<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Cybersecurity Lawyer Forum</title>
	<atom:link href="https://cybersecurity.jeffer.com/feed/" rel="self" type="application/rss+xml" />
	<link>https://cybersecurity.jeffer.com/</link>
	<description>Published by JMM’s Cybersecurity and Privacy Group — Jeffer Mangels &#38; Mitchell LLP</description>
	<lastBuildDate>Mon, 06 Jan 2025 22:06:39 +0000</lastBuildDate>
	<language>en-US</language>
	<sy:updatePeriod>
	hourly	</sy:updatePeriod>
	<sy:updateFrequency>
	1	</sy:updateFrequency>
	
<site xmlns="com-wordpress:feed-additions:1">121071590</site>	<item>
		<title>Dark Patterns and You</title>
		<link>https://cybersecurity.jeffer.com/2025/01/06/dark-patterns-and-you/</link>
		
		<dc:creator><![CDATA[Robert E. Braun]]></dc:creator>
		<pubDate>Mon, 06 Jan 2025 22:06:39 +0000</pubDate>
				<category><![CDATA[News]]></category>
		<category><![CDATA[Policies and Procedures]]></category>
		<category><![CDATA[Privacy Regulations]]></category>
		<guid isPermaLink="false">https://cybersecurity.jmbm.com/?p=880</guid>

					<description><![CDATA[<p>Over the past two years, privacy legislation and regulation has focused on a variety of issues.  How companies can collect and use sensitive information (healthcare data, geolocation, financial data and the like) and how they respond to consumer requests often take top billing.  But “dark patterns” can impact not only a company’s disclosures, but its [&#8230;]</p>
<p>The post <a href="https://cybersecurity.jeffer.com/2025/01/06/dark-patterns-and-you/">Dark Patterns and You</a> appeared first on <a href="https://cybersecurity.jeffer.com">Cybersecurity Lawyer Forum</a>.</p>
]]></description>
										<content:encoded><![CDATA[<p>Over the past two years, privacy legislation and regulation has focused on a variety of issues.  How companies can collect and use sensitive information (healthcare data, geolocation, financial data and the like) and how they respond to consumer requests often take top billing.  But “dark patterns” can impact not only a company’s disclosures, but its business operations generally.</p>
<p><strong>What are Dark Patterns? </strong></p>
<p>Dark patterns are usually defined as user interfaces that trick or manipulate consumers into making choices that they would not otherwise have made. The California Consumer Privacy Act (CCPA) defines dark patterns as user interfaces that &#8220;subvert or impair consumers&#8217; autonomy, decision making, or choice&#8221;.  Similarly, the Federal Trade Commission (FTC) defines unlawful dark patterns to include any online “design practices that trick or manipulate users into making decisions they would not otherwise have made and that may cause harm” and considers the use of dark patterns to be an unfair and deceptive trade practice.</p>
<p>Examples of dark patterns include:</p>
<ul>
<li><strong>Unclear choices </strong>– Customer choices that are not presented in a clear and balanced way. For example, if a business offers an option to opt-out of sharing personal information, the option should be clear and easy to find.</li>
<li><strong>Confusing language</strong> – Choices that a business presents in technical or difficult language.</li>
<li><strong>Hidden information</strong> &#8211; Information and key terms buried in fine print or in unexpected places.</li>
<li><strong>Making it hard to cancel</strong> <strong>&#8211; </strong>Businesses should not make it difficult for consumers to cancel subscriptions or charges.</li>
</ul>
<p><span id="more-880"></span></p>
<p><strong>What are the Penalties for using Dark Patterns?</strong></p>
<p>Federal and state regulators have adopted laws and regulations that prohibit businesses from using dark patterns, and companies that violate those prohibitions can be subject to legal and regulatory action and financial penalties.</p>
<p>Section 5 of the FTC Act prohibits the use of unfair or deceptive acts or practices in or affecting commerce.  In June 2023, the FTC filed a complaint in the US District Court for the Western District of Washington alleging that Amazon violated Section 5 by using manipulative, coercive, or deceptive user interface designs to trick consumers into enrolling in its Amazon Prime subscription service.  Among other things, the FTC alleged that Amazon’s use of dark patterns was a violation of the Restore Online Shoppers’ Confidence Act (ROSCA), which generally bars the sale of goods or services on the internet through negative option marketing without meeting certain requirements for disclosure, consent, and cancellation to protect consumers.</p>
<p>The Amazon case followed a 2023 settlement between the FTC and EPIC Games, the maker of the popular video game Fortnite, to refund $245 million to customers. The FTC claimed that the design layout of Fortnite, which included counterintuitive, inconsistent, and confusing button placements, facilitated inadvertent charges with a single button press. At the same time, Epic relocated and minimized the &#8220;cancel purchase&#8221; button and designed a confusing process for consumers to request refunds through the Fortnite app.</p>
<p>The CCPA prohibits the use of dark patterns to obtain consent for privacy-related choices. The CCPA&#8217;s regulations require consent to be freely given, specific, informed, and unambiguous.  On September 4, 2024, the California Privacy Protection Agency (the CPPA, which was established to implement the CCPA) issued an enforcement advisory regarding “choice architectures that have the substantial effect of subverting or impairing a consumer’s autonomy, decision-making, or choice” &#8211; in other words, dark patterns. The advisory gave notice that the CPPA is closely scrutinizing consents for dark patterns and will consider such consents invalid. If the CPPA finds that a company uses dark patterns to obtain consent, the agency may seek civil penalties of up to $2,500 per violation, and up to $7,500 for willful violations.</p>
<p>California isn’t the only state to act.  Both Colorado, through the Colorado Privacy Act, and Connecticut, through the Connecticut Data Privacy Act, provide that agreements obtained through dark patterns do not constitute valid consent.  Violations can lead to penalties of $5,000 per violation in Connecticut and $20,000 per violation in Colorado.</p>
<p><strong>Click to Cancel</strong></p>
<p>At a minimum, any company doing business online should review its user interfaces to ensure they offer symmetrical choices and use clear, easy-to-understand language.  Particular attention should be paid to the FTC’s new “Click to Cancel” Rule. The rule requires companies to make it as easy for people to withdraw from a program or subscription as it was to sign up. That means people must be able to find the cancellation method quickly and easily. It should be offered through the same medium (online, phone, etc.) people used to sign up, and it shouldn’t be overly burdensome. Some key considerations:</p>
<ul>
<li>A company can’t require people to talk to a live or virtual representative to cancel if they didn’t have to do that to sign up.</li>
<li>Companies can’t charge extra for that service and must answer the phone or take a message during normal business hours. Messages must receive a prompt response.</li>
<li>If a customer originally subscribed in person, the company must offer them the opportunity to cancel in person <u>and</u> by other means, such as online or on the phone.</li>
</ul>
<p>The Click to Cancel Rule, together with other FTC and state actions, points to one other issue:  the concept of dark patterns isn’t limited to online transactions.  Companies need to consider whether their actions constitute unfair or deceptive trade practices generally, whether undertaken online, by phone, by mail, or in person.</p>
<p><strong><em>JMBM’s Cybersecurity and Privacy Group</em></strong><em> counsels clients with a commitment to protecting personal information in a wide variety of industries, including accounting firms, law firms, business management firms and family offices, in artificial intelligence implementation and other new technologies, development of cybersecurity strategies, creation of data security and privacy policies and procedures, responding to data breaches and regulatory inquiries and investigations, and crisis management. The Cybersecurity and Privacy Group uses a focused intake methodology that permits clients to get a reliable sense of their privacy and cybersecurity readiness and to determine optimal, client-specific approaches to cybersecurity.</em></p>
<p><strong><em> Robert E. Braun</em></strong><em> is the co-chair of the Cybersecurity and Privacy Law Group at Jeffer Mangels Butler &amp; Mitchell LLP. Clients engage Bob to develop and implement privacy and information security policies, data breach response plans, negotiate agreements for technologies and data management services, and comply with legal and regulatory requirements. Bob manages data breach response and responds quickly to clients’ needs when a data breach occurs. Contact Bob at RBraun@jeffer.com or +1 310.785.5331.</em></p>
<p>The post <a href="https://cybersecurity.jeffer.com/2025/01/06/dark-patterns-and-you/">Dark Patterns and You</a> appeared first on <a href="https://cybersecurity.jeffer.com">Cybersecurity Lawyer Forum</a>.</p>
]]></content:encoded>
					
		
		
		<post-id xmlns="com-wordpress:feed-additions:1">880</post-id>	</item>
		<item>
		<title>California’s Trap and Trace Pen Register Litigation: Key Considerations &#038; How to Respond to a Lawsuit</title>
		<link>https://cybersecurity.jeffer.com/2024/12/20/californias-trap-and-trace-pen-register-litigation-key-considerations-how-to-respond-to-a-lawsuit/</link>
		
		<dc:creator><![CDATA[JMM's Cybersecurity and Privacy Group]]></dc:creator>
		<pubDate>Fri, 20 Dec 2024 19:37:56 +0000</pubDate>
				<category><![CDATA[California Law]]></category>
		<category><![CDATA[News]]></category>
		<guid isPermaLink="false">https://cybersecurity.jmbm.com/?p=876</guid>

