Abstract
Advising our shoppers on compliance with legal guidelines and laws is, palms down, a very powerful side of our position as attorneys. Along with looking for counsel on their obligations beneath legal guidelines and laws, nevertheless – motivated by {industry} traits, utilization of and dependence on third-party companies and platforms, and, this 12 months, the COVID-19 pandemic – organizations more and more search us out for recommendation on third-party necessities and nonlegal or legal-adjacent points. Whereas compliance with the California Client Privateness Act (CCPA) and addressing points arising out of the Schrems II judgment and the TikTok and WeChat government orders, amongst others, dominated 2020, organizations confronted an onslaught of different ancillary points this 12 months on which they sought our recommendation. Beneath, we’ve got summarized a listing of privateness and product counseling points on which we’ve got suggested our shoppers this 12 months. That is, in fact, not an exhaustive listing, however reasonably highlights a few of the larger privateness and product counseling points our shoppers have confronted, and on which we’ve got suggested them, in 2020.
Advising on these points is a key a part of our privateness and product counseling follow, which spans a variety of our Digital Belongings and Knowledge Administration (DADM) Follow Group groups, together with our Privateness Governance and Know-how Transactions, Promoting, Advertising and marketing and Digital Media, and Digital Transformation and Knowledge Economic system groups. This abstract additionally serves as a preview for points that organizations will proceed to face in 2021.
COVID-specific Authorized Points
As mentioned beneath, the results of the COVID-19 pandemic have been wide-ranging, spurring companies into organizational modifications, shifting state legislatures’ consideration away from privacy-related laws and virtually stopping the CPRA from making it onto the 2020 poll. Companies additionally handled the direct results of COVID-19 and compliance necessities that flowed from it. All through 2020, our shoppers turned to us, they usually proceed to show to us, as their trusted advisers to handle these points, together with state and native shutdowns, return-to-work and different employment-related compliance, chapter and reorganization counseling, and lots of different points, as highlighted in our Coronavirus (COVID-19) Resource Center. We additionally offered key recommendation to shoppers, together with concerning implementing contact tracing cell functions, promoting private protecting gear and different COVID-related merchandise, and pivoting and transforming digital assets into alternative revenue streams.
Privateness and Knowledge Safety Legal guidelines and Laws
CCPA. The California Client Privateness Act (CCPA) dominated a lot of the dialog within the privateness and product counseling house this 12 months. Jan. 1, the efficient date of the CCPA, got here and went after organizations spent a lot of 2019 addressing the CCPA’s statutory necessities and the primary spherical of laws from the Workplace of the Lawyer Basic (OAG). For the primary half of 2020, the OAG saved everybody on their toes, issuing a number of rounds of modifications to the laws earlier than submitting closing regs to the Workplace of Administrative Regulation on June 1. The regs have been then not lastly adopted till August 14. And simply once we thought the OAG was completed with the regulatory course of, his workplace launched additional regs in October and December (within the newest draft, the OAG has proposed a brand new “Do Not Promote” brand together with laws that make it unclear whether or not or not the emblem is required). Whereas there have been no public CCPA enforcement actions by the AG in 2020, we’re conscious of a number of ongoing investigations by which the OAG is inquiring about web site homeowners’ use of interest-based promoting cookies and their lack of a Do Not Promote button. It’s unclear whether or not the OAG will make any of those enforcement actions public. What is evident is that companies should tackle CCPA cookies compliance in a sturdy method in 2021, in the event that they haven’t already. BakerHostetler attorneys, lots of whom have experience in AdTech and the associated privateness points, have labored with scores of shoppers on compliance with cookies and interest-based promoting points, and have been concerned within the improvement of promoting {industry} opt-out instruments, mentioned in additional element beneath.
For a complete itemizing of our CCPA weblog posts, please go to here.
