
In this issue of Eye on Privacy, we address some significant new data security legislation proposed in California, cover recent updates in FCRA enforcement, and take a timely look at policy recommendations regarding big data. We also examine a number of data protection opinions recently released by EU regulators, discuss new guidance from the FCC on text messaging, and consider the effect of the New Jersey district court’s rulings in the FTC’s case against Wyndham. In addition, we provide an overview of privacy and data security risk assessments, which have become an increasing area of interest to companies large and small.

As always, please feel free to email us at PrivacyAlerts@wsgr.com if there are any topics you’d like to see us cover in future editions.


Lydia Parnes
Partner, Wilson Sonsini Goodrich & Rosati

 



Proposed California Law Would Impose Data Breach Liability on Retailers and Create More Stringent Data Security Requirements for Businesses

By Matthew Staples and Jonathan Adams

A proposed California law, the Consumer Data Breach Protection Act (A.B. 1710), has the potential to upend the calculus of determining liability after retail data breaches, create additional data security requirements for retailers and other consumer-facing businesses operating in California, and establish new standards for data breach reporting for breaches affecting California residents. The bill, introduced by California State Assemblymen Bob Wieckowski and Roger Dickinson in February 2014 and currently pending before the California Assembly Committee on the Judiciary, may in part represent an effort to respond to the recent data breaches affecting Target and Neiman Marcus, and aims to strengthen one of the most prescriptive state statutes already in existence. Click here to read the full article.



FTC Continues Its Aggressive FCRA Enforcement and Ninth Circuit Lowers Standing Threshold in FCRA Cases

By Wendell Bartnick

Data may well be the asset of the 21st century, but selling access to certain data about individuals may raise the risk of attracting unwanted attention from both regulators and class action litigants. As organizations collect more types of data about consumers, they are more likely to have data that may constitute “consumer report” data under the Fair Credit Reporting Act (FCRA). This article discusses recent FTC enforcement actions against two background check companies that allegedly failed to avoid the FCRA trip wires and face a combined $1.5 million in fines. It also explains how the U.S. Supreme Court may review the Ninth Circuit’s recent decision to join other federal appellate courts in making FCRA class action lawsuits easier to bring for plaintiffs. Click here to read the full article.



President’s Counselor Makes Recommendations on Privacy and Other Values in Big Data Age

By Lydia Parnes and Sharon Lee

In January 2014, President Barack Obama charged his counselor John Podesta with looking at: (a) how the challenges inherent in big data are being confronted in the public and private sectors; (b) whether the United States can forge international norms on how to manage big data; and (c) how the United States can continue to promote the free flow of information in ways that are consistent with both privacy and security. Two reports were published on May 1, 2014, in response to this charge, one focusing on policy and big data, and the other focusing on the technological aspects involved. Click here to read the full article.



EU Data Protection Regulators Issue Several Opinions on Key EU Data Protection Issues

By Christopher Kuner and Cédric Burton

The body of European data protection regulators known as the Article 29 Working Party (WP29) has been exceptionally prolific lately. In April 2014, WP29 adopted no less than five opinions and issued a number of other statements and letters on various topics. While not directly binding, WP29’s publications offer insight into the regulators’ views, which are generally a good indication of how the regulators will seek to apply the law. This article provides an overview of the most important documents issued. It discusses Opinion 5/2014 on anonymization, Opinion 6/2014 on legitimate interests as a basis for processing, the letter to Commissioner Viviane Reding on data transfers from the EU to the U.S., and the letter to the Council of the EU on the one-stop-shop mechanism. Click here to read the full article.



FCC Clarifies That Consent May Be Provided by Intermediary for Informational Text Messages

By Tonia Ouellette Klausner, Tracy Shapiro, and Joseph Molosky

On March 27, 2014, the Federal Communications Commission (FCC) addressed an outstanding petition seeking guidance for compliance with the “prior express consent” requirement of the Telephone Consumer Protection Act (TCPA) for informational text messages. In a declaratory ruling, the FCC provided clarification of this requirement, and specifically addressed whether an intermediary may provide such consent. The FCC agreed with group texting service GroupMe, Inc. that, consistent with the TCPA, intermediaries may convey consent provided by others to receive informational text messages. However, the FCC made clear that companies ultimately remain liable where intermediaries fail to obtain the required consent. The ruling demonstrates a current trend at the FCC to allow businesses communicating with consumers by text message some flexibility while navigating the TCPA’s increasingly complex requirements. Click here to read the full article.



The Wyndham Rulings and the FTC’s Leadership in Data Security Enforcement

By Edward Holman and Joseph Molosky

The FTC has been attempting to regulate data security in piecemeal fashion since the late 1990s. The commission reached settlements with more than 50 organizations over data security issues, with no organization seriously challenging its authority until FTC v. Wyndham Worldwide Corp. made headlines in 2012. The case brought rampant speculation from the privacy and data security community on the likely outcome and potential impact on a number of issues, ranging from the FTC’s enforcement authority to national and state data security laws. A recent ruling rejecting one of Wyndham’s motions to dismiss may not break new ground for the FTC, but the commission’s ability to overcome the first challenge to its data security enforcement authority is significant and continues the agency’s trajectory as the country’s leading data security enforcer. Click here to read the full article.



Privacy & Data Security Risk Assessments: An Overview

By Wendell Bartnick and Joseph Molosky

Recent large-scale data breaches provide a stark reminder of the risks and challenges associated with today’s data-driven economy. One of the most effective techniques for managing those risks is conducting a comprehensive privacy and data security risk assessment. Organizations use such risk assessments to maintain appropriate risk profiles based on the organization’s contractual, regulatory, and governance obligations. Regulatory schemes in some industries may require risk assessments for compliance. Organizations that collect payment information to process payments as merchants or payment processors or deal with data collected about individuals residing in specific states may also have risk assessment obligations. A comprehensive risk assessment may include considerations of scope, documentation, timing, management, and oversight. Click here to read the full article.


Tip

Have you completed your U.S.-EU Safe Harbor self-certification this year? Participating companies are required to renew their certifications annually to the U.S. Department of Commerce.


This communication is provided as a service to our clients and friends and is for informational purposes only. It is not intended to create an attorney-client relationship or constitute an advertisement, a solicitation, or professional advice as to any particular situation.

Wilson Sonsini Goodrich & Rosati
650 Page Mill Road
Palo Alto, California 94304