					<description><![CDATA[<p>The California Invasion of Privacy Act (CIPA) is sparking a surge in lawsuits that could profoundly impact businesses with consumer-facing websites. Once focused on law enforcement’s use of “trap and trace” devices, CIPA is now being applied to website tracking technologies like cookies and pixels, exposing companies to significant legal risks. In the article below, [&#8230;]</p>
<p>The post <a href="https://cybersecurity.jeffer.com/2024/12/20/californias-trap-and-trace-pen-register-litigation-key-considerations-how-to-respond-to-a-lawsuit/">California’s Trap and Trace Pen Register Litigation: Key Considerations &amp; How to Respond to a Lawsuit</a> appeared first on <a href="https://cybersecurity.jeffer.com">Cybersecurity Lawyer Forum</a>.</p>
]]></description>
										<content:encoded><![CDATA[<p>The California Invasion of Privacy Act (CIPA) is sparking a surge in lawsuits that could profoundly impact businesses with consumer-facing websites. Once focused on law enforcement’s use of “trap and trace” devices, CIPA is now being applied to website tracking technologies like cookies and pixels, exposing companies to significant legal risks. In the article below, JMBM Partner Stuart K. Tubis delves into the key considerations surrounding this trend, the latest court rulings, and practical steps businesses can take to defend against these claims.</p>
<h3 style="text-align: center"><strong>California’s Trap and Trace Pen Register Litigation: Key Considerations &amp; How to Respond to a Lawsuit</strong><br />
<strong>by Stuart Tubis</strong></h3>
<p>The California Invasion of Privacy Act (CIPA) is driving a wave of litigation that could significantly impact businesses with consumer-facing websites. Hundreds of lawsuits have been filed recently alleging that businesses operating in California violated CIPA due to very common software and business practices found on their websites. Initially intended to regulate law enforcement’s use of “trap and trace” devices, plaintiffs now argue that CIPA’s outdated language applies to website tracking tools, such as cookies, pixels, and beacons.</p>
<p><strong>Background on Trap and Trace Provisions</strong></p>
<p>California’s Penal Code Section 638.51 prohibits installing or using a trap and trace device without a court order. A trap and trace device identifies the origin of incoming signals, similar to caller ID but more advanced. Originally, this provision applied only to law enforcement tracking incoming telephone numbers. However, plaintiffs now claim that common online tools also violate the statute by capturing information like IP addresses, geographic data, and browsing habits—data they argue is akin to “dialing, routing, addressing, or signaling information” regulated under CIPA.</p>
<p>The recent lawsuits target businesses across sectors, asserting that website visitor tracking constitutes illegal data collection. Plaintiffs argue that the law’s broad definitions of “trap and trace” devices include online tracking technologies, even though these provisions were designed decades ago with telephones, not the internet, in mind. Many businesses argue this is a misapplication of an old law that has no proper application to the internet.<span id="more-876"></span></p>
<p><strong>Key Legal Issues and Litigation Trends</strong></p>
<p>Several critical rulings highlight the evolving nature of trap and trace litigation:</p>
<ol>
<li><strong><em>Greenley v. Kochava</em></strong>: This pivotal case helped launch the new wave of litigation by allowing claims that software used to track user data (including clicks and purchase history) could be considered a “pen register” under CIPA. This interpretation emboldened plaintiffs to pursue similar cases, leading to a spike in lawsuits asserting that online tracking tools fall under the statute’s reach. 2023 WL 4833466 (S.D. Cal. July 27, 2023).</li>
<li><strong><em>Licea v. Hickory Farms</em></strong>: In contrast, this decision dismissed a plaintiff’s attempt to apply CIPA to website analytics. The Los Angeles Superior Court rejected claims that tracking IP addresses alone constituted a CIPA violation, reasoning that such interpretation would disrupt legitimate online commerce. This ruling offers a line of hope for defendants, suggesting that not all tracking technology will fall under CIPA’s restrictions. Case No. 23STCV26148 (Cal. Sup. Ct. L.A. County Mar. 13, 2024).</li>
<li><strong>Potential Nationwide Impact</strong>: CIPA’s expansive language, combined with the possibility of high statutory damages, makes this law appealing to serial privacy litigants looking for settlement payouts or court judgments. As similar privacy laws take hold across the U.S., these novel CIPA claims could inspire related actions in other states, raising stakes for companies nationwide.</li>
</ol>
<h4><strong>Possible Defenses for Businesses</strong></h4>
<p>Despite the surge in lawsuits, businesses have several potential defenses to CIPA trap and trace claims. One common defense is user consent. Many businesses argue that visitors consent to tracking through cookie notices or privacy policies. While California requires explicit disclosure, clear opt-in mechanisms may help mitigate liability.</p>
<p>Another defense involves public policy arguments. Courts have signaled hesitancy to interpret CIPA in a way that broadly restricts website analytics. In <em>Licea v. Hickory Farms</em>, the court noted that applying the statute this way could have unintended economic consequences for online businesses, a policy argument that could sway other judges. Further case law is needed to fully clarify CIPA’s application to the internet.</p>
<p>Jurisdictional challenges also provide a potential defense. Since CIPA primarily applies within California, businesses with limited ties to the state may contest the court’s jurisdiction over the case. Non-California companies might argue they should not be subject to lawsuits if their activities were primarily conducted outside the state.</p>
<p>Businesses may raise defenses based on standing and lack of injury. Plaintiffs often face difficulties in demonstrating actual harm under CIPA, especially when the data being tracked does not involve sensitive personal information. Courts may dismiss cases where plaintiffs fail to establish the required “injury-in-fact,” which is necessary to meet standing requirements under privacy laws.</p>
<h4><strong>Risk Mitigation Strategies</strong></h4>
<p>To minimize litigation risk, California-based businesses and those targeting California consumers can take proactive steps. Companies should conduct regular audits of tracking technologies to ensure their practices comply with CIPA’s evolving interpretations. By evaluating the types of tracking tools deployed on their websites or apps, businesses can stay ahead of any legal changes that may impact their operations.</p>
<p>Another key step is to implement enhanced privacy disclosures. Clear privacy policies and opt-in agreements, with language specifically addressing tracking practices, help businesses to ensure that consumers are fully informed of the tracking practices in place. Doing so may reduce the likelihood of claims related to unauthorized data collection.</p>
<p>Businesses should also consider limiting data sharing with third parties. Given concerns from plaintiffs about data being shared with entities like social media platforms, companies can mitigate risks by reviewing their partnerships and minimizing unnecessary third-party data transfers. This can help prevent potential privacy violations and related litigation.</p>
<p>With several high-stakes cases pending, businesses should monitor litigation trends closely. Tracking emerging court rulings to assess whether their practices align with judicial guidance on CIPA compliance helps businesses reduce the risk of legal challenges.</p>
<h4><strong>How to Respond to a Lawsuit</strong></h4>
<p>Facing a lawsuit under California’s trap and trace provisions can be daunting. Here are basic steps for businesses to respond effectively:</p>
<ol>
<li><strong>Understand the Response Timeline</strong><br />
Once a complaint is served, defendants typically have 30 days to file a response in California state court (or 21 days in federal court). Missing this deadline can result in a default judgment, which may lead to unfavorable outcomes, including penalties. Businesses should immediately review the filing and engage legal counsel to ensure a timely response.</li>
</ol>
<ol start="2">
<li><strong>Evaluate Potential Defenses</strong><br />
A thorough assessment of potential defenses is critical. Key defenses to explore include:<br />
<strong>&#8211; Consent of the User:</strong> Many websites have privacy policies and cookie banners that users interact with, potentially signaling consent. Demonstrating user awareness and agreement to tracking practices may strengthen a defense.<br />
<strong>&#8211; Applicability of CIPA:</strong> Arguing that CIPA’s trap and trace provisions do not apply to routine tracking technologies or website analytics can be effective. Courts have occasionally agreed that IP tracking and website functionality fall outside CIPA’s original scope.<br />
<strong>&#8211; Jurisdictional Challenges:</strong> If your business is not based in California or has limited California ties, a jurisdictional defense may be available.<br />
<strong>&#8211; Lack of Harm:</strong> Many plaintiffs face difficulty establishing concrete harm from tracking practices, which can lead to dismissals.</li>
</ol>
<p>If a solid defense applies or the Plaintiff’s claims are weak, you can consider filing a motion to dismiss, demurrer or motion for summary judgment to have the court throw out the lawsuit.</p>
<ol start="3">
<li><strong>Consider Settlement Options</strong><br />
Defending against class actions or individual lawsuits can be costly. Settlement is one way to resolve the case efficiently. Early settlement negotiations may include agreeing to enhanced privacy practices and a payment to the plaintiff. Businesses should weigh the benefits of an early settlement against the likelihood of dismissal based on defenses. Be sure to discuss this with legal counsel before agreeing to or signing anything.</li>
</ol>
<p>The broad application of California’s trap and trace provisions to website tracking tools remains a contentious issue. Businesses are advised to consult legal counsel to tailor compliance measures in light of evolving CIPA interpretations.</p>
<p>JMBM has defended many businesses against these lawsuits. If your business has been sued or received a complaint letter, please contact us.</p>
<hr />
<p><em><strong>Stuart Tubis</strong> is a civil litigator representing clients in a wide range of matters, particularly Americans with Disabilities Act (ADA) and Unruh Civil Rights Act claims. He counsels businesses on the full spectrum of accessibility compliance and represents their interests in civil litigation and Department of Justice investigations. Stuart has a background in technology, which helps in resolving the growing area of website accessibility issues. His experience extends to all aspects of litigation, including pleadings, discovery, motion practice, negotiations, arbitration, trial advocacy, settlement and alternative dispute resolution.<br />
</em><strong><em>Contact Stuart at </em><a href="mailto:STubis@jeffer.com"><em>STubis@jeffer.com</em></a><em> or 415.984.9622.</em></strong></p>
<p><em><strong>JMBM’s Cybersecurity and Privacy Group</strong> counsels clients with a commitment to protecting personal information in a wide variety of industries, including accounting firms, law firms, business management firms and family offices, in artificial intelligence implementation and other new technologies, development of cybersecurity strategies, creation of data security and privacy policies and procedures, responding to data breaches and regulatory inquiries and investigations, and crisis management. The Cybersecurity and Privacy Group uses a focused intake methodology that permits clients to get a reliable sense of their cybersecurity readiness and to determine optimal, client-specific approaches to cybersecurity.</em></p>
<p><em>This update is provided to our clients, business associates and friends for informational purposes only. Legal advice should be based on your specific situation and provided by a qualified attorney.</em></p>
<p>The post <a href="https://cybersecurity.jeffer.com/2024/12/20/californias-trap-and-trace-pen-register-litigation-key-considerations-how-to-respond-to-a-lawsuit/">California’s Trap and Trace Pen Register Litigation: Key Considerations &amp; How to Respond to a Lawsuit</a> appeared first on <a href="https://cybersecurity.jeffer.com">Cybersecurity Lawyer Forum</a>.</p>
]]></content:encoded>
					
		
		
