The Federal Trade Commission (FTC) has made it clear: data privacy and cybersecurity are now a priority, and will be for years to come. In the wake of PrivacyCon 2021, the FTC’s sixth annual privacy, cybersecurity and consumer protection summit, held this summer, the FTC finally took official and sweeping action on privacy and cybersecurity. In particular, the Commission recently designated eight key areas of focus for enforcement and regulatory action, three of which directly implicate privacy, cybersecurity, and consumer protection. Below, we discuss the FTC’s action and what it means for businesses, the three key areas of interest to consumer privacy that are now in the FTC’s spotlight, as well as their relation to state privacy legislation and their anticipated impact to civil litigation. Full details on PrivacyCon 2021 and the FTC’s resolutions following the summit can be found on the FTC’s website, linked here for your convenience.

The FTC’s Actions and Areas of Focus

In mid-September, the FTC voted to approve a series of resolutions, directed at key enforcement areas, including the following, each discussed in further detail below:

  • Children Under 18: Harmful conduct directed at children under 18 has been a source of significant public concern. Now, FTC staff will similarly be able to expeditiously investigate any allegations in this important area.
  • Algorithmic and Biometric Bias: Allows staff to investigate allegations of bias in algorithms and biometrics. Algorithmic bias was the subject of a recent FTC blog.
  • Deceptive and Manipulative Conduct on the Internet: This includes, but is not limited to, the “manipulation of user interfaces,” including but not limited to dark patterns, also the subject of a recent FTC workshop.

The approval of this series of resolutions will enable the Commission “to efficiently and expeditiously investigate conduct in core FTC priority areas.” Through the passage of the resolutions, the FTC has now directed that all “compulsory processes” available to it be used in connection with COPPA enforcement. This omnibus resolution mobilizes the full force of the FTC for the next ten years and gives FTC staff full authority to conduct investigations and commence enforcement actions in pursuit of this goal. The FTC has offered very little elaboration, however, on how it will use such “compulsory processes,” which include subpoenas, civil investigative demands, and other demands for documents or testimony.

What does seem clear, however, is that the FTC is buckling down on the enforceability of its own actions. Previous remarks by Chair Lina M. Khan before the House Energy and Commerce Committee expressed frustration at the frequent hamstringing of the agency at the hands of courts in its enforcement efforts in the past. With this declaration of renewed energy, the FTC is summoning all the power it can to do its job, and we should expect to see an energized FTC kick up its patrol efforts in the near future. Businesses that conduct activities that implicate these renewed areas should be aware of the FTC’s focus and penchant for investigations and enforcement in such areas.

Children Under 18

The FTC’s mandate to focus on harmful conduct directed at children under 18 is a signal that the Commission plans on broadening and doubling down on its already active enforcement efforts in this area. Areas of the Commission’s prior and current focus on children include marketing claims, loot boxes and other virtual items that can be purchased in games, and in-app and recurring purchases made by children without parental authorization. Most importantly, the FTC is the main arbiter of children’s online privacy through its enforcement of the Children’s Online Privacy Protection Act (“COPPA”), but that law only applies to children under 13 (i.e., 12 and under).  With this new proviso to focus on children under 18, we can certainly expect the FTC to focus on consumer privacy issues, broader than COPPA, for children from ages 13 to 17 as well.

Algorithmic and Biometric Bias

The FTC already has enforcement capabilities to regulate the development and use of artificial intelligence (“AI”) and its associated algorithms. These include Section 5 of the FTC Act, which prohibits “unfair or deceptive acts or practices,” the Fair Credit Reporting Act, which rears its head when algorithms impact lenders’ decisions to provide credit, and the Equal Opportunity Credit Act, which prohibits the use of biased algorithms that discriminate on the basis of race, color, sex, age, and so on when making credit determinations. In using these tools, the FTC aims to clarify how algorithms are used and how the data that feeds them contributes to algorithmic output, and to bring to light issues that arise when algorithms don’t work or feed on improper biases.

Bias and discrimination arising from use of biometrics will also now be a focus of the FTC. Interestingly, much recent research and criticism has pointed out that algorithms and biometric systems are biased against faces of color. This has arisen in many contexts, from the iPhone’s FaceID feature to the 2020 remotely-administered bar exam that threatened to fail applicants of color because their webcams could not detect their faces. These are just some of the issues that arise when companies turn to algorithms to try to create heuristics in making business decisions. The FTC has not let these concerns go by the wayside, and after preliminarily addressing them in an April 2021 blog post, has now reestablished that algorithmic and biometric bias is a new focus for the upcoming years.

