The Consumer Financial Protection Bureau announced that it was issuing a Notice of Proposed Rulemaking regarding Personal Financial Data Rights on October 19, 2023. The proposed rule would implement section 1033 of the Consumer Financial Protection Act of 2010, which gives consumers the right to access their financial data and authorizes third parties to access it on their behalf.

The Federal Trade Commission issued a supplemental notice of proposed rulemaking on February 15, 2024, in which it recommended a trade regulation rule that would (1) impose liability on businesses who provide goods or services (including artificial intelligence technology) with knowledge or reason to know they will be used to engage in unlawful impersonation of individuals, government, or businesses; and (2) prohibit impersonation of individuals.

On Friday, February 9, as the country collectively packed up and prepared to head home for Super Bowl weekend, the Third Appellate District of the California Appellate Court issued an Order granting the California Privacy Protection Agency the ability to immediately enforce regulations implementing the California Privacy Rights Act, which were finalized in March 2023.

AI-generated robocalls may trick some consumers into thinking they are being called by a human being, but the Federal Communications Commission clarified in a recent AI Declaratory Ruling that it will not be fooled.

Building off of the momentum from last year’s torrent of new comprehensive state privacy laws, 2024 has begun with a bang as two more states have now entered the picture.

The Connecticut Data Privacy Act requires the Attorney General’s Office to issue a privacy report no later than February 1, 2024, including (1) the number of notices of violation the attorney general has issued; (2) the nature of each violation; (3) the number of violations cured; and (4) any other matter the attorney general deems relevant.

On February 1, 2024, the Federal Trade Commission announced a complaint and proposed consent order against Blackbaud, Inc. concerning a 2020 data security incident that included a ransomware demand and payment.

Safety risk assessments are becoming a preferred regulatory tool around the world. Online safety laws in Australia, Ireland, the United Kingdom, and the United States will require a range of providers to evaluate the safety and user-generated content risks associated with their online services.

Less than 10 days after announcing its complaint and proposed settlement against location data broker X-Mode, the Federal Trade Commission (FTC) followed its recent spate of enforcement in the location and sensitive data space with the announcement of another enforcement action and proposed settlement with InMarket Media, Inc. (InMarket).

On January 9, 2024, the Federal Trade Commission (FTC) announced its complaint and proposed settlement with location data broker X-Mode Social, Inc. and its successor Outlogic, LLC (collectively X‑Mode).

The Federal Trade Commission announced its first enforcement action alleging that discriminatory use of artificial intelligence was an unfair practice under Section 5 of the FTC Act on December 19, 2023.

The Federal Trade Commission gave privacy lawyers a long-awaited Christmas present on December 20, 2023: its notice of proposed rulemaking to amend the Children’s Online Privacy Protection Act Rule. The NPRM follows a review of the COPPA Rule initiated by the FTC four years ago and the submission of over 175,000 public comments.

The U.S. Department of Defense has issued its long-awaited proposed rule implementing its Cybersecurity Maturity Model Certification program to protect sensitive, unclassified government information in the possession of defense contractors.

After a series of intensive negotiations among representatives of the European Union’s three governing bodies, the EU has concluded its “trilogue” meetings with a “political agreement” on the terms of its forthcoming Artificial Intelligence Act.

In a politically divided 3-2 vote, the FCC updated its data breach notification rules, which had been in effect since before the release of the first iPhone.

Just a few years ago, the legal landscape governing health-related personal information was relatively simple: Protected Health Information was regulated under HIPAA. Today, by contrast, the privacy of health-related personal information is under close scrutiny by the FTC, the U.S. Department of Health and Human Services’ Office for Civil Rights and state regulators.

Last week, the UK’s Online Safety Bill received royal assent and became law. With this development, Ofcom, the regulator for the new Online Safety Act, has published a roadmap to explain how the Act will be implemented over the next two years.

The White House recently issued its most extensive policy directive yet concerning the development and use of artificial intelligence (AI) through a 100-plus-page Executive Order (EO) titled "Executive Order on the Safe, Secure, and Trustworthy Development and Use of Artificial Intelligence” and accompanying “Fact Sheet” summary.

Under an amendment to the Safeguards Rule under the Gramm-Leach-Bliley Act announced on October 27, 2023, the Federal Trade Commission will require a broad range of nonbank financial institutions to notify the FTC of instances of the unauthorized acquisition of unencrypted, personally identifiable, nonpublic financial information of more than 500 customers.

The Federal Communications Commission recently adopted a Notice of Proposed Rulemaking to reestablish its authority over broadband internet access service by reinstating its net neutrality rules.

A significant number of federal legislative proposals that focus on online child safety have been introduced. If enacted, they would modify online providers’ obligations to remove and report child sexual exploitation content, as well as require providers to implement notice and takedown mechanisms for certain CSE content.

California Governor Gavin Newsom recently signed AB 1394, a law that imposes new obligations on social media platforms to prevent and combat child sexual abuse and exploitation.

The Federal Acquisition Regulatory Council published two proposed rules on October 3, 2023, that would impose significant new cybersecurity obligations on government contractors.

A flurry of legislative activity over the past year has brought meaningful changes to a variety of privacy and security provisions in state and federal law. At the state level, as in 2022, we have seen a handful of changes to generally applicable breach notification statutes, along with action on both narrower security provisions and broader omnibus privacy laws.

Perkins Coie's Privacy & Security practice maintains this comprehensive chart of state laws regarding security breach notification. The chart is for informational purposes only and is intended as an aid in understanding each state’s sometimes unique security breach notification requirements.

The U.S. Department of Homeland Security announced new policies on September 14, 2023, regarding its use and acquisition of artificial intelligence technologies, including facial recognition and face capture technologies.

The U.S. Department of Homeland Security announced new policies on September 14, 2023 regarding its use and acquisition of artificial intelligence technologies, including facial recognition and face capture technologies. DHS also appointed Eric Hysen as the department’s first chief AI officer.

The Board of the California Privacy Protection Agency held its first meeting since July on Friday, September 8, 2023, and discussed the first public draft of cybersecurity audit regulations and risk assessment regulations. While the CPPA Board expressly announced that the drafts were for board meeting discussion purposes and has not started the formal rulemaking procedures yet, the first public drafts of the regulations provide a roadmap for where the CPPA Board may likely go, and the draft regulations would impose new and detailed compliance requirements.

The UK Online Safety Bill was passed by Parliament earlier this week and is expected to soon become law through royal assent.

The U.S. Securities and Exchange Commission announced the final version of its long-anticipated cybersecurity rules on July 26, 2023.

The Global Online Safety Regulators Network (Network) issued a position statement on human rights and online safety regulation on September 13, 2023.

The U.S. Securities and Exchange Commission (SEC) adopted final rules relating to cybersecurity disclosure on July 26, 2023, which will take effect on December 18, 2023.
This blog has been republished in Insights, The Corporate & Securities Law Advisor.

Following a related request for information earlier this year, the Consumer Financial Protection Bureau announced on August 15, 2023, its intention to launch rulemaking targeting data brokers.

The Federal Financial Institutions Examination Council released the fifth phase of updates to the FFIEC Bank Secrecy Act/Anti-Money Laundering Examination Manual on August 2, 2023.

In the education space, the Federal Trade Commission (FTC) announced an enforcement order against edtech company Edmodo, who it alleged to have violated the Children’s Online Privacy Protection Act (COPPA). Edmodo, a business-to-consumer (B2C) online learning platform, provides K-12 teachers with tools to connect with students and parents, such as virtual classroom spaces.

The U.S. Securities and Exchange Commission adopted final rules on July 26, 2023, requiring public companies to provide current disclosure, within what may be a short time window, about material cybersecurity incidents and to include disclosure relating to cybersecurity risk management, strategy, and governance in annual reports.

The Biden Administration recently released the implementation plan for the National Cybersecurity Strategy. The Plan includes initiatives for new cybersecurity regulations, new and expanded liability regimes, broad public and private engagement, and new procurement obligations and funding opportunities. Companies should pay close attention to opportunities to help shape new regulatory and liability schemes and should also anticipate greater scrutiny of cybersecurity issues that affect customers and supply chains.

As of July 18, 2023, Oregon has joined 11 other states to pass a comprehensive consumer privacy law. The Oregon Consumer Privacy Act requires various disclosures around the collection and processing of personal data, provides consumers with rights to their data, and imposes obligations on controllers and processors, including honoring global opt-out signals.

Senate Majority Leader Charles Schumer (D-NY) unveiled his much-anticipated, bipartisan legislative framework for regulating artificial intelligence during recent public remarks. To support this new framework and the resulting policy proposals, Senator Schumer has formed a bipartisan AI working group that will work closely with the leaders of the Senate’s Commerce, Homeland Security, Antitrust, Judiciary, and Intelligence committees to shape the draft legislation.

Federal Communications Commission’s Chairwoman Jessica Rosenworcel announced the formation of a Privacy and Data Protection Task Force at the FCC during a recent speech at the Center for Democracy and Technology Forum on Data Privacy.

Washington state recently passed the My Health My Data Act, which will almost certainly lead to an explosion of consumer lawsuits and follow-on insurance coverage disputes.

Texas Governor Greg Abbott signed the Texas Data Privacy and Security Act into law on June 18, 2023. The comprehensive privacy and data security law will go into effect on July 1, 2024.

Crafting an appropriate AUP for generative AI is a process that requires careful consideration and collaboration across multiple departments. Each policy will be different, reflecting the company’s business needs and culture, the nature of the intended uses of such tools, and the company’s level of risk tolerance in light of its industry and the applicable evolving legal and regulatory landscape.

The FTC issued a policy statement on May 18, 2023, addressing privacy and data security concerns and the potential for bias and discrimination relating to the collection and use of biometric information. In the Biometrics Policy Statement, the FTC lists specific examples of business practices relating to biometric information that it will scrutinize under Section 5 of the FTC Act, which prohibits unfair or deceptive acts and practices.