		<post-id xmlns="com-wordpress:feed-additions:1">876</post-id>	</item>
		<item>
		<title>Managing AI Risk</title>
		<link>https://cybersecurity.jeffer.com/2024/09/12/managing-ai-risk/</link>
		
		<dc:creator><![CDATA[Robert E. Braun]]></dc:creator>
		<pubDate>Thu, 12 Sep 2024 22:00:49 +0000</pubDate>
				<category><![CDATA[Risk Evaluation and Management]]></category>
		<category><![CDATA[AI]]></category>
		<category><![CDATA[Artificial Intelligence]]></category>
		<guid isPermaLink="false">https://cybersecurity.jmbm.com/?p=873</guid>

					<description><![CDATA[<p>In 2017, when blockchain was the new shiny thing, a little-known micro-cap stock, Long Island Iced Tea Corp., changed its name to Long Blockchain Corp. That day, its stock price jumped 200% on the news, but it was still a beverage maker – it simply announced that it was exploring opportunities in blockchain technology. Simply [&#8230;]</p>
<p>The post <a href="https://cybersecurity.jeffer.com/2024/09/12/managing-ai-risk/">Managing AI Risk</a> appeared first on <a href="https://cybersecurity.jeffer.com">Cybersecurity Lawyer Forum</a>.</p>
]]></description>
										<content:encoded><![CDATA[<p>In 2017, when blockchain was the new shiny thing, a little-known micro-cap stock, Long Island Iced Tea Corp., changed its name to Long Blockchain Corp. That day, its stock price jumped 200% on the news, but it was still a beverage maker – it simply announced that it was exploring opportunities in blockchain technology. Simply attaching the word “blockchain” to its corporate name was enough to create a frenzy in the stock.</p>
<p>Even though artificial intelligence has been a part of our lexicon for more than seventy years, artificial intelligence remains the latest bright shiny thing. Businesses large and small feel compelled to incorporate artificial intelligence into their company descriptions even with a limited understanding of what artificial intelligence is, or how it could help their business. While incorporating artificial intelligence into a business model may be a good move, jumping on the AI bandwagon can have unintended consequences.</p>
<p><strong><u>What is Artificial Intelligence</u></strong></p>
<p>Most of us have an imperfect concept of artificial intelligence: we think that the title is descriptive of the product. However, artificial intelligence is not necessarily what it sounds like. IBM defines artificial intelligence as “technology that enables computers and machines to simulate human learning, comprehension, problem solving, decision making, creativity and autonomy.” But what most people think of as artificial intelligence is <em>generative AI</em>, technology that can create original text, images, video, and other content without human intervention.</p>
<p>Underlying this is a hard fact. Artificial intelligence is highly technical and exceedingly difficult. As an expert in the field, Joseph Greenfield of Maryman and Associates told me, “To understand artificial intelligence, you understand neural networks.” I don’t understand neural networks – do you?</p>
<p><strong><u>What are the risks of Artificial Intelligence</u>?</strong></p>
<p>Some of the risks in artificial intelligence – or, more accurately, AI systems and tools – are well publicized. For example, AI “hallucinations,” a generative AI tool that creates responses to prompts that have little or no basis in fact, have become legendary. Biased or inaccurate responses are a common issue, and certain AI models have design flaws that can magnify those issues. Additionally, because of the complexity of AI systems, they cannot be treated simply as another form of software.</p>
<p>An AI system is not like a car, or a computer, or a lot of things we use but don’t understand. Or, more accurately, it’s like having a car without understanding what the steering wheel, accelerator and brake do. You are bound to have an accident.</p>
<p>The National Institute of Standards and Technology recently published a “Risk Management Framework” that identifies several risks that are inherent in AI systems. Among other things:</p>
<ul>
<li><strong><em>Difficulty in Measurement. </em></strong>The risk in using AI systems is difficult to measure, making it challenging to implement a “safe” system.</li>
<li><em><strong>Adapting and Evolving.</strong> </em>AI systems are, by their nature, continually adapting and evolving, which may make a risk analysis at one stage in the AI lifecycle inapplicable to a later stage.</li>
<li><strong><em>Lack of Transparency. </em></strong>AI systems are often opaque, lacking in documentation or explanation.</li>
</ul>
<p>Moreover, a functioning AI system raises risks of inadequate compliance with laws, inadvertent disclosure of personal and business information, and a variety of ethical dilemmas. The takeaway here is that if you cannot identify or measure the risk, you might be unable to manage it.</p>
<p><u>Managing the Risk</u>.</p>
<p>While eliminating risk might be impossible, it can be managed. Some steps a company can take to control the risk in AI systems include:</p>
<ul>
<li><strong><em>Understand the system and how you plan to use it</em>.</strong> Make sure that you understand the purpose of the AI system and how it will address your needs.</li>
<li><strong><em>Consider compliance</em>.</strong> There are a variety of laws and regulations that impact the legal uses of artificial intelligence. Currently, the European Union AI Act, Utah AI Policy Act, and Colorado AI Act all stand out as specific laws geared toward artificial intelligence, but the nature of artificial intelligence is that it can trigger virtually all privacy laws as well as scrutiny by the FTC and state attorneys general. And, just as legislatures and regulators are focusing on privacy rights, they are moving into artificial intelligence regulation as well (even without fully understanding the concepts).</li>
<li><strong><em>Hot button Issues</em></strong>. Recognize that some applications of artificial intelligence are particularly sensitive, such as:
<ul>
<li>Employment decisions;</li>
<li>Credit scoring;</li>
<li>Training with protected or unlawfully obtained data; and</li>
<li>For those in the federal supply chain, the Biden Administration’s AI Executive Order.</li>
</ul>
</li>
</ul>
<p>There are also actions you can take to limit your risk exposure:</p>
<ul>
<li><strong><em>Risk Analysis:</em></strong> Despite the challenge, understand how the AI system might create risks to your company. The risks can range from violation of specific artificial intelligence and privacy laws, intellectual property infringement, loss of trade secrets, and reputational harm.</li>
<li><strong><em>Vendor Assessment:</em></strong> Learn as much as you can about who will provide or develop the AI System – its experience, reputation, past projects, and personnel.</li>
<li><strong><em>Training Materials:</em></strong> Find out what data was used to train the AI system and where it came from. Does it include personal information, copyrighted materials, or trade secrets? Did the developer have the right to use the data?</li>
<li><strong><em>Review the Agreement Carefully:</em> </strong>As noted above, artificial intelligence systems are different from other software. A careful review of the representations and warranties, indemnification provisions and limitations on liability is essential.</li>
<li><strong><em>Don’t skimp on the Statement of Work:</em></strong> The statement of work (the actual description of what the AI system will do) is key. That is challenging because it’s often the case that an AI system is developed with broad initial goals, making a continuing review of system requirements and goals essential.</li>
<li><strong><em>Have an AI Governance Committee and Policy:</em></strong> Establish a company group with meaningful authority, and with technical and legal expertise, to oversee the use of AI systems and tools.</li>
</ul>
<p>Artificial Intelligence tools are expected to transform the way we work. They have the potential to automate tasks, improve decision-making, and provide valuable insights into our operations. However, the use of AI tools also presents new challenges in terms of information security and data protection. Adopting AI systems and tools requires preparation and careful thought – don’t just reach for the brightest new penny!</p>
<hr />
<p><em><strong>JMBM’s Cybersecurity and Privacy Group</strong> counsels clients with a commitment to protecting personal information in a wide variety of industries, including accounting firms, law firms, business management firms and family offices, in artificial intelligence implementation and other new technologies, development of cybersecurity strategies, creation of data security and privacy policies and procedures, responding to data breaches and regulatory inquiries and investigations, and crisis management. The Cybersecurity and Privacy Group uses a focused intake methodology that permits clients to get a reliable sense of their cybersecurity readiness and to determine optimal, client-specific approaches to cybersecurity.</em></p>
<p><em> <strong>Robert E. Braun</strong> is the co-chair of the Cybersecurity and Privacy Law Group at Jeffer Mangels Butler &amp; Mitchell LLP. Clients engage Bob to develop and implement privacy and information security policies, data breach response plans, negotiate agreements for technologies and data management services, and comply with legal and regulatory requirements. Bob manages data breach response and responds quickly to clients’ needs when a data breach occurs. Contact Bob at RBraun@jeffer.com or +1 310.785.5331.</em></p>
]]></content:encoded>
					
		
		
		<post-id xmlns="com-wordpress:feed-additions:1">873</post-id>	</item>
		<item>
		<title>To Pay or Not to Pay – There Isn’t a Question</title>
		<link>https://cybersecurity.jeffer.com/2024/05/23/to-pay-or-not-to-pay-there-isnt-a-question/</link>
		
		<dc:creator><![CDATA[Robert E. Braun]]></dc:creator>
		<pubDate>Thu, 23 May 2024 19:07:41 +0000</pubDate>
				<category><![CDATA[Data Breach]]></category>
		<category><![CDATA[International Law]]></category>
		<category><![CDATA[Policies and Procedures]]></category>
		<guid isPermaLink="false">https://cybersecurity.jmbm.com/?p=865</guid>