Notably, AI and other automated decision-making, particularly that which results in legal and/or discriminatory effects, will also become regulated under omnibus privacy legislation in California, Virginia, and Colorado, forthcoming in 2023.

Deceptive and Manipulative Conduct on the Internet (Including “Dark Patterns”)

The sinisterly-nicknamed practice of “dark patterns” happens constantly to online consumers, albeit in ways that tend to seem benign. For example, shoppers contemplating items in their cart may be pressured to complete the sale if they receive a notification like, “Hurry, three other people have this in their cart!” More annoyingly, online consumers who wish to unsubscribe to newsletters or email blasts may find themselves having to click through multiple pages just to free their inboxes, rather than an easily-identifiable and quickly-accessible “unsubscribe” button. “Dark patterns” is the term coined for these sorts of techniques, which impair consumers’ autonomy and create traps for online shoppers.

Earlier this year, the FTC hosted a workshop called “Bringing Dark Patterns to Light,” and sought comments from experts and the public to evaluate how these dark patterns impact customers. The FTC was particularly concerned with harms caused by these dark patterns, and how dark patterns may take advantage of certain groups of vulnerable consumers. The FTC is not alone in its attention to this issue; in March, California’s Attorney General announced regulations that banned dark patterns and required disclosure to consumers of the right to opt-out of the sale of personal information collected through online cookies. These regulations also prohibit companies from requiring consumers who wish to opt out to click through myriads of screens before achieving their goals. On the opposite coast, the weight-loss app Noom now faces a class action alleging deceptive acts through Noom’s cancellation policy, automatic renewal schemes, and marketing to consumers.

With both public and private entities turning their eyes toward dark patterns, the FTC has now declared the agency will put its full weight behind seeking out and investigating “unfair, deceptive, anticompetitive, collusive, coercive, predatory, exploitative, or exclusionary acts or practices…including, but not limited to, dark patterns…” Keeping an eye on this work will be important—just as important as keeping an eye on which cookies you accept, and which are best to just let go stale.

In addition to being in the crosshairs of the FTC, dark patterns are also a focus of regulators across the globe, including in Europe, and will be regulated under California’s forthcoming California Privacy Rights Act.

Anticipated Litigation Trends

With the FTC declaring its intent to vigorously investigate these three aforementioned areas, we now turn to what the agency’s new enforcement priorities mean for civil litigation. As practitioners in this field already know, it is unlikely that they will result in an influx of new litigations. The FTC’s enforcement authority exists pursuant to Section 5(a) of the FTC Act, which outlaws “unfair or deceptive acts or practices in or affecting commerce,” but does not contain a private right of action – so plaintiffs cannot technically bring new suits based on the new enforcement priorities, as they have no private right to enforce those priorities.

However, these areas of focus could influence broader trends in civil litigation, even if, on their own, they do not create any new liability. Successful enforcement actions by the FTC could bring about new industry standards with respect to algorithmic bias, dark patterns, and other areas of focus. These standards, in turn, could be cited in consumer privacy class action complaints. New civil actions could also stem from enforcement actions by the FTC and the information revealed in settlements resulting from such actions. For example, the FTC announced a settlement with fertility-tracking app Flo Health Inc. in January; this month, a consolidated class action complaint was filed against Flo Health, stemming from seven proposed class actions filed against it this year, alleging that the app unlawfully shared users’ health information with third parties.

Although the FTC’s new enforcement priorities seem ambitious, recent developments may impede its capability to bring enforcement actions in these areas. The agency was dealt a blow in April of this year, when the Supreme Court ruled in AMG Capital Mgmt., LLC v. FTC that the agency lacks power to seek monetary recovery under Section 13 of the FTC Act. Legislation to restore this power to the agency passed the House, but is awaiting a Senate vote. More recently, the Senate voted to advance the nomination of Rohit Chopra, currently a Democratic Commissioner, to lead the Consumer Financial Protection Bureau. The White House announced that President Biden will nominate Alvaro Bedoya, a privacy scholar and expert with expertise in surveillance and data security, to fill Commissioner Chopra’s seat. As Commissioner, likely priorities for Bedoya include the FTC’s enforcement of various privacy laws, including the Fair Credit Reporting Act and the Gramm-Leach-Bliley Act, which could further impact litigations brought under those statutes.