CPRA. On Election Day 2020, California voters accredited a poll measure, Proposition 24, referred to as the California Privateness Rights Act of 2020 (CPRA), introduced by the identical group of people that have been in the end liable for the unique introduction and passage of the CCPA. Referred to by some as CCPA 2.0, the CPRA will amend sure provisions of the paradigm-shifting 2018 California Client Privateness Act (CCPA), as firms have been simply determining tips on how to adjust to the CCPA. Among the many highlights are extension of the HR and B2B exemptions by means of Jan. 1, 2023; a brand new, stand-alone privateness company tasked with issuing laws and administrative enforcement of the legislation; vital amendments implicating AdTech and cookies compliance (together with a brand new definition of “sharing” within the context of “cross-context behavioral promoting”); limitations on and disclosure necessities regarding companies’ retention of non-public info; and new limitations on functions of processing to people who are “crucial and proportionate.” Our weblog submit discussing the numerous provisions of the CPRA may be discovered here. Like all the things in 2020, the CPRA confronted COVID-related woes with respect to assortment of the requisite variety of signatures to make it on the poll, as we talk about in a blog post.
California’s Shine the Mild Regulation. California’s Shine the Mild legislation (Cal. Civ. Code Part 1798.83) continues to exist alongside the CCPA. Corporations and attorneys alike needed to knock the mud off this early 2000s, dot-com-era legislation in an effort to harmonize positions as as to whether an organization “sells” private info beneath CCPA and shares private info for third events’ “direct advertising and marketing functions” beneath Shine the Mild (although this can be a very nuanced concern that requires evaluation on a case-by-case foundation).
Nevada’s SB-220. Taking impact in fall 2019, this modification to Nevada’s present knowledge privateness legislation features a “Do Not Promote” proper that’s way more restricted in scope than the one discovered within the CCPA. Not like the CCPA, a “sale” beneath SB-220 solely covers private info collected on-line and requires a direct fee of financial consideration, and requires that the purchaser onward promote or license the information. Furthermore, “coated info” and “operator” are narrower than the CCPA’s ideas of “private info” and “enterprise,” respectively. For our Baker Knowledge Counsel articles on SB-220, go to here.
COPPA. 2020 noticed its fair proportion of motion in kids’s privateness points, together with (1) an replace to the FTC’s Youngsters’s On-line Privateness Safety Act (COPPA) FAQs (integrating new steerage on age gates, linked toys, the Web of Issues, audio recordings and new strategies of verifiable parental consent accredited by the FTC), (2) the intersection between the COPPA and the CCPA, (3) payments that sought to extend the safety of youngsters’s privateness, such because the Mum or dad’s Accountability and Baby Safety Act launched in California (which sought to position further obligations on social media platforms gathering private info from kids beneath the age of 16, however was vetoed by the governor) and the standard annual federal payments looking for to revise COPPA, (4) enforcement motion settlements associated to misrepresentations about membership to a COPPA secure harbor program and assortment of persistent identifiers, and (5) FTC steerage on COPPA compliance for EdTech firms and colleges within the midst of a pandemic. Youngsters’s privateness and associated kids’s points, corresponding to knowledge associated to loot packing containers and improve of assortment of youngsters‘s info as distant studying and play-at-home practices proceed by means of the pandemic, will seemingly preserve regulators’ and legislators’ consideration. BakerHostetler attorneys often advise firms on tips on how to navigate such a delicate concern whereas additionally maintaining a tally of future developments to the enforcement and legislative panorama. For a listing of our weblog posts on kids’s privateness, please go to here and here.
Different State Privateness Laws. BakerHostetler attorneys routinely advise on different state privateness and knowledge safety legal guidelines, together with different California legal guidelines corresponding to CalOPPA, and Delaware and Massachusetts privateness legal guidelines.
In 2020, quite a few states launched privateness laws, and passage of those sweeping privateness legal guidelines in not less than a few these states, together with New York and Washington, appeared seemingly. A few of the payments have been CCPA or GDPR impressed; some have been as complete as these laws whereas others have been extra watered down. Following the onset of COVID-19, many state legislatures shifted their focus to the pandemic response and did not advance or go the launched privateness laws. It is going to stay to be seen if New York, Washington, New Jersey and different states decide up the place they left off in early 2021 and try to go complete privateness laws as their priorities shift away from COVID-19.
Cybersecurity. The FTC and not less than half the states require companies that personal, license or keep private info to implement and keep “affordable safety procedures and practices.” More and more, shoppers hunt down BakerHostetler attorneys to counsel them by means of privateness and safety by designing frameworks as they construct out new merchandise and functions, and to advise on knowledge safety points arising out of vendor and different third-party relationships and in relation to improvement of inner knowledge safety safeguards.