The National Science and Technology Council recently bolstered the Biden administration’s continued focus on responsible AI development by announcing an update to the National Artificial Intelligence Research and Development Strategic Plan.

This Update is the third installment of the ongoing series covering Washington state’s new My Health My Data Act. The original impetus for the Act was the protection of reproductive rights, and it was signed into law alongside several other pieces of legislation focused on providing abortion and gender-affirming protections. However, because of the broad and vague definition of “consumer health data” covered by the legislation and because it applies to a wide range of entities, the Act may reach much further than might be justified by its original purpose.

The Espionage Act is getting star billing this year. From an HBO movie about an old case to a newly charged case alleging a major leak of classified information to special counsel investigations of a former President and the current President, the only thing missing is a new Law & Order spinoff.

As detailed in Part 1 of this ongoing series, Washington Governor Jay Inslee signed the state’s My Health My Data Act into law on April 27, 2023. In this installment, we provide an overview of the consumer rights bestowed by the Act and the obligations it imposes upon regulated entities and small businesses.

The New York City Department of Consumer and Worker Protection adopted final rules for Local Law 144 on April 6, 2023. 

On April 27, 2023, Washington Governor Jay Inslee signed into law House Bill 1155, also known as the My Health, My Data Act. Its stated purpose is to protect “consumer health data” collected by entities not already subject to the federal Health Insurance Portability and Accountability Act, but one less obvious consequence of the Act is that it may make Washington state a new hot spot for class-action litigation involving biometric privacy.

The EU was in the process of implementing its AI Act, first proposed on April 21, 2021, before generative AI chatbots were widely released. This Update provides a fresh look at the AI Act’s legislative status and its substantive evolution before it becomes legally effective.

Creators in film, television, music, and gaming are increasingly turning to artificial intelligence and machine learning models to deliver new content and experiences to audiences. While providing many benefits, some applications of AI/ML in these contexts could potentially trigger biometric privacy laws.

Recent weeks have seen action from various European regulators regarding artificial intelligence/machine learning (AI/ML) and algorithms.

The U.S. Supreme Court ruled in two related cases that federal district courts have jurisdiction to hear structural constitutional challenges to the adjudicative authority of the Federal Trade Commission and the U.S. Securities and Exchange Commission, and that litigants need not wait until the appeal of an adverse agency decision in the adjudication to raise such arguments in court.

The California Privacy Rights Act enforcement deadline draws near, but companies can’t focus solely on consumer data. California is the first state to apply comprehensive restrictions on the collection and use of employment and business-to-business data.

The exemption for employment-related and business-to-business (B2B) data under California’s privacy law expired on January 1, 2023.

Less than one month after Utah adopted the nation’s first law restricting the use of social media platforms by minors under 18, Arkansas last week enacted its Social Media Safety Act (the Act), SB396.

The California Privacy Protection Agency (CPPA) released a statement on March 30, 2023, announcing that the California Office of Administrative Law (OAL) had approved the first substantive rulemaking package for the California Consumer Privacy Act (CCPA), amended by the California Privacy Rights Act (CPRA).

California’s Age-Appropriate Design Code is a first-of-its-kind children’s privacy law in the United States that is scheduled to go into effect in 2024. The CA AADC is applicable to online services, products, or features that are likely to be accessed by children.

On March 28, Iowa Governor Kim Reynolds signed Senate File 262, effective January 1, 2025, making Iowa the sixth state to offer comprehensive privacy protections.

The Federal Trade Commission (FTC) issued a press release and a request for information on March 22, 2023, soliciting comments from the public on cloud computing business practices, including issues related to market power, competition, and potential data security risks.

On March 24, 2023, Texas House Representative Giovanni Capriglione participated in a virtual interview with the Dallas chapter of the International Association of Privacy Professionals (IAPP) about his recently introduced bill, HB 4, also known as the Texas Data Privacy and Security Act (TDPSA).

This Update discusses a spate of recent class action lawsuits asserting claims under the Video Protection Privacy Act.

The Consumer Financial Protection Bureau announced on March 15, 2023, that it is issuing a Request for Information about the business practices of data brokers, which the agency said will assist it in “planned rulemaking” under the Fair Credit Reporting Act.

Utah state lawmakers are poised to change how (and when) minors who reside in Utah can use social media.

The U.S. District Court for the Northern District of Illinois recently found that in order for cell tower warrants to be supported by probable cause and satisfy Fourth Amendment concerns, they must include protocols limiting the government’s collection of information from individuals not involved in the underlying criminal activity.

The Federal Trade Commision announced a proposed complaint and proposed consent order with BetterHelp, Inc., an online counseling platform that allegedly disclosed consumer health data to third-party advertising platforms.

The Biden Administration released its National Cybersecurity Strategy on March 1. The Strategy breaks with past precedent and emphasizes regulatory mandates and imposing liability, in addition to enhancing voluntary information-sharing and development of best practices. The Strategy will particularly affect critical infrastructure and cloud service providers.

In a landmark decision, the Illinois Supreme Court holds that every individual scan or transmission of biometric data made without the proper disclosures amounts to a separate violation of the Illinois Biometric Information Privacy Act.

the Transportation Security Administration issued a new security directive to enhance cybersecurity preparedness and resilience for designated passenger and freight railroads.

The Federal Trade Commission announced its first enforcement of the Health Breach Notification Rule against a digital health company, a case it brought against a company that shared user health data with third-party advertising platforms without the authorization of the affected users. This case signals the importance for digital health companies, whether or not covered by the Health Insurance Portability Accountability Act, of treating personal health information as sensitive and regulated by the HBNR and other FTC-enforced laws.

Recent comments by Anne Neuberger, President Biden’s Deputy National Security Adviser for Cyber and Emerging Technology, herald an important shift in U.S. cybersecurity policy.

The recently announced disruption of the Hive ransomware network is a significant and welcome accomplishment.

The Board of the California Privacy Protection Agency (CPPA) approved a rulemaking package covering Sections 7000–7304 of their draft regulations on February 3, 2023.

As it did last year, the California Attorney General’s Office recognized Data Privacy Day by announcing its latest investigative sweep under the California Consumer Privacy Act (CCPA).

The European Commission released a draft adequacy decision approving the new EU-U.S. data privacy framework established in part by President Biden's Executive Order 14086.

Published over the holidays, President Biden signed the $1.7 trillion Consolidated Appropriations Act of 2023, which includes a wide range of artificial intelligence and machine learning initiatives and investments. It also directs several federal agencies to help ensure the responsible use of AI technologies, including the prevention of algorithmic bias. This Update includes a summary of the AI appropriations and initiatives.

The Federal Communications Commission published a Notice of Proposed Rulemaking that seeks to strengthen and broaden its breach notification rules arising from the unauthorized disclosure of customer proprietary network information.

Data security will be an enforcement priority for the FTC in 2023. The FTC, in its December 14, 2022, Commission meeting, highlighted four data security measures that it believes are particularly important for strong cybersecurity.

Discussions of the Espionage Act usually focus on the public’s conception of “spying.” Spies steal information that their government seeks to keep secret and disclose that information to other governments.

Last week, the period for comments closed on the California Privacy Protection Agency’s (CPPA) latest version of the draft implementing regulations for the California Privacy Rights Act (CPRA) amendments to the California Consumer Privacy Act (CCPA) (Revised Regs).

Perkins Coie’s survey of 150 industry stakeholders involved in XR and next-gen technology, which encompasses technological advancements such as Web3 and the metaverse, shows that immersive technology has reached a critical point.

The U.S. Department of Justice recently released new guidance announcing several policy changes to further strengthen and clarify its approach to prosecuting corporate crime. This guidance is applicable to all third-party text and social media messaging platforms.

This is the second in a series of updates addressing the bilateral data access agreement between the United States and the United Kingdom under the Clarifying Lawful Overseas Use of Data Act.

 

California and New York recently passed laws that seek to change how social media platforms and social media networks design and report their content moderation practices. The New York law will require a hateful conduct policy and reporting mechanism starting in December 2022. California laws will impose content moderation and transparency requirements starting in 2023 and 2024.

On Oct. 24, the U.S. Department of Justice announced charges against 13 individuals accused of acting within the U.S. as agents of the People's Republic of China, or PRC.

The Office of Science and Technology Policy, a part of the Executive Office of the President, recently published a white paper entitled “The Blueprint for an AI Bill of Rights: Making Automated Systems Work for the American People.”

After more than two years of litigation, Amazon and Microsoft won summary judgment in two class action lawsuits asserting violations of the Illinois Biometric Information Privacy Act (BIPA): Vance v. Amazon.com, Inc., Case No. C20-1084JLR and Vance v. Microsoft Corp., Case No. C20-1082JLR.

Perkins Coie attorneys explain how China’s new data security laws and use of third-party apps, such as WeChat, by Chinese employees create significant obstacles for companies conducting internal investigations in the country.

As the California Privacy Rights Act replaces its predecessor, the California Consumer Privacy Act, retailers have a significant amount of compliance preparation to do—right at peak season.

After a five-day trial and only an hour of deliberation, the nation’s first trial under the Illinois Biometric Information Privacy Act ended with a bang. The jury found that the defendant recklessly or intentionally violated BIPA 45,600 times resulting in a $228 million judgment.

The Colorado attorney general’s office sent shockwaves throughout the privacy world on Friday, September 30, 2022, when it published its proposed Colorado Privacy Act draft rules.

New Jersey has become the latest state to pass a law governing some types of automatically renewing subscriptions.

President Biden signed an executive order on October 7, 2022, changing U.S. surveillance laws to address perceived deficiencies in protecting personal data identified by European Union courts.

Following the Council of the European Union's approval earlier this week, the Digital Services Act has been officially adopted, starting the countdown to the law’s entry into force later this year.