					<description><![CDATA[<p>Every ransomware attack requires the victims to make a hard decision – whether or not to pay the ransom. The decision is often made on the basis of past mistakes – failure to implement basic security (such as not implementing multi-factor authentication), failure to train personnel in recognizing phishing, or failure to establish and maintain [&#8230;]</p>
]]></description>
										<content:encoded><![CDATA[<p>Every ransomware attack requires the victims to make a hard decision – whether or not to pay the ransom. The decision is often made on the basis of past mistakes – failure to implement basic security (such as not implementing multi-factor authentication), failure to train personnel in recognizing phishing, or failure to establish and maintain an effective backup protocol. Lack of backups is often the deciding factor – if a company cannot reinstall systems and recover lost data, it may feel that it has no choice except to pay the ransom.</p>
<p><strong>Why You Shouldn’t Pay. </strong>Even if that were the case, paying the ransom may be the wrong decision. Here’s why:</p>
<ul>
<li><em>Paying the Ransom May Be Illegal</em>. Federal and some state and local governments have rules against paying ransom to bad actors because it funds illegal activities. The U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) oversees these incidents; the International Emergency Economic Powers Act and the Trading with the Enemy Act impose strict rules on foreign financial engagement, and it is illegal to conduct a transaction with any person on OFAC’s Specially Designated Nationals and Blocked Persons List. As it happens, hackers are often on the list. Violations of the sanctions rules can result in civil penalties and even jail time.</li>
</ul>
<p style="padding-left: 40px">Ransom payments to individuals and entities on the list are prohibited even where the victim does not know that the recipient is listed; the government can seek civil penalties even if the victim didn’t know the payments were illegal.</p>
<p><span id="more-865"></span></p>
<ul>
<li><em>Paying the Ransom Doesn’t Work</em>. In the vast majority of cases, paying the ransom gives access to an encryption key that may be of limited use, or may be entirely ineffective. The data may be corrupted, and there are even cases where the encryption key gives access to the data of other parties – which means that someone else has access to your data! Studies have shown that it is easier, faster and cheaper to recreate the lost data from a backup – emphasizing the importance of having backups.</li>
</ul>
<p style="padding-left: 40px">Companies should also remember that even if they recover the data, that data has been exfiltrated, and the hacker will likely extort an additional payment to agree not to resell the data. At the same time, we are dealing with criminals – what kind of promise is that? The hacker may sell the data anyway.</p>
<p style="padding-left: 40px">There’s another factor – paying the ransom is a message to the bad actor that the victim will pay again. Having proven that they will pay once, the hacker is just as likely to demand additional payments.</p>
<ul>
<li><em>Paying the Ransom is Wrong. </em>Giving money to criminals funds and encourages criminal behavior. If hackers aren’t paid for their actions, they’ll be less likely to do it again; it impacts their business model. Conversely, ransom payments encourage the behavior.</li>
</ul>
<p><strong>The British Experiment. </strong>The US isn’t the only country that is grappling with the issue. British officials are evaluating mandates that would change how victims respond to these incidents. The proposal, still in its early stages, would require victims to report incidents to the government, and mandate that any victim that wants to make an extortion payment seek a license from the government to do so. This policy would help illuminate the scale of cybercrime issues; the lack of mandatory reporting makes this a matter of mystery and speculation.</p>
<p>Britain is also considering a complete ban on ransom payments by organizations involved with the critical national infrastructure. The stated goal of banning ransom payments is to de-incentivize cyber criminals from targeting such crucial systems and services, reducing the overall security threat to these critical infrastructures.</p>
<hr />
<p><em>JMBM’s Cybersecurity and Privacy Group counsels clients with a commitment to protecting personal information in a wide variety of industries, including accounting firms, law firms, business management firms and family offices, in matters ranging from development of cybersecurity strategies, creation of data security and privacy policies, responding to data breaches and regulatory inquiries and investigations, crisis management and artificial intelligence implementation. The Cybersecurity and Privacy Group uses a focused intake methodology that permits clients to get a reliable sense of their cybersecurity readiness and to determine optimal, client-specific approaches to cybersecurity.</em></p>
<p><em>Robert E. Braun is the co-chair of the Cybersecurity and Privacy Law Group at Jeffer Mangels Butler &amp; Mitchell LLP. Clients engage Bob to develop and implement privacy and information security policies, data breach response plans, negotiate agreements for technologies and data management services, and comply with legal and regulatory requirements. Bob manages data breach response and responds quickly to clients’ needs when a data breach occurs. Contact Bob at RBraun@jeffer.com or +1 310.785.5331.</em></p>
]]></content:encoded>
					
		
		
		<post-id xmlns="com-wordpress:feed-additions:1">865</post-id>	</item>
		<item>
		<title>Time to Update your Privacy Policy</title>
		<link>https://cybersecurity.jeffer.com/2024/01/12/time-to-update-your-privacy-policy/</link>
		
		<dc:creator><![CDATA[Robert E. Braun and Stuart Tubis]]></dc:creator>
		<pubDate>Fri, 12 Jan 2024 18:44:49 +0000</pubDate>
				<category><![CDATA[Policies and Procedures]]></category>
		<category><![CDATA[Privacy Regulations]]></category>
		<guid isPermaLink="false">https://cybersecurity.jmbm.com/?p=850</guid>

					<description><![CDATA[<p>In 2024, privacy laws adopted by Montana, Oregon, Texas and Utah will become effective. While the laws have much in common (and are similar to the laws already in effect), they each have special characteristics, and companies will need to evaluate how they impact operations, disclosures and policies. What do they have in common? Each [&#8230;]</p>
]]></description>
										<content:encoded><![CDATA[<p><img fetchpriority="high" decoding="async" class="alignright wp-image-851" src="https://cybersecurity.jeffer.com/files/2024/01/5d390682-b1e1-401a-beb1-e33483e4e383.png" alt="5d390682-b1e1-401a-beb1-e33483e4e383" width="300" height="300" srcset="https://cybersecurity.jeffer.com/files/2024/01/5d390682-b1e1-401a-beb1-e33483e4e383.png 1024w, https://cybersecurity.jeffer.com/files/2024/01/5d390682-b1e1-401a-beb1-e33483e4e383-300x300.png 300w, https://cybersecurity.jeffer.com/files/2024/01/5d390682-b1e1-401a-beb1-e33483e4e383-150x150.png 150w, https://cybersecurity.jeffer.com/files/2024/01/5d390682-b1e1-401a-beb1-e33483e4e383-768x768.png 768w, https://cybersecurity.jeffer.com/files/2024/01/5d390682-b1e1-401a-beb1-e33483e4e383-1000x1000.png 1000w, https://cybersecurity.jeffer.com/files/2024/01/5d390682-b1e1-401a-beb1-e33483e4e383-120x120.png 120w" sizes="(max-width: 300px) 100vw, 300px" />In 2024, privacy laws adopted by Montana, Oregon, Texas and Utah will become effective. While the laws have much in common (and are similar to the laws already in effect), they each have special characteristics, and companies will need to evaluate how they impact operations, disclosures and policies.</p>
<p><strong>What do they have in common?</strong></p>
<p>Each of the new laws provides similar rights to consumers:</p>
<ul>
<li>The right to opt out of data collection and processing</li>
<li>The right to correct inaccuracies in their personal data</li>
<li>The right to access a copy of their data</li>
<li>The right to delete their personal data</li>
<li>The right to opt in, or opt out, of processing sensitive personal data</li>
<li>The right to opt out of the sale of personal data, profiling, or profiling personal information for targeted advertisements</li>
</ul>
<p>The statutes also impose similar obligations on businesses:</p>
<ul>
<li>Publish a privacy notice and a description of the business’s data collection and processing practices, including whether data is shared with third parties</li>
<li>Recognize opt-out preference signals, which could allow consumers to opt out of data collection and processing without having to verify their identities</li>
<li>Perform and document data protection assessments (DPAs) for high-risk processing activities</li>
</ul>
<p>None of the new state laws provides for a private right of action like California&#8217;s (which allows users to sue violating companies), but each of them has an enforcement mechanism that includes penalties for noncompliance. Enforcement will generally be carried out by the attorney general of these states.<span id="more-850"></span></p>
<p><strong>What’s different about the laws?</strong></p>
<p><strong>Montana </strong></p>
<p>Montana&#8217;s Consumer Data Privacy Act (MCDPA) was passed in May 2023 and will take effect on October 1, 2024. The MCDPA applies to entities that:</p>
<ul>
<li>Operate within Montana</li>
<li>Provide products or services specifically targeted towards Montana residents and meet one of the following criteria:
<ul>
<li>Control or process the personal data of 50,000 or more Montana residents during a calendar year; or,</li>
<li>Derive over 25 percent of gross revenue from the sale of personal data and control or process personal data of 25,000 or more state residents.</li>
</ul>
</li>
</ul>
<p>The law exempts state entities, nonprofit organizations, institutions of higher education, registered national securities associations, and entities governed by the privacy regulations of the <a href="https://www.ftc.gov/business-guidance/privacy-security/gramm-leach-bliley-act">Gramm-Leach-Bliley Act</a> (GLBA) and the Health Insurance Portability and Accountability Act (HIPAA).</p>
<p><em>Note: The thresholds for coverage by the MCDPA are generally lower than other states, and have no monetary floor; companies should consider whether they might fall within the purview of the MCDPA even if they do limited business in Montana.</em></p>
<p><strong>Oregon </strong></p>
<p>Oregon&#8217;s Consumer Privacy Act (OCPA) will take effect on July 1, 2024. The OCPA applies to entities that meet the following criteria:</p>
<ul>
<li>Conduct business in Oregon;</li>
<li>Provide products or services to Oregon residents and meet one of the following criteria:
<ul>
<li>Control or process the personal data of at least 100,000 consumers during a calendar year (except for purposes of completing a payment transaction); or,</li>
<li>Control or process the personal data of 25,000 or more consumers, while deriving 25 percent or more of the person’s annual gross revenue from selling personal data.</li>
</ul>
</li>
</ul>
<p>The OCPA exempts specific entities, including state government entities, certain financial institutions, insurance producers and consultants, and nonprofit organizations focused on detecting and preventing insurance fraud.</p>
<p>Businesses must also obtain affirmative consent to collect and process sensitive information (an “opt-in” mechanism).</p>
<p><em>Note: the opt-in mechanism is more restrictive than many other states that have an opt-out requirement.</em></p>
<p><strong>Texas </strong></p>
<p>The Texas Data Privacy and Security Act (TDPSA) will take effect on July 1, 2024. The TDPSA uses a unique standard to determine coverage and generally applies to any entity that:</p>
<ul>
<li>Conducts business in Texas or produces a product or service consumed by Texas residents</li>
<li>Processes or engages in the sale of personal data</li>
<li>Is not a small business as defined by the United States Small Business Administration</li>
</ul>
<p>The TDPSA also has several entity-level exemptions, including: nonprofits, state agencies and political subdivisions, financial institutions subject to GLBA, covered entities and business associates governed by HIPAA, and institutions of higher education.</p>
<p>Unlike the privacy laws in many other states, the TDPSA has no specific thresholds based on annual revenue or volume of personal data processed.</p>
<p><em>Business Obligations. </em>The TDPSA imposes specific obligations on data &#8220;controllers&#8221; (those that determine the purposes and means of processing personal data), including:</p>
<ul>
<li>limiting collection of personal data to what is &#8220;adequate, relevant, and reasonably necessary&#8221; to achieve the purposes of collection;</li>
<li>prohibiting controllers from processing personal data in violation of state and federal antidiscrimination laws, or from discriminating against a consumer for exercising any of the consumer&#8217;s rights under the TDPSA, including by denying goods or services, charging different prices, or providing different quality of goods or services;</li>
<li>giving consumers the right to opt out of the sale of personal information by the controller;</li>
<li>obtaining consent from a consumer prior to processing sensitive personal data; and</li>
<li>requiring controllers to &#8220;establish, implement, and maintain reasonable administrative, technical, and physical data security practices that are appropriate to the volume and nature of the personal data at issue.&#8221;</li>
</ul>
<p><strong>Utah </strong></p>
<p>Utah Governor Spencer Cox signed the Utah Consumer Privacy Act (UCPA) in March 2022. The law will take effect on December 31, 2023. The UCPA applies to entities that:</p>
<ul>
<li>Conduct business in Utah;</li>
<li>Target Utah residents as consumers; or,</li>
<li>Generate annual revenue of $25 million or more <strong>and</strong> either control or process personal data of 100,000 or more Utah consumers <strong>or</strong> derive more than 50% of gross revenue from the sale of personal data and processing data of 25,000 or more Utah consumers.</li>
</ul>
<p>Like other states, the UCPA has exemptions, including institutions of higher education, nonprofit organizations, government organizations and contractors, indigenous tribes, air carriers, organizations covered by HIPAA, and financial institutions governed by the GLBA.</p>
<p>The UCPA does not require consent for processing sensitive personal data, but controllers do have to clearly notify consumers and provide them the opportunity to opt out of having their sensitive personal data processed ahead of time.</p>
<p><strong>What Should You Do?</strong></p>
<p>In addition to the laws described above, more statutes will go into effect in 2025, and states (like New Jersey) are actively pursuing their own variations of data privacy laws. These laws will create challenges for companies as they seek strategies to comply with laws and, just as importantly, to protect the personal information of their employees, customers, clients and other stakeholders. The JMBM Cybersecurity and Privacy Group works with clients to develop and implement policies and procedures to achieve these goals.</p>
<hr />
<p><em><strong>JMBM’s Cybersecurity and Privacy Group</strong></em><em> counsels clients with a commitment to protecting personal information in a wide variety of industries, including accounting firms, law firms, business management firms and family offices, in matters ranging from development of cybersecurity strategies, creation of data security and privacy policies, responding to data breaches and regulatory inquiries and investigations, crisis management and artificial intelligence implementation. The Cybersecurity and Privacy Group uses a focused intake methodology that permits clients to get a reliable sense of their cybersecurity readiness and to determine optimal, client-specific approaches to cybersecurity.</em></p>
<div class="profile-left">
<p><em><strong>Robert E. Braun</strong></em><em> is the co-chair of the Cybersecurity and Privacy Law Group at Jeffer Mangels Butler &amp; Mitchell LLP. Clients engage Bob to develop and implement privacy and information security policies, data breach response plans, negotiate agreements for technologies and data management services, and comply with legal and regulatory requirements. Bob manages data breach response and responds quickly to clients’ needs when a data breach occurs. Contact Bob at RBraun@jeffer.com or +1 310.785.5331.</em></p>
<p><em><strong>Stuart K. Tubis</strong></em><em> is an attorney in JMBM&#8217;s Cybersecurity and Privacy Group. Stuart uses his background in technology to counsel clients on a range of legal issues, including compliance with privacy and security laws and regulations. Stuart is available to develop privacy policies, help prevent data breaches and respond if/when they occur. Contact Stuart at </em><a href="mailto:skt@jeffer.com">skt@jeffer.com</a><em> or 415-984-9622.</em></p>
</div>
]]></content:encoded>
					