Worldwide Legal guidelines and Laws and Geopolitical Points
Schrems II. In a carefully watched July 2020 opinion on the Schrems II case, the Courtroom of Justice of the European Union (CJEU) invalidated the EU-U.S. Privateness Protect Framework, an adequacy determination accredited by the European Fee in 2016 that had offered many firms with a mechanism for the lawful switch of EU private knowledge to the USA.
The Schrems II determination additionally referred to as into query the validity of normal contractual clauses, one other common knowledge switch mechanism, citing U.S. authorities surveillance actions usually and the dearth of efficient treatments provided to EU knowledge topics whose private knowledge was transferred to the USA. The CJEU’s opinion already has had, and can proceed to have, a wide-ranging impact on private knowledge transfers from the EU to the USA., requiring enhanced technical and organizational measures, reassessment of information flows, and the renegotiation of information switch provisions. For a number of months, firms have been left in limbo by an absence of significant steerage from EU knowledge safety authorities, together with the European Knowledge Safety Board (EDPB), on tips on how to adjust to the GDPR’s knowledge switch necessities in mild of the Schrems II determination.
Recent draft guidance from the EDPB and draft updated standard contractual clauses from the European Commission have provided some clarification, nevertheless it appears seemingly this may stay an space of intense focus all through 2021, significantly for U.S. firms engaged in cross-border knowledge transfers with the EU.
GDPR. Whereas the Schrems II determination has dominated a lot of the dialogue about EU knowledge safety within the second half of 2020, a number of different developments deserve point out.
Brexit. Whereas the UK formally left the EU on Jan. 31, 2020, a transition interval at the moment applies till Dec. 31, 2020, throughout which the UK stays topic to EU legislation for numerous functions, together with software of the GDPR. Stories on the Brexit deal point out that the European Fee continues to be engaged on a possible adequacy determination for the UK, however any adequacy determination won’t be in place when the transition interval expires. A limited-term transitional adequacy interval with regard to knowledge transfers will probably be carried out beneath the draft Dec. 24, 2020, Brexit deal. Throughout this transitional adequacy interval of as much as 6 months, knowledge transfers to the UK won’t be handled as transfers to a 3rd nation and may proceed freely.
In 2021, companies working in the UK might want to tackle the UK individually from the EU for compliance functions, understanding that, though much like the GDPR, the amended UK Knowledge Safety Act will start to use this 12 months and has some distinct necessities. Organizations that had designated the UK’s DPA (the ICO) as their lead supervisory authority beneath the GDPR should decide which, if any, EU Member State could now serve on this capability. Moreover, firms whose Binding Company Guidelines have been accredited by the UK’s ICO will want approval from a brand new (EU Member State) supervisory authority to stay legitimate, in accordance with an EDPB note published in July. Whereas we await a choice on whether or not the European Fee will acknowledge the UK as “satisfactory” for functions of non-public knowledge transfers, organizations ought to think about acceptable private knowledge switch safeguards to handle knowledge flows between the EU and the UK, in addition to onward transfers from the UK to different nations, corresponding to the USA. The implementation of other knowledge switch mechanisms has additionally been inspired by the UK’s ICO, which will probably be updating its steerage for companies to mirror modifications within the Brexit deal.
COVID-19. Balancing the safety of non-public knowledge towards the necessity to implement efficient coronavirus mitigation methods has been a key concern in debates about pandemic management efforts in Europe, with the EDPB releasing a statement confirming that “emergency is a authorized situation which can legitimize restrictions of freedoms offered these restrictions are proportionate and restricted to the emergency interval.” A follow-up statement from the EDPB emphasised the validity and applicability of the GDPR even in emergency conditions. In reference to the pandemic response, numerous DPAs and the EDPB issued steerage bearing on the safety of non-public knowledge within the context of telecommuting, health-related and speak to tracing apps, temperature monitoring, and using location knowledge. The EU’s eHealth Community in the end launched a Toolbox to be used within the improvement of contract tracing apps, which got here with European Fee steerage for safeguarding private knowledge when growing such apps.
