Contributed By Wilson Sonsini Goodrich & Rosati
California Consumer Protection Act of 2018
In June 2018, the California state legislature passed the California Consumer Protection Act of 2018 (CCPA), a ground-breaking state privacy law that aims to give Californians more control over their personal information. The CCPA is currently set to come into effect in January 2020, with State Attorney General enforcement beginning in July 2020. It applies to for-profit entities doing business in California that collect personal information from California consumers, and either:
‘Personal information’ and ‘sale’ are defined very broadly under the statute. How these terms will be interpreted in practice will have far-reaching consequences for businesses, particularly those with ad-based revenue models.
The CCPA was originally passed on an accelerated legislative timeline in order to avoid a restrictive ballot initiative. As a result, a number of open questions remain about how it overlaps with existing laws and how it will apply to businesses. The CCPA has already been amended to clarify internal inconsistencies and errors, and the California Attorney General’s office will draft rules implementing the CCPA requirements by July 2020. The Attorney General’s office is holding a series of six public forums on its implementation, which will inform its rule-making.
Although the CCPA may not be set in stone, a number of basic requirements are unlikely to change. These include:
Federal Privacy Legislative Proposals
In the United States, there is no comprehensive privacy law that regulates the collection, use and disclosure of consumers’ personal information. The US has adopted a decentralised, sectoral approach to privacy that has resulted in a patchwork of industry- and state-specific laws, such as the Fair Credit Reporting Act (FCRA), the Health Insurance Portability and Accountability Act (HIPAA), the Children’s Online Privacy Protection Act (COPPA), 50 state data-breach laws, and state biometric privacy laws, among others. In addition, the Federal Trade Commission (FTC) uses its authority under section 5 of the FTC Act to deter ‘unfair and deceptive’ acts or practices in or affecting commerce, which includes business practices relating to privacy.
The US privacy framework has come under increased scrutiny in light of recent privacy headlines and the omnibus approach to privacy reflected in laws such as the EU General Data Protection Regulation (GDPR) and the CCPA. Much of this debate focuses on how much authority the FTC should have to police privacy, whether a federal privacy law should pre-empt state privacy laws, and how to most effectively give consumers control of their privacy online. A number of Congressional hearings have been held on consumer privacy over the past few months, and at least seven bills have been introduced in Congress that, if passed, could significantly affect companies in the business of collecting personal information from consumers.
For example, in April 2018, Senators Ed Markey (D-MA) and Richard Blumenthal (D-CT) introduced the CONSENT Act (S. 2639), a bill that would require the FTC to establish privacy protections for customers of online edge providers (eg, Facebook). A few months later, Senator Ron Wyden (D-OR) released a discussion draft of the Consumer Data Protection Act of 2018, a bill that would authorise the FTC to establish minimum privacy and cyber-security standards, issue fines of up to 4% of annual revenue for first offences, and impose ten- to 20-year criminal penalties on senior executives. In January 2019, Senator Marco Rubio (R-FL) introduced the American Data Dissemination Act, a bill modelled after the federal Privacy Act of 1974 that would supersede any provision of state law to the extent it relates to the maintenance of records covered by the Act or any other personally identifiable information. Although federal privacy legislation has historically faced long odds for passage, there may be sufficient momentum now for legislation to be approved.
FTC Hearings on Competition and Consumer Protection
The FTC has held a series of public hearings on competition and consumer protection in the 21st century to examine whether changes in the economy, business practices, technologies and international developments require adjustments of the Commission’s approach to consumer protection law, enforcement priorities and policy. Topics on the agenda included privacy, big data and competition; algorithms, artificial intelligence and predictive analytics; data security; and consumer privacy. According to the FTC’s website, the hearings may identify areas for FTC enforcement and policy guidance, including improvements to the agency’s investigation and law enforcement processes, as well as areas that warrant additional study.
The data security hearings were held at the FTC on 11-12 December 2018. They included opening remarks from the director of the Bureau of Consumer Protection, Andrew Smith; presentations and discussions on data security research and emerging threats; and panels on incentives to invest in data security, consumer demand for data security, data security assessments and enforcement, and the US approach to consumer data security. The FTC accepted comments on these hearings until 13 March 2019.
FTC Data Security Orders
The FTC’s authority to issue broad data security orders recently came into question after the US Court of Appeals for the Eleventh Circuit vacated an FTC order requiring now-defunct medical laboratory LabMD to overhaul its data security programme. Specifically, the court found that the FTC’s mandate that the company implement a comprehensive information security programme was not specific enough to be enforceable. Rather than containing any prohibitions on committing specific acts or practices, the court found that the order required LabMD to overhaul and replace its data security programme to meet an “indeterminable standard of reasonableness” that was too vague to be understood or implemented.
The court’s ruling has significant implications for businesses that are or could be subject to a comprehensive data security order. The broad requirement to implement a comprehensive data security programme has been a common fixture in FTC data security orders since the Commission first imposed such a requirement in its settlement with Eli Lilly in 2002. The FTC has imposed similar obligations in privacy cases, such as in its settlement with Facebook in 2012. As a result, the court’s decision raises questions about how the Commission may proceed in privacy and data security enforcement actions in the future and whether the Commission will need to provide more specificity in its data security and privacy orders.
In February 2018, the SEC adopted a statement and interpretive guidance to assist public companies in preparing disclosures about cyber-security risks and incidents. Although the SEC has focused on cyber-security for years, the release is the first formal guidance issued by the agency to date. The new guidance provides the SEC’s views about public companies’ disclosure obligations under existing laws with respect to matters involving cyber-security risk and incidents. It also addresses cyber-security policies and procedures, disclosure controls and procedures, insider trading prohibitions and Regulation FD and selective disclosure prohibitions in the cyber-security context.
Just a few months after adopting this guidance, the SEC announced a USD35 million settlement with Altaba, formerly known as Yahoo! Inc, for allegedly misleading investors by failing to disclose a data breach that occurred in 2014. According to the SEC’s order, within days of the intrusion, the company’s security team learned that hackers had stolen its ‘crown jewels’, ie, usernames, email addresses, phone numbers, birth dates, encrypted passwords and security questions and answers for hundreds of millions of user accounts. The SEC alleged that Yahoo! failed to properly investigate the circumstances of the breach and to adequately consider whether it needed to be disclosed to investors, even though information relating to the breach was reported to Yahoo! senior management and its legal department.
Most recently, in October 2018, the SEC issued an investigation report, finding that nine companies that suffered business email compromise (BEC) had insufficient internal controls to prevent such attacks. Although the Commission did not charge any of the companies profiled in the report, it is another example of the SEC’s efforts to increase enforcement and oversight of public companies’ cyber-security controls and governance processes.
The SEC’s active interest in this area serves as a potent reminder to companies that they should consider, among other things, whether they are sufficiently disclosing cyber-security risks and costs in annual and quarterly disclosures. They should also consider whether their incident response plans account sufficiently for disclosure obligations, the need to close trading windows, and the possibility of issuing public disclosures regarding the incident.