		
		
		<post-id xmlns="com-wordpress:feed-additions:1">850</post-id>	</item>
		<item>
		<title>Time is Short – Reporting your Data Breach</title>
		<link>https://cybersecurity.jeffer.com/2023/07/31/time-is-short-reporting-your-data-breach/</link>
		
		<dc:creator><![CDATA[Robert E. Braun]]></dc:creator>
		<pubDate>Mon, 31 Jul 2023 17:21:55 +0000</pubDate>
				<category><![CDATA[Policies and Procedures]]></category>
		<category><![CDATA[Privacy Regulations]]></category>
		<guid isPermaLink="false">https://cybersecurity.jmbm.com/?p=848</guid>

					<description><![CDATA[<p>Companies that are subject to the registration and disclosure requirements of the United States Securities Act and Securities Exchange Act face the challenge of complying with a broad variety of detailed regulations addressing their disclosure and reporting obligations. The Securities Exchange Commission recently adopted regulations which will have an impact on publicly traded companies that [&#8230;]</p>
]]></description>
										<content:encoded><![CDATA[<p>Companies that are subject to the registration and disclosure requirements of the United States Securities Act and Securities Exchange Act face the challenge of complying with a broad variety of detailed regulations addressing their disclosure and reporting obligations. The Securities Exchange Commission recently adopted regulations which will have an impact on publicly traded companies that suffer a data breach. Because the SEC’s standards for disclosure often set a standard for private companies as well, the regulations are likely to have an impact on other companies.</p>
<p><em>Breach Notifications for the Past 20 Years.  </em>Ever since California became the first state to require companies to notify their customers of data breaches in 2003, the time between the date a breach was discovered and the time the breach was reported has been an issue of contention. Early reporting gives consumers a leg up in protecting their personal information, and lets investors, vendors and customers of companies know if key business information has been compromised. At the same time, companies want as much time as possible to investigate a breach, understand what happened, and provide accurate information – companies that give early notice often have to give multiple notices as more information becomes available, and may even find that the original notice wasn’t necessary. Regardless, lawsuits against companies that have suffered data breaches almost universally point to the gap in time between the discovery and notification of a breach.</p>
<p><em>The SEC Acts.  </em>Regulators have stepped in and identified time frames for public notification of a data breach. Most recently, the Securities Exchange Commission issued a final rule that reduces the time for reporting companies (companies whose securities are registered with the SEC) to disclose cyberattacks publicly. As has been widely reported, with some exceptions, a company that is the victim of a cyberattack now has four days to publicly disclose the impact of the attack. Cyberattacks that involve the theft of intellectual property, a business interruption or reputational damage will likely require disclosure under the regulations.<span id="more-848"></span></p>
<p>The rules were proposed last year and contested by trade organizations and businesses, arguing that four days is inadequate to identify the nature and scope of a breach, and would be as likely to disclose inaccurate information as it would to benefit consumers and shareholders.</p>
<p>In contrast, the SEC, in adopting the new regulation, cited the new rule as enhancing transparency into cyber threats after years of attacks against businesses by criminal gangs and, most significantly, groups backed by nation states. The SEC also saw this as an opportunity to address gaps in existing cybersecurity disclosures.</p>
<p><em>Gaps in Disclosure.  </em>Because there are a wide variety of laws and rules governing disclosure, there is little consistency in the timing or content of breach notifications. Companies that report incidents provide different amounts of detail about the impact and their response to it. Some cyber incidents aren’t reported in a timely manner, while others aren’t disclosed at all. Christopher Hetner, a former cybersecurity adviser at the SEC who provides guidance to the National Association of Corporate Directors, said, “The outcome of this rule will be to create more normalcy across disclosures.”</p>
<p><em>Arguments against the Regulation</em>.  The tight timeframe for disclosure raises concerns. The brief period for making incident disclosures could leave investors with information that isn’t accurate. The rules allow a company to update its incident disclosure with added information that was unavailable at first, but that also could create consumer and shareholder confusion.</p>
<p>The regulation is also unclear in defining how an incident would become material and how much detail will be required in public filings. This is a particular issue, since four days is unlikely to be adequate to collect and verify meaningful information about a security incident.</p>
<p><em>Third Party Risks</em>. The regulation also will require companies to create stronger reporting relationships with vendors. Over the past several years, cyberattack risks arising in the information-management supply chain have become a key concern, and unless vendors (and all of the parties in the vendors’ supply chain) cooperate promptly, a reporting company may be unable to meet the requirements of the new rule.</p>
<p><em>Annual Reporting</em>.  An issue that has not been widely reported is the requirement that companies must describe in their annual report what processes, if any, a company has in place to assess, identify and manage material risks from cybersecurity threats “in sufficient detail for a reasonable investor to understand those processes.” Combined with the SEC’s “plain language” mandate, this requirement alone might be a significant task.</p>
<p>Companies can deal with these new regulations by creating, implementing, testing and updating strong cybersecurity incident response plans. When a company has 96 hours to report publicly a cybersecurity incident, it cannot waste time trying to create a playbook to respond; the playbook must be in place and accurate. The necessary parties must have the “muscle memory” to know how to respond, not only to respond directly to the breach, but to comply with new and potentially burdensome regulations. The JMBM Cybersecurity and Privacy Group works with hospitality clients to achieve these goals and prepare them for the challenges of an ever-changing cybersecurity landscape.</p>
<hr />
<p><strong><em>Robert E. Braun</em></strong><em> is the co-chair of the Cybersecurity and Privacy Law Group at Jeffer Mangels Butler &amp; Mitchell LLP. Clients engage Bob to develop and implement privacy and information security policies, data breach response plans, negotiate agreements for technologies and data management services, and comply with legal and regulatory requirements. Bob manages data breach response and responds quickly to clients’ needs when a data breach occurs. Contact Bob at RBraun@jeffer.com or +1 310.785.5331.</em></p>
<p><strong><em>JMBM’s Cybersecurity and Privacy Group</em></strong><em> counsels clients in a wide variety of industries, including accounting firms, law firms, business management firms and family offices, in matters ranging from development of cybersecurity strategies, creation of data security and privacy policies, responding to data breaches and regulatory inquiries and investigations, crisis management and artificial intelligence implementation. The Cybersecurity and Privacy Group uses a focused intake methodology that permits clients to get a reliable sense of their cybersecurity readiness and to determine optimal, client-specific approaches to cybersecurity.</em></p>
]]></content:encoded>
					
