (iii) employee exemption; (iv) business individual exemption; (v) verification and delivery requirements; (vi) privacy policy and training requirements; (vii) collection of information; and (viii) vehicle/ownership information exemption. The various amendments are effective on January 1, 2020, the same day the CCPA becomes effective.

    Additionally, on October 10, the California attorney general released the highly anticipated proposed regulations implementing the CCPA. See the Buckley Special Alert for details of the proposed regulations.

    State Issues Privacy/Cyber Risk & Data Security State Legislation State Attorney General FCRA State Regulation

    Share page with AddThis
  • Special Alert: California attorney general releases proposed CCPA regulations

    Privacy, Cyber Risk & Data Security

    Buckley Special Alert

    Last week, the California attorney general released the highly anticipated proposed regulations implementing the California Consumer Privacy Act (CCPA). The CCPA — which was enacted in June 2018 (covered by a Buckley Special Alert), amended several times and with the most recent amendments signed into law on Oct. 11, and is currently set to take effect on Jan. 1, 2020 — directed the California attorney general to issue regulations to further the law’s purpose.

    * * *

    Click here to read the full special alert.

    If you have any questions about the CCPA or other related issues, please visit our Privacy, Cyber Risk & Data Security practice page, or contact a Buckley attorney with whom you have worked in the past.

    Privacy/Cyber Risk & Data Security State Issues CCPA State Attorney General State Regulators Special Alerts

    Share page with AddThis
  • California attorney general releases proposed CCPA regulations

    Privacy, Cyber Risk & Data Security

    On October 10, the California attorney general released the highly anticipated proposed regulations implementing the California Consumer Privacy Act (CCPA). The CCPA—which was enacted in June 2018 (covered by a Buckley Special Alert), amended in September 2018, amended again in October 2019 (pending Governor Gavin Newsom’s signature), and is currently set to take effect on January 1, 2020 (Infobytes coverage on the amendments available here and here)—directed the California attorney general to issue regulations to further the law’s purpose. The proposed regulations address a variety of topics related to the law, including:

    • How a business should provide disclosures required by the CCPA, such as the notice at collection of personal information, the notice of financial incentive, the privacy policy, and the opt-out notice;
    • The handling of consumer requests made under the CCPA, such as requests to know, requests to delete, and requests to opt-out;
    • Service provider classification and obligations;
    • The process for verifying consumer requests;
    • Training and recordkeeping requirements; and
    • Special requirements related to minors.

    The California attorney general will hold four public hearings between December 2 and December 5 on the proposed regulations. Written comments are due by December 6.

    Notably, the Notice of Proposed Rulemaking states that “the adoption of these regulations may have a significant, statewide adverse economic impact directly affecting business, including the ability of California businesses to compete with businesses in other states” and requests that the public consider, among other things, different compliance requirements depending on a business’s resources or potential exemptions from the regulatory requirements for businesses when submitting comments on the proposal.   

    Buckley will follow up with a more detailed summary of the proposed regulations soon.

    Privacy/Cyber Risk & Data Security State Issues State Attorney General CCPA State Legislation Agency Rule-Making & Guidance

    Share page with AddThis
  • EU Court of Justice: Orders to remove defamatory content issued by member state courts can be applied worldwide

    Courts

    On October 3, the European Court of Justice held that a social media company can be ordered to remove, worldwide, defamatory content previously declared to be unlawful “irrespective of who required the storage of that information.” The decision results from a 2016 challenge brought by a former Austrian politician against the social media company’s Ireland-based operation—responsible for users located outside of the U.S. and Canada—to remove defamatory posts and comments made about her on a user’s personal page that was accessible to any user. The social media company disabled access to the content after an Austrian court issued an interim order, which found the posts to be “harmful to her reputation,” and ordered the social media company to cease and desist “publishing and/or disseminating photographs” showing the former politician “if the accompanying text contained the assertions, verbatim and/or [used] words having an equivalent meaning as that of the comment” originally at issue. On appeal, the higher regional court upheld the order but determined that “the dissemination of allegations of equivalent content had to cease only as regards [to] those brought to the knowledge of the [social media company] by the [former politician] in the main proceedings, by third parties or otherwise.”

    The Austrian Supreme Court of Justice requested that the EU Court of Justice adjudicate whether the cease and desist order may also be “extended to statements with identical wording and/or having equivalent content of which it is not aware” under Article 15(1) of Directive 2000/31 (commonly known as the “directive on electronic commerce”). Specifically, the EU Court of Justice considered (i) whether Directive 2000/31 generally precludes a host provider that has not “expeditiously removed illegal information”—including identically worded items of information—from removing content wordwide; (ii) if Directive 2000/31 does not preclude the host provider from its obligations, “does this also apply in each case for information with an equivalent meaning”; and (iii) does Directive 2000/31 also apply to “information with an equivalent meaning as soon as the operator has become aware of this circumstance.”

