Federal Judge Concludes Entity Subject To CCPA Despite Claim Not Being “Business” | Arent Renard


US News

Federal Judge Concludes Entity Subject to CCPA Despite Claiming Not “Business”

In Blackbaud Inc. Customer Data Security Breach Litigation, No. 3:20-mn-02972 (D.S.C. August 12, 2021), a federal judge found that the defendant, Blackbaud Inc., was subject to the CCPA despite its motion to dismiss claiming that it was not a “business” under the Act. The CCPA applies to for-profit entities that collect personal information from California consumers and either have gross annual revenues greater than $25 million; buy, receive, sell or share the personal information of 50,000 or more consumers, households or devices each year; or earn more than half of their income from selling consumers’ personal information. Blackbaud argued that it was not a “business” but a “service provider” and therefore immune from liability under the CCPA. The court disagreed. Beyond Blackbaud meeting this threshold, the court specifically noted that Blackbaud was registered as a data broker in California under a law that adopted the same definition of “business” as the CCPA and that it used consumers’ data to test and improve its offers.

California AG Takes CCPA Enforcement Action Against Dealer-Manufacturer

Among the enforcement actions identified in the recent California AG press release was an action against an unnamed dealer-manufacturer, stating that the company failed to inform consumers of the use of personal information when collecting personal information from consumers seeking to test vehicles at a dealership location, in addition to other omissions in its privacy policy. Specifically, the company did not have a process for authorized agents to submit requests, did not have a toll-free number for CCPA requests, and did not provide in-person notification during collection. This and similar enforcement efforts seem to indicate that the California AG is actively enforcing CCPA requirements, including the more technical provisions.

SEC fines company for misleading investors about 2018 cyber incident

The SEC recently reached a settlement with Pearson plc in which the London-based educational publishing company agreed to pay $1 million to settle claims that it misled investors about a 2018 cyber intrusion involving the theft of millions of student records, including birth dates and email addresses, and that it had inadequate disclosure controls and procedures. In particular, in its semi-annual report, filed in July 2019, Pearson characterized a data privacy incident as a hypothetical risk, when in fact the 2018 cyber intrusion had already occurred. Additionally, in a July 2019 media statement, Pearson said the breach may include dates of birth and email addresses, when in fact it knew those records had been stolen. In the same statement, Pearson claimed it had “tough protections” in place, when in fact it failed to patch the critical vulnerability for six months after being notified. The media statement also omitted that millions of lines of student data, hashed usernames and passwords had been stolen. The SEC order also found that Pearson’s disclosure controls and procedures were not designed to ensure that those responsible for making disclosure decisions were made aware of certain information about the circumstances surrounding the breach.

Error – No Privilege Found: District Court Requests Data Breach Report

In March 2020, a class action lawsuit was filed against gas station and convenience store operator Rutter’s Inc., claiming that Rutter’s had failed to adequately prevent and respond to an alleged breach exposing the financial data of its clients. During discovery, it was learned that third-party cybersecurity consultant Kroll Cyber Security LLC had been hired to “perform forensic analyses on Rutter’s card environment and determine the nature and extent of the incident” and to prepare an investigation report summarizing the same. Notably, Rutter’s and Kroll “understood that Kroll’s work was privileged.” Additionally, even though Kroll was hired by Rutter’s outside lawyer, Rutter’s paid Kroll directly. In June 2021, the plaintiffs filed a motion to compel production of the report and related communications between Kroll and Rutter’s. In response, Rutter’s asserted that the report and communications were protected as work product and under attorney-client privilege. The Middle District of Pennsylvania rejected these arguments because: (i) the report’s statement of work seemed limited to factual investigations and the company representative said he did not anticipate litigation at the time of the underlying investigation; and (ii) the cybersecurity consultant who prepared the report was not acting as a lawyer, on the instruction of a lawyer, or providing information to a lawyer to help him provide legal advice.

FTC removes COPPA Safe Harbor provider from list

For the first time ever, the FTC has removed a COPPA Safe Harbor provider from its list. Specifically, the FTC delisted Aristotle International Inc. over concerns that Aristotle “may not have sufficiently monitored its member companies to ensure that they were complying with [Aristotle’s] guidelines.” The delisting comes after the FTC warned Aristotle and received an “inadequate response.” In support of its decision, the FTC said, “[t]here is an obvious conflict of interest when self-regulatory organizations are funded by the website operators and application developers they are supposed to control,” thus signaling the potential for further enforcement efforts under COPPA.

Global News

UK Information Commissioner consults on data transfers, including EU Model Contractual Clauses approach

On August 11, 2021, the UK Information Commissioner launched a consultation on data transfers. The consultation is for anyone who transfers personal data from the UK or provides services to UK organizations. The consultation examines whether the Information Commissioner should approve an addendum allowing the use of the EU SCCs for transfers of personal data from the UK. Further, the consultation proposes (1) that the Information Commissioner end the current temporary approval of the 2001, 2004 and 2010 SCCs; (2) a new international data transfer agreement specific to the United Kingdom; (3) an accompanying transfer risk assessment; and (4) changes to existing UK guidelines on data transfers. The deadline to respond to the consultation is October 7, 2021.

UK Children’s Code effective September 2, 2021

The UK Age-Appropriate Design Code (aka the “Children’s Code”) came into effect on September 2, 2021 after its one-year transition period expired. The code applies to providers of “information society services” (similar to Internet service providers in the United States) that process personal data and whose services may be viewed by children in the United Kingdom. The code requires, among other things, the use of a DPIA (“data protection impact assessment”), the application of the principles of age filtering to your data processing with a certain flexibility of application, and that privacy information provided to users, as well as other published terms, policies and community standards, be presented concisely, prominently and in clear language appropriate to the child’s age. More information about the code can be found here.

China adopts new personal data protection law, to take effect November 1

The Chinese National People’s Congress recently passed a law to protect the privacy of online user data (the PIPL), which is due to come into force on November 1, 2021. This law follows China’s data security law, which came into effect on September 1, 2021. Some of the requirements of the PIPL include, but are not limited to:

  1. “Separate consent” will be required to: provide personal information to a third party; publicly disclose personal information; use personal information collected by devices installed in a public place for purposes other than public safety; process sensitive personal information; and provide an individual’s personal information to a party outside the territory of China;
  2. All personal information processors (“PI processors”, similar to controllers under the GDPR) must adopt the necessary measures to ensure that the processing activities of foreign recipients meet a level of protection equivalent to that provided for in the PIPL;
  3. PI processors must meet one of the following conditions before exporting personal information outside of China: (1) pass the required security assessment for CIIOs and organizations handling personal information reaching a certain amount designated by the authority; (2) undergo personal information protection certification conducted by certified institutions; (3) conclude a standard contract (which must be formulated by the authority) with the foreign recipient; or (4) other circumstances provided for by law, regulation or the authority.
  4. A data subject has the right to request a PI processor to transfer their personal information to another PI processor provided that such transfer meets the requirements of the Cybersecurity Administration of China (“CAC”). The PI processor then has the obligation to provide a channel for such a transfer.

PI processors are required to inform the competent authorities for the protection of personal information and the persons concerned when a data-related incident has occurred or is likely to occur.

