Colorado’s New Privacy Protection Law

Colorado has joined Vermont and California in passing recent legislation related to consumer privacy. HB18-1128 took effect September 1, 2018, and any organization that collects or maintains certain “personal identifying information” should make sure it is in full compliance. Here are some highlights most likely to affect private entities (there are also provisions for government entities):

  • Covered entities in the state of Colorado must maintain a written policy for disposing of documents, both paper and electronic, that contain personal identifying information;
  • Covered entities who maintain, own or license personal identifying information of Colorado residents must implement reasonable security procedures (including requiring reasonable security procedures from third party service providers); and
  • Covered entities who maintain, own or license personal identifying information of Colorado residents must comply with breach notification requirements, including an accelerated 30-day timeframe for notification to Colorado residents impacted by the data breach and the Colorado Attorney General (where more than 500 records are at issue).

The bill specifically spells out what constitutes personal identifying information, but the definitions are not identical for all provisions. Note, however, that all of them include biometric data (as defined in the statute), which continues a trend we have been seeing of including biometric data in regulations relating to privacy and security.

Businesses subject to this statute should confirm that their existing processes, policies and third party contracts are up to these Colorado requirements.

First CaCPA Amendments Emerge

The California Consumer Privacy Act of 2018 (“CaCPA”) will be implemented January 1, 2020, and as we anticipated, the regulation continues to evolve. On August 27, the California legislature published the first amendments to the pending legislation. We previously wrote a comprehensive overview of the CaCPA in its original form here.

Here are some key takeaways from the recent substantive amendments (note that though the revised bill includes 45 amendments, many simply address technical errors):

  • Re-defining “Personal Information”: The new bill revises the definition of personal information, but it remains extremely broad by encompassing information that could be reasonably linked, even indirectly, with a particular person or household. However, the revision may slightly lighten the burden on companies because it adds language clarifying that the items on its list of PI examples (e.g. unique identifiers, IP addresses, geolocation data) are not necessarily PI, but rather are the types of data that qualify as PI only “if it identifies, relates to, describes, is capable of being associated with, or could be reasonably linked, directly or indirectly, with a particular consumer or household.”
  • Expanding HIPAA/Adding Clinical Trials Exemption: The revised bill now covers “business associates” as well as covered entities, stating that information exempt from the law includes “protected health information that is collected by a covered entity or business associate governed by the privacy, security and breach notification rules issued by” the U.S. Department of Health and Human Services. The amendments also add a new clinical trial exemption that applies to data from trials that are subject to the Federal Policy for the Protection of Human Subjects and follow certain leading clinical practice guidelines.
  • GLBA/DPPA Revisions: The revised bill removes the contingency that the CaCPA only exempts GLBA and DPPA data where in “conflict” with those statutes and also provides that those exemptions will not apply to the provision giving consumers the right to sue for certain data breaches. The bill also carves out a new similar exemption for data collected under the California Financial Information Privacy Act.
  • Limited Private Right of Action: The new bill adds express language to clarify the limits to consumers’ private right of action stating: “The cause of action established by this section [1798.150] shall only apply to violations as defined in subdivision (a) [breaches] and shall not be based on violations of any other section of this title.”
  • Preempts Local Lawmaking Before 2020 Implementation Date: The bill previously preempted local laws regulating collection and sale of consumer PI, but now clarifies that this rule “shall be operative on the effective date of the act.” In other words, once the bill becomes law.
  • Limits Penalty to $7,500: Rather than referencing and incorporating Section 17206 of the Business and Professions Code to assess a civil penalty, the revised bill limits the AG’s recovery to $7,500 per violation.
  • Revised Timing and Delayed Attorney General Regulations: The revised bill addresses some concerns raised by the Attorney General in a public letter, for example: providing that all civil penalties collected under the CaCPA will be used by the AG and courts to offset costs; deferring the AG’s obligation to adopt regulations to July 1, 2020; and delaying the AG’s right to enforce the CaCPA until July 1, 2020. It is not clear whether the AG can pursue conduct occurring between January and July or before it adopts regulations. So, these timing changes do not mean that companies should hold out for AG guidance or otherwise delay any compliance efforts.

As we previously wrote, there still appears to be an opportunity to engage directly with the legislative process to help refine the CCPA (as groups have done to facilitate this recent amendment). And, there remains at least the possibility of pre-emptive federal legislation. As we wait and see how provisions evolve and monitor any Attorney General guidance, the CCPA will undoubtedly require significant compliance effort, and companies should not drop this from their radar.


InfoLawGroup Partner Justine Gottshall talks data privacy on “Technically Legal” podcast

With the EU’s General Data Protection Regulation (GDPR) recently going into effect and the passage of the California Consumer Privacy Act (CCPA), which will become law in 2020, companies across the country are scrambling to understand their obligations under these new data privacy regulations and set compliance programs in place.

InfoLawGroup’s Justine Gottshall sat down with Chad Main, the host of Technically Legal—a podcast about the intersection of technology and the practice of law—to discuss who these laws apply to and the types of protections they grant to consumers.

Listen to Technically Legal: Justine Gottshall on Data Privacy Laws


ASA Decision Regarding Use Of Filters In Social Media Advertising

Recently the Advertising Standards Authority for Ireland (“ASA”) issued a decision regarding paid influencers’ use of post-production techniques (such as in-camera filters or Photoshop) that embellish an advertised product’s effectiveness or appearance (with or without the intention to do so). Although it is an Irish decision, it is relevant to domestic advertisers as well, as it highlights certain tenets of U.S. advertising law.