Cookies. Google’s compliance with and adoption of the TCF 2.0 actually spurred organizations’ compliance efforts and necessities with respect to cookies in 2020. Moreover, regulators throughout the European continent made waves on the difficulty. The French Knowledge Safety Authority (the CNIL) finalized its guidelines on cookies and monitoring applied sciences, including suggestions on acquiring consent, and introduced that using cookies could be a part of its 2020 inspection plans persevering with into 2021. Part of the CNIL’s tips banning cookie partitions was struck down by a French court in July. Lately, the CNIL has issued a number of giant fines associated to the failure to acquire consent for using nonessential cookies. The Belgian DPA additionally released guidance on cookies and monitoring applied sciences this 12 months, whereas the EDPB updated its guidelines on valid consent beneath the GDPR. The German Federal Courtroom of Justice issued an opinion addressing cookie consent points within the Planet49 case, which it previously referred to the CJEU, and confirmed that consent isn’t legitimate if the consent field is prefilled.
Regulatory Enforcement. Now we have continued to see giant fines issued by numerous EU DPAs this 12 months, together with the next:
- February 2020 – the Italian DPA fined a telecommunications firm simply over €27.8 million for illegal advertising and marketing practices, corresponding to not sustaining its opt-out listing appropriately, failing to handle its advertising and marketing name facilities, and requiring consent to advertising and marketing communications for entry to sure offers and sweepstakes. The Italian DPA issued fines on different telecommunications firms in July 2020 for €16.7 million and in November 2020 for €12.2 million associated to unsolicited advertising and marketing communications.
- June 2020 – France’s highest administrative courtroom upheld the CNIL’s advantageous of €50 million on a know-how firm for failure to acquire legitimate consent and to supply a clear, simply accessible discover.
- July 2020 – the Belgian DPA fined a know-how firm €600,000 for non-compliance with a person’s requests beneath the appropriate to be forgotten. The Swedish DPA fined the identical firm €5 million for the same violation.
- October 2020 – The German Hamburg DPA fined a retailer €35.3 million for unlawful worker monitoring practices concerning detailed notes taken and saved in an internet system by managers about workers’ private lives.
- October 2020 – The UK DPA issued over €40 million in mixed fines on a number of firms associated to reported knowledge breaches.
- December 2020 – The French DPA issued €135 million in mixed fines on three firms for failing to provide satisfactory discover about using cookies, failing to acquire acceptable consent earlier than setting promoting cookies and failing to supply acceptable opt-out mechanisms for cookies.
Surveillance. In October, the CJEU decided several joined cases confirming that EU legislation precludes nationwide laws that requires “a supplier of digital communications companies to hold out the overall and indiscriminate transmission or retention of visitors knowledge and site knowledge for the aim of combating crime on the whole or of safeguarding nationwide safety.” Such surveillance is allowed solely when there’s a severe, real, and current or foreseeable nationwide safety risk. Even in such situations the retention of information have to be restricted each in scope and length to that which is strictly crucial.
As we head into 2021, firms ought to observe that the European Fee just lately issued proposals for a Regulation on European Data Governance aimed toward growing knowledge sharing throughout the EU, a Digital Services Act that may partially overhaul the eCommerce Directive and a Digital Markets Act to forestall unfair competitors in digital markets. These proposed items of laws are price watching within the new 12 months.
Chinese language-based Enterprise Govt Orders. In August 2020, the U.S. authorities issued prohibitions towards sure actions associated to TikTok and WeChat and their Chinese language homeowners, based mostly on nationwide safety considerations that the Chinese language Communist Occasion might entry the huge quantities of U.S. citizen knowledge these apps accumulate. Whereas these prohibitions are being hotly contested in courtroom and should not seemingly to enter impact till early 2021 on the earliest, if ever, they might ban a variety of actions and can goal a variety of information (e.g., geolocation knowledge, communications, monetary info and well being info). Corporations that accumulate, keep or use U.S. citizen knowledge ought to due to this fact fastidiously assessment present and potential enterprise partnerships that straight or not directly contain Chinese language individuals. BakerHostetler attorneys have been advising such firms on these dangers and others, together with these associated to overseas funding from China – in 2020, an inter-agency nationwide safety assessment of overseas investments in the USA required TikTok’s Chinese language proprietor to divest from the app, and the U.S. authorities carried out a brand new legislation considerably increasing the manager department’s authority to assessment and probably block overseas investments that would lead to overseas entry to the delicate private knowledge of U.S. residents. Corporations doing enterprise with Chinese language entities or people ought to proceed to pay shut consideration to this concern.