Cyberattacks continue to plague businesses, making the fallout of data breach notification and response as critical as ever. This year, like 2021, has been relatively quiet as it relates to state updates to breach notification laws.

The Cyberspace Administration of China released the Measures for the Security Assessment of Cross-border Data Transfer on July 7, 2022, to regulate cross-border data transfers in accordance with the Cybersecurity Law, the Data Security Law, and the Personal Information Protection Law. The measures go into effect on September 1, 2022.

The Measures provide a six-month grace period from September 1, 2022, to March 1, 2023, for companies with previous cross-border data transfer activities to become compliant with the new standards. Companies with outbound data transfers should seek knowledgeable counsel to monitor the implementation and enforcement of the Measures by the CAC.

President Biden signed into law the Cyber Incident Reporting for Critical Infrastructure Act of 2022 on March 15, 2022. CIRCIA solicits public comment for 60 days, beginning September 12, 2022.

Under a new agreement between the United States and the United Kingdom, communications service providers in the United States may soon begin to receive legal process directly from law enforcement agencies in the United Kingdom.

The Federal Trade Commission filed a lawsuit on August 29, 2022, against data broker Kochava Inc., alleging that the company’s sale of precise geolocation data is an unfair act or practice that violates Section 5 of the FTC Act.

The Federal Trade Commission released an advance notice of proposed rulemaking on “Commercial Surveillance and Data Security” on August 11, 2022. The ANPRM, approved on a 3-2 party line vote, is the initial step in a process that could result in the adoption of the first federal regulation addressing privacy, data security, and algorithmic discrimination across broad sectors of the U.S. economy.

The U.S. Department of Justice’s Civil Cyber-Fraud Initiative, announced last October, is designed to leverage existing whistleblower incentives for employees, or other persons with inside knowledge, to identify lapses in federal contractors’ cybersecurity and privacy practices.

The Cyberspace Administration of China, the country’s internet watchdog, began collecting feedback on the draft provisions with respect to the release of its Standard Contract for Outbound Cross-border Transfer of Personal Information, which includes guidelines for the use of the Standard Contract for data processors, on June 30, 2022. An unofficial English translation of the contract is also available. The deadline for the submission of public comments is July 29, 2022.

The U.S. Court of Appeals for the District of Columbia Circuit recently denied a petition to review a 2020 Federal Communications Commission order that permitted callers to place commercial non-telemarketing robocalls to residential phone numbers and that established uniform call limits for such calls.

By a 6-3 majority, the U.S. Supreme Court in West Virginia v. Environmental Protection Agency held that the Environmental Protection Agency’s efforts to regulate greenhouse gases by making industry-wide changes violated the “major questions” doctrine.

Last week, the Consumer Privacy Protection Agency (Agency) Board rounded out the first half of 2022 by releasing draft California Privacy Rights Act (CPRA) regulations. This first set of CPRA regulations focus on updating existing California Consumer Privacy Act (CCPA) regulations to account for the new provisions of the CPRA and addressing specific areas such as Agency audits and enforcement.

The Federal Communications Commission recently adopted certain final rules, policies, and proposed rules to “stem the tide of foreign-originated illegal robocalls.”

In recent years, apparel and retail businesses have increasingly sought to provide customers with options to participate with the brand’s merchandise and services in virtual environments.

National Security Presidential Memorandum-33 and implementation guidance from the National Science and Technology Council direct federal agencies to standardize and enhance disclosure and security requirements that apply to federally funded research and development.

In a 5-4 decision, the U.S. Supreme Court vacated the U.S. Court of Appeals for the Fifth Circuit’s stay of a temporary injunction in NetChoice, LLC v. Paxton, a closely watched case involving a novel Texas law purporting to bar “social media platforms” from engaging in “viewpoint” discrimination.

In its most recent open meeting, the Federal Trade Commission (FTC) unanimously (1) issued a COPPA policy statement directed at ed tech providers and (2) proposed amendments to the Endorsement Guides, which address influencer advertising on social media and consumer reviews.

Alvaro Bedoya was sworn in as a commissioner of the U.S. Federal Trade Commission (FTC) on May 16, 2022.

Litigation against corporate board members and C-level executives for data privacy and security claims is on the rise. Specifically, the number of suits stemming from data breaches and other cybersecurity incidents has increased as such breaches and incidents have become more common.

As federal agencies prepare to roll out new regulations to protect government information in the possession of government contractors against cyber threats—and to accelerate the procurement of cybersecurity products and services from industry—the emerging risks of False Claims Act (FCA) investigations and qui tam cases related to cybersecurity are an increasingly important consideration for contractors.

Through its newly launched Center for Industry Self-Regulation (CISR), BBB National Programs announced the launch of the TeenAge Privacy Program (TAPP).

Perkins Coie is pleased to announce the launch of our second annual report California Consumer Privacy Act Litigation Year in Review. The California Consumer Privacy Act (CCPA) became effective on January 1, 2020, and regulates any “business” that does business in California.

On March 9, 2022, the U.S. Securities and Exchange Commission (SEC) issued proposed rules regarding cybersecurity risk management, strategy, governance, and incident disclosure.

Federal Trade Commission Chair Lina Khan spoke at the opening of the International Association of Privacy Professionals Global Privacy Summit on April 11, 2022, in Washington, D.C.

China’s internet watchdog, the Cyberspace Administration of China, has continued to tighten its regulation of internet industries and driven the formulation of many new laws and regulations in cybersecurity and data protection in China.

President Biden signed into law the Cyber Incident Reporting for Critical Infrastructure Act of 2022 on March 15, 2022.

The U.S. Supreme Court ruled that federal courts cannot enforce or vacate arbitration awards under Sections 9 and 10 of the Federal Arbitration Act.

In the latest of a series of setbacks for employers facing claims under the Illinois Biometric Information Privacy Act, the Supreme Court of Illinois held last month that the Illinois Workers’ Compensation Act does not preempt BIPA claims for statutory damages brought by employees.

Utah Governor Spencer Cox signed the Utah Consumer Privacy Act (Utah Law) into law on March 24, 2022, making it the fourth omnibus state privacy law enacted in the United States.

The U.S. government has steadily increased its warnings about malicious cyber activity by Russia and other sophisticated, persistent adversaries.

The U.S. Federal Communications Commission published a Notice of Inquiry on February 28, 2022, inviting public comment on vulnerabilities that threaten the security and integrity of the Border Gateway Protocol, which is central to the internet’s global routing system.

For many years, the most significant law governing biometric-based products and services has been the Illinois Biometric Information Protection Act. This past month, however, another biometric data privacy law woke from a long, undisturbed slumber.

In recent years, the Federal Communications Commission (FCC) has worked closely with the U.S. Department of Justice and other Executive Branch national security agencies to restrict China’s influence on U.S. telecommunications.

Businesses that allow customers to sign up for automatically renewing subscriptions must comply with a patchwork of state and federal regulations.

New cybersecurity developments and observations ... warrant prompt consideration by plan sponsors and other fiduciaries of employee benefit plans subject to ERISA.

Amid colossal pandemic-generated disruption over the past two years, the global economy has witnessed burgeoning cyber crime – a complex and fervent landscape that has become increasingly sophisticated as cyber criminals continue, and even escalate, their activity in times of crisis.

Though it was not long ago that resolutions of California Consumer Privacy Act readiness ushered in the new year, ‘tis the season once again to deck the halls with privacy compliance checklists.

Perkins Coie and XR Association survey of over 160 professionals found that immersive technology’s prospects have been strengthened by the pandemic.

Following a 3-2 vote, the Federal Trade Commission recently announced amendments to the Safeguards Rule under the Gramm-Leach-Bliley Act.

On August 17, 2021, China released the new regulations on the Security and Protection of Critical Information Infrastructure, which became effective on September 1, 2021.

Cyberattacks continue to make the news and affect our lives in increasingly more significant ways.

Certain California licensed healthcare facilities are now subject to additional breach reporting obligations pursuant to regulations (Regulations)[1] issued by the California Department of Public Health (Department) on July 1, 2021.

With the surge of COVID-19 cases due to the Delta variant, many employers are considering whether to require employees to be vaccinated, how to encourage employee vaccinations, and the implications of vaccine policies for their businesses.

New York City’s ordinance could be the beginning of a trend, or simple an outlier, but one that every business in the city should be aware of.

New York City’s new biometrics ordinance went into effect July 9, 2021. The ordinance regulates the use of “biometric identifier information” in “commercial establishments” such as places of entertainment, retail stores, and food and drink establishments. 

Colorado Governor Jared Polis signed the Colorado Privacy Act (CPA) into law on July 7, 2021, making it the third comprehensive state privacy law enacted in the United States.

The European Center for Digital Rights (None of Your Business or “noyb”) launched a new campaign against the use of allegedly unlawful cookie banners by sending nearly 600 draft complaints to companies across the European Union and European Economic Area. Noyb has identified more than 15 types of alleged violations of EU privacy laws, and this update provides a summary and initial analysis of the key violation types.

The deluge of lawsuits brought under the Illinois Biometric Information Privacy Act (BIPA), 740 ILCS 14 et seq. over the past several years has presented a challenge to companies operating in Illinois.

The Chinese Ministry of Industry and Information Technology (MIIT), together with other agencies in the Chinese government, launched a series of campaigns for the rectification of excessive personal information processing activities of mobile application developers, operators, and third-party service providers. Drawing on the insights from these campaigns, the MIIT, the Cyberspace Administration of China, the Ministry of Public Security, and the State Administration for Market Regulation jointly released the draft Interim Regulations on the Administration of Personal Information Protection for Mobile Internet Applications.

In what could be a harbinger of the future regulation of artificial intelligence (AI) in the United States, the European Commission published its recent proposal for regulation of AI systems.