In the case, blogger Rosie Connolly promoted Rimmel Foundation by posting a photo of herself using the make-up on social media. The photo was filtered and altered via Photoshop and included statements about Rimmel Foundation’s effectiveness, such as, “ultra-light and flawless coverage” and “stunning finish”. The complaint stated that people may purchase Rimmel Foundation based on Ms. Connolly’s posts, thinking they would achieve the same results if they use the product. However, since the images were altered, this would likely not be the case.

The ASA upheld the complaint, holding that the use of post-production techniques that exaggerate the effects of an advertised product could mislead consumers. The Federal Trade Commission’s guides on endorsements and testimonials already prohibit influencers from making claims about products that the advertiser could not make itself.

What does this mean for advertisers? Based on this ASA decision and existing guidance in the U.S., advertisers should likely prohibit use of filters and other post-production techniques if the use of those techniques could impact a viewer’s understanding of how a product or service will work.

The New CA Consumer Privacy Act: Don’t Panic (Yet)

California has pushed through an online privacy law that is sending some shockwaves through the Internet economy. On Thursday, June 29, the legislature passed the California Consumer Privacy Act of 2018 (“CCPA”), which the Governor signed swiftly. Beginning January 1, 2020, many companies that do business in California will need to make significant changes and provide consumers, including minors, significantly more control of their personal information.

While the CCPA is in many ways a game-changer in the U.S., it is fair to anticipate that it will evolve some before the implementation date. Companies with concerns should consider how to participate in the legislative process, as California will likely amend the statute, and now is the time to think through where clarifications or changes may be needed. It is also possible that there will now be a stronger push for federal legislation. Otherwise, we may see piecemeal, perhaps conflicting, state-by-state regulation with which it will be burdensome and potentially impossible for businesses to comply.

At its core, the CCPA gives residents of California the right to know what personal information a business is collecting, the right to access that information and request deletion (with certain important exceptions), the right to know whether their information is sold, shared or disclosed (and, generally, to whom), the right to opt out of the sale of their personal information (or the right to opt in for users younger than age 16), and the right to receive the same service at the same price even if they exercise their privacy rights, although certain financial incentives are acceptable. The CCPA also provides a private right of action in the event of a breach or unauthorized access to personal information.


Major U.S. Supreme Court Decision Allows States to Charge Sales Tax for Online Purchases

Yesterday the United States Supreme Court overruled decades of legal precedent governing taxation for online purchases. The decision, South Dakota v. Wayfair, Inc., No. 17-494 (June 21, 2018), changes the national standard on when an online business must collect and remit taxes under the states’ respective tax laws. Specifically, the Court ruled that an out-of-state seller’s “physical presence” is not necessary for a state to compel the company to collect and remit its sales tax, overruling prior cases on the matter (Quill Corp. v. North Dakota By and Through Heitkamp and National Bellas Hess, Inc. v. Department of Revenue of State of Ill.).

In a typical retail transaction, states tax the retail sale of goods and services within their state. The sellers are generally required to collect and remit the sales tax to the state, but when they do not, the in-state customers must pay a “use tax” at the same rate (consumer compliance rates are “notoriously low,” which can cause states to lose billions). This model did not previously apply to businesses operated entirely out-of-state, without any physical presence, such as an office, warehouse, or any employees.


InfoLawGroup LLP Continues to Grow Firm with Addition of Two Lawyers

Chicago, June 18, 2018—InfoLawGroup LLP is pleased to announce that it has hired Sara Chubb as senior counsel. Ms. Chubb joins InfoLawGroup from Winston & Strawn. She will be based in Chicago.

Ms. Chubb focuses her practice on advertising, marketing, privacy and intellectual property law. She has represented top brands across a variety of industries, handling a range of matters, including advertising clearance, marketing to children, sweepstakes and contests, licensing, sponsorship, social media, trademark and copyright issues.

In her privacy practice, Ms. Chubb helps clients build privacy into their new products, drafts privacy policies and advises on data security regulation compliance, among other matters.

The First Data Broker Law

Vermont is the first state to enact a law that will regulate data brokers that aggregate and sell data about consumers. The driving impetus of the legislation is to provide consumers with more information about the collection of their data and to protect consumers from data theft.

Vermont made a point of distinguishing data brokers from other types of businesses that collect information about their customers, and that distinction hinges on having a direct relationship with the consumer. “Data broker means a business, or unit or units of a business, separately or together, that knowingly collects and sells or licenses to third parties the brokered personal information of a consumer with whom the business does not have a direct relationship,” according to the legislation.


The FTC’s advice for online giving portals that collect on behalf of charities

Seventy-eight percent of Americans believe companies must do more than just make money; they must also positively impact society, according to the recent 2018 Cone/Porter Novelli Purpose Study. Not only did 79% of respondents say that they are more loyal to purpose-driven companies, but 73% said they would be willing to defend those companies. As for-profit businesses continue to find ways to demonstrate their positive social impact, one recent trend is teaming up with online giving portals. Businesses such as online retailers and crowdfunding sites (like GoFundMe) are increasingly directing consumers to online giving portals that offer lists of charities to which consumers can donate.


Dropbox Settles Autorenewal Lawsuit

[Updated May 23, 2018]

File-sharing powerhouse Dropbox has agreed to pay $1.7M to settle claims brought against it by the District Attorneys of Alameda, San Diego, San Francisco and Sonoma Counties. The regulators alleged that Dropbox violated California’s law on automatic renewals by failing to properly disclose the terms associated with its autorenewing Dropbox Pro subscriptions and by failing to get consumers’ affirmative consent to those terms. For its part, Dropbox issued the following statement through a spokesperson: “We believe that our policies have been fair, transparent, and in compliance with applicable law, but we’re pleased to have resolved this matter. Being worthy of trust is a core value of Dropbox and we’ll continue striving to earn and maintain the trust of our users.”