Big Day for Big Tech: CEOs Testify in House Antitrust Hearing

On Wednesday, July 29, 2020, the House Judiciary Committee’s Subcommittee on Antitrust conducted its sixth hearing into online platforms and market power, welcoming as witnesses the chief executive officers of Amazon, Apple, Google, and Facebook. The hearing lasted more than five hours and was styled as “Examining the Dominance of Amazon, Apple, Facebook and Google.” Due to COVID-19, the CEOs testified virtually, adding an ironic digital twist with the tech titans appearing together in video tiles on a screen with no big-tobacco moment standing side-by-side to take their oath.

The Subcommittee’s hearing culminated its year-long investigation into Big Tech, and the questioning was informed by requests for information posed to each tech company last September, which generated millions of pages of documents and hundreds of hours of interviews. Subcommittee Chair Cicilline opened the hearing by describing each of the tech companies as a “bottleneck for a key channel of distribution,” whether that be a channel of retail distribution, distribution of software applications, or distribution of information. Chair Cicilline began and ended the hearing by expressing concerns about the dominance of each firm and abuse of their purported monopoly power. Continue Reading

New York Brings Long-Awaited Cybersecurity Message Case

Ever since the New York State Department of Financial Services (DFS) instituted its first-in-the-nation Cybersecurity Regulation[1] in 2017 (covered in our post here), banks, insurance companies, and others in the financial services industry wondered what would trigger an enforcement action under its broad purview. At long last, the industry now knows. On July 22, 2020, the DFS announced a statement of charges against First American Title Insurance Company (First American) alleging violations of the regulation for not properly safeguarding customer information. Because First American stated it will contest these charges at a hearing scheduled for October 2020, the industry will have to wait a little longer for more concrete guidance from this proceeding, including the potential consequences of not complying with the regulation. Nevertheless, the allegations in the statement of charges still provide the clear message that the DFS is now enforcing this regulation against perceived violators. Continue Reading

Context Matters: An ‘Established Business Relationship’ Can Be Created During a ‘Telephone Solicitation,’ Thus Preventing Subsequent Calls From Violating the TCPA

Group of people standing in line and looking at their smart phonesA federal court has ruled that an “established business relationship” can be created during a call, even if that call is a “telephone solicitation” that violates the Telephone Consumer Protection Act (TCPA). Charvat v. Southard Corp., No. 2:18-cv-190 (S.D. Ohio). A copy of the opinion is attached; the defendants in this matter are represented by BakerHostetler. Southard stands for the proposition that the context of a call is important and must be considered in determining whether the TCPA was violated. Southard appears to be the first decision that specifically addresses this issue and could impact the amenability of certain types of TCPA class actions to certification under Federal Rule of Civil Procedure 23.

For the TCPA, Congress intended a “balanced approach … [to] ensure a robust telemarketing industry while giving consumers relief from unwanted telephone solicitations.” See 137 Cong. Rec. S8784 (Daily Ed. Nov. 27, 1991) (statement of Rep. Hollings). But, as any entity operating in the digital media and advertising space can attest, the TCPA lawsuit juggernaut has undermined this balance. Even a perfunctory Internet search will reveal numerous seven-figure (or more) TCPA judgments and settlements. Southard, however, may help restore the balance that Congress sought with respect to calls to persons on the National Do Not Call Registry (NDNCR). Continue Reading

5 Key Things to Know about the Landmark Schrems II Decision

Quick Links

1. Is the EU-U.S. Privacy Shield framework dead?

Yes, the Privacy Shield framework has been invalidated. The Court of Justice of the European Union (CJEU) invalidated the Privacy Shield framework based on its finding that the framework does not sufficiently protect EU personal data from U.S. national security and surveillance laws  that allow access and use of personal data by U.S. public authorities. The Court held that U.S. surveillance law does not include the safeguards required to meet EU data protection principles concerning proportionality (e.g., collection is not limited to what is necessary, no limitations with respect to non-U.S. persons). Also, the CJEU found that European data subjects do not have a meaningful remedy before a body that offers guarantees substantially equivalent to those under EU law. In particular, the CJEU reasoned that the Privacy Shield’s Ombudsperson is not sufficiently independent and is unable to adopt decisions that bind U.S. intelligence services. Continue Reading

California AG Begins CCPA Enforcement

Last week, the International Association of Privacy Professionals hosted a keynote session with Stacey Schesser, supervising deputy attorney general (AG) of the California Department of Justice, to discuss the July 1 start of the AG’s enforcement authority under the California Consumer Privacy Act (CCPA).

The deputy AG discussed the current scope of the AG’s enforcement authority and confirmed that on July 1, the Office of the Attorney General (OAG) sent businesses an initial round of letters, which included notices of alleged violations. The AG will open an investigation or file a lawsuit against companies that do not come into compliance within 30 days of receiving such notice letters. Continue Reading

Ann O’Brien, Jeewon Serrato, Alyse Stach Author Article Examining Privacy and Antitrust Issues

Partners Ann O’Brien and Jeewon Serrato and Associate Alyse Stach authored an article published by the International Association of Privacy Professionals (IAPP) on June 23, 2020. The article, “The Thin Line Between Privacy and Antitrust,” discusses how the lines between antitrust and privacy objectives and enforcement are becoming increasingly blurred. The authors describe real-world scenarios in which companies need to find ways to compete, innovate and serve customers while navigating antitrust and privacy issues.

Read the article.