Unlike the European Union and many other jurisdictions, the US does not have a holistic, comprehensive federal law generally regulating privacy and the collection, processing, disclosure and security of “personal information” (PI) (typically defined as information that identifies, relates to, describes, is reasonably capable of being linked to, a particular individual). Rather, a patchwork of

Today the CPW team expanded with a three-lawyer, bi-coastal team from BakerHostetler, based in the firm’s Los Angeles, New York and Miami offices.  Their arrival comes on the heels of the firm welcoming Alan L. Friel as Deputy Chair of the Data Practice from BakerHostetler.

The new team comprises: counsel Kyle R. Fath (New York); senior associate Kyle R. Dull (New York and Miami); and associate Niloufar Massachi (Los Angeles).

“Speaking from personal experience, this is a dynamic team that will give clients a powerful advantage in creating and implementing data privacy compliance programs, commercializing data, assessing cybersecurity risk and responding to incidents and addressing regulatory changes and enforcement actions,” said Mr. Friel.  “Kyle, Kyle and Nilou, collectively, bring an enriched perspective to the table, blending industry and public sector experiences that complement the complex work the Data Practice is handling.  The team also counsels clients on advertising and sales practices, and has substantial experience with digital advertising and AdTech matters.”

Mr. Fath, CIPP/US, has developed a practice that offers a unique blend of deep experience in counseling companies through compliance with data privacy laws such as the CCPA, drafting and negotiating technology agreements, and advising on the privacy, IT, and IP implications of M&A and other corporate transactions.  His practice has a particular focus on the ingestion and sharing of data, the implications of digital advertising (as companies look toward the so-called “cookieless future”), and assisting clients through the build out of e-commerce and other global online platforms.

Mr. Dull, CIPP/US, draws on extensive experience investigating and prosecuting privacy and advertising law violations to advise clients on their own data privacy, cybersecurity, and advertising risks.  As a former assistant attorney general, he has a solid understanding of consumer protection laws, as well as domestic and international privacy laws, enabling him to counsel clients on technical, contractual, intellectual property and regulatory issues while balancing commercial and consumer interests.  Additionally, Mr. Dull has experience defending and resolving privacy and advertising enforcement actions throughout the country.

Ms. Massachi, CIPP/US, focuses her practice on data privacy and protection, advertising, sales and digital media practices counseling, technology transactions, cybersecurity and breach response, and consumer protection law.  Her experience includes substantive research and analysis on and application of data privacy laws, including the CCPA, CPRA, the California Shine the Light Act, the California Online Privacy Protection Act (CalOPPA), the Video Privacy Protection Act (VPPA), and the Children’s Online Privacy Protection Act (COPPA).  Ms. Massachi draws on her experience to counsel clients on the development and implementation of information governance and compliance programs, including on conducting data inventory and mapping.  She regularly drafts policies and procedures for providing consumer data privacy transparency and choice as well as drafts and negotiates privacy and data security provisions for various types of multiparty agreements.  Ms. Massachi also advises clients on digital media and advertising consumer protection programs, such as enhanced notice requirements for cross-device interest-based advertising and the collection of precise location data.

Welcome all!

Rounding out 2020 a federal court right before Christmas squelched a significant litigation concerning alleged violations of children’s privacy rights brought against the operator of a video sharing platform and channel operators (including Cartoon Network, Inc., DreamWorks Animation LLC, Hasbro Studios LLC, and Mattel, Inc., among others).  Hubbard, 2020 U.S. Dist. LEXIS 239936 (N.D. Cal. 2020).  The court held that plaintiff’s common law privacy and other state law claims were preempted by the Children’s Online Privacy Protection Act (“COPPA”).  However, it was not a complete win for defendants—the court allowed the plaintiffs “the opportunity to amend the complaint to allege facts showing that Defendants’ conduct amounts to more than solely a violation of COPPA’s requirements.”  Read on below.

Particularly with COVID-related shutdowns, the popularity of video sharing platforms has reached an all-time high this year.  For many of them, as was the case in this litigation, any individual can share videos through use of various social media accounts without registering with the video sharing platform itself.  Often, there is no age verification required to view videos.  As parents already know, it is commonplace for companies that manufacture and market products for children (e.g., toy companies) to upload content such as music videos, videos of kids unwrapping toys, and the like.  As parents may not already know, however, the operators of those video sharing platforms collect the personal information of users through the use of cookies.  These can track websites a user has visited and the amount of time spent on those websites, among other things.  This information is then utilized and sold for advertising purposes (as allegedly occurred in Hubbard with the personal information of kids viewing video content produced by defendants).