Non-Privateness and Knowledge Safety Legal guidelines and Laws
Digital Millennium Copyright Act (DMCA). As an increasing number of shoppers develop interactive net companies, the DMCA is extra related now than ever earlier than. Companies that host and publish user-generated content material on their digital properties should designate a DMCA agent to obtain notifications of claimed infringement and put in place a sturdy DMCA coverage. Having an entire DMCA coverage and responding to takedown requests “expeditiously” is essential to guard a enterprise from probably large copyright infringement judgments on account of user-generated content material. BakerHostetler attorneys present product counseling on the DMCA to firms starting from startups to large tech.
Communications Decency Act (CDA). Alongside the DMCA stands the opposite bastion of the Web: the CDA. Though at the moment within the highlight politically because of the present administration’s concentrate on Part 230 and the immunity for giant social media platforms, the CDA continues to supply sturdy safety from legal responsibility for what a web site’s customers say and do on the web site, and BakerHostetler attorneys have been there to defend our shoppers utilizing the legislation every time attainable. Whereas we’re monitoring the developments with respect to the CDA, it appears unlikely that the present dialog about limiting on-line platforms’ immunity will proceed past the present administration.
Phone Client Privateness Act (TCPA). Because of the personal proper of motion, the TCPA could be a minefield for companies that perform textual content messaging campaigns or in any other case make automated calls or textual content messages. In response to COVID-19, extra companies have turned to textual content to facilitate curbside pick-up and deliveries, and to achieve out to prospects to advertise gross sales. Pharmacies and medical services are planning to make use of textual content to help with vaccine rollout. We incessantly counsel shoppers by means of numerous features of the TCPA, together with procedures and disclosures for acquiring consent, advising on conditions the place exceptions to the consent necessities apply, drafting cell phone opt-in and opt-out disclosures, partaking distributors, and revising on-line phrases to use class motion waivers and limitations of legal responsibility to SMS packages. Like a few years, 2020 was rife with TCPA litigation. On Dec. 8, the Supreme Courtroom heard oral arguments in a case over the definition of “auto-dialer,” on which the federal circuits are cut up. The Courtroom’s holding, forthcoming in 2021, will definitely have long-standing results with respect to TCPA jurisprudence usually in addition to firms’ compliance with the legislation.
Trade and Platform Instruments, Initiatives and Self-Regulation.
Key to our product counseling follow is knowing the technical and authorized intricacies of developments in and updates to {industry} and platform instruments, initiatives and necessities. Furthermore, lots of our shoppers are topic to promoting {industry} self-regulation.
Digital Promoting Trade CCPA Choose-Out Instruments. To deal with the CCPA’s novel “Do Not Promote” proper, two {industry} organizations – the Interactive Promoting Bureau and the Digital Promoting Alliance – developed mechanisms by which customers could choose out of the sale of their private info within the context of digital promoting. The viability of those packages is at the moment being examined in a number of OAG inquiries. Along with counseling shoppers on CCPA compliance, a number of BakerHostetler attorneys have been among the many stakeholders engaged by the IAB within the development of its CCPA framework and a digital advertising industry CCPA compliance survey. BakerHostetler’s involvement with the IAB and the efforts in regard to its Framework and {industry} is a product our agency’s place as a pacesetter within the digital media, promoting and privateness house.
iOS 14 Updates. This summer season, Apple introduced two new consumer-oriented privateness options. The primary, which has been carried out, requires app publishers to reveal info concerning their apps’ knowledge assortment and use practices in what some are referring to as a privateness “vitamin label.” One other vital privateness function, not but carried out, would require companies to evaluate whether or not they’re “monitoring” customers of their apps and, if that’s the case, to acquire opt-in consent from customers to proceed the follow. You’ll be able to learn our weblog submit introducing these necessities here.