		
		
		<post-id xmlns="com-wordpress:feed-additions:1">848</post-id>	</item>
		<item>
		<title>State of Play – State Privacy Laws in the United States</title>
		<link>https://cybersecurity.jeffer.com/2023/06/13/state-of-play-state-privacy-laws-in-the-united-states/</link>
		
		<dc:creator><![CDATA[Robert E. Braun]]></dc:creator>
		<pubDate>Tue, 13 Jun 2023 16:29:08 +0000</pubDate>
				<category><![CDATA[Privacy Regulations]]></category>
		<guid isPermaLink="false">https://cybersecurity.jmbm.com/?p=846</guid>

					<description><![CDATA[<p>Congress has managed not to adopt a federal privacy law, leaving it to the Securities Exchange Commission, the Federal Trade Commission, and other regulators to fill the void – something that will take years to implement and will be subject to challenges. We now have, however, ten state privacy laws – five adopted in just [&#8230;]</p>
]]></description>
										<content:encoded><![CDATA[<p>Congress has managed not to adopt a federal privacy law, leaving it to the Securities Exchange Commission, the Federal Trade Commission, and other regulators to fill the void – something that will take years to implement and will be subject to challenges.</p>
<p>We now have, however, ten state privacy laws – five adopted in just the past two months. While the laws have commonalities, none of them are entirely consistent with each other; businesses, particularly those with operations in multiple states, will have to consider how to comply in an efficient and effective manner. This will be no easy task, since in addition to the ten existing state laws, there are nine additional states with active bills. When state legislatures return, it is entirely likely that we will need to revisit this issue.</p>
<p>Creating a privacy regime requires an individual analysis of each company, including the data it collects, how it uses it, and who has access to it. Ten separate laws make the job much more difficult, but we start here on three points – who is covered, what rights are granted, and key similarities and differences.<span id="more-846"></span></p>
<p><strong><u>Who is covered?</u></strong></p>
<p>The states each vary as to whether a company is covered under the laws.</p>
<ul>
<li>The California Consumer Privacy Act applies to any for profit company that does business in California, collects personal information from at least one California resident, and meets one of three thresholds:
<ul>
<li>Has gross annual revenue in excess of $25 million in the preceding calendar year (measured on January 1 of the calendar year);</li>
<li>Annually buys, sells, or shares the personal information of 100,000 California consumers or households; or</li>
<li>Derives 50% or more of its annual revenue from selling or sharing personal information.</li>
</ul>
</li>
<li>Colorado, Connecticut, Indiana, Iowa, Montana, Virginia, and Utah privacy laws apply to businesses that:
<ul>
<li>Conduct business or produce goods or services that are intentionally targeted to state residents, and</li>
<li>Either: (A) control or process the personal data of more than 100,000 residents per year; or (B) derive varying shares of total revenue from the sale of personal data of at least 25,000 residents.</li>
<li>Utah also includes a revenue threshold of $25,000,000 or more.</li>
</ul>
</li>
<li>Tennessee’s law impacts businesses conducting business in Tennessee or producing products or services that target Tennessee residents and that:
<ul>
<li>Control or process the personal information of at least 25,000 consumers and derive more than 50% of gross revenue from the sale of personal information, or</li>
<li>During a calendar year, control or process personal information of at least 175,000 consumers.</li>
</ul>
</li>
<li>Texas has a unique, three-prong applicability standard. Texas law will apply to any company that:
<ul>
<li>Conducts business in Texas or produces products or services that target Tennessee residents,</li>
<li>Processes or engages in the sale of personal data, and</li>
<li>Is not a small business as defined by the Small Business Administration.</li>
</ul>
</li>
</ul>
<p>Each of the laws also excludes information collected and processed under the Health Insurance Privacy and Protection Act and the Gramm-Leach-Bliley Act.</p>
<p><strong><u>What rights are granted?</u></strong></p>
<p>All states that have adopted state privacy laws grant certain rights:</p>
<ul>
<li>The right to access;</li>
<li>The right of portability; and</li>
<li>The right to opt out of sales of personal information.</li>
</ul>
<p>In addition, each state requires covered companies to be transparent in their privacy practices. Beyond this, the states begin to differ:</p>
<ul>
<li>Except for Iowa, all of the states include the right to correct personal information.</li>
<li>California, Iowa, and Utah do <u>not</u> include a right to opt-in to a company’s processing of sensitive personal information; these states have opt-out provisions instead.</li>
<li>Only California has a clear right to opt-out of automated decision making; Iowa does not include the right at all, and the remaining states have qualified rights to opt-out.</li>
<li>Only California has a private right of action, which is limited to data breaches involving a breach of the CCPA.</li>
</ul>
<p><strong><u>Key Similarities and Differences</u></strong></p>
<ul>
<li>California has a broad expansion of the law to cover employees. Most states focus on &#8220;true consumers,&#8221; not employees or business contacts. That is a key distinction and complicates compliance in California, since it impacts notice requirements, privacy policies, and responding to consumer requests. However, even in states that do not include employee or business contact information within their privacy laws, companies should consider whether personal information might be collected in more than one context (for example, from the same individual as both an employee and a customer).</li>
<li>As noted above, some states are more restrictive than others with respect to requiring sensitive data consent in advance. “Sensitive data” includes personal data revealing racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexual orientation, or citizenship or immigration status; processing of genetic or biometric data for the purpose of uniquely identifying a person; personal data collected from a known child; and precise geolocation data.</li>
<li>California law, meanwhile, addresses “cross-context behavioral advertising,” and treats sharing of personal information for that advertising in the same way as a “sale” of personal information under the CCPA.</li>
<li>Each of the ten states, except Iowa and Utah, requires businesses to perform and document a privacy impact assessment that weighs the benefits of processing for the business against the potential risks for the individual before selling personal data, processing personal data for targeted advertising, or processing sensitive data. This is a new and challenging task, with little to guide companies.</li>
</ul>
<p><strong><u>The Devil is in the Details</u></strong></p>
<p>From this brief discussion of only a few aspects of the existing state privacy laws, it should be clear that companies collecting personal information – which covers almost all companies – will be challenged to comply with a multitude of state laws (and with more to come). The burden on middle market companies will be particularly acute, since they have limited resources to address these issues (but face the same kind of liability as large firms). And companies that do business overseas can face even more significant challenges in complying with European, British, and other data protection laws. The JMBM Cybersecurity and Privacy Group provides current, impactful, and effective advice on all aspects of data security and privacy and works with clients daily to address the challenges of new and developing laws and regulations.</p>
<hr />
<p><em><strong>Robert E. Braun</strong> is the co-chair of the Cybersecurity and Privacy Law Group at Jeffer Mangels Butler &amp; Mitchell LLP. Clients engage Bob to develop and implement privacy and information security policies, data breach response plans, negotiate agreements for technologies and data management services, and comply with legal and regulatory requirements. Bob manages data breach response and responds quickly to clients’ needs when a data breach occurs. Contact Bob at RBraun@jeffer.com or +1 310.785.5331.</em></p>
<p><em><strong>JMBM’s Cybersecurity and Privacy Group</strong> counsels clients in a wide variety of industries, including accounting firms, law firms, business management firms and family offices, in matters ranging from development of cybersecurity strategies, creation of data security and privacy policies, responding to data breaches and regulatory inquiries and investigations, crisis management and artificial intelligence implementation. The Cybersecurity and Privacy Group uses a focused intake methodology that permits clients to get a reliable sense of their cybersecurity readiness and to determine optimal, client-specific approaches to cybersecurity.</em></p>
<p>The post <a href="https://cybersecurity.jeffer.com/2023/06/13/state-of-play-state-privacy-laws-in-the-united-states/">State of Play – State Privacy Laws in the United States</a> appeared first on <a href="https://cybersecurity.jeffer.com">Cybersecurity Lawyer Forum</a>.</p>
]]></content:encoded>
					
		
		
		<post-id xmlns="com-wordpress:feed-additions:1">846</post-id>	</item>
		<item>
		<title>Is it Time to Analyze Analytics?</title>
		<link>https://cybersecurity.jeffer.com/2023/05/23/is-it-time-to-analyze-analytics/</link>
		
		<dc:creator><![CDATA[Robert E. Braun and Michael A. Gold]]></dc:creator>
		<pubDate>Tue, 23 May 2023 18:24:43 +0000</pubDate>
				<category><![CDATA[Privacy Regulations]]></category>
		<guid isPermaLink="false">https://cybersecurity.jmbm.com/?p=844</guid>