    According to the judgment, Directive 2000/31 “does not preclude those injunction measures from producing effects worldwide,” holding that a national court within the member states may order host providers to remove posts it finds defamatory or illegal. However, the judges concluded that such an order must function “within the framework of the relevant international law.”

    Courts European Union Privacy/Cyber Risk & Data Security

    Share page with AddThis
  • California addresses robocall spoofing

    State Issues

    On October 2, the California governor signed SB 208, the “Consumer Call Protection Act of 2019,” which requires telecommunications service providers (TSPs) to implement specified technological protocols to verify and authenticate caller identification for calls carried over an internet protocol network. Specifically, the bill requires TSPs to implement “Secure Telephone Identity Revisited (STIR) and Secure Handling of Asserted information using toKENs (SHAKEN) protocols or alternative technology that provides comparable or superior capability by January 1, 2021. The bill also authorizes the California Public Utilities Commission and the Attorney General to enforce certain parts of 47 U.S.C. 227, making it unlawful for any person within the U.S. to cause any caller identification service to knowingly transmit misleading or inaccurate caller identification information with the intent to defraud, cause harm, or wrongfully obtain anything of value.

    As previously covered by InfoBytes, in June 2019, the FCC adopted a Notice of Proposed Rulemaking (NPRM) requiring voice providers to implement the “SHAKEN/STIR” caller ID authentication framework. The FCC argued that once “SHAKEN/STIR” is implemented, it would “reduce the effectiveness of illegal spoofing and allow bad actors to be identified more easily.” 

    State Issues State Legislation State Attorney General FCC Robocalls Federal Issues Privacy/Cyber Risk & Data Security

    Share page with AddThis
  • Pre-checked box does not give consent to cookies under EU privacy directive and GDPR

    Privacy, Cyber Risk & Data Security

    On October 1, the European Court of Justice held that, under the Privacy and Electronic Communications Directive (ePrivacy Directive), a website user does not “consent” to the use of a cookie when a website provides a “pre-checked box” that needs to be deselected for a user to withdraw consent. According to the judgment, a consumer group brought an action in German court against a German lottery company, challenging the website’s use of a pre-checked box allowing the website to place a cookie—text files stored on the user’s computer allowing website providers to collect information about a user’s behavior when the user visits the website—unless the consumer deselected the box. The consumer group argued that the pre-selection of the box is not valid consent under the ePrivacy Directive. The lower court had upheld the action in part, but, following an appeal, the German Federal Court of Justice stayed the proceedings and referred the matter to the EU Court of Justice.

    The Court agreed with the consumer group, concluding that the practice violated the law by not requiring users to give active, express consent to the use of the cookies. Specifically, the Court noted that the 2009 amendments to Article 5(3) of the ePrivacy Directive, which requires the website user to give “his or her consent, having been providing with clear and comprehensive information,” must be interpreted literally “to which action is required on the part of the user in order to give his or her consent.” Because the box allowing the use of cookies was checked by default, “[i]t is not inconceivable that a user would not have read the information accompanying the preselected checkbox, or even would not have noticed that checkbox, before continuing with his or her activity on the website visited,” and therefore, it would “appear impossible” to determine whether a user gave consent to the cookies by not “deselecting a pre-ticked checkbox nor, in any event, whether that consent had been informed.” The Court noted that “[a]ctive consent is thus now expressly laid down in [the EU General Data Protection Regulation (GDPR)],” and that it “expressly precludes ‘silence, pre-ticked boxes or inactivity’ from constituting consent.’” Moreover, the Court held the ePrivacy Directive also requires that, among other information, “the service provider must [disclose] to a website user . . . the duration of the operations of cookies and whether or not third parties may have access to those cookies” to give effect to “clear and comprehensive information.”