On April 22, 2021, in a unanimous decision, the U.S. Supreme Court in AMG Capital Management v. FTC held that the authorization to seek a “permanent injunction” under Section 13(b) of the Federal Trade Commission Act does not permit the FTC to obtain equitable monetary relief such as restitution and disgorgement. While the FTC may still seek monetary relief under Sections 5 and 19 of the Act, those provisions can be more difficult for the FTC to pursue. FTC Acting Chairwoman Rebecca Kelly Slaughter is already calling on Congress to “strengthen the FTC’s powers” in light of the decision.

On April 14, 2021, the US Department of Labor (DOL) released three-part guidance on cybersecurity issues for employee benefit plans, marking its first significant commentary on the issue since its comprehensive, but non-binding, report in late 2016. The DOL’s guidance provides “tips” and “best practices” for ERISA plan sponsors, responsible fiduciaries, recordkeepers, service providers, and participants in appropriately safeguarding non-public plan and participant information against cybersecurity threats. 

In Facebook, Inc. v. Duguid et al., the U.S. Supreme Court provided some clarity that stakeholders have been awaiting since 2015 by adopting a narrower interpretation of the term “autodialer” for purposes of the Telecommunications Consumer Protection Act (TCPA). The Court reversed an expansive interpretation of “autodialer” adopted by the U.S. Court of Appeals for the Ninth Circuit that the Court noted would have prohibited many commonplace uses of cell phones by consumers. The Court found that for a dialing system to constitute an autodialer, it must have the capacity to either store or produce a telephone number using a random or sequential number generator. This narrower interpretation comes as a relief to a broad range of businesses and nonprofit organizations, among others, that believed the Ninth Circuit’s broad interpretation unfairly ensnared legitimate communications practices that did not harm consumers.

In November 2020, California voters approved a new data privacy law. Unfortunately, the law contains a provision that may threaten the future of digital content for underrepresented communities.

Shortly after his inauguration, President Biden appointed Commissioner Jessica Rosenworcel as acting chairwoman of the U.S. Federal Communications Commission.

The Federal Trade Commission announced on January 11, 2021, that it had reached a settlement with Everalbum, Inc., the developer of a now-defunct photo storage app called “Ever.” The settlement is the FTC’s first enforcement action focused on facial recognition technology, and likely signals a new era of increased regulatory scrutiny for companies involved in facial recognition.

It’s a new year and it looks like 2021 is going to be another eventful one for privacy. In the past few weeks, we’ve seen several states introduce new privacy legislation, including Washington, New York, and Minnesota.

The passage of the California Privacy Rights Act more closely aligns the consumer privacy standards of one of the United States’ most economically important jurisdictions with those of the European Union.

The Communications Decency Act, 47 U.S.C. § 230 (CDA) establishes that entities known as interactive computer service providers are not liable for (1) communications or content posted by people who use their services, (2) their services’ design or structure, or whether and how to allow people to have accounts, and (3) discretionary decisions about removing or restricting access to certain objectionable content.

Companies that do business in Portland, Oregon may need to add one more item to their holiday to-do list: disable face recognition technologies in Portland.

In the 2020 Augmented and Virtual Reality Survey conducted by Perkins Coie LLP, Boost VC, and the XR Association, nearly three-quarters of industry leaders polled indicated that they expect immersive technologies to be mainstream within the next five years. 

Internet of Things (IoT) devices have the potential to transform our home and work environment by integrating a growing range of “smart” wirelessly connected sensors into our daily lives.

The COVID-19 pandemic and the resulting need for patient access to remote healthcare, as well as the development of contact-tracing apps, have spotlighted the importance of health-focused mobile applications (mHealth apps).

What can we expect from the Federal Communications Commission from the incoming administration of President-elect Biden?

In this two-part Insight series, James Snell, Marina Gatto, Zachary Watterson, Nathan Duletzke and Kayla Lindgren, of Perkins Cole LLP, provide an overview of the evolution of consumer privacy legislation in 2020, including a recap of the bills that failed, and an overview of the privacy-related bills that remain pending.

After undergoing several rounds of revisions to the 2019 draft specifications, the new Information Security Technology-Personal Information Security Specifications (GB/T35273-2020) (New Personal Information Specifications) were released jointly by the State Administration of Market Regulation and the Standardization Administration of China on March 6, 2020.

Hundreds of COVID-19-related class action claims have been filed in state and federal courts throughout the country.

On June 13, the Federal Trade Commission held a virtual workshop on proposed changes to the Gramm-Leach-Bliley Act safeguards rule.

Marijuana businesses, especially those in the medical marijuana industry, often have access to sensitive consumer information.

In Privacy Versus the Pandemic, Perkins Coie Privacy attorneys take a trip around the world to explore the interplay between privacy and public health during the COVID-19 outbreak.

The Court of Justice for the European Union (CJEU) on July 16, 2020, invalidated the EU-U.S. Privacy Shield as an approved mechanism for transferring personal data from the European Union to the United States.

This update provides some recent lessons learned with remote depositions that apply to both those who take and defend remote depositions.

States continue to enhance and expand their breach notification requirements, increasing the scope of breaches that require notice as well as the complexity of compliance.

A key area of focus in the Department of Defense’s (DoD) gradual rollout of its Cybersecurity Maturity Model Certification (CMMC) is the training and accreditation of third-party assessors that will be responsible for reviewing some 300,000 defense contractors’ cybersecurity practices for compliance with applicable controls.

Today commercial landlords and tenants are preparing to safeguard their employees and customers from Covid-19 risks.

Although many businesses are finding themselves in new and challenging times due to the impacts of COVID-19 and the related shelter-in-place orders, it is important to keep in mind that compliance with applicable privacy laws is still required, and attorney general enforcement of California’s newest privacy law is on the horizon and set to begin July 1, 2020. In this article we provide insight on what is required of businesses subject to the CCPA, what trends we have seen in CCPA-related litigation thus far, and the impending enforcement of the CCPA by the California attorney general. Read more.

Perkins Coie, XR Association, and boost VC surveyed nearly 200 professionals representing startups, enterprise technology firms, and investors for their insights on the trajectory of the immersive technology industry.

In response to great interest from Silicon Valley, Federal Communications Commission Chairman Ajit Pai has released draft rules that would make valuable spectrum available for unlicensed wireless broadband services (i.e., Wi-Fi) in the 6 GHz band (5.925-7.125 GHz).

Recognizing the high volume of COVID-19 content being published, Perkins Coie developed a one-stop, integrated resource page that addresses key legal and business considerations for companies across essential business areas, from insurance coverage and labor and employment, to privacy and security, corporate governance, tax, construction, supply chain, and more.

COVID-19 arrives just as the first omnibus privacy statute in the United States, the CCPA became effective. Since its January 1 effective date, we continue to wait for finalization of the CCPA regulations and enforcement that was slated for July 1.

Companies that deal with biometrics are likely aware of Illinois’ Biometric Information Privacy Act (BIPA), which regulates the collection, storage, and use of biometric data, including, for example, fingerprints, voiceprints, and scans of “face geometry.” 

This update was republished in The Journal of Robotics, Artificial Intelligence & Law (September / October Edition).

The U.S. Department of Defense’s (DoD) new cybersecurity verification regime is moving into a new phase, with major implications for contractors.

The U.S. Department of Defense (DOD) is forging ahead in its plan to adopt a new framework for cybersecurity, with significant ramifications for all defense contractors, including subcontractors.

Beginning January 1, 2020, companies doing business in California that meet certain criteria will be subject to a new regulation, as the sweeping California Consumer Privacy Act (CCPA) goes into effect.

The California Attorney General’s Office released for public comment the long-awaited proposed regulations for the California Consumer Privacy Act (CCPA) on October 10, 2019.

On 10 October 2019, after much anticipation, the California Attorney General, Xavier Becerra, held a press conference and announced the release of proposed regulations, intended to further the purposes of the California Consumer Privacy Act of 2018 (CCPA).

This article was republished in the November 2019 issue of Data Protection Leader.

A new California privacy ballot initiative has been introduced by real estate developer and privacy rights advocate, Alastair Mactaggart.

While privacy laws are proliferating globally, the California Consumer Privacy Act (the CCPA) is California’s comprehensive and landmark legislation that seeks to give California consumers expanded rights to learn about and control certain aspects of how a business handles “personal information” collected about its consumers.

The Standing Committee of the National People’s Congress released the Encryption Law of the People’s Republic of China (Draft) for public comment on July 5, 2019 (the “2019 Draft”).

States across the country are enacting or proposing legislation to regulate the collection, storage, use and disclosure of biometric data.

The Cyberspace Administration of China (i.e., the Office of the Central Cyberspace Affairs of China) promulgated the draft Measures for Data Security Management (the Measures) for public comment on May 28.

This update has also been published in the February-March 2020, Vol. 6 No. 2 issue of Pratt's Privacy & Cybersecurity Law Report.

In recent years, the use of artificial intelligence (AI) solutions in every sphere of the economy has increased dramatically.

As more and larger data breaches come to light, states continue to update and expand their breach notification statutes, adding to the patchwork of notification obligations that now exists in every state.

The Federal Communications Commission recently adopted new measures to combat unwanted robocalls in a unanimous Declaratory Ruling and Further Notice of Proposed Rulemaking.

As if businesses did not have enough on their plates as they prepare for the California Consumer Protection Act and similar privacy laws in other states, manufacturers of Internet of Things (IoT) devices (objects that connect to the internet and collect and transmit data) must also comply with California and other states’ new IoT device security laws.

Nevada is the latest state to strengthen privacy laws to address the perceived need for more oversight of how companies handle personal data. On May 29, 2019, Nevada’s governor signed into law Senate Bill 220, which amends the state’s online privacy notice statute, Nev. Rev. Stat. Ann. § 603A.300 et. seq. The amendments provide consumers with the right to restrict an entity’s “sale” of covered information while also excluding certain entities from the statute’s application. The amendments become effective October 1, 2019.

