Data Security Law Blog

DataSecurityLaw.com is the firm’s resource for the latest news, analysis, and thought leadership in the critical area of privacy and cybersecurity law. Patterson Belknap’s Privacy and Data Security practice provides public and private enterprises, their leadership teams and boards with comprehensive services in this critical area. Our team of experienced litigators, corporate advisors and former federal and state prosecutors advises on a broad range of privacy and data protection matters including cyber preparedness and compliance, data breach response, special board and committee representation, internal investigations, and litigation.

The Minted Complaint: Another Case Brought Under the CCPA’s Private Right of Action

by Jonathan (Yoni) Schenker and Michael F. Buchanan on July 23, 2020

Well before the California Attorney General’s power to enforce the California Consumer Privacy Act (CCPA) commenced on July 1, 2020, as we have recently reported, private plaintiffs had already jumped into the fray, suing companies like Zoom and Houseparty for alleged violations of the CCPA. We noted that if one of these private lawsuits were to survive a motion to dismiss, it could lead to a substantial increase in class action litigation under the CCPA. Another putative class action under the CCPA that was filed on June 11, 2020 against Minted, Inc.—the popular online stationery, art, and home décor company—joins the growing list of private CCPA lawsuits and adds another wrinkle to this new area of law.

Privacy Suits Against Zoom and Houseparty Test the CCPA’s Private Right of Action

by W. Scott Kim, Jonathan (Yoni) Schenker and Alejandro H. Cruz on April 28, 2020

Over the past month, many have discovered video chat and conferencing apps such as Zoom and Houseparty, using them for both business and to keep connected to friends and family during this period of global social distancing. Increased usage of these apps has also resulted in close scrutiny of their privacy practices by the public and government authorities. Indeed, Zoom has been hit with eight class actions that were recently consolidated, while separate plaintiffs sued the owners of Houseparty. A core allegation among those suits is that, without notice or consent, these apps provided user data to third parties (e.g., Facebook). Both the Houseparty complaint and a majority of the Zoom complaints allege violations of the California Consumer Privacy Act (CCPA), making these cases among the first with the potential to test the contours of the nascent but expansive privacy law. If the CCPA claims in these suits survive, it could signal the beginning of a substantial increase in class actions claiming CCPA violations.

Consumer Reports Opposes Efforts to Delay CCPA Enforcement Due to COVID-19

by Jonathan (Yoni) Schenker and Alejandro H. Cruz on March 25, 2020

Businesses, consumers, and regulators continue to grapple with balancing privacy, cybersecurity, and the response to the COVID-19 pandemic. Last week, this blog explored the increased cyber risks that the pandemic poses to businesses, providing guidance on how businesses can navigate that risk. Yesterday, we reported on a joint letter filed by more than 30 industry groups to the California Attorney General (“AG”) requesting a delay in enforcement of the California Consumer Privacy Act (“CCPA”) due to the burdens that COVID-19 is placing on businesses. Enforcement of the CCPA is currently scheduled to commence as early as July 1, 2020. Earlier this week, Consumer Reports, a consumer advocacy group, urged the AG to reject industry efforts to delay enforcement of the CCPA.

Industry Groups Request Delay in CCPA Enforcement Due to COVID-19

by Jonathan (Yoni) Schenker on March 24, 2020

On March 17, 2020, a group of thirty-two trade associations and two corporations formally requested that the California Attorney General (AG) delay enforcement of the California Consumer Privacy Act (CCPA) until January 2, 2021, due to the ongoing COVID-19 pandemic. The trade associations represent leading companies in a wide range of industries, including healthcare and pharmaceuticals, transportation, logistics, advertising, insurance, entertainment, real estate, banking and finance, and technology.

CCPA Update: California AG’s Modified Proposed Regulations

by Jonathan (Yoni) Schenker on March 13, 2020

This is the fourth post in our series discussing the practical impact of the California Attorney General’s regulations to the California Consumer Privacy Act (CCPA). See our previous CCPA posts here.

The CCPA took effect on January 1, 2020, and already a putative class action has been filed, albeit over a data breach that allegedly occurred before the CCPA’s effective date. In addition, although the statute is now operative, its implementing regulations remain in flux. On February 7, 2020, the California Attorney General (AG) issued a notice of modification to the proposed regulations originally issued in October 2019. And on March 11, 2020, the AG released a second set of modifications. These modifications—published in a clean and redline version—contain important updates clarifying notice requirements, consumer request acceptance and response obligations, service provider responsibilities, and when discrimination related to financial incentives is permissible.

CCPA Update: Key Proposed Regulations on Verification of Requests & Non-Discrimination

by Jonathan (Yoni) Schenker on December 20, 2019

On January 1, 2020, the California Consumer Privacy Act (CCPA) becomes operative. As we reported last month, the California Attorney General (AG) released long-awaited draft regulations to the CCPA. This is the third installment in a series of posts discussing the regulations most relevant to companies as they determine whether they are covered under the law and how to comply. This post discusses the key regulations on business verification of requests made by consumers and the non-discrimination provision of the CCPA.

