Back in July, we shared some good news out of California when a state court judge ruled that the newest regulations under the California Consumer Privacy Act (“CCPA”) could not be enforced until March 2024.  But last week, the agency charged with enforcing the CCPA – the California Privacy Protection Agency (with the confusingly similar abbreviation of the “CPPA”) – won reversal of that opinion on appeal.  The ruling now gives the CPPA the authority to begin enforcing immediately the regulations that it enacted in March 2023.Continue Reading Delay Lifted in CCPA Regulations Enforcement

Phone and gavelThe first half of 2021 saw one of the most significant TCPA rulings in many years as Facebook v. Duguid, 141 S. Ct. 1163 (2021), appeared to settle the long-debated question of what constitutes an automatic telephone dialing system (“ATDS”).  But while the Supreme Court’s April ruling was extremely positive for the TCPA defense bar, it by no means brought an end to TCPA claims.  Significant cases have continued to yield decisions, including cases that have sought to interpret Facebook.  And the state of Florida stepped into the abyss in passing a “mini-TCPA” statute that went into effect earlier this month that regulates telemarketing at the state level, with a much broader definition of the relevant technology.  Thus, the TCPA (and related statute) litigation landscape, while upended to some degree, remains unsettled, and we’ll continue to provide our insights.  We summarize here developments since our last update, listed by issue category in alphabetical order.
Continue Reading TCPA Turnstile: TCPA cases in a post-Facebook world (TCPA Case Update Vol. 15)

The U.S. Supreme Court dealt a blow last week to litigants—both criminal and civil—who have attempted to use the “exceeds authorized access” provision of the Computer Fraud and Abuse Act (“CFAA” or “Act”), 18 U.S.C. § 1030, to hold former employees, competitors and others accountable for inappropriately utilizing electronic information.  In its 6-3 decision in Van Buren v. United States, the Court resolved a long-standing split on the scope of Section 1030(a)(2), providing a narrow answer to the question of whether an individual “exceeds authorized access” to electronic information in violation of the CFAA if he or she is authorized to access the information but does so for an improper purpose.  The holding will make it more difficult for prosecutors and civil litigants to wield the CFAA in some scenarios where data is misused, but not necessarily stolen.
Continue Reading Supreme Court Slashes CFAA Claims Involving Authorized Access for an Illicit Purpose

The European Union’s General Data Protection Regulation (“GDPR”) is well known as the toughest privacy and security law in the world, as it has a wide reach and imposes heavy fines against those who violate its privacy and security standards (which are quite broad). The impact of the GDPR has already been felt in the United States since it went into effect in 2018, and now U.S. lawmakers in numerous states are moving to enact similar legislations. The California Consumer Protection Act (“CCPA”) was the first instance of the GDPR’s impact in the United States, as California put in place a statute and regulations that mirrored the GDPR in several respects. Now Virginia has set in motion what could be a year-long string of states enacting similar legislation. In particular, Washington and New York have proposed legislation following the framework of the CCPA. This article will compare the CCPA to the newly enacted and proposed privacy laws in the United States.
Continue Reading GDPR in the USA? New State Legislation Is Making This Closer to Reality

Business man on laptopLast month, the California Attorney General approved the final set of regulations interpreting the requirements of the California Consumer Privacy Act (Cal. Civ. Code Sections 1798.100 et seq.) (the “CCPA”).

What does it include?

The final CCPA regulations include a number of points of clarification such as what it means to provide “notice at collection,” the methods to provide a consumer with access to a business’s privacy policy and what content is required to be disclosed in that privacy policy, and the methods by which a company must provide consumers with a right to opt out from the sale of their personal information.
Continue Reading What do the final CCPA regulations mean for you?

GavelOn April 24, 2019, the U.S. Supreme Court issued an important decision touching a number of hot button issues and litigation threats facing American businesses — including class actions, arbitration agreements and data privacy.

The case, Lamps Plus, Inc. v. Varela, 17-988, 2019 WL 1780275 (U.S. Apr. 24, 2019), stemmed from a data breach in which a hacker posing as a company official “tricked” a Lamps Plus employee into disclosing the tax information of approximately 1,300 workers.  Among those 1,300 workers was Frank Varela, the named plaintiff.  Id. at *2.  Following the data breach, Mr. Varela became the victim of identity theft when a fraudulent federal income tax return was filed in his name. 
Continue Reading SCOTUS Catapults Class Arbitration Onto the Endangered Species List

Business man on laptopOne of the most common things we discuss with clients is the need to ensure that privacy policies accurately reflect the actual procedures in place for handling confidential information.  The SEC reiterated that point last week in a Risk Alert that encouraged SEC-registered companies to review their written policies and procedures to ensure adequate implementation and compliance with the law.  In the Risk Alert, the Office of Compliance Inspections and Examinations (“OCIE”) published a list of issues under Regulation S-P (the privacy rule) it has seen in the context of exams.
Continue Reading SEC: Practice What You Preach on Privacy

Overview of the Ruling

On March 16, 2018, just before tip-off in the first round of the NCAA tournament, the D.C. Circuit provided the TCPA defense bar with a new playbook of sorts, in the form of a decision that will surely change the game for TCPA litigation. The case, of course, is ACA International v. FCC, and the ruling came down nearly 18 months after oral arguments. ACA Int’l et al. v. FCC, No. 15-1211, Doc. No. 1722606 (D.C. Cir. Mar. 16, 2018). It appears to be worth the wait as the D.C. Circuit slam dunked the former definition of automated telephone dialing equipment (“ATDS”) and the “one-call safe harbor” rule for reassigned numbers.Continue Reading ACA v. FCC Close to a Slam Dunk for TCPA Defendants

GDPR CalendarWhat Is GDPR?
The EU General Data Protection Regulation (GDPR),—described as “the most important change in data privacy regulation in 20 years”—becomes enforceable by law on May 25, 2018. After four years of preparation and debate, GDPR was approved by the EU Parliament in April 2016 to replace the Data Protection Directive 95/46/EC. According to the EUGDPR.org, the overarching purpose of GDPR is to “harmonize data privacy laws across Europe, to protect and empower all EU citizens data privacy and to reshape the way organizations across the region approach data privacy.” Expected to comply are organizations located within the EU; that offer goods or services to, or monitor the behavior of, EU data subjects; and all companies processing and holding the personal data of data subjects residing in the EU.Continue Reading 100 Days Until GDPR … Are You Ready?