Businesses that use chatbots to interact with customers online may be affected by California’s new Autobot Law (SB 1001) that goes into effect July 1, 2019.

The consequences of a data breach can be far-reaching. While the initial issues in the wake of a breach often involve investigation into the cause of the breach and sending notification to those affected (both of which are covered by most cyber insurance policies), coverage for certain types of third-party claims stemming from cyber breaches may be available under Commercial General Liability (CGL) insurance policies.

Perkins Coie surveyed 200 startup founders, technology company executives, investors and consultants on key challenges and opportunities in the immersive technology space.

The European Parliament approved several amendments to the European Commission’s proposed Regulation on preventing the dissemination of terrorist content online on April 17, 2019.

On April 9, 2019, the California Senate Judiciary committee voted to advance SB 561, which would expand the private right of action to any violation of the CCPA (not just for negligent breaches) and would eliminate a business’s 30-day right to cure.

When creating a privacy program, it is important to look ahead and think strategically about who your audience might be. For businesses that might find themselves under the scrutiny of regulators and judges because of a lawsuit, unwanted publicity, or data breach, it is critical to be able to demonstrate substantial compliance for the program they’ve implemented.

After conducting a data inventory a business should assess its risks by benchmarking its policies and practices with applicable privacy laws and regulations. Conducting a gap analysis is a critical tool in identifying compliance gaps and developing a plan to bridge those gaps.

To comply with the CCPA, you need to know your data. You need to know what personal information you collect, where it is collected and stored, and whether, to whom, and for what purpose, it is shared or sold. And to know your data, you need to conduct a thorough data inventory.

Often called the “wild west,” the cyber insurance marketplace offers a wide variety of policy forms that vary drastically in the scope of coverage provided.  This is further compounded by the relatively small amount of case law analyzing cyber policies and the quickly-evolving cyber risks that companies face.  Insurers are quick to deny coverage based on the many exclusions in cyber policies, often leaving policyholders with the option of either spending money to fight their insurer in court or accepting the carrier’s denial. 

The FAA published proposed rules on the Operation of Small Unmanned Aircraft Over People on February 13, 2019.

For any company handling personal information (PI), an incident involving unauthorized access of the PI may be a question of when and not if. The question then becomes: what does the company need to do?

Recent privacy laws and standards promote, and in some cases require, privacy by design. Simply put, companies are to incorporate privacy principles in and throughout all its products and services.

Washington state has joined the growing ranks of states considering data privacy legislation in the wake of the European General Data Privacy Regulation (GDPR) and the California Consumer Privacy Act (CCPA).

With the states taking the lead on privacy (see our tip here), the federal government is starting to get in on the action.

The California Office of the Attorney General (“OAG” or “Office”) held the first two of its six public hearings on January 8, 2019 in San Francisco and on January 14, 2018 in San Diego to solicit public comments and feedback in preparation for its rulemaking efforts under the California Consumer Privacy Act (“CCPA”).

As of January 3, 2019, the Federal Communications Commission (FCC) has suspended most of its operations for the duration of the government shutdown due to the agency’s exhaustion of available funds. This alert summarizes how and the extent to which the shutdown affects FCC operations, based on the FCC’s plan for orderly shutdown released on December 18, 2018 and Public Notice released on January 2, 2019.

Google won summary judgment in Rivera v. Google, a privacy class action alleging violations of the Illinois Biometric Information Privacy Act (BIPA). The case involved “face grouping,” a feature that enables Google Photos to automatically sort and group the photographs in a user’s private account, based on visual similarities between the images of faces in the photos. The court held that any alleged collection of “biometric information” or “biometric identifiers” stemming from this feature did not cause an injury-in-fact sufficient to confer Article III standing. This update summarizes the decision, which may be relevant to clients involved with biometric technology, as well as other clients facing litigation where a no-injury defense may be applicable.

There is often an upsurge in hacking and online scams during the holidays, and businesses are not always prepared to respond. This tip includes five key steps you can take immediately to protect and defend against breaches.

Privacy policies are meant for a host of audiences, including consumers, regulators and advocates. One way to make your privacy policy more accessible to consumers is to include a short form privacy notice at the start of a policy.

The CCPA creates eight consumer rights, eight corresponding business obligations and three independent business obligations.

Are you collecting, using or disclosing personal information (PI) of Canadian residents in the course of commercial activities? If so, you may be subject to Canada’s Breach of Security Safeguards Regulations (Regulations), under Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA). 

Beyond preparing for this year’s holiday rush, retailers around the country have started thinking about potential changes to their operations in response to California’s sweeping new consumer privacy law.

Known by many names, including business email compromise fraud, CEO or CFO fraud, impersonation attacks, or “Man-in-the-Email” scams, cyber-related frauds involving spoofed or otherwise compromised business electronic communications continue to be an increasingly pervasive threat to businesses of all sizes, including public companies.

The European Commission recently published its draft “Regulation on preventing the dissemination of terrorist content online.”

The United States Department of Transportation recently released its latest policy statement on automated vehicle technologies, Automated Driving Systems 3.0: Preparing for the Future of Transportation. 

On September 24, 2018, the French data protection authority, Commission Nationale de l’Informatique et des Libertés (CNIL), became the first data protection authority to issue written guidance on the intersection of the use of blockchain technology and the General Data Protection Regulation (GDPR).

The FTC announced settlements with four companies last month of the FTC’s claims that the companies engaged in deceptive trade practices by falsely claiming to be certified under the EU-U.S. Privacy Shield.

Does your company handle data analytics to target California consumers? If so, it is imperative that you pay close attention to the California Consumer Privacy Act (CCPA) that goes into effect on January 1, 2020. The CCPA goes well beyond the General Data Protection Regulation (GDPR); however, if you’ve achieved compliance with the GDPR, you are well on your way to achieving CCPA compliance.

On October 3, 2018, the Senate passed a bipartisan bill that will reauthorize the Federal Aviation Administration (FAA) for five years. The bill, which is referred to as the FAA Reauthorization Act of 2018 (H.R. 302), was previously passed by the House of Representatives. 

On June 28, 2018, California adopted the strictest general privacy and data security law in the country, called the “California Consumer Privacy Act” (codified in Assembly Bill 375), which will come into effect on January 1, 2020.

The Federal Communications Commission (FCC) recently adopted a number of orders and proposed rules affecting the availability and use of millimeter-wave spectrum for advanced fifth generation (5G) wireless networks.

This spring has brought a particularly active round of revisions to state data breach notification laws.

The European Union’s top court ruled last week that the operator of a Facebook fan page is a “joint controller,” along with Facebook, with respect to personal data collected on such pages.

Perkins Coie surveyed 140 startup founders, technology company executives, investors and consultants on key challenges and opportunities in the AR/VR space.

It would be unusual these days to find a hotel, coffee shop, cruise line or airline that doesn’t offer some form of internet access to its customers. It’s unlikely, however, that those businesses have had occasion to give much thought to the Stored Communications Act.

The American Bar Association’s 66th Antitrust Law Spring Meeting held earlier this month included many sessions on consumer protection.

The General Data Protection Regulation (GDPR), which is effective May 25, 2018, requires notification to European regulators within 72 hours of the discovery of many types of data breaches. This deadline requires speed and organization that no other jurisdiction currently requires, especially in the United States. Organizations that hold personal data of EU residents and do not have an incident response plan should promptly develop one so they can comply with the GDPR’s requirements.

Any individual, corporation, business trust, estate, trust, partnership, limited liability company, association, joint venture, government, governmental subdivision, agency, or instrumentality, public corporation, or any other legal or commercial entity (collectively, Entity) that owns or licenses computerized data that includes an IA resident’s PI that is used in the course of the Entity’s business, vocation, occupation, or volunteer activities and that was subject to a breach of security.

Last Friday, the U.S. Court of Appeals for the District of Columbia Circuit (D.C. Circuit) issued its long-awaited decision in ACA International v. Federal Communications Commission, No. 15-1211 (D.C. Cir. Mar. 16, 2018).

At this year’s PLI “SEC Speaks” conference held February 22-23, 2018, in Washington, D.C., the U. S. Securities and Exchange Commission’s senior leadership showcased its 2017 accomplishments, and previewed priorities for 2018 and beyond.

Highlighted in  Law360's: "In Case you Missed It:  Hottest Firms And Stories On Law360," on 03.02.2018.

The U.S. Securities and Exchange Commission (SEC) issued its first formal interpretative release on public company disclosure obligations relating to cybersecurity since the SEC Division of Corporation Finance’s guidance in 2011.

This update was republished in Bloomberg BNA's White Collar Crime Report on 03.16.2018, "New SEC Cybersecurity Guidance Reflects Clayton's 'Light Touch'," and Bloomberg's Big Law Business on 03.13.2018, "SEC on Cybersecurity: Jay Clayton’s “Light Touch."

Artificial Intelligence (AI) refers to a machine's ability to simulate human intelligence to perform tasks like planning, decision-making, and recognizing objects or sounds. Its use is not always obvious, but AI is now present in nearly every aspect of our lives—from our "smart" home products to our medical care, jobs, and businesses.

Last week, three U.S. Department of Transportation agencies issued requests for comment on ways to update federal regulations and policies to allow for the safe testing and deployment of autonomous vehicles.

In a sweeping deregulatory measure, the Federal Communications Commission (FCC) recently adopted a final order to repeal most of the net neutrality rules, known as the “Restoring Internet Freedom order”

On the eve of Thanksgiving, the FCC released a draft order to repeal its own net neutrality rules.

The Trump administration took its first major step to facilitate the deployment of automated vehicles with the Department of Transportation’s release of “Automated Driving Systems 2.0: A Vision for Safety,” an update to the 2016 Federal Automated Vehicle Policy.

