As California Attorney General Xavier Becerra advises consumers of all their new rights under the California Consumer Privacy Act (CCPA), multiple states are introducing their own privacy acts, some of which are remarkably similar to the CCPA. The most-watched privacy legislation is perhaps in Washington State, described below, which very nearly passed its Privacy Act last year.
Posts tagged as “Data Protection”
It has been an extraordinary 365 days for consumer financial services law. I cannot recall a year where so many states introduced legislation or proposed regulations or rules impacting the credit industry. At the federal level, proposed rules for the Fair Debt Collection Practices Act were (finally) released and California also proposed regulations under the California Consumer Privacy Act.
The European Union’s General Data Protection Regulation (GDPR) went into effect on May 25, 2018, and introduced privacy concepts that were new to some U.S. businesses. Fortunately, the GDPR was developed over a period of time that allowed for thoughtful deliberation and careful drafting. The California Consumer Privacy Act (CCPA), on the other hand, was speedily enacted under the threat of a ballot initiative.
The U.S. Court of Appeals for the Third Circuit recently vacated an order approving the settlement of a class action certified under Rule 23(b)(2), where the only benefit to the class was the defendant’s payment of a cy pres award to organizations that promoted data privacy. In so ruling, the Third Circuit held that the trial court did not adequately scrutinize the settlement agreement’s broad release of claims for money damages, and the parties’ designation of cy pres recipients, as required by Rule 23(e). A copy of the opinion in In re Google Inc. Cookie Placement Consumer Privacy Litigation is…
The U.S. Court of Appeals for the Ninth Circuit recently held that class plaintiffs alleged a concrete and particularized harm sufficient to confer Article III standing where the defendant company’s alleged collection, use, and storage of the plaintiffs’ biometric information was the substantive harm targeted by the Illinois Biometric Information Privacy Act (BIPA), which statute protects the plaintiffs’ concrete privacy interests. The Ninth Circuit further held that the district court did not abuse its discretion in certifying the class. Accordingly, the Ninth Circuit affirmed the district court orders certifying the class, and denying the defendant’s motion to dismiss. A copy…
In a class action arising from a data breach at a retailer that resulted in the theft of millions of consumers’ credit card information, the U.S Court of Appeals for the Eleventh Circuit recently held that the fee arrangement included as part of the settlement was a fee-shifting contract and the constructive common fund doctrine did not apply, reversing as an abuse of discretion the trial court’s use of a fee multiplier in a fee-shifting case. A copy of the opinion in Northeastern Engineers Federal Credit Union, et al. v. Home Depot, Inc., et al. is available at: Link to Opinion.…
On June 25, the Illinois Legislature sent Senate Bill 1624 to Gov. J. B. Pritzker. The legislation adds a requirement to Illinois’ data breach notification law to notify the attorney general in the event of certain data breaches. The bill will become law if not returned by the governor by Aug. 24, 2019. The legislation would amend the Personal Information Protection Act, 815 ILCS 530/10, by requiring that any data collector who must inform more than 500 Illinois residents of a data breach also provide notice to the attorney general describing: the nature of the breach; the number of affected residents;…
Texas Enacts Amendments to Data Breach Notification Law; Creates Privacy Protection Advisory Council
Texas Enacts Amendments to Data Breach Notification Law; Creates Privacy Protection Advisory Council
On June 14, Texas Gov. Greg Abbott signed into law House Bill 4390 which amends the notification requirements of Texas’ data breach law and creates an advisory council to study data privacy laws generally. The provisions become effective Jan. 1, 2020. Currently, a person conducting business in Texas who “owns or licenses computerized data that includes sensitive data” must disclose the breach to any affected individual “as quickly as possible.” Tex. Bus. & Com. Code § 521.053(b). The amendments will require the disclosure “be made without unreasonable delay and in each case not later than the 60th day after the…
The U.S. Court of Appeals for the Eighth Circuit recently upheld the dismissal of an alleged data breach victim’s allegations under the Illinois Consumer Fraud and Deceptive Business Practices Act, the Illinois Personal Information Protection Act, and the Illinois Uniform Deceptive Trade Practices Act, as well as various common law claims. A copy of the opinion in Melissa Alleruzzo v. SuperValu, Inc. is available at: Link to Opinion. In June and July 2014, hundreds of retail grocery stores operated by three different entities (“grocers”) were hacked, resulting in the theft of customers’ card information, including their names, credit or debit card account…
On June 28, California passed into law the California Consumer Privacy Act of 2018, which becomes operative on Jan. 1, 2020. As with the EU’s General Data Protection Regulation, the Privacy Act gives consumers greater control over the use and sharing of their personal information. The Privacy Act allows a consumer to request that a business disclose: the categories and specific pieces of personal information that it collects about the consumer; the categories of sources from which that information is collected; the business purposes for collecting or selling the information; the categories of third parties with which the information is…
In a data breach putative class action brought by financial institutions against a retail grocery store chain, the U.S. Court of Appeals for the Seventh Circuit recently held that the economic loss doctrine prevented recovery of economic losses in tort cases. Although the financial institutions had no direct contractual relationship with the retail grocery store chain, the Seventh Circuit noted that the banks and the merchant all participated in a network of contracts that tied together all the participants in the card payment system. In so ruling, the Seventh Circuit joined the Third and First Circuits in rejecting negligence theory…
In a data breach putative class action, the U.S. Court of Appeals for the Ninth Circuit recently held that the plaintiffs sufficiently alleged Article III standing based on an alleged “increased risk of future identity theft.” In so ruling, the Ninth Circuit rejected the defendant’s argument that Clapper v. Amnesty International USA, 568 U.S. 398 (2013), in which the Supreme Court of the United States held “an objectively reasonable likelihood” of injury was insufficient to confer standing, required dismissal. A copy of the opinion in In re Zappos.com is available at: Link to Opinion. In January 2012, hackers breached the servers of…