Podcast: AD-ttorneys@law: Marketing a Subscription-Based Service? Beware

We used to think of subscriptions as mostly for newspapers and magazines, but today you can subscribe to get cosmetics, cars, clothes, mental health counseling – even a curated selection of cat toys and treats that will show up on your doorstep every month. Is your brand offering a subscription service? Linda Goldstein explains how to mitigate your legal risk.

Questions and Comments: lgoldstein@bakerlaw.com


Privacy-Forward California AG Xavier Becerra Confirmed as Next HHS Secretary

On March 19, 2021, Xavier Becerra was confirmed as the secretary of the U.S. Department of Health and Human Services (HHS). HHS is the federal regulatory body that oversees the Office for Civil Rights (OCR), which is the primary federal enforcer of the Health Insurance Portability and Accountability Act (HIPAA).

The secretary oversees 11 operating divisions and 15 offices (including OCR), and as a result, he is not solely focused on HIPAA and privacy issues. However, if Becerra maintains his California state of mind, we can reasonably anticipate that privacy reform will be a high-ranking item on his federal agenda.

Private Right of Action May Again Poison Washington Privacy Act

On March 26, with less than a month left in the Washington Legislature’s 2021 session, the House Civil Rights and Judiciary Committee (CRJC) passed the Washington privacy act (2SSB 5062), with amendments, on a straight party-line vote of 11-6 (with all six Republican committee members voting no). As the act gets closer to passing, we’ll revisit the bill to highlight how it compares to its predecessors in California and Virginia. For now, this post focuses on differences between the Senate and House versions and how those might affect its passage.

The amended bill, which now includes a private right of action, moves next to the House Appropriations Committee before moving to the full House for consideration. If passed by the House (as currently amended or with other amendments), the amended bill must then be reconciled with the Senate’s version. That puts us in about the same place we were in last year before the Washington privacy act failed – but with a few notable differences discussed below.

International Data Protection Update – First Quarter 2021

This quarterly update highlights some of the international data protection issues that have caught our attention, and the attention of our clients, in the past three months.

Europe, the Middle East and Africa

Cookies and Tracking Technologies – On March 31, 2021, the revised guidelines on cookies and trackers from the French data protection authority, the Commission nationale de l’informatique et des libertés (CNIL), will be fully enforceable. The CNIL has already handed out serious fines for violations of France’s law implementing the ePrivacy Directive, and it indicated earlier this month that cookies violations remain a priority enforcement area in 2021, along with cybersecurity and health data protection. Businesses active in France should be prepared to comply by auditing their use of cookies, ensuring they obtain appropriate consents for nonessential cookies and modifying cookie banners in light of the CNIL’s recommendations, including through the use of a second-level cookie banner with granular cookies preference options. FAQs and other information published on the CNIL’s website offer additional clarity about what is needed for compliance. Adding to the already complex European cookies requirements, in February, the Danish data protection authority released its quick guide for the use of cookies, which generally tracks the French guidance.

Welcome to the Digital Transformation and Data Economy Newsletter – March 2021 Issue

Across the economy, businesses are using digital technology to pivot into innovative service lines, accelerate growth and transform their businesses altogether. These businesses’ digital strategies and data assets play important roles in their success. Since the advent of the COVID-19 pandemic in the United States in March 2020, companies that had the technology to enable their employees to work from home have shut down their offices, in some cases forever. In this issue, we are highlighting Jerel Pacis Agatep and how his privacy practice, and background in labor and employment law, intersects with digital transformation and data economy.


New Taxes on the Digital Economy: A Closer Look at the New York Data Tax Proposal

Over the last year, state and local governments have proposed a variety of novel taxes on the digital economy, including taxes on digital advertising and social media platforms. Two factors have motivated these proposals: (1) closing budget gaps by taxing out-of-state companies and (2) addressing perceived public policy concerns with out-of-state companies profiting on information of in-state residents. The latest in this line of tax proposals has been a New York proposal to impose an excise tax on companies that collect data from New York consumers.

On Feb. 19, 2021, Sen. Liz Krueger, who chairs the Senate Finance Committee, introduced Senate Bill 4959, which would impose an excise tax on commercial data collectors. The tax is intended to be an alternative to digital advertising taxes, which are likely to be struck down as violative of the Permanent Internet Tax Freedom Act.

Congratulations to Casie Collignon for being named one of the “Top Litigators 2021” by Law Week Colorado!