2017 has reminded us that data security threats continue to evolve and that the stakes for companies can be very high if their data security programs fail to evolve as well.

Last year, the contentious net neutrality debate appeared to be finally settled when the U.S. Court of Appeals for the District of Columbia Circuit affirmed the FCC’s 2015 Open Internet Order.

Unsolicited robocalls are the top consumer complaint made to the Federal Communications Commission, which receives over 200,000 complaints a year.

New Mexico became the 48th state to enact data breach notification legislation with the Data Breach Notification Act, signed in April and effective as of June 16, 2017.

The House Subcommittee on Digital Commerce and Consumer Protection reached bipartisan agreement on July 19, 2017, regarding major aspects of legislation to address the testing and deployment of autonomous vehicles.

Since we published our previous update, the FCC has adopted a Notice of Proposed Rulemaking to begin the process of rolling back the rules and regulatory framework for net neutrality. 

Computer systems around the world have been impacted by the largest cyber-extortion attack in history.

This update has been republished in Computerworld on 05.30.2017, "Answering the WannaCry Wake-up Call."

New development: President Trump signed the Congressional Review Act (CRA) resolution of disapproval on April 3, 2017.

This update was republished in Cyberspace Lawyer.

As anticipated, the Republican members of the Federal Communications Commission are taking steps to pare down the 2016 Broadband Privacy Order now that they are in the majority.

Roughly two weeks since President Donald Trump’s inauguration, the new Chairman of the Federal Communications Commission, Ajit Pai, has taken steps providing further evidence that he plans to roll back FCC actions taken under former Chairman Tom Wheeler, including net neutrality and broadband privacy.

This update was republished in Law360 on 02.13.2017, "The Future Of Net Neutrality Under The New FCC."

In the days since the recent election, many tech, media and telecom industry observers remain unsure of what to expect from the Federal Communications Commission under the Trump administration.

Bluetooth beacons can be a powerful tool for customer engagement.

This year brought a wave of class action complaints alleging that national retailers are violating the New Jersey Truth-in-Consumer Contract, Warranty and Notice Act (TCCWNA), N.J.S.A. §§ 56:12-14 et seq., by including certain provisions in their online terms and other consumer-facing notices and agreements.

The FTC has no jurisdiction over common carriers even when they engage in non-common carrier activity, according to a recent U.S. Court of Appeals for the Ninth Circuit opinion.

The Federal Trade Commission unanimously (3-0) ruled on July 29, 2016 that LabMD’s data security practices were “unfair” under Section 5 of the FTC Act, reversing a decision of its Administrative Law Judge.

The spring legislative sessions this year brought a now-familiar round of revisions to data breach notification laws, with states broadening their laws in often divergent ways.

Perkins Coie’s Privacy & Security and Class Action Defense groups defend Telephone Consumer Protection Act (TCPA) cases throughout the country. This newsletter provides updates on litigation and regulatory developments regarding the Telephone Consumer Protection Act (TCPA).   View the full newsletter.

For two decades, the Federal Communications Commission (FCC) has relied on an inter-agency consulting process to evaluate matters before it that potentially raise issues of national security, foreign policy and trade policy.

On its third try, the Federal Communications Commission finally got the sweeping net neutrality court victory it had been seeking for years.

Consensus was reached in a proceeding of the NTIA of the U.S. Department of Commerce on a set of privacy best practices for the commercial and recreational use of unmanned aerial systems (UAS), more commonly referred to as “drones.” 

In a 6-2 decision, the Supreme Court held that the mere allegation of a statutory violation is not necessarily enough to create Article III standing.

Perkins Coie and Upload surveyed more than 650 startup founders, executives with established technology companies and investors on the future of augmented and virtual reality.

The American Bar Association held its 64th annual Antitrust Law Spring Meeting April 5–8, 2016, in Washington, D.C.  Over 3,000 practitioners, enforcers, economists and academics from around the world came together to discuss and share views on the hottest antitrust topics of the day.

As previously promised in last year’s Open Internet Order, the Federal Communications Commission (FCC or the Commission) has released a Notice of Proposed Rulemaking (NPRM) seeking comment on proposed privacy requirements for broadband internet access service providers.

Recently, the U.S. Supreme Court held in Campbell-Ewald Co. v. Gomez, 577 U.S. --- (2016), that a lawsuit is not moot after a plaintiff declines to accept an offer of judgment made by the defendant pursuant to Federal Rule of Civil Procedure 68.

Two days after the expiration of the informal deadline to replace the Safe Harbor Framework  invalidated by the Court of Justice of the European Union in October 2015, the EU and US have come to terms on a new framework—the “EU-US Privacy Shield.”

In four of the last five years, California’s legislature has updated its data breach notification law, expanding its scope and making the required notifications more specific.

After nearly four years of amendments and negotiations, the European Parliament, Council of the European Union and European Commission reached a political agreement on the proposed General Data Protection Regulation (GDPR) on December 15, 2015.

In what could be a major setback for the Federal Trade Commission (FTC) in the data security arena, an Administrative Law Judge (ALJ) has ruled that an unfairness claim brought by the FTC under Section 5 of the FTC Act requires a showing that substantial injury to consumers is probable, not merely possible, when there is no evidence of actual consumer injury.

The Department of Defense (DoD) issued an interim cybersecurity rule in August 2015 that, among other things, revises the existing Defense Federal Acquisition Regulation Supplement (DFARS) cybersecurity clause and increases security and reporting obligations for DoD contractors.

Many of the largest retailer data security breaches have been caused or enabled by the acts or omissions of retailers’ vendors, such as the widely publicized incident at Target Corporation.

The Court of Justice of the European Union (CJEU) issued its landmark decision in Maximillian Schrems v. Data Protection Commissioner on October 6, 2015, ultimately invalidating the U.S.-EU Safe Harbor Framework.

The SEC’s recent activity is part of a larger regulatory enforcement trend that should serve as a warning to all public companies that they would be wise to review and revise their cybersecurity policies, procedures and practices to ensure that they are adequate in today’s changing environment.

Since at least 2005, the Federal Trade Commission has asserted that it may regulate lax data security practices as an “unfair” business practice under Section 5 of the FTC Act. The Wyndham hotel chain was the first to challenge this authority in court. In a highly anticipated opinion, the U.S. Court of Appeals for the Third Circuit resoundingly agreed with the FTC that a failure to implement reasonable data security measures may constitute an unfair business practice under Section 5.

In a July 14, 2015 letter to PayPal, the FTC indicated that consent language buried within a “lengthy user agreement” does not satisfy the requirement under the Telemarketing Sales Rule (TSR) that companies obtain prior express consent before making automated or prerecorded calls (robocalls) for telemarketing purposes.

In last Friday’s long-awaited TCPA Omnibus Declaratory Ruling and Order (Order), the Federal Communications Commission (FCC or Commission) may have dramatically altered the landscape for TCPA class action defense.

The Bureau of Industry and Security (BIS) recently issued a proposed rule that would require an export license for specified cybersecurity items to all destinations, except Canada.

Four state legislatures closed their sessions with changes to their data breach notification laws, potentially imposing significant new compliance burdens.

Last week, an FCC divided on partisan lines adopted a Notice of Apparent Liability for Forfeiture and Order (the NAL) against AT&T with an unprecedented proposed penalty of $100 million as well as numerous other compliance obligations, marking the first time the agency has enforced its net neutrality transparency rule.

A simple yet highly effective and increasingly common cyber scam, based on social engineering and playing on fear, the desire to be helpful and other emotions, has caused U.S. companies of all sizes to lose millions of dollars in recent months.

During their spring 2015 legislative sessions, Washington, Wyoming, Montana, and North Dakota expanded their data security breach notification laws.

To improve customer experience and understand customers’ movements and interactions on their premises, retailers, hotels and other brick-and-mortar businesses increasingly use signals from mobile devices to observe their customers’ movements.

Privacy and data security are high priorities of the Federal Communications Commission (FCC) under the leadership of Chairman Tom Wheeler. In addition to significant enforcement actions against AT&T and TerraCom/YourTel that take a page out of the playbook of the Federal Trade Commission (FTC), the FCC’s recent Open Internet Order for the first time imposes the privacy obligations of Section 222 of the Communications Act of 1934, as amended (the Act) on broadband Internet service providers.

President Obama recently issued Executive Order 13694 (EO 13694 or EO), “Blocking the Property of Certain Persons Engaging in Significant Malicious Cyber-Enabled Activities.” EO 13694 is aimed at deterring cyber attacks, cyber espionage and cyber thefts, which have become increasingly common in recent years.

On February 15, 2015, the FAA issued its long-awaited notice of proposed rulemaking on small unmanned aerial vehicles (UAVs). Currently, federal law prohibits commercial use of UAVs without advance approval, typically through the so-called Section 333 approval process.

Target’s 2013 data breach has generated over 100 consumer lawsuits, which were consolidated last year before the U.S. District Court for the District of Minnesota. On December 18, 2014, Judge Paul A. Magnuson issued a decision on Target’s motion to dismiss the consolidated consumer cases.

During this busy holiday shopping season, retailers may end up facing litigation under the Telephone Consumer Protection Act (TCPA) for sending advertisements to consumers’ cell phones.

In this installment of “Perkins Coie Wrapping Papers,” we take inspiration from “The Twelve Days of Christmas” to provide an overview of the top twelve privacy and data security issues retailers should consider as the year comes to a close.

There isn’t an official Privacy Person of the Year award.  If there were, Edward Snowden almost certainly would have won it last year.  Instead, he finished in second place, behind Pope Francis, as TIME Magazine’s 2013 Person of the Year.  The honor goes to the person whom the editors of TIME believe has most influenced the news that year, whether for good or bad.  

The holidays are quickly approaching, and shoppers are expected to spend in excess of $600 billion this season. The holiday season is shaping up to become a winter wonderland for retailers.