Which is where COPPA comes in.  What is COPPA?  Generally speaking, it provides that “[i]t is unlawful for an operator of a website or online service directed to children, or any operator that has actual knowledge that it is collecting personal information from a child, to collect personal information from a child in a manner that violates the regulations prescribed [by the Federal Trade Commission].”  15 U.S.C. § 6502(a).  COPPA applies to any operator of a commercial website or online service directed to children under thirteen years of age that collects, uses, and/or discloses personal information from children.

Additionally, the FTC has interpreted COPPA’s definition of “website or online service” to include individual channels on a general audience platform—according to the FTC, “content creators and channel owners” are both “standalone ‘operators’ under COPPA, subject to strict liability for COPPA violations.”  (emphasis added).  In order to determine whether a website or online service is “directed to children” the FTC is to “consider [the website’s or online service’s] subject matter, visual content, use of animated characters or child-oriented activities and incentives, music or other audio content, age of models, presence of child celebrities or celebrities who appeal to children, language or other characteristics of the Web site or online service, as well as whether advertising promoting or appearing on the Web site or online service is directed to children.”  16 CFR § 312.2.

COPPA contains a preemption provision: “[n]o State or local government may impose any liability for commercial activities or actions by operators in interstate or foreign commerce in connection with an activity or action described in this chapter that is inconsistent with the treatment of those activities or actions under this section.”  15 U.S.C. § 6502(d) (emphasis added).

Well, in Hubbard the parties agreed for purposes of defendants’ motion to dismiss that all of plaintiff’s claims are premised on violations of COPPA (although plaintiff argued that their claims allege independent state law violations fully consistent with, but not identical to, COPPA).  Defendants contended that plaintiff’s claims were preempted under Section 6502(d) of COPPA.

While plaintiff asserted that: (1) COPPA’s statutory text only preempts state laws that are “inconsistent” with COPPA, (2) the application of the state law claims brought by plaintiff did not pose “obstacles” to the enforcement of COPPA, and (3) the state laws at issue did not make it “impossible” for defendants to comply both with COPPA and the state laws, the court disagreed.  The reason for this was simple: the court held that the plain text of the statute “clearly indicates Congress’s desire to expressly preempt plaintiffs’ state law claims.”

Another day, another privacy litigation bites the dust at the pleadings stage (although stay tuned to see if plaintiff amends the complaint).  While there is not yet a broadly applicable federal privacy law, the patchwork of federal privacy laws (including COPPA) will continue to impact the course of privacy litigations involving state law claims.  CPW will be there.  Stay tuned.

Lydia de la Torre is a frequent CPW contributor with deep insight and knowledge on cutting edge developments in data privacy and cybersecurity.  For some of the fantastic pieces she has co-authored recently, see here and here.  Well, we are very pleased to share that the legal publication Daily Journal has selected Lydia among California’s top cybersecurity lawyers. She is one of only 20 named to the list, recognizing individuals at the “cutting edge of cybersecurity who advise companies on best practices and on navigating legal and regulatory mandates on privacy and data security.”

In her profile, the Daily Journal highlighted Lydia’s work in conducting assessments of the applicability of the CCPA for mid-sized and larger law firm clients, and evaluating the role they should take under the act. The publication also noted her work for US K-12 schools, advising on the applicability of and compliance with the FERPA and other relevant state laws, including the establishment of “viable processes to obtain verifiable parental consent where applicable” and drafting contractual language with respect to the Children’s Online Privacy Protection Act (COPPA).  Dual-qualified in California and Madrid, Spain, Lydia brings a unique expertise and enhanced ability to advise clients on compliance strategies in regard to US federal and state privacy laws – particularly CCPA and CPRA – while drawing on her GDPR knowledge to serve as a bridge to the EU for clients with global requirements.  Lydia has been called to testify before the California Senate Judicial Committee and consulted in regard to the drafting of privacy laws, and several of her suggestions have been incorporated into the text of these laws, including into CCPA and CPRA.

Congratulations Lydia, for this well-deserved recognition.  CPW is proud to have you as a colleague.

Yesterday the Federal Trade Commission (“FTC”) issued its Fiscal Year 2020 Agency Financial Report (the “Report”) which describes the agency’s key program performance for FY 2020.  As readers of CPW already know, the FTC is an independent U.S. law enforcement agency charged with protecting consumers and enhancing competition across broad sectors of the economy.  The FTC’s primary legal authority comes from Section 5 of the Federal Trade Commission Act (“FTCA”), which prohibits unfair or deceptive practices in the marketplace.