CCPA Update: Key Proposed Regulations for Business Practices for Handling Consumer Requests

by Jonathan (Yoni) Schenker on November 21, 2019

As we recently reported on this blog, the California Attorney General (AG) released long-awaited draft regulations to the California Consumer Privacy Act (CCPA). This is the second installment in a series of posts discussing the regulations most relevant to companies as they determine whether they are covered under the law and how to comply. This post discusses business practices for receiving and verifying consumer requests to delete or opt-out, and for disclosure of specific information, referred to in the regulations as “requests to know.”

CCPA Update: Key Proposed Notice and Privacy Policy Regulations

by Jonathan (Yoni) Schenker on November 7, 2019

As we recently reported on this blog, the California Attorney General (AG) released long awaited draft regulations to the California Consumer Privacy Act (CCPA). The regulations provided clarity on several provisions in the law, while also failing to answer some open questions. In a series of upcoming blog posts, we will discuss the regulations most directly relevant to companies as they determine whether they are covered under the law and how to comply. This first post discusses the notices and privacy policies described in detail in the proposed regulations.

CCPA Update: California Attorney General Releases Proposed Regulations

by Jonathan (Yoni) Schenker on November 5, 2019

On October 11, 2019, the California Attorney General released its long-anticipated Notice of Proposed Rulemaking Action and the text of its proposed regulations for the California Consumer Privacy Act (CCPA), along with an Initial Statement of Reasons for the proposed regulations. The documents are not a short read, with the proposed regulations covering 24 pages, the Notice 16 pages, and the Statement of Reasons another 47 pages.

A Closer Look at the CCPA’s Private Right of Action and Statutory Damages

by Jonathan (Yoni) Schenker, Michael F. Buchanan and Alejandro H. Cruz on August 22, 2019

The California Consumer Privacy Act (CCPA) has significantly altered the potential consequences of a data breach under California law by permitting California consumers to bring civil suits for statutory damages, Cal. Civ. Code § 1798.150(a)(1), and to seek statutory damages of between $100 and $750 “per consumer per incident or actual damages, whichever is greater.” Id. § 1798.150(a)(1)(A). The ability to seek statutory damages is in addition to injunctive or declaratory relief. Id. § 1798.150(a)(1)(B),(C).

Part III: Our Last Look at the CCPA’s Definition of “Personal Information”

by Jonathan (Yoni) Schenker on April 24, 2019

In our third and final installment on the California Consumer Privacy Act’s (CCPA) expansive definition of “personal information,” we look at other sections of the CCPA that either limit the applicability of the law’s “personal information” definition or exclude information from coverage under the law.

Part II: A Closer Look at the CCPA’s Definition of “Personal Information”

by Jonathan (Yoni) Schenker on April 16, 2019

Our three-part series on the California Consumer Privacy Act’s (CCPA) expansive definition of “personal information” is designed to help businesses identify whether they hold information covered under the law, while also highlighting the potential pitfalls in the definition as we await interpretative regulations from the California Attorney General and potential amendments from the state’s legislature. In Part I, we explored the breadth of the definition. We now turn to the law’s two explicit exclusions from the definition of “personal information.”

Part I: A Closer Look at California’s New Privacy Regime: The Definition of “Personal Information”

by Jonathan (Yoni) Schenker on April 9, 2019

The California Consumer Privacy Act (CCPA) is set to become “operative” on January 1, 2020. As we have written in earlier blog posts, the CCPA is the most sweeping consumer privacy law in the country.

A Closer Look at California’s New Privacy Regime: Two Critical Definitions

by Jonathan (Yoni) Schenker on January 8, 2019

Businesses covered by the recently enacted California Consumer Privacy Act of 2018 (CCPA) are scrambling to comply with the statute, which becomes “operative” on January 1, 2020, unless that date is changed by the California legislature. As we have noted in earlier blog posts, the CCPA is the most sweeping privacy law in the U.S. and has significant implications for any business that falls within its coverage.

New Year’s Resolution 2019: Compliance with California’s Consumer Privacy Act

by Jonathan (Yoni) Schenker on December 19, 2018

With the New Year fast approaching, so begins the one-year countdown to the California Consumer Privacy Act, or CCPA, going into effect.

Obsolete Device Woes: What To Do?

by Jonathan (Yoni) Schenker on August 27, 2018

It seems like a victimless crime. Toss out an old computer or post it for sale on the Internet for a few bucks. Not a big deal, right?

Not so fast.

U.S. Supreme Court Watch: Whether to Resolve Circuit Split on Standing for Data Breach Plaintiffs

by Jonathan (Yoni) Schenker on February 1, 2018

At its first conference this month, the U.S. Supreme Court will consider whether to weigh in on a Circuit split over standing to sue in the aftermath of a data breach.

More State Data Security Regulation: North Carolina Bill Penalizes Unreasonable Data Security Practices and Requires Rapid Notification

by Jonathan (Yoni) Schenker on January 30, 2018

In a post-Equifax environment, state-level data security regulation is on the rise. And in many instances, state regulatory regimes are getting tougher.