What does California’s new privacy law mean for companies and consumers?

When California Assembly Bill 375 (AB 375), also known as the California Consumer Privacy Act, goes into effect in 2020, companies stand to face the toughest privacy requirements in the United States. The purpose of AB 375 is to create transparency and control for consumers and their data, and to establish meaningful requirements for companies that collect and use that data. Some notable conditions under AB 375 include the following:

  • Companies must inform consumers of the data they collect and the purposes for which it is used.
  • Consumers can require companies to delete their data and direct companies to cease the sale of their data.
  • Companies will be required to disclose to consumers their right to request deletion of their data and their right to opt out of the sale of their data.
  • Companies that collect, sell, or disclose consumer data must disclose the categories of data that were collected, sold, or disclosed, as well as the third parties to whom the data was sold or disclosed.
  • Consumers will have the right to obtain their data in a portable format such that it may be provided to another entity.

Senators Edward Markey and Richard Blumenthal introduced a new privacy rights bill on April 10 titled “Customer Online Notification for Stopping Edge-provider Network Transgressions” (CONSENT Act). The CONSENT Act’s obligations would apply to entities known as edge providers, who provide services through a software program (including a mobile application) or over the internet (1) that require their customers to subscribe to or maintain an account to obtain services; (2) that require a customer to purchase services; (3) through which a customer performs searches; or (4) through which a customer provides sensitive customer proprietary information.

The CONSENT Act would require the Federal Trade Commission (FTC) to promulgate, within one year of the Act’s passage, regulations to protect the privacy of customers of edge providers; those regulations would take effect within 180 days of promulgation. Specifically, the CONSENT Act stipulates that such FTC regulations must

As of this past Monday, 11 US mayors have signed a pledge defending “net neutrality” in their cities and towns. The pledge, titled “Cities Open Internet Pledge,” was introduced by Mayors Bill de Blasio of New York, Ted Wheeler of Portland, and Steve Adler of Austin at this year’s South By Southwest in Austin, Texas.

As discussed in a recent post, the Federal Communications Commission (FCC) recently published the final rule repealing net neutrality, the open internet framework that restricted internet service providers (ISPs) from prioritizing, slowing, or blocking data and information flowing through their networks. The FCC is replacing net neutrality with a network management disclosure regime that will require ISPs to disclose information about network management practices, performance characteristics, and commercial terms of service.

If you’re like most of the business leaders recently surveyed by Ernst & Young, there is a privacy compliance elephant in the room that should no longer be ignored.

As we previously discussed, the General Data Protection Regulation (GDPR) will take effect in May 2018, significantly changing how companies may collect and use personal data about web users in Europe. Although the May deadline is rapidly approaching and the penalties for GDPR violations—up to the greater of 4% of the company’s global revenue or 20 million Euros—are by no means trivial, it seems that executives around the world are perfecting their ostrich impersonations. Survey findings include that only one-third of respondents have GDPR compliance plans in place. In the Americas and the Asia Pacific, where less than 15% of respondents indicated their GDPR readiness, procrastination is astoundingly acute.

Our privacy and cybersecurity colleagues at Morgan Lewis have offered their insights into the shared responsibility of the government and the private sector in adopting effective information security practices and the need for a tailored, flexible approach to cybersecurity regulation. In their Bloomberg Law Privacy and Security Law Report entry, The Government’s Role in Promoting and Leading Effective Cybersecurity, Morgan Lewis partner Mark Krotoski and associate Martin Hirschprung highlight several recent cyberattacks, discuss cooperation efforts between the government and private sectors, provide an overview of the current US regulatory landscape, and identify their recommendations for key factors the government should consider to streamline and reduce the burden of cybersecurity regulations while still promoting effective cybersecurity.

As 2017 comes to a close, we have once again compiled all the links to our Contract Corner blog posts, a regular feature of Tech & Sourcing @ Morgan Lewis. In these posts, members of our global technology, outsourcing, and commercial transactions practice highlight particular contract provisions, review the issues, and propose negotiating and drafting tips. If you don’t see a topic you are interested in below, please let us know, and we may feature it in a future Contract Corner. These posts cover many different provisions and aspects of drafting commercial, outsourcing, and technology contracts:

Assignment and Delegation

As part of our Silicon Valley office’s “First Cup of Coffee” breakfast briefing series, this Thursday, November 14, Morgan Lewis partner Andrew Gray will be hosting Andrew Ray and Melissa Hall from our Washington, DC office to present an update on fintech regulatory issues.

The event, “Looking Beyond the Tech in Fintech,” will focus on pitfalls and best practices as regulatory agencies try to keep pace with technological advances in the financial services industry.

The North American Electric Reliability Corporation (NERC) recently petitioned the Federal Energy Regulatory Commission (FERC) to approve its proposed “Reliability Standards” addressing cybersecurity risks in critical infrastructure protection (CIP) supply chains. In a LawFlash from October 5, Morgan Lewis partner J. Daniel Skees provides detailed background and analysis on the proposed Reliability Standards.

On August 31, the White House released a report developed by the American Technology Council (ATC), Office of Management and Budget, Department of Homeland Security, Department of Commerce, and General Services Administration addressing the objectives of and a plan for the modernization of federal information technology (IT).

Historically, modernization has been a problem due to factors such as resource prioritization, the inability to procure services quickly, and technical issues. The report splits these issues into two groups—the modernization and consolidation of networks and the use of shared services to enable future network architectures.

Network Modernization and Consolidation

In the report, the ATC calls for government agencies to maximize the secure use of cloud computing, modernize government-hosted applications, and securely maintain legacy systems. In addition, the report calls for the consolidation and improvement of the acquisition of network services.

Earlier this month, the United Kingdom’s Information Commissioner’s Office (ICO) released an initial draft guide of contracting requirements and liabilities for data controllers and data processors doing business together under the General Data Protection Regulation (GDPR).

According to the ICO guide, any time a party that determines the purposes and means of the processing of personal data (Controller) uses a party that processes personal data on behalf of a Controller (Processor), a written contract between the parties is required. If a Processor uses a sub-Processor, the Processor shall be deemed a Controller and will be subject to the same requirements and liabilities as a Controller.