Because the Report highlights FTC activity aimed at protecting privacy and promoting consumer data security (with resulting impacts on data privacy litigation), CPW covers key takeaways below.  They include:

  • Classifying data privacy and cybersecurity as “agency mission challenges”: The Report states that “[i]n today’s increasingly complex economy, the FTC stands as a champion for competition and consumers.”  The Report cautions that the FTC is “prepared to respond with vigorous law enforcement” to “unfair or deceptive practices related to privacy and data security.”  The Report affirms that the “FTC will continue to prioritize . . . protecting consumer privacy and improving data security, including combating identity theft”.
  • Continuing scrutiny of unfair and deceptive practices relating to the security and privacy of consumer personal information: The Report cautions that “[t]he FTC will continue to take a leading role in efforts to protect consumers from unfair or deceptive practices related to the security and privacy of their personal information, while preserving the many benefits that technological advances offer.  The agency will stop unfair and deceptive consumer privacy and data security practices through law enforcement and will promote strong and balanced privacy and security protections through policy initiatives”.
  • Potential future focus on health apps and COPPA enforcement: The Report also highlights that the FTC this year hosted its fifth annual PrivacyCon.  The event focused on the privacy of health data collected, stored, and transmitted by mobile applications.  Going forward, the Report also provides that the FTC will bring “appropriate enforcement actions” against entities that violate the Children’s Online Privacy Protection Act (“COPPA”) Rule.  [Note: the COPPA Rule imposes certain requirements on operators of websites or online services directed to children under 13 years of age, in addition to other requirements].

The future is uncertain, but at least insofar as the FTC is concerned it is clear data privacy and cybersecurity will remain top of mind going into 2021.  For more developments in this area, stay tuned: CPW will be there to keep you informed, in real-time.

 

Part I:  First, Check Your Rear-View Mirror

“[M]odern enterprise and invention have, through invasions upon . . . privacy, subjected [people] to mental pain and distress, far greater than could be inflicted by mere bodily injury.”[1]

Legal commentators today commonly characterize data privacy and cybersecurity litigation as a “tidal wave”[2] approaching the proportion of a “tsunami.”[3]  But consumer privacy litigation is nothing new, and recent legislation has so far not meaningfully altered much other than the zeitgeist.  Privacy litigation in the United States was born from the Supreme Court’s recognition that certain privacy rights are fundamental.  Indeed, as far back as 1890, Justices Warren and Brandeis predicted that modern advancement and technology would necessarily invade basic privacy interests in ways that would demand legal intervention.[4]

Protection of an individual’s expectation of privacy is a bedrock principle upon which the United States was founded.  Americans have always valued and sought to shield their privacy in a variety of contexts.  This encompasses the varied privacy rights protected by the Bill of Rights, including the First Amendment (protecting every citizen’s privacy of beliefs), the Third Amendment (protecting privacy of the home), the Fourth Amendment (protecting the privacy of the person from unreasonable searches and seizures) and the Fifth Amendment (with the bar on self-incrimination protecting the privacy of personal information).

The Supreme Court has upheld and reinforced these protections with the recognition of privacy as a fundamental constitutional right, most notably during the Warren Court.  In Griswold v. Connecticut, the Court observed “zone of privacy created by several fundamental constitutional guarantees” including those referenced in the Bill of Rights.  381 U.S. 479, 485 (1965).  The Court reiterated a similar sentiment in Stanley v. Georgia, declaring that “also fundamental is the right to be free, except in very limited circumstances, from unwanted governmental intrusions into one’s privacy.”  394 U.S. 557, 564 (1969) (citing Olmstead v. United States, 277 U.S. 438, 478 (1928) (Brandeis, J., dissenting) (“The makers of our Constitution undertook to secure conditions favorable to the pursuit of happiness . . . They conferred . . . the right to be let alone—the most comprehensive of rights and the right most valued by civilized man.”)).

The Court further embraced and entrenched the right to privacy in the seminal case, Roe v. Wade, announcing that “a right of personal privacy, or a guarantee of certain areas or zones of privacy, does exist under the Constitution.”  410 U.S. 113, 152 (1973).  Of course, the Supreme Court has continued to develop and refine notions of privacy, including as to informational privacy, well into the modern era and the Roberts Court.  See, e.g., Carpenter v. United States, 138 S. Ct. 2206 (2018) (holding that collecting extensive, historical cell phone location information by the government is a search requiring a warrant).

