As businesses and privacy professionals were holding their breath awaiting the California Governor’s signature on pending amendments to the much-anticipated California Consumer Privacy Act (“CCPA”), California’s Attorney General took the spotlight yesterday by releasing the similarly anticipated CCPA Regulations, Cal. Code Regs. tit. 11, § 999.300, et seq. (“Regulations”). Since the passage of the CCPA in June 2018, the regulations to accompany the CCPA have been touted as “guidance” on how to comply with the CCPA. Although only in draft form, some may argue that the newly released regulations increase the CCPA compliance burden, while others may argue the Regulations merely provide much-needed detail on how to comply with the CCPA.

On October 10, 2019, California’s Office of the Attorney General released a notice of proposed rulemaking action, text of the proposed regulations, initial statement of reasons, and economic impact statement. The deadline to provide comments is December 6, 2019. 

On September 5, 2019, the federal district court for the Northern District of Illinois issued an order that denied a motion to dismiss a class action brought under the Illinois Biometric Information Privacy Act (“BIPA”). Although the claims in Rogers v. CSX Intermodal Terminals, No. 19-2937, 2019 U.S. Dist. LEXIS 151135 (N.D. Ill. Sept. 5, 2019) largely survived a motion to dismiss, the district court did hand the defense bar a small—but potentially significant—victory.

The plaintiff in Rogers is a former truck driver. His duties included visiting CSX facilities to pick up and deliver freight. The plaintiff was required to scan his fingerprints to gain entrance to the facility. The plaintiff filed a BIPA class action based on CSX’s failure to provide the required disclosures before collecting his fingerprints and to maintain a publicly available policy on CSX’s retention of biometric data. The complaint also alleged that CSX’s violations were intentional and reckless, an allegation which, if proven, would result in a $5,000 per violation penalty.

After a busy year of legislative activity that brought forth many proposed amendments to the California Consumer Privacy Act (CCPA), Governor Gavin Newsom will be presented with six bills that will alter and/or clarify the scope of the CCPA. He is expected to sign all of them into law in October.

Employee Data:  The original version of the CCPA did not contain an exemption for employees’ personal information. Assembly Bill 25 brings needed clarity to the question of whether employee data will fall under the CCPA. This is a critical issue, given that certain personal information is necessarily used on a daily basis for business. Under AB 25, employees and prospective employees are excluded from most of the CCPA’s protections, which include: the right to request deletion of personal information; the right to inquire about what personal information is collected; the right to inquire about the sources of personal information; the right to inquire about the purpose for collecting or selling personal information; and the right to inquire about the categories of third parties with whom the employer or prospective employer shares their personal information. 

On August 22, 2019, the Substance Abuse and Mental Health Services Administration of the United States Department of Health and Human Services (“SAMHSA”) issued a proposed rule amending the Confidentiality of Substance Use Disorder Patient Records regulations set forth at 24 CFR Part 2.  These regulations were initially implemented to provide heightened protection of patient records covering the treatment of substance use disorder (“SUD”) provided by certain federally funded programs (“Part 2 programs”).

The proposed regulations do not modify the general requirements for the confidentiality of SUD patient records created by Part 2 programs.  Part 2 continues to prohibit the disclosure of SUD records without patient consent except as specifically permitted in situations such as in the case of a bona fide medical emergency, for purposes of scientific research, audit or program evaluation, or with an appropriate court order after showing good cause. 

Following a security incident involving its website’s chat function, Delta filed suit in the Southern District of New York against its tech vendor, [24]7.ai. Delta alleged fraud, negligence and breach of contract. A consumer class action lawsuit had already been filed against Delta in the Northern District of Georgia, related to the same incident.

According to the Complaint, on March 28, 2018, Delta was notified by [24]7.ai that a security incident had potentially compromised personally identifying information and payment card data of up to 825,000 of Delta’s customers. Delta alleges that “at least one third-party attacker gained access to Defendants’ computer networks and modified the source code of Defendants’ chat services software to enable the attacker to ‘scrape’ PII and payment card data from individuals using websites of Defendants’ clients, including Delta’s website…” Delta engaged a forensics team and began working with federal law enforcement upon receiving notice from [24]7.ai. Delta then publicly announced the breach, notified its customers, launched free credit monitoring services, and filed a lawsuit against [24]7.ai. Delta is seeking reimbursement of all breach-related costs. 

This blog post is the third in a series of Q&A posts following Dykema’s February 27, 2019 webinar on the California Consumer Privacy Act (“CCPA”). The statute takes effect on January 1, 2020–which is less than six months away. Please feel free to reach out to us if you have a unique question or would like to discuss in detail how the CCPA may apply to you.

You may see our first and second posts here and here.

Thanks for reading!



Over the last few months, we have been presenting and reporting on the California Consumer Privacy Act (CCPA), the country’s first comprehensive state law designed to give consumers significant control over the personal data that companies collect. Not to be outdone, New York is working on data privacy legislation that imposes even heavier burdens on companies that collect consumer information.

The proposed New York Privacy Act (NYPA), Senate Bill S5642, sponsored by Democrat Kevin Thomas, has not yet been passed. If it passes in its current form, however, it would impose the strictest requirements in the country relating to companies’ collection, maintenance, use, and disclosure of consumer information. 

April was another busy month for legislative activity on the California Consumer Privacy Act (CCPA), following a very busy February [see our prior post here]. A proposed sweeping revision to the CCPA, AB 1760, was withdrawn, while three key amendments, AB 25, AB 873, and AB 874, are up for a floor vote. Meanwhile, SB 561, which greatly expands the private right of action under the CCPA, is now in the Senate Appropriations Committee’s Suspense File awaiting a May 17, 2019 deadline for a vote as to whether it makes it out of the Suspense File. 

After the Illinois Supreme Court’s decision in January holding that a plaintiff need not show actual harm to be an “aggrieved person” under the Illinois Biometric Information Privacy Act (“BIPA”), parties litigating under BIPA have been testing other defenses. One of those defenses is whether BIPA matters can be compelled to arbitration pursuant to an arbitration provision set forth in the parties’ agreement.

On Tuesday, April 9, the First District Appellate Court of Illinois issued its decision in Liu v. Four Seasons Hotel, Ltd., 2019 IL App (1st) 182645, holding that a BIPA claim could not be compelled to arbitration based on the language of the employment agreement at issue. Specifically, the employment agreement provided that a dispute was subject to mandatory, binding arbitration if it “is based on one of the following types of claims as defined by law:  (a) employment discrimination; (b) harassment as it relates to my employment; (c) a wage or hour violation; (d) or termination of my employment from the Hotel.” Defendant argued that plaintiffs’ BIPA claim was a “wage or hour” dispute because the scans of plaintiffs’ fingerprints were used to track the hours the plaintiffs worked and therefore, it was an “hour” violation claim. The appellate court disagreed. 

This blog post is the second in a series of Q&A posts following Dykema’s February 27, 2019 webinar on the California Consumer Privacy Act (“CCPA”).  We received questions both before and during the webinar, and over the coming weeks we will be posting our responses. We will answer the most commonly-asked questions first, so please stay tuned if you don’t see your question in our first few posts. And, of course, please feel free to reach out to us if you have a unique question or would like to discuss in detail how the CCPA may apply to you.

You may see our first post here.

Thanks for reading!

