TECHNOLOGY, OUTSOURCING, AND COMMERCIAL TRANSACTIONS
NEWS FOR LAWYERS AND SOURCING PROFESSIONALS

The EU Commission issued its report on the third annual review of the functioning of the EU-US Privacy Shield (Privacy Shield) on October 23. The annual review and corresponding report is required of the Commission by the its July 2016 adequacy decision in which it found that the Privacy Shield ensures an adequate level of protection for personal data that has been transferred from the European Union (EU) to the United States. The goal of the review is to evaluate and publicly report on all aspects of the functioning of the Privacy Shield Framework.

A recent ruling by the Court of Justice of the European Union (CJEU) established that companies seeking to store “cookies” that are used to track online browsing behavior must obtain “active consent.” The ruling is likely to cause angst among companies, which often maintain websites that are not set up to obtain active consent, as well as with internet users who are increasingly frustrated by having to continually provide consent while visiting websites.

As our loyal Tech & Sourcing readers know, we have been doing our best to keep you informed about the requirements of the California Consumer Privacy Act (CCPA) and what you can do to prepare as its January 1, 2020, effective date draws near. Continuing that vein, we invite you to an upcoming webinar wherein Morgan Lewis partners Reese Hirsch, Mark Krotoski, and Carla Oakley and associate Kristin Hadgis will provide an overview of the latest amendments to the CCPA, the state of the law and related regulations, and practical perspectives on CCPA compliance.

The Morgan Lewis team will discuss the following topics:

  • The new one-year exemption for employee data*
  • The new one-year exemption for B2B communications*
  • Other new amendments, including those related to the use of toll-free numbers and verifiable consumer requests*
  • Failed amendments and other issues to watch
  • Status of California attorney general regulations and a possible new ballot initiative
  • Other state laws influenced by the CCPA
  • Preparing for the January 1 effective date and 2020 enforcement date

We hope you will join us for the one-hour webinar on Tuesday, October 22 at 1:00 pm ET.

Register for the webinar now >

For a primer in advance of the webinar, catch up on our previous posts on the CCPA and recently proposed amendments, and check out the Morgan Lewis CCPA Resource Center for more.

*Indicates an amendment to the CCPA that has passed the California Legislature but, as of this writing, has not yet been signed into law by Governor Gavin Newsom.

The California legislature passed five bills on September 13 to amend and clarify the scope of the California Consumer Privacy Act (CCPA). If the amendments are signed by the California governor by the October 13 deadline, they will become part of the CCPA, set to take effect on January 1, 2020. A LawFlash by Morgan Lewis partner Reese Hirsch and associates Kristin Hadgis, Lauren Groebe, and Terese Schireson discusses the key proposals in each amendment, such as:

The January 1, 2020, deadline to comply with the California Consumer Privacy Act (CCPA) is fast approaching. Signed into law in the summer of 2018, the CCPA creates a variety of new consumer privacy rights and will require many companies to implement policies and procedures to manage and comply with new consumer-facing responsibilities. Catch up on the details of the CCPA in our previous post, this LawFlash, and the Morgan Lewis CCPA resource center.

An IAPP article by Annie Bai and Peter McLaughlin recently caught our attention, as it discusses the business risks of complying with the “verifiable consumer request” requirement under the CCPA. Under the CCPA, a California consumer may (1) request that a covered business provide access to the consumer’s personal information or (2) request that his or her personal information be deleted. Upon receiving such a request, the covered business must verify the identity of the requesting individual and respond. However, there is not much clarity in the CCPA regarding how a covered business must verify an individual’s identity.

The Stop Hacks and Improve Electronic Data Security (SHIELD) Act was signed into New York law by Governor Andrew Cuomo on July 25, after passing the New York State Assembly on June 17. The SHIELD Act takes effect on March 21, 2020, and will modernize New York’s current laws governing data breach notification and data security requirements with the intention of providing greater protection for consumer's private information, while holding companies accountable for providing such protections.

Read our previous post on the SHIELD Act for more information.

The European General Data Protection Regulation (GDPR) took effect in May 2018, requiring companies that handle or process EU residents’ personal information to conform to practices that seek to more fully protect consumer sensitive information. Companies that fall under this category, known as data controllers, must secure consumer consent or another legally acceptable method of gathering personal information, notify individuals of the personal information that is collected and how it will be used, and limit the collection and maintenance to necessary information for a limited period of time. The individuals whose personal information is gathered also have a right to access the information, limit its use, and withdraw their consent from data controllers for such use.

In this month’s Contract Corner, we are highlighting considerations for drafting an up-to-date privacy policy. In Part 1 of this series, we provided background on the general legal landscape for privacy policies in the United States and general issues that need to be addressed for an up-to-date policy. In this Part 2, we will provide some specific pointers on drafting, updating, and disclosing such policies.

Additional Information to Include

In addition to the list of items that should generally be covered in every privacy policy we provided in Part 1, the following are additional items you may need to set out in your specific privacy policy:

  • Directions for customers to access and update data (e.g., password resets, contact information updates, and mechanisms for unsubscribing)
  • Contact details or other means of reaching persons in your organization that can address user queries or concerns
  • Information regarding notifications when the privacy policy is updated (see below for considerations when reviewing and updating your policy)
  • Mechanisms for users to agree to and accept the terms of the privacy policy, as well as means for users to opt out

Drafting and posting a clear, concise, and accurate privacy policy is one of the most important tasks when creating a company’s website, particularly given today’s legal and regulatory environment. Privacy policy legal requirements are becoming more stringent and shortcomings less tolerated, and consumer sensitivity to privacy concerns are at an all-time high.

Despite these concerns, many companies’ policies are seemingly insufficient. A recent opinion piece published as part of the New York Times’ Privacy Project assessed 150 privacy policies from various companies and found that the vast majority of them were incomprehensible for the average person. At best, these seem to have been “created by lawyers, for lawyers” rather than as a tool for consumers to understand a company’s practices.

In this month’s Contract Corner, we will highlight considerations for drafting an up-to-date privacy policy. Part 1 of this month’s Contract Corner will provide background on the current legal landscape for privacy policies in the United States and general issues that need to be addressed.

Does your website or application collect user data? Does your company sell that user data to other third parties, such as advertisers? Does your company disclose this practice to your users in a privacy policy or terms or use? If you answered yes to these questions, you are most certainly not alone. But is your disclosure sufficient? That is the question a new challenge is poised to answer.