Numerous federal and state statutes followed the Supreme Court’s early recognition of individual privacy rights to specify the prevention of such things as the mishandling and misuse of certain types of personal information and to decry the surreptitious intrusion into private communications.  This is in addition to many states (including California) that specifically recognize the right to privacy in their constitutions.  The California Consumer Protection Act (“CCPA”) is just the most recent example.  Although some herald the CCPA as marking a new era, many privacy statutes long predate the CCPA and current notions of so-called “data” privacy rights.  Examples of this earlier lawmaking include the Fair Credit Reporting Act (“FCRA”), which became effective five decades ago, in 1970.

The FCRA was the first federal law enacted to regulate the privacy of personal information compiled by businesses, specifically credit reporting agencies.  Other statutes followed and expanded this statutory protection to ensure the privacy of various additional categories of information ordinarily held in confidence by individuals.  Among other things, laws were passed to protect private information in the context of healthcare (the Health Insurance Portability and Accountability Act (“HIPAA”)).  In the present context of discussing data privacy rights, it is also especially noteworthy that more than two decades ago Congress passed the Children’s Online Privacy Protection Act (“COPPA”) to protect data accessible online relating to users who are children aged 13 and under.

States have also enacted special protections of privacy rights, with some predating even early federal action, such as the California Confidentiality of Medical Information Act (“CIMA”) and the California Invasion of Privacy Act (“CIPA”) passed in 1967.  Like the CCPA garnering so much attention today because of its purported novelty, these laws enacted more than 50 years ago were passed to protect against the “invasion of privacy resulting from the continual and increasing use of [modern] devices and techniques” that were perceived to “create[] a serious threat to the free exercise of personal liberties and cannot be tolerated in a free and civilized society.”   Cal. Pen. Code § 630.

The CCPA may be a new statute targeting data privacy, but its future enforcement and the anticipated strategies for handling it in litigation can be relatively easily divined by those who are knowledgeable about and fluent in the decades-old privacy laws that have already been litigated and shaped by the courts.

History teaches us that the enactment of privacy laws precedes the birth of novel consumer privacy litigation.  In this context, the identification of the CCPA as preordaining a tidal wave of data privacy litigation is unsurprising and no different from how other privacy laws greeted the courts.  For example, after the passage of the FCRA in 1970, individual plaintiffs promptly invoked the statute to seek relief in court.[5]  Since its early beginning, FCRA litigation has grown from single-plaintiff actions to a class-action machine with nearly 5,000 FCRA cases filed in federal court in 2019 alone—an 8.9 percent increase in filings over 2018.[6]  Although many ambiguities and legal questions lurk in corners of the CCPA, a good student of history enjoys superior tools to predict, prepare and pivot in the face of litigation premised upon this new statute.

In Parts 2 and 3, we will discuss the evolution of some of these defense theories in consumer privacy litigation—both successful and unsuccessful—and what types of defense theories can be expected in the years to follow this evolving “data” privacy litigation battle.  We will also discuss novel prosecution theories that could surface in the coming years, especially from competitors.

[1] Barren, Warren and Brandeis, The Right To Privacy, 4 Harv. L. Rev. 193, 196 (1890) (advocating for tort relief for individuals whose private affairs were disclosed without consent).

[2] https://www.law.com/thelegalintelligencer/2020/01/27/a-tidal-wave-of-change-plaintiffs-firms-are-tapping-data-analytics-but-some-are-still-reluctant/

[3] https://www.jdsupra.com/legalnews/the-coming-wave-of-california-consumer-13751/

[4] See supra note 1.

[5] See, e.g., Rasor v. Retail Credit Co., 87 Wash. 2d 516, 520 (1976) (confronting allegations by a small business owner against a consumer reporting company that purportedly failed to follow reasonable procedures under FCRA, and prompting the court to note that “[t]his important federal program for the protection of consumers was a Congressional response to documented abuses in the previously self-regulated credit reporting industry”).

[6] See https://webrecon.com/webrecon-stats-for-dec-2019-and-year-in-review-how-did-your-favorite-statutes-fare/

On October 10, 2019, the California Attorney General (California AG) issued the long-awaited California Consumer Privacy Act (CCPA) Regulations (Proposed Regulations), along with an Initial Statement of Reasons (ISOR) explaining the Proposed Regulations. These Proposed Regulations not only fill in statutory gaps, but also create several substantive new requirements. Companies may submit comments through December 6, 2019, and several public hearings will be held in the first week of December. Our Data Privacy & Cybersecurity Practice can assist you in drafting comments to the California AG during this public comment period.