					<description><![CDATA[<p>Website analytics are a key part of understanding whether a website “works,” and how to improve it; they arose almost at the same time that companies began using websites to transact business. For the most part, and for a long time, website analytics were seen as benign – a way to track information without trampling [&#8230;]</p>
<p>The post <a href="https://cybersecurity.jeffer.com/2023/05/23/is-it-time-to-analyze-analytics/">Is it Time to Analyze Analytics?</a> appeared first on <a href="https://cybersecurity.jeffer.com">Cybersecurity Lawyer Forum</a>.</p>
]]></description>
										<content:encoded><![CDATA[<p>Website analytics are a key part of understanding whether a website “works,” and how to improve it; they arose almost at the same time that companies began using websites to transact business. For the most part, and for a long time, website analytics were seen as benign – a way to track information without trampling on an individual’s privacy rights. But the multitude of ways in which companies collect information on websites without a user’s knowledge make it more and more likely that a website owner can find itself in violation of privacy laws.</p>
<p>More than that, analytics have become a security issue. The tools used to collect visitor data – cookies, pixels, beacons, and other technologies – have created a risk surface that can allow bad actors to identify targets and breach defenses. At the same time, the nature of these tools makes them one of the risks that companies can manage, allowing them to comply with privacy mandates and reduce cyber risk.</p>
<p><strong>In the Beginning . . .</strong></p>
<p>Originally, analytics were limited. Cookies and other devices allowed a website to recognize a user and to smooth the operation of the website. This little piece of code on your computer made it easier to log on to a website, to complete a purchase, and to see the information you were looking for. Although cookies did allow the website to recognize a user – essentially, to collect personal information – they were generally limited to the website; they were also typically “session cookies” used to facilitate a single user session, or “persistent cookies,” allowing the site to differentiate a new visitor from a prior visitor.</p>
<p>Since then, the tools used to identify website visitors and their actions have exploded in both numbers and potency, creating opportunities and challenges for website owners.<span id="more-844"></span></p>
<p><strong>How do Analytics Work?</strong></p>
<p>The point of website analytics is to collect, report and analyze data generated by visitors who interact with a website. This allows website owners to measure user behavior, optimize the user experience, and gain insights to meet business objectives – most often, increasing engagement, conversion, or sales.<br />
A good example is the Facebook (Meta) Meta Pixel. As Facebook describes it:</p>
<p style="padding-left: 40px">
“The Meta Pixel is a piece of code on your website that can help you better understand the effectiveness of your advertising and the actions people take on your site, like visiting a page or adding an item to their cart. You’ll also be able to see when customers took an action after seeing your ad on Facebook and Instagram, which can help you with retargeting. And when you use the Conversions API alongside the Pixel, it creates a more reliable connection that helps the delivery system decrease your costs.”</p>
<p>This is a long road from the session cookie. Now, analytics can be deeply intrusive and collect significant data: operating system, browser type, geolocation, internet protocol addresses, first- or third-party cookie IDs, proprietary digital identifiers, bounce rates, page views, e-mail open rates and links clicked, actions taken on pages, referring/exit pages, user agent string, and other device metadata.</p>
<p><strong>What are the Risks?</strong></p>
<p>When a website collects data, that data is often &#8220;shared&#8221; and &#8220;sold&#8221; (under the broad definitions of the California Consumer Privacy Act). Website owners are required to disclose that fact and give consumers the tools to opt out of the sale and sharing of personal information. When a website owner fails to do so, they face potential exposure to claims by consumers and regulatory authorities.</p>
<p>Regulators and plaintiffs’ attorneys are increasingly creative in making claims where information is collected and shared without appropriate disclosure and consent. And, even where the claim may be invalid, the website owner will be forced to spend time and money to defend their actions.</p>
<p><strong>What’s on Your Website?</strong></p>
<p>To be clear, there is no prohibition against collecting and sharing data, so long as the website owner complies with laws and rules governing the use of personal information. Some website owners are deliberate about their use of analytics, and take steps to manage and actively disclose their use of the information they collect.</p>
<p>Many website owners, however, aren’t aware of what’s happening on their sites, and they might not know all of the data collection tools embedded in them. Website designers often include analytic tools that help the function of the site without the website owner’s knowledge, and when a website adds links to other, third-party sites (including social media sites), the result can include placement of third-party pixels, cookies, and beacons for the benefit of others.</p>
<p>Because of this, website owners should monitor their websites; there are a variety of tools that identify the data collection tools on their site, their function, and what is being done with the information. With that knowledge, the website owner will know how to control and use the tools and to minimize their exposure to legal claims.</p>
<p>Website owners also often advertise on social media, and those advertisements collect data for the website owner – that has to be accounted for, both in privacy policies and in compliance with data privacy laws.</p>
<p><strong>Action Items</strong></p>
<p>Website owners should take action to address both regulatory changes addressing the collection and use of analytics data, and technological changes in how data is collected, aggregated, and shared:</p>
<ul>
<li><em>Put your house in order.</em> Identify the cookies on your site and your agreements with analytics firms like Google. Understand what information is being collected, the purpose of collection, and how the information is shared. Remember that analytics firms give you choices, and you can modify what information is collected and shared.</li>
<li><em>Disclosure.</em> Review and revise your privacy policies to describe accurately and completely how you collect and use the personal information you obtain through analytics. This is more than just a “cookie policy” – it involves understanding, in full, all of the uses you make of this information.</li>
<li><em>Analytics Agreements.</em> Review agreements with analytics companies to ensure that they are not misusing data and that they fall within the safe harbors provided under the various state privacy laws.</li>
<li><em>Do Not Sell/Do Not Share.</em> Consider whether you need a “do not sell/do not share” option – if your use of analytics does constitute sharing or selling, you’ll need to offer opt-out and consent options to comply with state law.</li>
<li><em>Cookie Banners.</em> Cookie banners – the initial statement letting website visitors know you use cookies to collect data – are an essential “notice at collection” required under most state privacy laws. Review them carefully to ensure they meet the requirements of state law and regulations. For companies subject to the CCPA, the recent regulations adopted by the California Consumer Privacy Agency have specific requirements that need to be addressed.</li>
</ul>
<p><strong>Michael A. Gold</strong> is the Chair and <strong>Robert E. Braun</strong> is the co-chair of the Cybersecurity and Privacy Law Group at Jeffer Mangels Butler &amp; Mitchell LLP. Mike and Bob help clients to develop and implement privacy and information security policies, negotiate agreements for technologies and data management services, and comply with legal and regulatory requirements. They develop and implement data breach response plans, and respond quickly to clients’ needs when a data breach occurs. Contact Bob at RBraun@jeffer.com or +1 310.785.5331 and Mike at MGold@jeffer.com or +1 310-201-3529.</p>
<p><strong>JMBM’s Cybersecurity and Privacy Group</strong> counsels clients in a wide variety of industries, including accounting firms, law firms, business management firms and family offices, in matters ranging from development of cybersecurity strategies, creation of data security and privacy policies, responding to data breaches and regulatory inquiries and investigations, crisis management and artificial intelligence implementation. The Cybersecurity and Privacy Group uses a focused intake methodology that permits clients to get a reliable sense of their cybersecurity readiness and to determine optimal, client-specific approaches to cybersecurity.</p>
<p>The post <a href="https://cybersecurity.jeffer.com/2023/05/23/is-it-time-to-analyze-analytics/">Is it Time to Analyze Analytics?</a> appeared first on <a href="https://cybersecurity.jeffer.com">Cybersecurity Lawyer Forum</a>.</p>
]]></content:encoded>
					
		
		
		<post-id xmlns="com-wordpress:feed-additions:1">844</post-id>	</item>
		<item>
		<title>The CPPA Speaks Again – Five Takeaways</title>
		<link>https://cybersecurity.jeffer.com/2022/10/24/the-cppa-speaks-again-five-takeaways/</link>
		
		<dc:creator><![CDATA[Robert E. Braun]]></dc:creator>
		<pubDate>Mon, 24 Oct 2022 17:45:29 +0000</pubDate>
				<category><![CDATA[Privacy Regulations]]></category>
		<guid isPermaLink="false">https://cybersecurity.jmbm.com/?p=838</guid>

					<description><![CDATA[<p>On Monday, October 17, 2022, the California Privacy Protection Agency Board issued revised regulations to the California Consumer Privacy Act of 2018 (as amended by the California Privacy Rights Act of 2020). The revised regulations propose dozens of changes that were intended to address business concerns that some of the requirements were confusing and costly [&#8230;]</p>
<p>The post <a href="https://cybersecurity.jeffer.com/2022/10/24/the-cppa-speaks-again-five-takeaways/">The CPPA Speaks Again – Five Takeaways</a> appeared first on <a href="https://cybersecurity.jeffer.com">Cybersecurity Lawyer Forum</a>.</p>
]]></description>
										<content:encoded><![CDATA[<p>On Monday, October 17, 2022, the California Privacy Protection Agency Board issued revised regulations to the California Consumer Privacy Act of 2018 (as amended by the California Privacy Rights Act of 2020). The revised regulations propose dozens of changes that were intended to address business concerns that some of the requirements were confusing and costly to implement.</p>
<p>While the proposed regulations are still in draft form and are likely to go through additional changes – the proposal itself identifies additional areas for the CPPA Board to consider – there are a few clear takeaways from the most recent draft:</p>
<ul>
<li><strong><u>Notice at Collection</u></strong>. Businesses will need to review and update notices at collection; a simple statement that personal information is being collected in accordance with a privacy policy will not be adequate. In particular, the proposed regulations emphasize that references to the collection and use of information in a notice at collection must be specific; the link should direct the reader to the specific provision, not just to the first page of the privacy policy.</li>
<li><strong><u>Contract Requirements for Service Providers and Contractors</u></strong>. The proposed regulations carry over and emphasize the contractual requirements for Service Providers and Contractors. Incorporating these provisions into vendor agreements, whether directly into an agreement or through an addendum, is essential, as is implementing the guardrails described in the regulations. The recent settlement between Sephora and the California Attorney General is a direct result of the failure to address this issue.</li>
<li><strong><u>Limits on Selling and Sharing Personal Information</u></strong>. Covered businesses will need to look carefully at how their vendor relationships could be construed as selling or sharing personal information and be ready to include a “Do Not Sell/Share” link, not just where data is collected, but also on the home page of the business’ website.</li>
<li><strong><u>B2B and Employee Data</u></strong>. Most companies should, by now, be aware that personal information gathered from business contacts and employees will be subject to the CCPA beginning January 1, 2023. For companies that have not had to comply with these requirements before, this will impose a significant burden to implement effective procedures and policies addressing these needs.</li>
<li><strong><u>Regulators (and others) are Looking</u></strong>. Finally, companies should be aware that the CPPA and the California Attorney General (along with plaintiffs’ counsel and even some consumers) are watching. Businesses that don’t make a good faith effort to comply can expect to be called out, and often in public and expensive ways.</li>
</ul>
<hr />
<p><em><strong>Robert E. Braun</strong> is the co-chair of the Cybersecurity and Privacy Law Group at Jeffer Mangels Butler &amp; Mitchell LLP. Bob helps clients to develop and implement privacy and information security policies, negotiate agreements for technologies and data management services, and comply with legal and regulatory requirements. He helps clients to develop and implement data breach response plans, and he and his team respond quickly to clients’ needs when a data breach occurs. Contact Bob at RBraun@jeffer.com or +1 310.785.5331.</em></p>
<p><em><strong>JMBM’s Cybersecurity and Privacy Group</strong> counsels clients in a wide variety of industries, including accounting firms, law firms, business management firms and family offices, in matters ranging from development of cybersecurity strategies, creation of data security and privacy policies, responding to data breaches and regulatory inquiries and investigations, and crisis management. The Cybersecurity and Privacy Group uses a focused intake methodology that permits clients to get a reliable sense of their cybersecurity readiness and to determine optimal, client-specific approaches to cybersecurity.</em></p>
<p>The post <a href="https://cybersecurity.jeffer.com/2022/10/24/the-cppa-speaks-again-five-takeaways/">The CPPA Speaks Again – Five Takeaways</a> appeared first on <a href="https://cybersecurity.jeffer.com">Cybersecurity Lawyer Forum</a>.</p>
]]></content:encoded>
					