California, Florida, Kentucky, and Iowa have changed their security breach notification requirements in the past few months.

As retailers prepare for the upcoming holiday shopping season, Perkins Coie’s Retail & Consumer Products industry group is proud to introduce its 9th annual “Perkins Coie Wrapping Papers.” These updates will highlight some of the legal issues retailers face during this critically important holiday shopping season.

In its newly published Fact Sheet on the Right to Be Forgotten, the European Commission has tried to dampen the negative reaction to the European Court of Justice (ECJ) Right to Be Forgotten decision by noting that the right is not absolute and that careful consideration of each case will be necessary before search engine operators will be required to censor search results:

While most people have focused on the free speech and implementation difficulties of the “right to be forgotten” announced by the European Court of Justice (ECJ) in Google Spain SL, Google Inc. v. Agencia Española de Protección de Datos [google.com] (Mario Costeja González), there are serious jurisdictional implications for the Internet, intermediaries and content publishers that largely have been ignored.

Google has taken the first step  to implement the “Right to be Forgotten” decision by the European Court of Justice (ECJ). It has provided individuals a form to complete to request that their personal information be removed from Search or Image Search results.

On April 22, the U.S. Department of Health and Human Services (HHS) announced settlements with both Concentra Health Services (Concentra) and QCA Health Plan, Inc. (QCA).  Through these latest settlements, HHS is reiterating its message to covered entities and business associates that laptops and similar devices containing electronic protected health information (ePHI) should be encrypted.

In a closely watched and first-of-its-kind case, the U.S. District Court for the District of New Jersey rejected, for purposes of a motion to dismiss, a defendant company’s argument that the Federal Trade Commission (FTC) lacks authority to regulate data security practices under Section 5 of the FTC Act.

The FCC last week issued two declaratory rulings interpreting the Telephone Consumer Protection Act (TCPA).  While the rulings in each are limited to the specific requests set forth in the petitions, they include broad language and reasoning that will be helpful for businesses looking for ways to reach their customers without running afoul of the TCPA.

The Southern District of California last month let 8 out of 51 claims survive in a putative class action arising out of the 2011 breach of the Sony PlayStation network.  In re Sony Gaming Networks & Customer Data Sec. Breach Litig., MDL 11MD2258 AJB MDD, 2014 WL 223677 (S.D. Cal. Jan. 21, 2014) (Sony II).

November 1, 2013 marks the start of new restrictions on Seattle employers’ use of criminal background checks for employment purposes.

Effective January 1, 2014, California residents must be notified when the information used to access their email or other online accounts is compromised in a data security breach incident.

On October 16, 2013, new rules promulgated by the Federal Communications Commission on June 11, 2012 implementing the Telephone Consumer Protection Act of 1991 go into effect regarding the requirements for prior written consent necessary to send text/sms marketing messages.

The final regulations implementing the Health Information Technology for Economic and Clinical Health (HITECH) Act were issued in January and compliance is required by September 23, 2013.

The Department of Health and Human Services (HHS) announced a settlement on August 14, 2013, with Affinity Health Plan (Affinity), a not-for-profit managed care plan, which included a payment of $1,215,780, for a HIPAA security violation caused by Affinity’s failure to remove Electronic Protected Health Information (EPHI) from the hard drive of a leased photocopier that was returned to the leasing company.

In December 2012, the Federal Trade Commission (FTC) adopted final amendments to the Children's Online Privacy Protection Act (COPPA) Rule, which regulates how companies may collect information online from children under 13.  Last month, the FTC also issued an updated set of Frequently Asked Questions regarding the revised COPPA Rule.  The revised COPPA Rule went into effect today, July 1, 2013, and will impact "operators" of certain websites and online services for a long time to come.

This is the latest opinion in the ongoing litigation arising out of a massive data breach suffered by Hannaford Bros. grocery stores. In re Hannaford Bros. Privacy Litigation, __F. Supp. 2d __, Case No. 2:08-MD-1954-DBH, 2013 WL 1182733 (D. Me. Mar. 20, 2013).

On April 3, 2013, the New York Times published an article about commercial databases that contain reports from retail employers about employees who were accused of stealing from their workplaces.

The U.S. Supreme Court unanimously ruled in Standard Fire Insurance Co. v. Knowles, 568 U.S. __, No. 11-1450, 2013 WL 1104735 (Mar. 19, 2013), that plaintiffs attempting to bring a class action lawsuit cannot escape federal jurisdiction by agreeing to seek less than $5 million in damages.

The Supreme Judicial Court of Massachusetts recently held that collecting a consumer's ZIP code at the point of sale may violate Massachusetts General Laws Chapter 93, Section 105(a) (Section 105(a)), which restricts the ability of retailers to collect personal identification information (PII) from consumers in connection with a credit card transaction.

A federal judge in the Northern District of California recently added to the growing list of cases rejecting attempts to recover damages resulting from data breaches.  In In re LinkedIn User Privacy Litigation, Case no. 5:12-CV-03088 EJD (March 6, 2013), the court dismissed a lawsuit brought by LinkedIn users who were upset over the June 2012 posting of 6.5 million stolen LinkedIn user passwords.

The California Supreme Court recently issued a landmark ruling in Apple Inc. v. Superior Court (formerly Krescent v. Apple Inc. in trial court proceedings), a case with wide-reaching implications for consumer privacy in e-commerce. The issue before the Court was whether California’s Song-Beverly Credit Card Act (the Act), which generally prohibits retailers from collecting or requesting personal identification information (PII) as a condition of accepting credit card payments, should apply to online retailers.

Federal law and most states only require one party to a phone call to consent to recording it, which means the person recording the call doesn’t need anyone else’s permission; however, a minority of states, including California, require all parties to a call to provide consent.  While you might think you are safe if you do the recording in a one-party consent state, like Georgia, California’s highest court has made clear that California law will apply no matter where you are located if you do business in California and record a call with a California client.  Kearney v. Salomon Smith Barney, Inc., 39 Cal. 4th 95 (2006).

Final implementing regulations for many provisions of the HITECH Act (Health Insurance Technology for Economic and Clinical Health Act) were issued by the Department of Health and Human Services recently, and will appear in the Federal Register on January 25, 2013. Informally referred to as the Omnibus Rule, the regulations address a number of changes to the HIPAA Privacy Rule, HIPAA Security Rule, HIPAA breach notification rule, HIPAA privacy and security enforcement provisions, Business Associate definition and agreement requirements, and the interaction between HIPAA and the Genetic Information Nondiscrimination Act.

Companies that accept online credit card payments should be keeping an ear very close to the ground for the California Supreme Court’s decision in Apple v. Superior Court (Krescent), expected within the next few weeks.  Depending on how the court rules, the case has the potential to spawn a flood of class actions against online retailers and change the way web payments are processed.

On December 19, 2012, the Federal Trade Commission (FTC) finalized amendments to the Children's Online Privacy Protection Rule (the Rule), which applies to operators of commercial websites or online services that (1) are directed to children under the age of 13 or (2) have actual knowledge that they are collecting personal information from a child under the age of 13.

Mobile point-of-sale payment terminals have experienced explosive growth over the past year.  Unlike a traditional point-of-sale terminal, a mobile terminal communicates wirelessly when processing payment cards.  There are different types of solutions in the market, but one popular type is an application within a mobile device, like a smartphone or tablet, that uses a hardware attachment to swipe payment cards.

On December 6, 2012, the California attorney general filed suit against Delta Airlines for failing to provide mobile application users with adequate notice of its privacy practices.

In a ruling that will impact certain aspects of how companies handle their SMS/text message promotional programs, on November 29, 2012, the Federal Communications Commission released a Declaratory Ruling regarding the Telephone Consumer Protection Act (TCPA) pursuant to a request by SoundBite Communications, Inc.

For the first time, online retail sales exceeded $1 billion on Black Friday and reached nearly $1.5 billion on Cyber Monday this year.  Analysts expect this increase in e-commerce to continue, and Forrester Research estimates that online sales this holiday season will exceed $68.4 billion—a 15 percent increase over 2011.

A Supreme Court decision long-awaited by the class action bar and businesses was a surprise non-event last Thursday when, seven months after hearing oral arguments in First American Financial Corp. v. Edwards, the Supreme Court issued an order dismissing the writ of certiorari in the case as improvidently granted.  The Supreme Court's per curiam order, presented without reasoning, left intact the Ninth Circuit's holding that a plaintiff who pled a statutory violation but not actual damages had standing under Article III of the U.S. Constitution, which requires that a plaintiff has suffered a concrete “injury in fact.”  The Supreme Court's decision means that, at least in the Ninth Circuit “[t]he injury required by Article III can exist solely by virtue of ‘statutes creating legal rights, the invasion of which creates standing.’”

A small cardiac surgery practice (two owners; currently five physicians) is the latest covered entity to enter into a settlement agreement and Corrective Action Plan (CAP) with the U.S. Department of Health and Human Services, Office for Civil Rights (OCR), to resolve alleged violations of the HIPAA privacy and security regulations.  In announcing the $100,000 settlement OCR Director Leon Rodriguez stated, "OCR expects full compliance no matter the size of a covered entity."

Several class action complaints filed in recent months take a novel approach regarding the requirements for website privacy policies under California's "Shine the Light" law.

BlueCross BlueShield of Tennessee (BCBST) has agreed to pay $1.5 million to the U.S. Department of Health and Human Services (HHS) and enter into a Corrective Action Plan (CAP) to settle alleged violations of the HIPAA privacy and security regulations. The enforcement action arose from the theft of 57 hard drives that contained audio and video recordings of customer service calls and included electronic protected health information (ePHI) of over one million individuals. The settlement resolves HHS’s first enforcement action in connection with the Health Information Technology for Economic and Clinical Health (HITECH) Act Breach Notification Rule.  The CAP also provides insight into the kinds of security measures HHS expects companies in possession of ePHI to have in place.