    Privacy/Cyber Risk & Data Security European Union Consent Of Interest to Non-US Persons

    Share page with AddThis
  • New York AG sues national coffee chain over data breach

    State Issues

    On September 26, the New York attorney general announced a lawsuit against a national franchisor of a coffee retail chain for allegedly failing to protect thousands of customer accounts from a series of cyberattacks. According to the complaint, the attorney general asserts that, beginning in 2015, customer accounts containing stored value cards that could be used to make purchases in stores and online were subject to repeated cyberattack attempts, resulting in almost 20,000 compromised accounts and “tens of thousands” of dollars stolen. The attorney general alleges that, following the attacks, the company failed to take steps to protect the affected customers, such as notifying them of the unauthorized access, resetting account passwords, or freezing the stored value cards. The complaint also alleges that the retailer failed to conduct an investigation to determine the extent of the attacks or implement appropriate safeguards to limit future attacks. In addition, according to the complaint, in 2018, a vendor notified the company of another attack that resulted in the unauthorized access of over 300,000 customer accounts, and the company’s response included inaccurate representations to customers. The complaint asserts violations of New York’s data breach notification statute and violations of New York’s consumer protection laws. The attorney general is seeking injunctive relief, restitution, disgorgement, and civil money penalties.

    State Issues State Attorney General Privacy/Cyber Risk & Data Security Data Breach

    Share page with AddThis
  • Ballot initiative seeks to expand CCPA, create new enforcement agency

    Privacy, Cyber Risk & Data Security

    On September 25, Alastair Mactaggart, the Founder and Chair of the Californians for Consumer Privacy and the drafter of the initiative that ultimately resulted in the California Consumer Privacy Act (CCPA), announced a newly filed ballot measure to further expand the CCPA (currently effective on January 1, 2020), titled the “California Privacy Rights and Enforcement Act of 2020” (the Act) (an additional version of the Act is available with comments from McTaggart’s team). The Act would result in significant amendments to the CCPA, including the following, among others

    • Sensitive personal information. The Act sets forth additional obligations in connection with a business’s collection, use, sale, or disclosure of “sensitive personal information,” which is a new term introduced by the Act. “Sensitive personal information” includes categories such as health information; financial information (stated as, “a consumer’s account log-in, financial account, debit card, or credit card number in combination with any required security or access code, password, or credentials allowing access to an account”); racial or ethnic origin; precise geolocation; or other data collected and analyzed for the purpose of identifying such information.
    • Disclosure of sensitive personal information. The Act expands on the CCPA’s disclosure requirements to include, among other things, a requirement for businesses to specify the categories of sensitive personal information that will be collected, disclose the specific purposes for which the categories of sensitive personal information are collected or used, and disclose whether such information is sold. In addition, the Act prohibits a business from collecting additional categories of sensitive personal information or use sensitive personal information collected for purposes that are incompatible with the disclosed purpose for which the information was collected, or other disclosed purposes reasonably related to the original purpose for which the information was collected, unless notice is provided to the consumer.
    • Contractual requirements. The Act sets forth additional contractual requirements and obligations that apply when a business sells personal information to a third party or discloses personal information to a service provider or contractor for a business purpose. Among other things, the Act obligates the third party, service provider, or contractor to provide at least the same level of privacy protection required by the Act. The contract must also require the third party, service provider, or contractor to notify the business if it makes a determination that it can no longer meet its obligation to protect the personal information as required by the Act.
    • Eligibility for financial or lending services. The Act would require a business that collects personal information to disclose whether the business is profiling consumers and using their personal information for purposes of determining eligibility for, among other things, financial or lending services, housing, and insurance, as well as “meaningful information about the logic involved in using consumers’ personal information for this purpose.” Additionally, the business appears required to state in its privacy policy notice if such profiling had, or could reasonably have been expected to have, a significant, adverse effect on the consumers with respect to financial lending and loans, insurance, or any other specific categories that are enumerated. Notably, while Mactaggart has expressed heightened concern with sensitive personal information, such as health and financial information, the Act appears to retain the CCPA’s current exemptions under the Fair Credit Reporting Act and the Gramm-Leach-Bliley Act.
    • Advertising and marketing opt-out. The Act includes a consumer’s right to opt-out, at any time, of the business’s use of their sensitive personal information for advertising and marketing or disclosure of personal information to a service provider or contractor for the same purposes. The Act requires that businesses provide notice to consumers that their sensitive personal information may be used or disclosed for advertising or marketing purposes and that the consumers have “the right to opt-out” of its use or disclosure. “Advertising and marketing” means a communication by a business or a person acting on the business’s behalf in any medium intended to induce a consumer to buy, rent, lease, join, use, subscribe to, apply for, provide, or exchange products, goods, property, information, services, or employment.
    • Affirmative consent for sale of sensitive personal information. The Act expands on the CCPA’s opt-out provisions and prohibits businesses from selling a consumer’s sensitive personal information without actual affirmative authorization.
    • Right to correct inaccurate information. The Act provides consumers with the right to require a business to correct inaccurate personal information.
    • Definition of business.  The Act revises the definition of “business” to:
      • Clarify that the time period for calculating annual gross revenues is based on the prior calendar year; 
      • Provide that an entity meets the definition of “business” if the entity, in relevant part, alone or in combination, annually buys the personal information of 100,000 or more consumers or households;
      • Include a joint venture or partnership composed of business in which each business has at least a 40% interest; and
      • Provides a catch-all for businesses not covered by the foregoing bullets.
    • The “California Privacy Protection Agency.” The Act creates the California Privacy Protection Agency, which would have the power, authority, and jurisdiction to implement and enforce the CCPA (powers that are currently vested in the attorney general). The Act states that the Agency would have five members, including a single Chair, and the members would be appointed by the governor, the attorney general, and the leaders of the senate and assembly.