Google’s Integration with IAB Europe’s GDPR Consent Framework (TCF 2.0). After over two years of working independently from the IAB Europe’s Transparency and Consent Framework (TCF), Google built-in with the IAB’s TCF 2.0 in August 2020. BakerHostetler attorneys endorsed quite a few shoppers that rely on Google’s promoting companies by means of the modifications related to Google’s adoption of the TCF 2.0.
Trade Self-Regulation Updates. The Community Promoting Initiative, a number one promoting {industry} group whose members embrace promoting know-how firms, up to date its Code of Conduct in January 2020. BakerHostetler attorneys not solely endorsed NAI members by means of the updates to the 2020 Code, however offered counsel to prospects and shoppers of NAI members, to which the NAI code necessities apply contractually by means of their contract with their NAI member-advertising know-how distributors. The NAI is already contemplating additional updates to the code, illustrating how shortly issues are altering in digital media and promoting.
Knowledge Stock and Client Rights Distributors and Platforms. Lots of our shoppers rely on third-party knowledge stock and shopper rights administration platforms. In consequence, it’s not possible to advise organizations on compliance with privateness legal guidelines just like the CCPA and GDPR with out being versed within the vendor merchandise our shoppers use for a similar. Now we have a working data of or experience in lots of of those platforms, so our attorneys are capable of assist our shoppers operationalize the necessities of the CCPA and different privateness legal guidelines. Quite a lot of BakerHostetler attorneys went by means of intensive coaching on OneTrust’s knowledge mapping and shopper rights administration instruments.
Cookie Stock and Administration Platforms. Addressing cookies and different monitoring applied sciences, and taking a correct stock of them on on-line and cell properties, is a key a part of complying with knowledge privateness regimes, together with the CCPA and GDPR. BakerHostetler attorneys and people from our industry-leading IncuBaker crew conduct assessments of our shoppers’ cookie inventories utilizing each extensively adopted instruments and proprietary strategies. The evaluation consists of identification of cookies and tips on how to tackle them from a compliance perspective on a person foundation. As well as, we’re adept at counseling shoppers by means of the adoption of cookie consent administration platforms, corresponding to OneTrust.
Teleworking Platforms. As firms migrated to or upped their presence on video conferencing platforms, BakerHostetler attorneys fielded questions from and suggested shoppers on numerous points regarding firms’ elevated telepresence and use of such platforms. Such points embrace however should not restricted as to whether firms can report conferences and what sort of discover is required in the event that they do; whether or not an organization ought to present discover of such recordings of their calendar invites and what the language of the discover ought to be; how the recordings match into the corporate’s present knowledge retention coverage; and lots of extra.
e-Commerce Points. Motivated by the obligatory closing of brick-and-mortar retail required by state and native quarantine efforts, and customers’ ongoing reluctance to go to retailers and eating places in particular person due the COVID-19 pandemic, companies with out an e-commerce presence tried to maneuver shortly to determine one, whereas companies with an present e-commerce presence swiftly moved to increase it. Furthermore, eating places with out supply, curbside pickup, and on-line and cell ordering tried to shortly pivot and increase to supply these capabilities. BakerHostetler attorneys assisted scores of shoppers within the enlargement of their e-commerce capabilities, together with by negotiating contracts with e-commerce and meals ordering/supply platforms, counseling organizations by means of the authorized points related to improvement of e-comm cell and net functions, drafting phrases of use and privateness insurance policies, and offering normal counseling regarding the COVID-19-related dangers related to the expanded e-comm actions. BakerHostetler’s cross-disciplinary teams of attorneys from our Privateness Governance and Know-how Transactions crew and our Promoting, Advertising and marketing and Digital Media crew have intensive expertise on this house and are nicely poised to advise on all features of organizations’ e-commerce actions.
Search for future weblog posts on some of these points. For extra info, please be at liberty to achieve out to the authors or others in BakerHostetler’s DADM Follow Group. For added articles masking the CCPA, the CPRA or the current Schrems II determination, go to BakerHostetler’s Data Counsel weblog and our Consumer Privacy Resource Center.
Barbara Linney, Alan Friel, Melinda McLellan, Carolina Alonso, Orga Cadet, Patrick Waldrop, and Veronica Reynolds additionally contributed to the drafting of this weblog submit.
