If you are one of the many small or solo franchisees, subsidiaries, and affiliates of larger businesses, you may think the California Consumer Privacy Act (CCPA) does not apply to your separate business entity because it does not meet one of the three threshold criteria for CCPA coverage: (1) your annual revenue is under $25 million; (2) you do not annually collect the personal information of 50,000 or more California residents, households or devices; and (3) you are not in the business of selling information. But upon closer inspection, you may be disappointed to learn that California’s groundbreaking new privacy law, which became effective January 1, 2020, may still apply to you based on a potentially broad "control" test.
Governor Gavin Newsom just signed into law two amendments to the California Consumer Privacy Act (CCPA) that will have a direct impact on employers doing business in the state. The new amendments, signed on October 11, 2019 and taking effect on January 1, 2020, require covered businesses meeting a certain revenue threshold or other criteria to implement policies and procedures that provide consumers – which includes employees – certain privacy rights not previously available under existing law.
As we are early into the new year, for many, hope springs eternal to get in shape during 2018. Many of us wear some kind of fitness activity tracker that monitors steps, heart rate, calories, sleep patterns, etc. Recent news coverage of Strava, the running and cycling fitness tracking app, has caused concern for the United States military. But might it cause concerns for some businesses that operate under high levels of security, as well?
The EU’s General Data Protection Regulation (“GDPR”) goes into effect on May 25, 2018. It is a mammoth regulation and perhaps the most significant European data protection legislation in more than 20 years. In fact, the European Commission just released a new website to help stakeholders, including businesses, with implementation. With its global reach, applying to any organization that processes the personal data of individuals within the EU regardless of where the data lands, GDPR compliance is top-of-mind for executives of multinationals. Despite U.S.-based multinationals spending millions of dollars and thousands of hours preparing for GDPR since it was announced two years ago, a recent survey by MediaPro reveals that more than half of U.S. employees have never heard of the regulation.
A bi-partisan privacy and data security bill, which will significantly impact companies with North Carolina employees, is in the works. North Carolina State Representative Jason Saine (R), Appropriations Chairman of Information Technology, has joined with North Carolina Attorney General Josh Stein (D) to strengthen protections against identity theft in North Carolina. The unique pair are co-authoring a bill titled “The Act to Strengthen Identity Theft Protections” (the “Bill”). Through the Bill, the authors desire to provide stronger protections without hampering innovation in the private sector.
In today’s world, where lots of sensitive data are stored electronically, prudent companies utilize sophisticated computer cyber security systems to prevent the hacking of such data. They likely also require employees to password-protect their phones and, perhaps, even download security software applications on them for added protection. But how many companies have considered and addressed potential data vulnerabilities posed by company and employee cars? Likely not many, but it appears many should.
On Friday, July 21, users of the “married dating” website, ashleymadison.com, received preliminary approval of an $11.2 million class action settlement. This settlement seeks to resolve a number of consolidated lawsuits against Avid Life Media, some of which also named the owners and operators of the website. This settlement will conclude all the civil claims against Avid Life Media and a number of individually named owners and operators of the business arising from the data breach that brought the website to heightened notoriety in 2015. This $11.2 million class action settlement is separate from the Federal Trade Commission’s $1.6 million settlement with Ruby Corp., Avid’s parent company, which resolved charges that customers had been misled, not only with regard to the retention of private information, but also with regard to alleged fake profiles of female users made to attract new users.
This is the first post in a three-part series.
May 25, 2018. If you are a company that comes into contact with European data, whether you are operating in Europe or elsewhere, and you have not taken note of this date yet, you should. That is when Europe’s new data protection framework – the General Data Protection Regulation (GDPR) – will enter into force, replacing Data Protection Directive 95/46/EC (the “Directive”).