		
		
		<post-id xmlns="com-wordpress:feed-additions:1">838</post-id>	</item>
		<item>
		<title>California Consumer Privacy Act and Employee Personal Information</title>
		<link>https://cybersecurity.jeffer.com/2022/09/15/california-consumer-privacy-act-and-employee-personal-information/</link>
		
		<dc:creator><![CDATA[Robert E. Braun]]></dc:creator>
		<pubDate>Thu, 15 Sep 2022 17:52:08 +0000</pubDate>
				<category><![CDATA[California Law]]></category>
		<category><![CDATA[Privacy Regulations]]></category>
		<guid isPermaLink="false">https://cybersecurity.jmbm.com/?p=834</guid>

					<description><![CDATA[<p>In 2018, the California Legislature adopted the California Consumer Privacy Act (CCPA) and became the first state to enact a comprehensive law designed to protect the privacy of consumers’ personal information. Businesses that are subject to the CCPA are required, among other things, to respond to consumers who wish to view the personal information collected [&#8230;]</p>
<p>The post <a href="https://cybersecurity.jeffer.com/2022/09/15/california-consumer-privacy-act-and-employee-personal-information/">California Consumer Privacy Act and Employee Personal Information</a> appeared first on <a href="https://cybersecurity.jeffer.com">Cybersecurity Lawyer Forum</a>.</p>
]]></description>
										<content:encoded><![CDATA[<p>In 2018, the California Legislature adopted the California Consumer Privacy Act (CCPA) and became the first state to enact a comprehensive law designed to protect the privacy of consumers’ personal information. Businesses that are subject to the CCPA are required, among other things, to respond to consumers who wish to view the personal information collected by the business, delete personal information, and opt-out of the sale of personal information. The CCPA was amended in 2020 when California voters approved the California Privacy Rights Act of 2020 (CPRA), which added additional requirements and restrictions regarding the collection, use, sale and sharing of personal information.</p>
<p><strong>Employee and Business Personal Information</strong></p>
<p>While the CCPA is aimed at protecting consumers’ personal information, the terms of the law extend to the personal information of employees and business contacts. The California legislature reacted by exempting employment information and “business to business” (B2B) personal information from many of the provisions of the CCPA until January 1, 2021, which was extended in the CPRA to January 1, 2023.</p>
<p><strong>The Exemption and its Demise</strong></p>
<p>The broad consensus after the adoption of the CPRA was that the California legislature would extend the exemptions of employee and B2B personal information. While there were a number of attempts to come to an agreement, ultimately, the California Legislature adjourned on August 31, 2022 without adopting an extension. As a result, it is a certainty that full consumer rights will apply to personal information obtained from employees or as a result of a B2B relationship.</p>
<p>The expiration of the exemption will be challenging. While many consumer-facing companies have adopted policies and procedures that can be adapted to employee and B2B personal information, many companies that have little or no consumer contact will be particularly impacted by the significant disclosure, policy and procedure issues that need to be addressed by the end of 2022.</p>
<p>For all businesses, employee information will raise issues, since employers are obligated to collect vast amounts of personal information, including sensitive personal information (such as financial, health and intimate personal characteristics), to conduct business. These businesses will need to address the information they collect, where it is held, who has access to it and how it is used. Businesses will need to determine how consumer rights apply to employee and B2B personal information, and prepare to provide employees and B2B contacts with CCPA rights, including the right to know what personal information is collected, the right to delete personal information, the right to opt out of the sale or sharing of personal information, the right to limit use and disclosure of sensitive personal information, and the protection against retaliation following the exercise of opt-out or other rights.</p>
<p><strong>Business Challenges</strong></p>
<p>Personal information obtained from employees is of particular significance. California businesses need to evaluate the differences and similarities between the rights afforded to employees under the CCPA (including how the exemptions from disclosure and deletion apply) and those provided under the California labor laws. California employers have, or should have, adopted many of the processes required under the CCPA. For example:</p>
<ul>
<li><em>Right to Know</em> – The CCPA gives consumers the right to request that a business disclose (i) the categories of personal information collected, (ii) the sources of such personal information, (iii) third parties to whom the business disclosed the personal information, and (iv) what personal information was sold/shared and to whom. California law has several laws affording employees the “right to know” certain types of information the employer has collected, including the employee’s personnel file, documents signed by the employee, and payroll records. In contrast, the CCPA is broader in scope and requires employers to disclose geolocation, biometric, internet activity, inferences drawn, and other information that employers might collect. Additionally, the timelines for compliance with a request are different under the CCPA from California labor laws.</li>
<li><em>Right to Delete</em> – The right to request that a business delete personal information collected from the individual. Employers should assess federal, state and local retention requirements pertaining to employment records, including but not limited to the Age Discrimination in Employment Act, the Americans with Disabilities Act, the Civil Rights Act of 1964 (Title VII), the Fair Labor Standards Act, the Family Medical Leave Act, the Occupational Health and Safety Act, California Government Code Section 12946, and California Labor Code Section 226 to determine potential exemptions to a deletion request under CCPA Section 1798.105(d)(8), which exempts a business from deleting information necessary “to comply with a legal obligation.” These exemptions may also apply to B2B personal information.</li>
<li><em>Right to Opt Out of Sale or Share</em> – Under the CCPA, consumers have the right, at any time, to direct a business that sells or shares personal information not to sell or share such information. Employers should not only reassess their disclosure agreements with vendors but also ascertain whether their vendors are service providers, contractors or third parties under the CCPA, since the disclosure of an employee’s personal information to a vendor may be viewed as a “sale” under certain circumstances.</li>
<li><em>Right to Limit Use and Disclosure of Sensitive Personal Information</em> – Employers should assess whether they are processing an employee’s personal information, and whether that includes sensitive personal information. For example, if an employer is processing sensitive personal information (such as racial or ethnic origin) for diversity and inclusion purposes, it may be permitted under an exception. However, if an employer is processing sensitive personal information for purposes of inferring characteristics of its employees and using artificial intelligence to assist with hiring, including using automated decision systems, this right may be triggered.</li>
</ul>
<p><strong>B2B Implications</strong></p>
<p>While the emphasis of this development has been the impact on employers, B2B personal information is now subject to the same regime as employee personal information. Businesses need to analyze their collection and use of B2B personal information, as well as provide the same rights as the rights to a consumer under the CCPA, including the right to know, right to delete, right to opt out of sale or share, and right to limit use and disclosure of sensitive personal information.</p>
<p><strong>Next Steps</strong></p>
<p>Businesses subject to the CCPA should immediately take steps to comply with these new requirements, including:</p>
<ul>
<li>Update CCPA processes and controls to address employee and B2B data.</li>
<li>Review and inventory HR processes to see where employee data may exist, what data the business maintains and whether such data is subject to the CCPA.</li>
<li>Update notices at collection and privacy policies for employees, applicants, and contractors.</li>
<li>Update existing processes to respond to employee requests under the labor code and engage stakeholders to design new policies and procedures for responding to privacy rights requests in 2023, including the treatment of potential exemptions under the CCPA.</li>
<li>Review and update contract terms with service providers, contractors and third parties to incorporate new required terms under CPRA and mitigate the risk.</li>
</ul>
<p>Jeffer Mangels Butler &amp; Mitchell, working through its <a href="https://www.jeffer.com/cybersecurity-and-privacy-group.html">Cybersecurity and Privacy Group</a>, addresses privacy and security issues and assists with compliance with state, federal and international data protection laws. For more information, contact <a href="https://www.jeffer.com/robert-e-braun.html">Robert Braun</a> (<a href="mailto:RBraun@jeffer.com">RBraun@jeffer.com</a>) or <a href="https://www.jeffer.com/michael-a-gold.html">Michael A. Gold</a> (<a href="mailto:MGold@jeffer.com">MGold@jeffer.com</a>).</p>
<hr />
<p><strong><em>Robert E. Braun</em></strong><em> is the co-chair of the Cybersecurity and Privacy Law Group at Jeffer Mangels Butler &amp; Mitchell LLP. Bob helps clients to develop and implement privacy and information security policies, negotiate agreements for technologies and data management services, and comply with legal and regulatory requirements. He helps clients to develop and implement data breach response plans, and he and his team respond quickly to clients’ needs when a data breach occurs. Contact Bob at RBraun@jeffer.com or +1 310.785.5331.</em></p>
<p><em><strong>JMBM’s Cybersecurity and Privacy Group</strong> counsels clients in a wide variety of industries, including accounting firms, law firms, business management firms and family offices, in matters ranging from development of cybersecurity strategies, creation of data security and privacy policies, responding to data breaches and regulatory inquiries and investigations, and crisis management. The Cybersecurity and Privacy Group uses a focused intake methodology that permits clients to get a reliable sense of their cybersecurity readiness and to determine optimal, client-specific approaches to cybersecurity.</em></p>
<p>The post <a href="https://cybersecurity.jeffer.com/2022/09/15/california-consumer-privacy-act-and-employee-personal-information/">California Consumer Privacy Act and Employee Personal Information</a> appeared first on <a href="https://cybersecurity.jeffer.com">Cybersecurity Lawyer Forum</a>.</p>
]]></content:encoded>
					
		
		
		<post-id xmlns="com-wordpress:feed-additions:1">834</post-id>	</item>
	</channel>
</rss>