With a practice focused on privacy class-action defense, Casie Collignon’s career takes her to courts across the country, through daily challenges of chess-like proportions and debate in advocacy for her clients. She has had a growing practice throughout the pandemic with multiple wins in 2020 alone, but she still finds time to be a mother, mentor, wife and camper.

Virginia Becomes the Second State with a Comprehensive Privacy Law

Governor Ralph Northam has signed the Consumer Data Protection Act (CDPA), making Virginia the second state with a comprehensive privacy law. The CDPA is inspired by both the California Consumer Privacy Act (CCPA) and the EU’s General Data Protection Regulation and takes effect Jan. 1, 2023 (the same date as most of the provisions of the California Privacy Rights Act (CPRA)). As we outlined in our analysis of the CDPA, the law grants consumers rights to access, correct, delete and obtain a copy of personal data and to opt out of the sale of personal data, the processing of personal data for the purposes of targeted advertising and profiling (automated decision-making).

In the meantime, Virginia will be busy ironing out all the details “regarding the implementation of this act” through a “work group composed of the Secretary of Commerce and Trade, the Secretary of Administration, the Attorney General, the Chairman of the Senate Committee on Transportation, representatives of businesses who control or process personal data of at least 100,000 persons, and consumer rights advocates … to review the provisions of this act and issues related to its implementation.” The “findings, best practices, and recommendations” of this work group are due Nov. 1, 2021.

For additional articles covering state privacy legislation updates, the CCPA, the CPRA or the recent Schrems II decision, including our 2020 year-in-review article, visit BakerHostetler’s Data Counsel blog and our Consumer Privacy Resource Center.

New EDPB Draft Guidance Provides Practical Scenarios for Data Breach Notification Analysis Under the GDPR

In certain cases, the General Data Protection Regulation (GDPR) requires entities that experience a personal data breach to provide notice of the incident to relevant national supervisory authorities and the individuals whose personal data was compromised. The European Data Protection Board (EDPB) — a board of representative members from each of the European national supervisory authorities — previously endorsed the February 2018 guidelines on personal data breach notification. On Jan. 19, 2021, the EDPB published draft Guidelines 01/2021 on Examples regarding Data Breach Notification (the “draft Guidelines”) to complement the initial notification guidelines. The draft Guidelines provide 18 sample data breach scenarios and offer guidance as to how data controllers should respond to such incidents and analyze potential notification obligations.

The draft Guidelines begin by reiterating core notification principles from the 2018 guidelines. Article 4(12) of the GDPR defines a “personal data breach” as “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed.” Three types of personal data breaches trigger a notification obligation: (a) “confidentiality breaches,” which occur when there is an unauthorized or accidental disclosure of, or access to, personal data; (b) “integrity breaches,” which involve the unauthorized or accidental alteration of personal data; and (c) “availability breaches,” which involve the unauthorized or accidental loss of access to, or destruction of, personal data. Notice is required to be given to appropriate supervisory authorities within 72 hours after controllers become aware of a personal data breach, unless the breach is unlikely to create a risk to a data subject’s rights and freedoms. The draft Guidelines state controllers should make this risk assessment when they become aware of the breach and should not wait for a detailed forensic examination before assessing the breach’s impact.

Virginia Poised to Enact the Consumer Data Protection Act, the Nation’s Second Comprehensive Consumer Privacy Law

Having passed both houses of the Virginia General Assembly, the proposed Consumer Data Protection Act (CDPA) may become the second comprehensive consumer privacy bill to be enacted in the United States. However, to reach the governor’s desk, it would need three more readings in the Senate and two more readings in the House, prior to the end of the session, which will be no later than March 1. If the CDPA reaches Governor Northam this session, he will have seven days to approve, amend or veto the bill. Should he take no action, the bill would become law at the end of seven days per the Virginia Constitution, but would not become effective until Jan. 1, 2023, the same day as the operative date of the California Privacy Rights Act (CPRA), which substantially amends the California Consumer Privacy Act (CCPA).

Alternatively, the governor could return the bill to the Legislature for reconsideration on April 7, 2021, when it reconvenes for the purpose of considering bills that may have been returned by the governor with recommendations for their amendment and bills and items of appropriation, including the general appropriation act, that may have been returned by the governor with his objections. We will be watching Richmond to see what happens.

Read an in-depth analysis of the bill here.