CPRA Moves Forward Despite COVID-19 Woes, Will Be on November Ballot

This blog post has been updated to account for additional information related to the California Privacy Rights Act (CPRA) ballot initiative released following original publication of this post.

On Friday, June 19, 2020, the Superior Court of California issued a ruling that paved the way for Californians to see the CPRA on the ballot in November. In its ruling, the court recognized that Alastair Mactaggart, the individual responsible for both the CCPA and the CPRA, sometimes referred to as “CCPA 2.0,” was “confronted with numerous obstacles unique to the COVID-19 pandemic.”

As a result, the ruling will allow Mactaggart to remedy certain procedural deficiencies related to a random sampling process by certain counties that were not met, which would have jeopardized the ability for the CPRA ballot initiative to be included on the November ballot.

As of the publication of this blog post, the CPRA needed fewer than 50,000 signatures to meet the certification requirement and automatically be qualified on the November ballot, and three counties still have not reported their signature counts (San Diego, San Mateo and Placer). On the evening of June 24, the California secretary of state confirmed that the CPRA ballot initiative garnered enough signatures to remedy the procedural deficiencies and will be on the ballot in November.

If passed, the CPRA will amend certain sections of the CCPA in phases, starting Jan. 1, 2021.

We will continue to provide updates on the CPRA on BakerHostetler’s Data Counsel blog. We previously reported on some of the CPRA’s notable provisions here.

The Destruction of Privilege and Work Product Protection for Data Breach Investigations?

Attorneys play an important role in the incident response process. A skilled and experienced attorney can help organizations effectively respond to a security incident in a way that complies with obligations, protects key relationships, and prevents or mitigates financial consequences. Unfortunately, some have sold the value of involving an attorney in the incident response process as the ability to cloak an investigation in privilege and work product. So there have been surprised reactions to recent decisions finding that work product did not apply to a report written by a forensic investigation firm that had been engaged by a law firm on behalf of the organization. There are legitimate grounds for criticizing the analysis used to reach those decisions based on the facts of each case. But the decisions reveal a path for steering through the process. And for organizations that have taken thoughtful measures to prepare to respond to security incidents, such as working with external counsel and building a relationship with a forensic firm, it does not mean they need to abandon their plans and start over. There is not an approach that works in all incidents. That is where the value of experienced counsel is most evident – in the ability to provide advice that generates an incident-specific response plan to help an organization meet its legal obligations and operational needs. Continue Reading

Welcome to Data Counsel

Dear Friends,

In January, we announced the creation of the firm’s 6th practice group—Digital Assets and Data Management. Since September 2010, members of our group have been covering privacy and security topics through our Data Privacy Monitor blog. Today, we are excited to launch our rebranded blog – Data Counsel – to more fully capture our group’s commitment to “everything data and technology”. BakerHostetler’s elevation of the importance of this practice reflects the significance our clients associate with these issues.

The Data Counsel blog now addresses all of the issues important to our clients related to all things data and technology. The content and commentary will be expanded to include enterprise risks, disputes, compliance, and opportunities through the lifecycle of data, technology, advertising, and innovation, including brand strategies and monetization. Yes, we will continue to cover privacy, data security, CCPA updates—and a lot more! For example, our newest team, Digital Transformation and Data Economy, is hard at work keeping up with demands related to interacting with customers, structuring businesses, and delivering goods and services in a post-COVID-19 world.

Thank you for subscribing. If you have suggestions on content, let us know!

CCPA Final Regulations Published in Advance of July 1 Enforcement Date

On June 1, 2020, the Office of the California Attorney General (OAG) submitted the final proposed regulations (final regs) under the California Consumer Privacy Act (CCPA or the Title) to the California Office of Administrative Law (OAL). OAL now has 30 working days, plus an additional 60 calendar days under Executive Order N-40-20 related to the COVID-19 pandemic, to review the regs for procedural compliance with the Administrative Procedure Act. Although we do not expect OAL to make any substantive changes to the regs, we are still one procedural step away from the regs being filed with the secretary of state by OAL and becoming enforceable by law. Noting the July 1, 2020, statutory mandate for the regulations, the OAG petitioned OAL for expedited review and submission to the secretary of state prior to that date and for effectiveness upon submission to the secretary. As we have previously explained, there is a legal basis for this approach.  BakerHostetler and several industry groups filed comments with the OAG in mid-March, as the pandemic was breaking, asking for a continuation of delay in the enforcement of the CCPA until six months after the regs become final, in part to help companies focus on COVID-19. Those comments now have been rejected by the OAG, and enforcement of the CCPA will begin on July 1, 2020, regardless of when final regulations are promulgated, absent action by the governor or the Legislature. The final regulations remain unchanged from the third version published for comment in March. Businesses should complete their CCPA compliance work based on these proposed final regulations in advance of July 1.

The final regulations provide guidance on certain key requirements under the CCPA, including definitions (Article 1), notice requirements (Article 2), businesses’ obligations in handling consumer rights requests (Article 3), requirements for verification of consumers making requests (Article 4), special rules regarding minors (Article 5) and use cases for applying the CCPA’s non-discrimination mandate (Article 6). The regs also flesh out what service providers can and must do (Section 999.314), expand on training and record- keeping requirements (Section 999.317), and explain what businesses can and must do in response to a request putatively made by an agent acting on behalf of a consumer (Section 999.326). Notably absent are guidance on the design of a standard “do not sell” opt-out button, guidance on the meaning and scope of “sell,” and information about how to treat third-party cookies. An analysis of the regulations with practical takeaways is available here.