    If passed, the Act would become operative on January 1, 2021 and would apply to personal information collected by a business on or after January 1, 2020.

    As previously covered by a Buckley Special Alert, on September 13, lawmakers in California passed numerous amendments to the CCPA, which are awaiting Governor Gavin Newsom’s signature, who has until October 13 to sign. The amendments leave the majority of the consumer’s rights intact, but certain provisions were clarified — including the definition of “personal information” — while other exemptions were clarified regarding the collection of certain data that have a bearing on financial services companies.

     

     

    Privacy/Cyber Risk & Data Security State Issues State Legislation State Attorney General CCPA

    Share page with AddThis
  • EU's “right to be forgotten” law applies only in EU

    Courts

    On September 24, the European Court of Justice held that Europe’s “right to be forgotten” online privacy law — which allows individuals to request the deletion of personal information from online sources that the individual believes infringes on their right to privacy—can be applied only in the European Union. The decision results from a challenge by a global search engine to a 2015 order by a French regulator, Commission Nationale de l'Informatique et des Libertés (CNIL), requiring the search engine to delist certain links from all of its global domains, not just domains originating from the European Union. The search engine refused to comply with the order, and the CNIL imposed a 100,000 EUR penalty. The search engine sought annulment of the order and penalty, arguing that the “right to be forgotten” does not “necessarily require that the links at issue are to be removed, without geographical limitation, from all its search engine’s domain names.” Moreover, the search engine asserted that the CNIL “disregarded the principles of courtesy and non-interference recognised by public international law” and infringed on the freedoms of expression, information, and communication.

    The Court of Justice agreed with the search engine. Specifically, the Court noted that while the “internet is a global network without borders” and internet users’ access outside of the EU to a referencing link to privacy infringing personal information is “likely to have immediate and substantial effects on that person within the Union itself,” there is no obligation under current EU law for a search engine to carry out the requested deletion on all global versions of its network. The Court explained that numerous nations do not recognize “the right to be forgotten” or take an alternate approach to the right. Additionally, the Court emphasized that “the right to the protection of personal data is not an absolute right, but must be considered in relation to its function in society and be balanced against other fundamental rights, in accordance with the principle of proportionality.” The Court concluded that, while the EU struck that balance within its union, “it has not, to date, struck such a balance as regards the scope of a de-referencing outside of the union.”

    Courts Privacy/Cyber Risk & Data Security European Union Of Interest to Non-US Persons

    Share page with AddThis
  • District Court dismisses investors’ data breach claims

    Courts

    On September 18, the U.S. District Court for the Northern District of California dismissed with prejudice a class action suit brought against an online payments firm and associated entities and individuals (collectively, “defendants”) for allegedly misleading investors (plaintiffs) about a 2017 data breach. The court stated that the plaintiffs plausibly alleged the defendants’ November 2017 announcement about the data breach was misleading because it “disclosed only a security vulnerability, rather than an actual security breach that potentially compromised” 1.6 million customers, which the plaintiffs contended was not actually disclosed until a month later when a follow-up statement was released. However, the court argued that the plaintiffs failed to show under the loss-causation theory that the defendants knew the breach affected 1.6 million customers when the company made its first statement, and contended that confidential witness statements provided by the plaintiffs from three former employees did not credibly support allegations that the defendants and its executives knew the full extent of the breach when they warned of potential vulnerabilities or “used that knowledge (or recklessly disregarded it) to deceive the market.” Furthermore, the court determined that while both parties agreed that a plaintiff can support a securities fraud claim with expert opinions, the plaintiffs in this case failed to allege that the cybersecurity expert they hired was familiar with, or had knowledge of, the defendants’ specific security setup or that he actually talked to the defendants’ employees about the breach. According to the court, the expert provided an opinion on “what likely would have happened in the event of any breach.”

    Courts Class Action Privacy/Cyber Risk & Data Security Data Breach

    Share page with AddThis

Pages

Upcoming Events