The European Commission's proposed "Regulation on the Protection of Individuals with Regard to the Processing of Personal Data and on the Free Movement of Such Data" offers a significantly higher level of legal harmonization and predictability across Europe, but at the price of more stringent requirements and availability of stricter sanctions.

Just as more professionals have started taking advantage of social media to develop and grow their business, the financial services industry is following suit.  However, given the highly regulated nature of this industry, financial services professionals must be aware of special regulatory considerations when utilizing social networking tools.

On January 6, 2012, the U.S. District Court for the Central District of California dismissed with prejudice Mehrens v. Redbox Automated Retail, LLC, a putative class action against Redbox alleging that Redbox violated California's Song-Beverly Credit Card Act by requesting ZIP codes and email addresses in connection with credit card transactions.

On September 15, 2011, the Federal Trade Commission (FTC) released the changes it is proposing to make to the Children’s Online Privacy Protection Rule (required by the Children’s Online Privacy Protection Act, or COPPA), which has been in effect since 2000. To address technological developments in the past decade, the FTC is recommending a number of changes.

Following the recent California Supreme Court’s decision in Pineda v. Williams-Sonoma Stores, Inc., 2011 WL 446921 (Cal. Feb. 11, 2011), numerous class action lawsuits have been filed under the Song-Beverly Credit Card Act of 1971, Cal. Civ. Code §§ 1747 et seq. ("Credit Card Act"), a state statute designed to protect the personal privacy of credit card users.  These lawsuits expose California businesses to considerable defense costs and the potential for substantial damages.  Law360 reports that in the wake of this ruling at least 30 proposed class actions have been filed in California, and many more are on the way.  That’s the bad news. The good news is that these claims may be covered under your Commercial General Liability ("CGL"), Errors and Omissions ("E&O"), or Directors and Officers ("D&O") Liability insurance policies.

On February 10, 2011, the California Supreme Court held that a customer's ZIP code is "personal identification information" ("PII") under the California Song-Beverly Credit Card Act of 1971 and that businesses cannot request and record a customer's ZIP code during a credit card transaction.

On December 18, 2010, President Obama signed the Red Flag Program Clarification Act of 2010.  Effective immediately, the act changes the definition of the word “creditor” in the FTC Red Flags Rule to exclude most professionals that take payment after rendering services.

The Federal Trade Commission (FTC) issued a staff report last week that calls on companies to more effectively protect consumer privacy. Stressing that current models for consumer privacy protections have failed to keep pace with technological growth and consumer expectations, the FTC proposes a framework intended to inform future laws and policies.

The U.S. District Court for the Western District of Washington granted Amazon.com's request for  declaratory judgment that the North Carolina Department of Revenue’s (the Department) information requests for the production of customer purchase records violated the First Amendment and the Video Privacy Protection Act (VPPA), 18 U.S.C. § 2710.  Amazon.com LLC v. Lay, No. C10-664-MJP, 2010 WL 4262266 (W.D. Wash. Oct. 25, 2010).

Employers are learning the hard way that gaining access to private employee information during workplace investigations can lead to lawsuits, liability and headaches.

In the featured article in E-Commerce Law Reports, Volume 9, Issue 4, Seattle associate Ryan Mrazik published an article examining Cohen v. Google Inc., in which a trial judge in New York state ordered Google to identify an anonymous person who had posted allegedly defamatory statements on a blog. Mrazik argues that the case was more about New York state civil procedures and the pleading requirements for defamation and less about the right to anonymous speech on the internet.

The FTC recently extended the enforcement deadline for the Red Flags Rule until November 1, 2009. The Rule was originally scheduled to go into effect on November 1, 2008, but on Wednesday, July 29, 2009, the FTC announced that it was delaying enforcement for the third time because a number of industries and entities within the FTC’s jurisdiction still expressed confusion and uncertainty about what types of entities would be subject to the Rule and what the Rule actually required of covered entities.

(republished by CIO, InfoWorld and IT World)
(The attached article/editorial reflects the personal opinions of its author(s) and does not necessarily represent the views of Perkins Coie.)

The recently enacted My Health, My Data Act (MHMD) will regulate the collection, use, sharing, analysis, and sale of health-related data of individuals in Washington state and beyond.

As technology continues to advance, the risk of cyber threats and information security breaches continues to rise. Businesses should stay current on cybersecurity and related class-action litigation developments, and take essential steps to protect themselves and consumer data.

Multidisciplinary panel of lawyers from Perkins Coie’s White Collar & Investigations, Privacy & Security, Labor & Employment, and Corporate & Securities practices discussed recent changes to the DOJ corporate criminal enforcement policies and their impact on business organizations and their compliance operations.

The conference’s stellar faculty—including senior government cybersecurity officials and nearly two dozen other legal and consulting luminaries in the field of ransomware response—will discuss the most important issues now facing attorneys and professionals who work in this area.

California was the first state in the country to provide a private cause of action to consumers whose sensitive personal information was exposed by data breaches.

California was the first state in the country to provide a private cause of action to consumers whose sensitive personal information was exposed by data breaches.

A webinar discussing recent legislative developments at state and federal level in the U.S., including recently introduced bills, the status of bills currently in the legislative process, and the continued prospect of a federal privacy law.

The U.S. International Trade Commission (ITC) can stop the importation of goods that infringe on U.S. intellectual property rights. With its expedited schedule and specialized procedures, the ITC resolves disputes quickly and issues remedial orders enforced at U.S. ports of entry by U.S. Customs and Border Protection (CBP) agents.

This Privacy for Retail roundtable discusses the new California Privacy Rights Act (CPRA) and its impact on the retail industry.

This webinar discussed managing company data privacy programs in a rapidly changing legal and regulatory environment, providing in-house and outside counsel perspectives on developing and handling the phases of compliance for a data privacy program and practical guidance on complying with the California Consumer Privacy Act (CCPA).

Customers today expect services and products to be personalized and relevant, which makes AI and machine learning in advertising even more important.

In this webinar, experts from across the industry discussed highlights from the survey findings and their expectations for the future of XR technology.

Amelia Gerlicher and Alexandria Bradshaw will explore trending attacks, review U.S. breach notification law, as well as share insight into recent legislative updates and the trends that continue to drive changes to state law.

Chinese businesses operating in the United States are subject to a variety of laws concerning the collection, use, and protection of customer information. An important recent law in this area is the California Consumer Privacy Act (CCPA).

Leading during a health pandemic requires strength, vision, and an ability to look around corners. Join us for a two-part webinar series that will highlight a variety of risks and opportunities that company leaders should be aware of as we navigate through major business changes.

Perkins Coie’s CCPA Week
This webinar will address enforcement risks under the CCPA, and how to manage compliance obligations to minimize litigation risk. Our speakers are class action litigators actively consulting clients in CCPA compliance. The topics will include, among other things, a discussion about the various enforcement mechanisms, notice and operational strategies to minimize risk, third party contracts, and exceptions and defenses to CCPA claims.

This webinar explores the steps policyholders can take now to address coverage issues presented by the CCPA. Topics include the types of policies that may respond to CCPA claims, how to negotiate favorable terms in your insurance policies and tips on loss management strategies.

Perkins Coie’s CCPA Week
This webinar will explore how the CCPA differs from the GDPR, how retailers can leverage existing compliance initiatives and governance programs to prepare for the CCPA and the unique challenges and opportunities retailers are likely to face in compliance efforts.

Partner John Roche provides an introduction to legal process issued under the Electronic Communications Privacy Act (ECPA), including a broad overview of the appropriate approach to requests for user data and content from governmental entities, as well as civil and criminal litigants.

A presentation with Perkins Coie LLP and the Zhonglun W&D Law Firm on key legal issues faced by companies doing business in the U.S. We shared practical insights based on our deep experience and understanding of the complex legal and business issues facing Asia-based companies doing business abroad.

A presentation with Perkins Coie LLP, Zhonglun W&D Law Firm and China Chamber of International Commerce on key legal issues faced by companies doing business in the U.S. We shared practical insights based on our deep experience and understanding of the complex legal and business issues facing Asia-based companies doing business abroad. 

A presentation with Perkins Coie LLP, Shanghai L&W Intellectual Property Law Office, Zhonglun W&D Law Firm and Shanghai Pudong Association for Investment & Financing on key legal issues faced by companies doing business in the U.S. We shared practical insights based on our deep experience and understanding of the complex legal and business issues facing Asia-based companies doing business abroad.

A presentation on the increasing prevalence of data security breaches and how discovery technology can expedite efficient and compliant response.

The 2016 Privacy + Security Forum breaks down the silos of privacy and security by bringing together seasoned thought leaders, regulators and consumer advocates for workshops and intensive deep dives into the cutting-edge issues involving data collection, use and management. Forum speakers, including Perkins Coie attorneys Tom Bell, Meredith Halama and Janis Kestenbaum, will engage the highly experienced audience in discussion, scenarios, and hands-on activities exploring new threats, laws and challenges. To learn more, visit www.privacyandsecurityforum.com. 

A presentation on the increasing prevalence of data security breaches and how discovery technology can expedite efficient and compliant response.

We will discuss the increasing prevalence of data security breaches and how discovery technology can expedite efficient and compliant response.

In this program, we discussed the increasing prevalence of data security breaches and how discovery technology could expedite efficient and compliant response.

Many interactive gaming platforms and sites provide users the ability to communicate with other users through chat or other messaging systems, or allow their users to store and process data in the service. The Electronic Communications Privacy Act ("ECPA") is the federal law that regulates how these types of services can access, use, and disclose information about their users and the communications users send through or store in the service. This session will provide a high-level overview of ECPA.

In the last decade, the business world has been transformed by the availability of an overwhelming amount of information. The collection of personal information and dependence on systems creates an obligation of companies to protect the personal information of their customers, employees, and partners.