Privacy & Cybersecurity

Navigating digital privacy

Consumer privacy and data security are two of the most vital topics facing California auto dealers and other retailers today. Scali Rasmussen’s Privacy & Cybersecurity blog explores the changing legal landscape, its impact on retailers, and how to take a practical approach to issues when perfection may be unattainable. Count on us for updates on new laws and regulations, enforcement actions by regulators and the plaintiff’s bar, and steps you can take to decrease liability and increase customer confidence.

Published on

Senator Earl Carter announced that he will be forming a bipartisan congressional caucus on vehicle data access. The caucus will be formed to address policy issues related to the access, use, and control of data generated by telematics programs and other vehicle monitoring systems. These programs use GPS and other systems to monitor drivers’ mileage and driving habits.

Published on

A new bill, Senate Bill (“SB”) 346, is before the Governor of California to further protect Californians’ privacy. California already passed laws to protect consumer data collected by businesses through the California Consumer Protection Act (“CCPA”). Now, SB 346 aims to protect consumers from collecting and sharing data from in-vehicle cameras.

Published on

Although portions of the California Consumer Privacy Act (“CCPA”) and regulations are not yet effective, California Attorney General’s (“AG”) office is not waiting to enforce. As it stands, the CCPA was modified by the California Privacy Rights Act (“CPRA”) and is not in full effect until January 2023. However, the majority of the CCPA is currently in effect and Sephora is the first one to feel it.

Published on

California voters passed Consumer Privacy Rights Act (“CPRA”) which amended the California Consumer Privacy Act of 2018 (“CCPA”) and created the California Privacy Protection Agency (“Agency”). The Agency enforces the CCPA and adopt regulations to further the purpose of the Act. As part of the process to adopt new regulations, the proposed regulations are made available to the public in order to allow a 45-day comment period.

Published on

The Federal Trade Commission (“FTC”) amended their Standards for Safeguarding Customer Information (16 CFR Part 314) (“Safeguard Rule”) that requires compliance by December 9, 2022. The Safeguard Rule was designed to protect the security of customer information and the recent amendments were for the purpose of keeping up with technology. Specifically, the latest version of the Safeguard Rule requires financial institutions (which includes motor vehicle dealers) to develop, implement, and maintain an information security program with administrative, technical, and physical safeguards designed to protect customer information. The FTC published detailed guidelines to maintain compliance with the Safeguard Rule.

Published on

The California Consumer Privacy Act (“CCPA”) provides consumers with a variety of rights regarding the collection, selling, and sharing of their personal information. Some of the latest amendments to the CCPA expand mandatory disclosures when businesses share consumer information with other businesses (which can include vendors and contractors). However, it is important to know how to classify third-party businesses for purposes of maintaining compliance with the CCPA.

Published on

Human Resource and Compliance departments are scrambling to prepare for changes in California’s consumer protection laws. The California Privacy Rights Act (“CPRA”) goes into full effect on January 1, 2023 which makes a variety of changes to the California Consumer Privacy Act (“CCPA”) that was passed in 2018. Amongst many of the changes, CPRA provides consumers the right to know, modify and delete their information that a business collects. Many of these changes are applicable to information that human resource departments maintain.

Federal District Court decides that the CCPA does not limit discovery in Federal Court

2021 case review: Will Kaupelis v. Harbor Freight Tools USA, Inc.

Published on

The California Consumer Privacy Act (the “CCPA”) went into effect on January 1, 2020, requiring the provision of certain notices, including that businesses inform consumers of their: (1) right to know, (2) right to delete, (3) right to opt out, (4) and right not to be discriminated against for exercising any rights the CCPA provides. In the class action case plaintiff Kaupelis sought discovery that included the personally identifiable information of persons that complained about defects in the chainsaw that was the subject of the action. The defendant resisted production of this information in reliance on the CCPA arguing that the CCPA expanded the privacy rights previously provided under California law and that the court should “protect the consumers’ PI by allowing consumers an opportunity to opt out from disclosure.” The Court noted that historically Courts engaged in a balancing test, balancing the need for the discovery against the privacy interests involved, and that the CCPA did not set aside that body of law. The court granted plaintiff’s motion to compel, stating that “[n]othing in the CCPA presents a bar to civil discovery. Notably, no other case has so held. And the statute itself explicitly says that it is not a restriction on a business’s ability to comply with federal law,” which would include the Federal Code of Civil Procedure provisions concerning discovery.

Published on

Plaintiff in this case alleged that because he found his personally identifying information on the dark web, Walmart had suffered a data breach. Walmart argued that Plaintiff’s failure to allege the time the breach occurred was fatal because the CCPA could not apply to any breach occurring before January 1, 2020, the date it took effect. The Court also held that Plaintiff’s CCPA claim failed because Plaintiff did not sufficiently allege disclosure of his personal information. The Court found insufficient the Complaint’s allegation that the breach compromised the full names, financial account information, credit card information, and other PII of Walmart customers: “[a]lthough in the Complaint Plaintiff generally refers to financial information and credit card fraud, he does not allege the disclosure of a credit or debit card or account number, and the required security or access code to access the account.”

Pages