I am pleased to announce that I am a new ProVisors home group leader in the Silicon Valley Region. I will be leading a new Silicon Valley Virtual 1 Group, which will be an all-virtual home group for service providers engaged in Silicon Valley business. The group will meet the first Friday of the month at 11:30 a.m. PT, and we are currently seeking our first members. If you would like to learn more about ProVisors or Silicon Valley Virtual 1, please reach out to me for additional information, either through LinkedIn or email at kp****@pr************.com. I am excited about this new opportunity and look forward to the challenge of leading a new ProVisors group in this dynamic region. For more information about ProVisors, view the website at https://provisors.com.
The Silicon Valley Privacy Law Blog’s Kristie Prinz of The Prinz Law Office will be speaking at an upcoming one-day Practicing Law Institute Program to be held on October 9, 2024 at the PLI headquarters in San Francisco, California.
Kristie will be speaking on “Drafting Privacy Policies for Devices with No User Interface – What Do You Do?”, along with Peter McLaughlin of Rimon, P.C. The presentation will examine the challenges of managing legal and privacy terms with IOT devices.
The one-day program is titled “Advanced Internet of Things 2024: Deeper Dive, Practical Wisdom” and will also feature presentations by Leonard Naura of Flatiron Law Group, LLP, Ian Ballon of Greenberg Traurig, LLP, Kate Downing of the Law Office of Kate Downing, Megan Ma of Stanford University, and John Yates of Morris, Manning & Martin, LLP. For more information and to register to attend this event, visit the Practicing Law Institute website at this link.
Privacy Lawyer Kristie Prinz introduces The Prinz Law Office in this recorded video on 8.20.24.
The Prinz Law Office is pleased to announce that Silicon Valley Privacy Law Blog’s Kristie Prinz has been selected to the 2024 Super Lawyers list. Each year, no more than five percent of the lawyers in the state are selected by the research team at Super Lawyers to receive this honor. Super Lawyers, part of Thomson Reuters, is a rating service of outstanding lawyers from more than 70 practice areas who have attained a high degree of peer recognition and professional achievement. The annual selections are made using a patented multiphase process that includes a statewide survey of lawyers, an independent research evaluation of candidates, and peer reviews by practice area. For more information about Super Lawyers, visit SuperLawyers.com.
The Prinz Law Office has recently announced the launch of three new service offerings to our clients, which were effective August 1, 2024. First, we have made available a new fractional counsel services plan for those of our clients seeking a recurring monthly arrangement with the firm based on an anticipated volume of work at a discounted rate. To view our new fractional services plan, please click here. Second, we have made available a new subscription services plan for those of our clients seeking a recurring monthly arrangement with the firm based on an uncertain volume of work at a discounted rate. To view our new subscription services plan, please click here. Third and finally, we have just entered into a relationship with several senior paralegals to make available paralegal services through the firm, which our clients may utilize on an optional basis at rates that will be significantly reduced from our standard lawyer rates.
The firm is excited to be able to make these new offerings available to our valued clients. If you have any questions about the new offerings, please schedule a consultation here. For more information on The Prinz Law Office, visit PrinzLawOffice.com.
This video was recorded by Kristie Prinz on 7.9.24 as an introduction video.
The Prinz Law Office is pleased to announce the launch of a new subscription plan, which is intended to simplify the process of working with a lawyer for companies as well as individuals. The firm’s subscription plans have been designed to uniquely enable clients to hire and communicate with counsel without the fear or worry of an accruing billable hour.
Subscriber clients will pay a flat monthly rate each month with the option of purchasing add-on services at an additional flat fee rate that they can easily estimate in advance of making a work request. Subscription prices will start at just $150 at the lowest bronze level.
To view the currently available subscription plans, please click here: Prinz Law Office Subscription Plans.
The new subscriptions are available to clients immediately.
Ars Technica is reporting that a federal judge has ordered a preliminary injunction stopping California’s attorney general from enforcing California’s Age-Appropriate Design Code Act (“CAADCA”), finding that the “law likely violates the First Amendment.” According to Ars Technica’s reporting, the judge found that “the age estimation and privacy provisions thus appear likely to impede the ‘availability and use’ of information and accordingly to regulate speech,” and “the steps a business would need to take to sufficiently estimate the age of child users would likely prevent both children and adults from accessing certain content.”
If you are unfamiliar with CAADCA, also known as AB-2273, the text of the legislation is linked here: https://leginfo.legislature.ca.gov/faces/billCompareClient.xhtml?bill_id=202120220AB2273&showamends=false. The key provisions are in Section 1798.99.31, which states as follows:
(a) A business that provides an online service, product, or feature likely to be accessed by children shall take all of the following actions:
(1) (A) Before any new online services, products, or features are offered to the public, complete a Data Protection Impact Assessment for any online service, product, or feature likely to be accessed by children and maintain documentation of this assessment as long as the online service, product, or feature is likely to be accessed by children. A business shall biennially review all Data Protection Impact Assessments.
(B) The Data Protection Impact Assessment required by this paragraph shall identify the purpose of the online service, product, or feature, how it uses children’s personal information, and the risks of material detriment to children that arise from the data management practices of the business. The Data Protection Impact Assessment shall address, to the extent applicable, all of the following:
(i) Whether the design of the online product, service, or feature could harm children, including by exposing children to harmful, or potentially harmful, content on the online product, service, or feature.
(ii) Whether the design of the online product, service, or feature could lead to children experiencing or being targeted by harmful, or potentially harmful, contacts on the online product, service, or feature.
(iii) Whether the design of the online product, service, or feature could permit children to witness, participate in, or be subject to harmful, or potentially harmful, conduct on the online product, service, or feature.
(iv) Whether the design of the online product, service, or feature could allow children to be party to or exploited by a harmful, or potentially harmful, contact on the online product, service, or feature.
(v) Whether algorithms used by the online product, service, or feature could harm children.
(vi) Whether targeted advertising systems used by the online product, service, or feature could harm children.
(vii) Whether and how the online product, service, or feature uses system design features to increase, sustain, or extend use of the online product, service, or feature by children, including the automatic playing of media, rewards for time spent, and notifications.
(viii) Whether, how, and for what purpose the online product, service, or feature collects or processes sensitive personal information of children.
Ars Technica further opined that fixing the legislation would require California lawmakers to “remove the age estimation provision, and remove the provision requiring platforms to report on design features that could be harmful to kids.” On the other hand, Ars Technica acknowledged in its reporting that the Judge had expressed her belief that updating the law to fix its problems was likely to make it “obsolete.”
The Silicon Valley Privacy Law Blog will continue to follow this issue as it develops.
I am excited to announce that my firm is adopting a number of new options for working with our clients. We received feedback asking for new fixed rate and subscription packages for specific business scenarios, and in response to that feedback we have designed a variety of new packages around those requests. These options are available for viewing upon request. Existing clients who are working with us already under another billing arrangement will be able to switch to a new plan at any time upon request. I am confident that these new options will address new business needs of the technology and life sciences communities we serve. If you have an idea for a billing arrangement that the firm has not yet developed, we invite you to submit your ideas for consideration at kp****@pr************.com.
The Federal Trade Commission (“FTC”) announced today a settlement with Twitter, Inc. (“Twitter”) in which Twitter agreed to pay $150 million for its alleged misuse of user account security data, specifically email addresses and phone numbers, for advertising purposes. The government alleged that the misuse of account data was in violation of a 2011 FTC Order against Twitter, which prohibited the company from misrepresenting the extent to which it maintains and protects the security, privacy, confidentiality, or integrity of any nonpublic consumer information. The government alleged that the misuse of consumer data also violated the EU-U.S. Privacy Shield and the Swiss-U.S. Privacy Shield.
The FTC press release is attached here. The complaint is attached here, and the stipulated order is attached here.
In addition to paying a $150 million fine, the government announced that Twitter has agreed to the following:
- Twitter will not profit from deceptively collected data;
- Users will have other options for multi-factor authentication, such as apps or security keys, that do not require the provision of phone numbers;
- Twitter will notify all users that it misused the phone numbers and emails collected for targeted advertising, and will provide users with information about Twitter’s privacy and security controls;
- Twitter will implement and maintain a comprehensive privacy and information security program, which requires an assessment of the potential privacy and security requirements of new products;
- Twitter will limit employee access to users’ personal data; and
- Twitter will notify the FTC if it experiences a data breach.
With this enforcement action against Twitter, the FTC is clearly making a statement to businesses that they need to truthfully disclose the purposes for which data used for advertising purposes is collected, and that failure to disclose this information will have potential federal regulatory consequences.
Date: June 18, 2022
Location: Virtual
Price: $699
How are digital health contracts unique from other business contracts? What do you need to know to negotiate them?
Silicon Valley Digital Health Lawyer Kristie Prinz will present an introductory workshop on digital health contracts negotiation for nonlawyers.
In this workshop, she will address:
• What is digital health?
• What constitutes a digital health agreement?
• What are the key considerations you need to have in negotiating digital health contracts?
• What is unique about digital health contracts?
This workshop is intended for entrepreneurs and other non-lawyers who are negotiating digital health contracts and need a practical, interactive overview on these contracts generally.
Dates: May 30th (start date)
Location: Virtual
Price: $699
Are you a lawyer who would like to expand your practice niche into the digital health area? Would you like to know the basics about negotiating and drafting these types of agreements?
Join Digital Health Lawyer Kristie Prinz in an introductory digital health contracts workshop intended for lawyers looking to expand into this practice niche.
The workshop will meet on four consecutive Monday mornings this summer from 10 a.m. to 11:30 a.m. PST. The workshop will be interactive and students will be invited to participate in shaping the course content.
The course will be taught by Silicon Valley Digital Health Lawyer Kristie Prinz.
Location: Virtual Workshop
Date: May 28, 2022
Price: $699
Are you a lawyer who would like to expand your practice niche into the software contracts area? Would you like to know the basics about negotiating and drafting these types of agreements?
Join Software Lawyer Kristie Prinz in an introductory software contracts workshop intended for lawyers looking to expand into this practice niche. The workshop will meet on four consecutive Saturday mornings this summer from 10 a.m. to 11:30 a.m. PST. The workshop will be interactive and students will be invited to participate in shaping the course content.
The course will be taught by Silicon Valley Software Lawyer Kristie Prinz. Kristie Prinz is a Software, SaaS, Digital Health, and Technology Transactions Attorney based in Silicon Valley, who has been representing life sciences companies in technical transactions for 22 years. Prior to arriving in Silicon Valley, Kristie practiced law in Atlanta, Georgia. Kristie is a frequent speaker and media contributor, and is also the author of the Silicon Valley Software Law Blog. Kristie is a graduate of Vanderbilt Law School and licensed to practice law in the states of California and Georgia. For more information on Kristie, check out her website.
To sign up for this workshop, please register here.
How are digital health contracts unique from other business contracts? What do you need to know to negotiate them?
Silicon Valley Privacy and Digital Health Lawyer Kristie Prinz will present an introductory webinar on May 16th at 10 a.m. PST on “Introduction to Negotiating Digital Health Contracts” which will provide an overview of the basic concepts you need to know before entering into a digital health contract negotiation. In the webinar, she will address:
• What is digital health?
• What constitutes a digital health agreement?
• What are the key considerations you need to have in negotiating digital health contracts?
• What is unique about digital health contracts?
Kristie Prinz is a Digital Health, Privacy, SaaS and Technology Transactions Attorney based in Silicon Valley, who has been representing life sciences companies in technical transactions for 22 years. Prior to arriving in Silicon Valley, Kristie practiced law in Atlanta, Georgia. Kristie is a nationally-recognized speaker, media contributor, and author of the Silicon Valley Digital Health Law Blog. Kristie runs the Life Sciences Advisors and Silicon Valley Software Services Advisors Group. Kristie is a graduate of Vanderbilt Law School and licensed to practice law in the states of California and Georgia.
This program is intended for physicians, entrepreneurs, IT professionals, CFOs, and general business lawyers who are negotiating digital health contracts.
To register for this event, please click this link.
Date & Time: December 14, 2020, 10-11:30 a.m. PST
Price: $150 General Admission, $175 Last Minute & On-Demand
How are SaaS agreements unique from other technology contracts? What do you need to know to negotiate and draft them? Silicon Valley SaaS lawyer Kristie Prinz will present an introductory webinar on December 14, 2020 at 10 a.m. PST on “Introduction to Negotiating & Drafting SaaS Agreements,” which will provide an overview of the basic concepts that you need to know before attempting to negotiate and draft a SaaS contract. In the webinar she will address:
- Key differences between SaaS contracts and other technology contracts
- Essential SaaS contract terms
- Where SaaS relationships can go wrong
Ms. Prinz is a SaaS, software and technology transactions attorney in Silicon Valley who has been representing early stage, small, and mid-market software companies for more than 20 years. Ms. Prinz is a nationally-recognized speaker, media contributor, and author of the Silicon Valley Software Law Blog. Ms. Prinz has developed particular expertise in the fields of SaaS and digital health transactions. She graduated from Vanderbilt Law School and is licensed to practice in the states of California and Georgia. To register for the webinar, please sign up here.
The Prinz Law Office is sponsoring a webinar on “Best Practices for Negotiating SaaS Contracts & Managing SaaS Customer Relationships” which will provide an overview of how SaaS companies should be drafting customer agreements and what steps they should be taking to manage the SaaS customer relationship after the agreement is signed. At this webinar, you will learn the following:
• What makes an effective SaaS customer contract?
• What are the essential terms in a well-drafted SaaS contract?
• What are the common issues that arise in SaaS negotiations? What are the best strategies to resolve them?
• What are the best practices to manage the customer relationship?
Silicon Valley SaaS Lawyer Kristie Prinz will be presenting this webinar. Ms. Prinz is a software and technology transactions attorney in Silicon Valley who has been representing early stage, small, and mid-market software companies for more than 20 years. Ms. Prinz is a nationally-recognized speaker, media contributor, and author of the Silicon Valley Software Law Blog. Ms. Prinz has developed particular expertise in the fields of SaaS and digital health transactions. She graduated from Vanderbilt Law School and is licensed to practice in the states of California and Georgia.
This program is intended for in-house counsel and attorneys, as well as salespeople, founders, and other executives working with SaaS companies.
Date & Time: November 21, 2019, 10-11:15 PST
Price: $125 Early Bird, $150 General Admission, $175 Last Minute & On-Demand
The Prinz Law Office is sponsoring a webinar on “Legal Developments Impacting the Software Industry in 2019” which will provide an overview of what software companies need to know about key legal developments in 2019 and practice steps they should be taking in response to those developments. At this webinar you will learn about:
- Key state law developments impacting the industry, including but not limited to the California Consumer Privacy Act (the “CCPA”), which goes into effect January 1, 2020;
- Federal regulatory activity impacting the software industry, particularly with respect to the Federal Trade Commission (“FTC”); and
- Cases and trends in litigation impacting the software industry.
Silicon Valley SaaS Lawyer Kristie Prinz will be presenting this webinar. Ms. Prinz is a SaaS, software and technology transactions attorney in Silicon Valley who has been representing early stage, small, and mid-market software companies for more than 20 years. Ms. Prinz is a nationally-recognized speaker, media contributor, and author of the Silicon Valley Software Law Blog. Ms. Prinz has developed particular expertise in the fields of SaaS and digital health transactions. She graduated from Vanderbilt Law School and is licensed to practice in the states of California and Georgia.
This program is intended for in-house counsel and attorneys, as well as founders, executives, and service providers working with software companies.
Date & Time: April 6, 2020, 10-11:30 a.m. PST
Price: $125 Early Bird, $150 General Admission, $175 Last Minute & On-Demand
With the rapidly developing changes affecting businesses due to the worldwide spread of the coronavirus infection, and the widespread fear of the potential economic fallout, what are some of the best practices your business should be implementing immediately in negotiating master service agreements with customers and service providers?
The Prinz Law Office is sponsoring a webinar on “Best Practices for Negotiating Master Services Agreements in an Uncertain Economy” which will provide an overview on how companies should approach the negotiation of master service agreements (“MSAs”) in the current economic climate, and steps you can be taking to protect your business in uncertain times. At this webinar, you will learn the following:
- What terms should be in a well-drafted MSA?
- What special concerns do you need to address in uncertain times?
- What steps can you take to protect your company against the risks of doing business in uncertain times?
Silicon Valley Tech Transactions Lawyer Kristie Prinz will be presenting this webinar. Ms. Prinz is a technology transactions attorney in Silicon Valley who has been representing early stage and mid-market technology companies for more than 21 years. Ms. Prinz is a nationally-recognized speaker, media contributor, and author on software, technology, and intellectual property-related issues. She publishes the Silicon Valley Software Law Blog and the new Silicon Valley Privacy Law Blog. Ms. Prinz is a graduate of Vanderbilt Law School and is licensed to practice in the states of California and Georgia.
This program is intended for in-house counsel and attorneys, as well as IT professionals, consultants, and other businesspeople working in the technology industry.
Date & Time: April 13, 2020, 10-11:30 a.m. PST
Price: $125 Early Bird, $150 General Admission, $175 Last Minute & On-Demand
With the rapidly developing changes affecting businesses due to the worldwide spread of the coronavirus infection, and the widespread fear of the potential economic fallout, what are some of the best practices your business should be implementing immediately in negotiating software, website, and technology development agreements?
The Prinz Law Office is sponsoring a webinar on “Best Practices for Negotiating Development Agreements in an Uncertain Economy” which will provide an overview on how companies should approach the negotiation of development agreements in the current economic climate, and steps you can be taking to protect your business in uncertain times. At this webinar, you will learn the following:
- What terms should be in a well-drafted development agreement?
- What special concerns do you need to address in uncertain times?
- What steps can you take to protect your company against the risks of entering into development transactions in uncertain times?
Silicon Valley Tech Transactions Lawyer Kristie Prinz will be presenting this webinar. Ms. Prinz is a technology transactions attorney in Silicon Valley who has been representing early stage and mid-market technology companies for more than 21 years. Ms. Prinz is a nationally-recognized speaker, media contributor, and author on software, technology, and intellectual property-related issues. She publishes the Silicon Valley Software Law Blog and the new Silicon Valley Privacy Law Blog. Ms. Prinz is a graduate of Vanderbilt Law School and is licensed to practice in the states of California and Georgia.
This program is intended for in-house counsel and attorneys, as well as developers, consultants, and other businesspeople purchasing or performing development services.
Date & Time: December 8, 2020, 10-11:30 a.m. PST
Price: $150 General Admission, $175 Last Minute & On-Demand
With the continued economic uncertainty resulting from COVID-19 and ongoing disruptions to large sectors of the worldwide economy, what are the current best practices to adopt in the negotiation of SaaS agreements?
Silicon Valley SaaS lawyer Kristie Prinz will present a webinar on December 8, 2020 at 10 a.m. PST on “Best Practices for Negotiating SaaS Agreements in an Uncertain Economy.” The program will provide an overview on how companies should approach the negotiation of SaaS agreements in the current economic climate, and steps you can take to better protect your business in the negotiation process.
At this webinar you will learn the following:
- What are some of the key considerations you should be addressing in your SaaS negotiations in an uncertain economy?
- What are the best practices for successfully addressing those concerns?
- What steps can you take to better protect your company in SaaS negotiations?
Ms. Prinz is a SaaS, software and technology transactions attorney in Silicon Valley who has been representing early stage, small, and mid-market software companies for more than 20 years. Ms. Prinz is a nationally-recognized speaker, media contributor, and author of the Silicon Valley Software Law Blog. Ms. Prinz has developed particular expertise in the fields of SaaS and digital health transactions. She graduated from Vanderbilt Law School and is licensed to practice in the states of California and Georgia.
To register, please click here.
If you missed the recent webinar by Silicon Valley Privacy Lawyer Kristie Prinz on “Best Practices for Negotiating and Drafting SaaS Contracts,” a recording of the program is now available on demand for viewing. To view the program, please visit this link.
Silicon Valley Privacy Law Blog’s Kristie Prinz will present a webinar on “Best Practices for Negotiating SaaS Agreements in an Uncertain Economy” on December 8, 2020 at 10 a.m. PST. To learn more about the program or to register, please click here.
The Silicon Valley Privacy Law Blog’s Kristie Prinz will be presenting a series of webinars on negotiating in a very uncertain economy, sharing practice tips developed and lessons learned from the last recession. Kristie will be kicking off the series with a webinar on “Best Practices for Negotiating Master Services Agreements in an Uncertain Economy” on April 6th, followed by a webinar on “Best Practices for Negotiating Development Agreements in an Uncertain Economy” on April 13th, and a webinar on “Best Practices for Negotiating SaaS Agreements in an Uncertain Economy” on April 20th. The next webinars in the series will be announced soon. To register for any of these programs, please check out the webinar notices at The Prinz Law Store Website.
Silicon Valley Privacy Law Blog’s Kristie Prinz will be presenting a webinar on “Best Practices for Negotiating SaaS Contracts & Managing Customer Relationships” on March 31, 2020 at 10 a.m. PST/ 1 p.m. EST. The program will be hosted by The Prinz Law Office. To register, please sign up at Best Practices for Negotiating SaaS Contracts & Managing Customer Relationships.
Silicon Valley Privacy Law Blog’s Kristie Prinz will be presenting a webinar for Clear Law Institute on “Negotiating SaaS Contracts: Drafting Key Contract Provisions, Protecting Customer and Vendor Interests” on March 23, 2020 at 10 a.m. PST/1 p.m. EST. To register for the program, please sign up at: Negotiating SaaS Contracts: Drafting Key Contract Provisions, Protecting Customer and Vendor Interests.
If your company is like many, you have known about the upcoming effective date of the California Consumer Privacy Act (“CCPA”), but are still making last minute preparations in advance of it going into effect.
If you are one of many procrastinators out there just starting to think about the law, the Silicon Valley Software Law Blog wanted to recap some highlights for you.
- Your business is subject to the law, regardless of its location, if any one of the following is true:
  - Your company has gross annual revenues in excess of $25 million.
  - Your company buys, receives, or sells the personal information of 50,000 or more consumers, households, or devices.
  - Your company derives 50 percent or more of its revenues from selling consumers’ personal information.
- The CCPA creates new rights for California consumers: (a) the right to know; (b) the right to delete; (c) the right to opt out; and (d) the right to non-discrimination.
- You must provide notice to consumers, at or before the point of data collection, of the personal information to be collected and the purposes for which it will be used.
- You must provide clear and conspicuous notice to consumers of the right to opt out of the sale of personal information, which includes providing a “Do Not Sell My Personal Information” link on the website or mobile application.
- You must respond to requests for consumers to know, delete, and opt-out within specified timeframes (generally 45 days). Privacy settings to opt out must be treated as a validly submitted opt out request.
- You must verify the identity of consumers who make requests to know or to delete, regardless of any password-protected account settings with the business.
- You must disclose any financial incentives offered in exchange for the retention or sale of a consumer’s personal information, explain how the value of the personal information is calculated, and explain how the incentive is permitted under the CCPA.
- You must make available to consumers at least two designated methods for submitting requests, including at a minimum a toll-free phone number and, if you maintain a website, a website address by which to submit requests. However, a business that operates exclusively online and has a direct relationship with the consumer from whom it collects personal information is only required to provide an email address.
- You must make your privacy policy accessible to consumers with disabilities, or provide consumers with disabilities information on how they can access the policy in an alternative format.
- You must make your privacy policy available in a format where consumers can print it out in a separate document.
- You must ensure that the privacy policy explains how a consumer can designate an authorized agent to make a request on the consumer’s behalf.
- You must retain records of all requests and responses to requests for at least 24 months; provided that businesses that buy or sell personal information of more than 4 million consumers annually have additional reporting obligations.
Also, if your business qualifies as a “data broker,” you are required to register with the Attorney General by January 1, 2020. How do you know if your business is a “data broker”? Your business is a data broker if it knowingly collects and sells to third parties the personal information of a consumer with whom the business does not have a direct relationship. Three categories of businesses are excluded from these obligations: (i) consumer reporting agencies to the extent they are covered by the Fair Reporting Act; (ii) financial institutions to the extent they are covered by the Gramm Leach Bliley Act; and (iii) entities covered by the Insurance Information and Privacy Protection Act.
The CCPA, its amendments, and regulations define more compliance obligations that businesses should be familiar with, but this list is a good starting point in advance of the effective date.
Obviously, even if your business is not subject to these laws, these privacy requirements will now constitute the best practices for doing business in California, so all businesses should seriously consider incorporating these privacy practices into their standard privacy practices and procedures. The Silicon Valley Software Law Blog will continue to keep you updated as these new laws begin to be implemented.
Software companies in the business of brokering data are on notice: the state of California intends to keep you on a tight leash.
In anticipation of the January 1, 2020 effective date of the California Consumer Privacy Act (“CCPA”), California took yet another bold step toward protecting the personal information of Californians when it passed a new data broker law on October 11, 2019. The law, AB-1202, applies to anyone in the business of collecting and selling the personal information of consumers and establishes a new compliance framework for data brokers.
Under the new law, data brokers will be required to register with the Attorney General, pay a registration fee, and provide their name, physical address, email, and website address, which will be publicly displayed online. Any data broker who fails to register will be (a) subject to injunction and liable for civil penalties, fees, and costs at a rate of $100 for each day that the data broker fails to register; (b) liable for an amount equal to the fees due during the period it failed to register; and (c) liable for the expenses incurred by the Attorney General in the investigation and prosecution of the action.
What businesses are defined as “data brokers” under the law? The law defines “data broker” to mean a “business that knowingly collects and sells to third parties the personal information of a consumer with whom the business does not have a direct relationship.” The law specifically excludes three categories of businesses from the definition of “data broker”: (i) consumer reporting agencies to the extent they are covered by the Fair Reporting Act; (ii) financial institutions to the extent they are covered by the Gramm-Leach-Bliley Act; and (iii) entities covered by the Insurance Information and Privacy Protection Act. “Personal information” is defined to have the meaning provided in subdivision (o) of Section 1798.140, so publicly available information may be excluded to the extent the data is used for a purpose that is compatible with the purpose for which the data is maintained and made available in the government records or for which it is publicly maintained.
So, if your company is in the business of selling data in any capacity, not only do you need to prepare for the January 1, 2020 launch of the CCPA, you also need to prepare to register with the state of California as a data broker. A business will be required to register on or before January 31st following each year in which it meets the definition of a “data broker.”
In anticipation of the California Consumer Privacy Act (“CCPA”) going into effect on January 1, 2020, California Governor Gavin Newsom has just signed into law seven amendments to the statute, and the California Department of Justice published the text of its new regulations to be adopted in furtherance of the CCPA.
The signed bills are as follows: AB 25, AB 874, AB 1146, AB 1355, AB 1564, and AB 1130. The text of the published regulations is made available here. The deadline to submit written comments is 5 p.m. on December 6, 2019. California is accepting comments submitted in accordance with the instructions posted on this Office of the Attorney General website: https://www.oag.ca.gov/privacy/ccpa.
So now that there is a little more statutory and regulatory clarity on what exactly will be going into effect on January 1st, 2020, software companies are in a better position to start preparing for the law to take effect.
So, what does your software company need to know about complying with the California law as of January 1, 2020, as the California privacy laws collectively stand today?
First of all, your business will be subject to the law if at least one of the following is true:
- Your company has gross annual revenues in excess of $25 million;
- Your company buys, receives, or sells the personal information of 50,000 or more consumers, households or devices;
- Your company derives 50 percent or more of its revenues from selling consumers’ personal information.
“Consumer” is currently defined as a natural person who is a California resident. “Personal information” is currently defined as any information that “identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household” and includes not only name, address, and social security number, but also purchasing history or tendencies, biometric information, internet activity, geolocation data, employment information, and education information. However, publicly available information and de-identified or aggregate consumer information are now specifically excluded from the definition. “Business” is currently defined to include for-profit businesses as well as other legal entities.
Second of all, California consumers are going to have certain new rights that your business will be responsible for ensuring:
- A Right to Know (a) the specific pieces of personal information the business has collected about the consumer; (b) the categories of personal information it has collected or sold about that consumer; (c) the purpose for which it collected or sold the categories of personal information; and (d) the categories of third parties to whom it sold the personal information.
- A Right to Delete personal information held by your business or by a service provider of your business; provided, however, that there will be some exceptions where it is necessary for your business or service provider to do any of the following: (a) complete the transaction for which the personal information was collected, fulfill the terms of a written warranty or product recall conducted in accordance with federal law, provide a good or service requested by the consumer or reasonably anticipated within the context of a business’ ongoing business relationship with the consumer, or otherwise perform a contract between the business and the consumer; (b) detect security incidents; protect against malicious, deceptive, fraudulent, or illegal activity; or prosecute those responsible for that activity; (c) debug to identify and repair errors that impair existing functionality; (d) exercise free speech, ensure the right of another consumer to exercise that consumer’s right of free speech, or exercise another right provided for by law; (e) comply with the California Electronic Communications Privacy Act; (f) engage in public or peer-reviewed scientific, historical, or statistical research in the public interest that adheres to all other applicable ethics and privacy laws, when the deletion of the information is likely to render impossible or seriously impair the achievement of such research, if the consumer has provided informed consent; (g) enable solely internal uses that are reasonably aligned with the expectations of the consumer based on the consumer’s relationship with the business; (h) comply with a legal obligation; or (i) otherwise use the consumer’s personal information, internally, in a lawful manner that is compatible with the context in which the consumer provided the information.
If you or your service provider does not delete the consumer’s information upon request, you must inform the consumer as to why and notify the consumer of any rights he or she has to appeal the decision, and you must do so within the timeframe you would have had to delete the information.
- A Right to Opt Out of the Sale of personal information. “Sale” is defined to include selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer’s personal information by the business to another business or a third party for monetary or other consideration. The proposed regulations provide more clarification on the practices businesses should follow to ensure this right to opt out of the sale. In the case of children under the age of 16, your business cannot sell their personal information unless they have opted in to the sale. In the case of children under 13, a parent or guardian must opt in on behalf of the child. The proposed regulations further define the rules related to the protection of children.
- A Right of Non-Discrimination. Your business will be prohibited from discriminating against a consumer for exercising his or her rights under the CCPA. Discrimination will be defined to include denying goods or services to the consumer, charging different prices or rates for goods or services, providing a different level or quality of goods or services to the consumer, or suggesting that the consumer will receive a different price or quality of goods or services; provided that you will be able to charge a different price or rate, provide a different level or quality of goods or services, or offer financial incentives if the difference is reasonably related to the value provided to the business by the consumer’s personal data, so long as the business practice is not unjust, unreasonable, coercive, or usurious in nature. The proposed regulations further define how the right of non-discrimination will be implemented.
Third, businesses will now have other new business obligations to consumers, including the following:
- Provide notice to consumers at or before the point of collection of the categories of personal information to be collected from them and the purposes for which it will be used.
- Provide clear and conspicuous notice to consumers of the right to opt-out of the sale of personal information in the form of a “Do Not Sell My Personal Information” link on their website or mobile application.
- Respond to requests from consumers to know, delete, and opt out within the specified timeframe (generally 45 days). The proposed regulations require businesses to treat opt-out privacy settings selected by a consumer as a validly submitted opt-out request.
- Make available to consumers at least two designated methods for submitting requests for information, including at a minimum a toll-free phone number, and also specify other business practices for handling requests by consumers.
- Verify the identity of any consumer making a request to know or delete. Password protected account settings are not considered sufficient verification. The proposed regulations require a business unable to verify a request to comply to the greatest extent it can even if it denies a request.
- Disclose financial incentives offered in exchange for the retention or sale of a consumer’s personal information (as specified by the proposed regulations), including a short summary of the incentive, a description of the summary and the categories of personal information impacted, an explanation of how a consumer can opt in to the incentive, a notice to the consumer that he or she has the right to withdraw at any time and how he or she can exercise this right, and an explanation of why the incentive is permitted under California privacy law.
- Retain records of all requests and responses to those requests for at least 24 months; provided that businesses (alone or in combination) collecting, buying or selling the personal information of more than 4 million consumers annually are subject to extra recordkeeping obligations.
- Disclose a privacy policy which describes consumers’ rights under California privacy law, how to submit requests to exercise rights under California privacy law, and information regarding the business’s data collection and sharing practices. The proposed regulations define additional requirements for the privacy policy, including that it must be accessible to consumers with disabilities or provide consumers with disabilities information on how they can access the policy in an alternative format; that it must be in a format where consumers can print it out as a separate document; that it must explain the right of a consumer not to receive discriminatory treatment; and that it must explain how a consumer can designate an authorized agent to make a request on the consumer’s behalf under California privacy law.
- Train employees or contractors handling consumer requests on compliance with California privacy law and on directing consumers to exercise their rights under California privacy law; provided that businesses collecting, buying or selling the personal information of more than 4 million consumers are subject to higher training obligations.
Fourth, businesses are now going to have to reconcile the requirements of the European Union’s General Data Protection Regulation (“GDPR”) with California’s privacy laws. In particular, California’s Department of Justice has advised businesses to be wary of the following:
- Data inventory and mapping of data flows to demonstrate compliance with the GDPR may have to be re-worked to reflect the different requirements of California.
- Processes and/or systems set up to respond to individual requests for access to or erasure of personal information will need to be reviewed in order to apply different definitions of what constitutes personal information and different rules on verification of consumer requests.
- Contracts with service providers or data processors adopted to comply with the GDPR may need to be rewritten to reflect the requirements under California law.
Regardless of whether your software company is going to meet the threshold to be subject to the new California law when it goes into effect, it would be prudent to start incorporating these new requirements into your company’s privacy practices and procedures, since they will at the very least become the new best practices for businesses serving California consumers effective January 1, 2020. It goes without saying that software companies who will be subject to the law when it goes into effect need to take steps to become compliant immediately, as the law is set to go into effect in less than 75 days.
The Silicon Valley Software Law Blog will continue to follow any further rulemaking and privacy law amendments as they are proposed and/or adopted by the State of California.
Multiple media outlets are reporting today that the Federal Trade Commission has agreed to settle its case against Facebook on its privacy practices for $5 Billion.
The Wall Street Journal reports that the vote by FTC commissioners was 3-2 in favor of accepting the agreement and split along party lines, with the Republican majority favoring the settlement. According to The Wall Street Journal, the matter next goes to the Justice Department’s civil division for final review.
According to the Mercury News, assuming reports are correct, this will be the largest fine imposed to date by the U.S. government on a tech company. The Washington Post reports that the fine is more than 200 times higher than any previous fine.
Interestingly enough, The Wall Street Journal is reporting that the fine obtained by the FTC exceeds what the European Union could have obtained under its privacy laws.
The Washington Post predicts that the settlement will impose serious consequences on Facebook that go far beyond just a $5 billion fine. However, The Washington Post acknowledges that the dissenting commissioners opposed the settlement because they wanted some assessment of personal liability against CEO Mark Zuckerberg; commissioners reportedly decided to accept a settlement without any such assessment in order to ensure that the matter did not end up in litigation.
While controversial, the FTC’s enforcement action in this matter still sets a significant precedent for the software industry with respect to the consequences of not protecting data uploaded to or generated by software. Software companies are on notice: the FTC is closely following your privacy practices and may assess fines in the billions of dollars against you if you fail to take sufficient steps to protect user data.
The Federal Trade Commission (“FTC”) has put software companies and software service providers on notice it intends to interpret the Gramm-Leach-Bliley Act’s Safeguards Rule broadly to apply to businesses which make available software or services that serve financial, payroll, and accounting purposes and collect sensitive data on consumers and their employees.
The FTC recently announced its settlement of a complaint filed against LightYear Dealer Technologies, LLC, which does business as Dealerbuilt. As a condition of the settlement, Dealerbuilt is required to develop, implement and maintain an information security program that incorporates the minimum requirements specified by the FTC and to submit to third-party compliance assessments and annual certifications over a period of the next 20 years.
The FTC’s specified minimum requirements for Dealerbuilt’s information security program included the following:
- Develop, implement, maintain and record in writing an Information Security Program;
- Make available the written program, evaluations of the program, and updates on the program to the company’s board of directors or governing body, or if none exists, to the senior officer responsible for the program, at least once per annual period and after any data breach;
- Identify an employee or employees responsible for the coordination of the program;
- Provide a written assessment of potential data breach risks annually and after any data breach;
- Develop written safeguards to ensure data security, including the following:
  - Training of all employees at least once every annual period on how to protect personal information;
  - Technical measures for monitoring networks and systems to identify attempted data breaches;
  - Access controls on databases containing personal information, which (a) restrict the ability to connect to only approved IP addresses; (b) require authentication to access the databases; and (c) limit the access of employees to only those databases necessary to perform their duties;
  - Encryption of all social security numbers and financial account information;
  - Policies and procedures for secure installation and for an inventory on an annual basis;
- Perform an assessment of the sufficiency of safeguards annually and after any data breach, and modify the program as necessary;
- Conduct testing of the effectiveness of safeguards annually and after any data breach, which shall include vulnerability testing every four months and after a data breach, and annual penetration testing, as well as after any data breach;
- Ensure that contracts with any service providers require compliance with safeguards; and
- Evaluate and make adjustments to the program upon any changes to operations or business, in the event of any data breach, or on an annual basis.
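The database access-control item above lists three properties: connections only from approved IP addresses, authentication before access, and employees reaching only the databases their duties require. The following is an added illustration, not Dealerbuilt’s code or anything taken from the FTC Order, of a deny-by-default gate that enforces all three, plus a configuration check that flags a database whose approved-address list is effectively open to the whole Internet (the weak setting to look for). The policy values, role names and database names are constructed for the example.

```python
"""Added example (not from the FTC Order or Dealerbuilt): a deny-by-default
access gate for databases holding personal information, built around the
three properties the Order lists: (a) approved source addresses only,
(b) authentication required, (c) least-privilege database assignment."""
import ipaddress
from typing import Dict, List, Set, Tuple


class DbAccessPolicy:
    """Holds the per-database allowlists and per-role database grants.

    approved_networks: database name -> CIDR blocks allowed to connect (a).
    role_databases:    role name -> databases that role may reach (c).
    Anything not listed is denied; there is no implicit default.
    """

    def __init__(self, approved_networks: Dict[str, List[str]],
                 role_databases: Dict[str, Set[str]]) -> None:
        self.approved_networks = {
            db: [ipaddress.ip_network(cidr, strict=False) for cidr in cidrs]
            for db, cidrs in approved_networks.items()
        }
        self.role_databases = role_databases

    def source_approved(self, database: str, source_ip: str) -> bool:
        """Property (a): the client address must fall inside an approved block."""
        addr = ipaddress.ip_address(source_ip)
        return any(addr in net for net in self.approved_networks.get(database, []))

    def role_permitted(self, database: str, role: str) -> bool:
        """Property (c): the role must be explicitly granted this database."""
        return database in self.role_databases.get(role, set())


def authorize(policy: DbAccessPolicy, database: str, source_ip: str,
              authenticated: bool, role: str) -> Tuple[bool, str]:
    """Apply all three checks in order; the first failure is the reason returned.

    The network check runs before the authentication check so that a
    connection from an unapproved address is refused before any credential
    exchange takes place.
    """
    if not policy.source_approved(database, source_ip):
        return False, "source address not on approved list"
    if not authenticated:
        return False, "authentication required"
    if not policy.role_permitted(database, role):
        return False, "role not permitted for this database"
    return True, "ok"


def find_open_databases(policy: DbAccessPolicy) -> List[str]:
    """Configuration check: report databases whose allowlist contains a block
    that matches every address (0.0.0.0/0 or ::/0). Such an entry satisfies
    the letter of 'an allowlist exists' while giving property (a) no effect."""
    return sorted(
        db for db, nets in policy.approved_networks.items()
        if any(net.prefixlen == 0 for net in nets)
    )


# Constructed sample policy for the example: the "backup" database carries
# the weak, wide-open entry that the check above is meant to catch.
SAMPLE_POLICY = DbAccessPolicy(
    approved_networks={
        "customer_pii": ["10.20.0.0/16"],   # office network only (constructed)
        "backup": ["0.0.0.0/0"],            # weak setting: any address
    },
    role_databases={
        "support": {"customer_pii"},
        "dba": {"customer_pii", "backup"},
    },
)

if __name__ == "__main__":
    print(authorize(SAMPLE_POLICY, "customer_pii", "10.20.5.7", True, "support"))
    print(authorize(SAMPLE_POLICY, "customer_pii", "203.0.113.9", True, "support"))
    print(authorize(SAMPLE_POLICY, "backup", "10.20.5.7", True, "support"))
    print("databases open to any address:", find_open_databases(SAMPLE_POLICY))
```

In a real deployment the allowlist and authentication checks belong in the database server and the network layer (firewall rules and the server’s host-based authentication configuration), and the role grants in the database’s own privilege system; the gate above is a compact model of the decision those layers should make, useful for testing a policy before it is rolled out and for the periodic sufficiency assessment the Order also requires.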
The FTC Order also mandates that an information security assessment be conducted initially and biennially by a third-party professional approved by the Associate Director for Enforcement for the Bureau of Consumer Protection at the FTC, and that the assessor provide the documents relevant to the assessment to the FTC for review within 10 days following the completion of the initial review and thereafter on demand. Furthermore, the Order requires the senior corporate manager or senior officer of Dealerbuilt to submit annual written certifications to the FTC, and requires Dealerbuilt, within a reasonable time following the discovery of any data breach, or at least 10 days following the provision of first notice of any data breach, to send the FTC a report of the breach that meets certain specified requirements. Also, the Order permanently enjoins all individuals affiliated with Dealerbuilt from violating any provisions of the Safeguards Rule, and makes the Order applicable to all businesses connected to Dealerbuilt, a term which is to be broadly interpreted and which Dealerbuilt is required to identify in detail via compliance reports accompanied by sworn affidavits.
The FTC also imposes broad recordkeeping requirements on Dealerbuilt through the Order, requiring Dealerbuilt to create and retain for the next 20 years accounting records of all revenues collected, personnel records, consumer complaint records and responses to those complaints, and any documents relied upon to prepare the mandated assessments and to demonstrate full compliance with the Order.
Finally, within 10 days of any request by the FTC, Dealerbuilt is required to furnish compliance reports to the FTC or other requested information accompanied by sworn affidavits.
The FTC announcement is attached here and the Order is attached here.
What prompted this broad enforcement action by the FTC against DealerBuilt? According to the FTC Complaint, a series of security failures resulted in the breach of a backup database through a storage device beginning in late October 2016, which resulted in the breach of personal information of nearly seventy thousand consumers, including full names and addresses, telephone numbers, social security numbers, driver’s license numbers, and birthdates of consumers, as well as wage and financial account information of dealership employees. The FTC Complaint further alleges that Dealerbuilt failed to detect the breach and only learned of it after a customer called its chief technology officer demanding to know why customer data was publicly available on the Internet.
The FTC Complaint alleged that Dealerbuilt was a financial institution as defined by Section 509(3)(A) of the Gramm-Leach-Bliley Act, 15 U.S.C. Section 6809(3)(A), as a result of being “significantly engaged in data processing for its customers, auto dealerships that extend credit to customers.” The Complaint alleged that the “failure to employ measures to protect personal information” constituted an “unfair act or practice” and that the failures to (a) “develop, implement, and maintain a written information security program”; (b) “identify reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of customer information” and “assess the sufficiency of any safeguards in place to control those risks”; and (c) “design and implement basic safeguards and to regularly test or otherwise monitor the effectiveness of such safeguards” constituted a violation of the Safeguards Rule and an unfair or deceptive act or practice in or affecting commerce in violation of Section 5(a) of the Federal Trade Commission Act.
What should software companies and service providers take away from this FTC enforcement action? First and foremost, the FTC is making a definitive statement that if you are in the business of providing software or software services that have any sort of financial or accounting function to them, you are a financial institution for purposes of Gramm-Leach-Bliley and the Safeguards Rule is going to be deemed to apply to your business. Second, the FTC considers service providers accountable for the protection of any personal data they collect or store. Third, the FTC expects businesses using third party software or providers to have contracts in place with those software companies or service providers imposing security requirements, monitoring requirements, and explicitly requiring them to follow websites reporting on known vulnerabilities. Fourth, the FTC expects businesses to train and supervise employees on how to ensure the security of the company. The FTC specifically points businesses in its announcement to comply with its publication, Start with Security: Lessons Learned from FTC Cases.
If your company has either pursued Privacy Shield certification, or publicly claimed to be in pursuit of Privacy Shield certification, recent enforcement action by the Federal Trade Commission (“FTC”) should put your company on notice that failure to maintain your certification may render you subject to FTC enforcement activity if you continue to make representations on the Internet or in advertising materials related to Privacy Shield.
The FTC has just announced settlements with four companies, IDmission, LLC, mResource LLC (doing business as Loop Works LLC), SmartStart Employment Screening, Inc., and VenPath, Inc. on allegations related to EU-U.S. Privacy Shield compliance.
The FTC’s complaint against IDmission, LLC, which is a cloud-based technology platform, focuses on the company’s website representations of compliance with the EU-U.S. Privacy Shield framework despite the company’s failure to actually complete the certification process. In contrast, FTC’s complaints against mResource, SmartStart, and VenPath, which are companies providing talent management and recruiting services, employment and background screening services, and data analytics services respectively, all focus on the companies’ website representations of Privacy Shield certification despite failing to maintain the certification.
The settlements now render these four companies subject to direct FTC oversight and monitoring with respect to their advertising and compliance activities going forward.
From this enforcement action, it is clear that the FTC is on the lookout for companies who are making claims about the EU-U.S. Privacy Shield that they are not actually meeting, and that the FTC is prepared to exercise its enforcement authority against any company that fails to meet its representations as they pertain to Privacy Shield.
So, software companies, the FTC is putting you on notice: you need to self-monitor your Privacy Shield certification and ensure that you maintain the certification at all times, and to ensure that you are compliant with certification requirements, particularly if you are making advertising-related representations related to Privacy Shield. The FTC is watching.
USA Today is reporting that multiple technology and telecommunication companies are lobbying Congress to pass federal privacy legislation that would pre-empt the new privacy law recently passed in California which grants sweeping protections to consumers. In particular, USA Today reports that Amazon, AT&T, Apple, Google, Twitter and Charter Communications are leading the lobbying effort and argue that inconsistent state laws will “make it tough for companies to operate” and would “threaten innovation.”
Of course, as USA Today reports, the lobbying companies are seeking weaker regulations than exist in the European Union or that were just passed in California, with the sole exception of Apple, which relies on a different business model and was reportedly the only company “at the hearing to argue that the bar for federal legislation should be set “high enough” to protect consumers.” As The New York Times reported, the goal of the tech industry is to institute federal rules that would give technology companies wide leeway over how personal information is handled. The Electronic Frontier Foundation describes the tech industry’s goal as “neuter[ing]” California for a weaker law at the federal level.
According to The New York Times, however, the tech industry’s efforts are not limited to just federal lobbying efforts. In fact, The New York Times reported that lobbying efforts are underway in California as well, and that the California Chamber of Commerce and other business and tech groups have just submitted nineteen pages of bill edits to State Senator Bill Dodd, one of its authors. In addition, The New York Times reports that the groups are also asking California to delay enactment for a year.
The bottom line is that the tech and telecommunication industries are actively lobbying at both the federal and state levels to ensure that California’s new privacy law never goes into effect in its current form. Convincing Congress to pass a federal law that they hope to be able to influence and shape has now become the top priority for both industries.
After spending months preparing to comply with the European Union’s General Data Protection Regulation (“GDPR”), software companies now have a new U.S. data privacy law to be concerned with. California has just passed a landmark data privacy law of its own: the Consumer Privacy Act of 2018. To view the text of the law, click here.
As USA Today reports on the new law: “[it] is similar to Europe’s General Data Protection Regulation rules, which took effect last month, but goes further, allowing consumers to opt out of their data being shared instead of forcing them to opt in to continue using online services.”
For its part, The New York Times characterizes California’s new law as less “expansive” than the GDPR but “one of the most comprehensive in the United States.” However, Wired describes the new law as “adding to [the GDPR] in crucial ways.” In particular, Wired points to the fact that the GDPR requires opt-ins to collect and store data but in practice the opt-ins actually used do not give consumers a choice other than to opt in in order to use the service; however, California’s law will prevent companies from denying service to consumers who opt out.
According to Tech Crunch, the key protections of California’s new law are requiring companies to comply with consumer requests to delete data, providing a new consumer right to opt out of data being sold without any sort of penalty being assessed, preserving for companies the right to provide “financial incentives” to collect data, and granting state authorities the right to fine companies for violations.
As you might expect, it is being reported that there were extensive corporate lobbying efforts employed by some prominent companies against the proposed legislation. The New York Times and USA Today are reporting that Google, Facebook, Verizon, Comcast and AT&T each contributed $200,000 to a committee opposing the ballot measure and that lobbyists are expecting businesses to pour between ten and a hundred million dollars into campaigns against the law over the next few months.
All in all, there seems to be a consensus that this legislation is going to have a tremendous impact on data privacy nationwide, despite its limited application to California and the fact that it may still be amended before it goes into effect in 2020.
As for the software industry, the worries about data privacy compliance now shift from Europe to California and potentially the other 49 states. Fortunately, the industry has two full years to prepare for the new California regulation.
If your software company has pursued Privacy Shield certification or is contemplating pursuit of certification, then you should know that an Irish Court has referred a case to the Court of Justice of the European Union, which could potentially invalidate the EU-U.S. Privacy Shield as it previously did with the Privacy Shield predecessor, Safe Harbor, according to a Tech Crunch report.
As Tech Crunch explains, the current case against Facebook was initiated by the lawyer and privacy campaigner Max Schrems, who also initiated the prior complaint which resulted in the judgment by the Court of Justice of the European Union overturning Safe Harbor.
The High Court of Ireland referred eleven questions for consideration to the Court of Justice of the European Union, including several questions (nos. 9 and 10) that specifically deal with the adequacy of the EU-U.S. Privacy Shield. Tech Crunch suggests that this referral could lead to a complete collapse of the EU-U.S. Privacy Shield framework.
With the evident uncertainty over the future of Privacy Shield, does it still make sense to pursue and/or maintain certification if your company has European customers? In light of the fact that the new data privacy rules in Europe (the “GDPR”) go into effect May 25th and increase the fines for violations, and that the Privacy Shield framework remains the best guidance currently available for American companies intending to do business in Europe, pursuit of certification remains a sound business and legal strategy. However, companies need to follow what happens with this challenge and remain cognizant of the fact that Privacy Shield has not yet been tested by this European high court and it is uncertain whether it will withstand the current challenge.
If your business is in the software industry and you are doing any business in Europe, you should be aware of the EU General Data Protection Regulation (“GDPR”), as it will apply to your business when it goes into effect on May 25, 2018. You also may want to consider pursuing Privacy Shield certification before the GDPR goes into effect.
What exactly is the GDPR? This is the law passed by the European Parliament in 2016 which changes the laws relating to data privacy regarding EU citizens. Attached is a copy of the full text of the GDPR.
The GDPR will apply to any business processing the personal data of anyone residing in the European Union, regardless of the location of the business. Article 3 of the GDPR provides:
- This Regulation applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union, regardless of whether the processing takes place in the Union or not.
- This Regulation applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to (a) the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or (b) the monitoring of their behaviour as far as their behaviour takes place within the Union.
Article 4 of the GDPR defines “personal data” as:
any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
Article 4 of the GDPR defines “processing” as:
any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
Some highlights from the legislation include the following:
Article 5 of the GDPR provides guidelines on how data should be processed, which includes keeping it in a form “which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed.”
Article 7 of the GDPR establishes the requirements for procuring consent to data processing, which include that “the request for consent shall be presented in a manner that is clearly distinguishable from other matters, in an intelligible and easily accessible form, using clear and plain language” and that the “data subject shall have the right to withdraw his or her consent at any time.” Article 8 of the GDPR sets forth the conditions for procuring consent from children, including “where the child is below the age of 16 years, such processing shall be lawful only if and to the extent that consent is given or authorised by the holder of parental responsibility over the child.”
Article 9 of the GDPR prohibits the processing of certain kinds of data: “personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation.” Article 10 of the GDPR adds to this list the processing of data about criminal convictions unless processed by an official authority.
Article 17 of the GDPR codifies the so-called “right to be forgotten.”
Article 27 of the GDPR requires companies processing data of EU residents outside the European Union to designate a representative of the controller or processor in the European Union, except in the following circumstances:
- processing . . . is occasional, does not include, on a large scale, processing of special categories of data as referred to in Article 9(1) or processing of personal data relating to criminal convictions and offences referred to in Article 10, and is unlikely to result in a risk to the rights and freedoms of natural persons, taking into account the nature, context, scope and purposes of the processing; or
- [where processing is by] a public authority or body.
Article 33 of the GDPR requires a data breach notification to be provided to the appropriate supervisory authority within 72 hours of becoming aware of a data breach.
Article 46 of the GDPR permits the transfer of personal data to a third country or international organization only if “appropriate” safeguards and effective legal remedies are in place, which may include “contractual clauses between the controller or processor and the controller, processor or the recipient of the personal data in the third country or international organisation.”
If your software company is doing business in Europe and has not already pursued Privacy Shield certification, you may want to consider doing this as soon as possible. The Privacy Shield Frameworks were recently designed by the U.S. Department of Commerce in conjunction with the European Commission and the Swiss Administration in order to provide companies with a “mechanism” to comply with European Union and Swiss data protection requirements when transferring personal data from the European Union and Switzerland to the United States. Some of the key requirements of the Privacy Shield Framework are listed on this linked web page. As part of the process, your software company will need to update its existing privacy policy to include language required by the Privacy Shield Framework, which is set forth at the https://www.privacyshield.gov website. The U.S. Department of Commerce has provided a webpage listing the benefits of participation to U.S. companies. Your company may find going forward that Privacy Shield certification is required by prospective European customers, so simply being prepared to do business with them may be an additional benefit of the Privacy Shield certification process.
The bottom line is that software companies need to spend some time familiarizing themselves with the GDPR and consider how their business may be impacted by the legislation before it goes into effect in May 2018. If your company does business in Europe or hopes to do business in Europe in the foreseeable future, this privacy legislation will impact future deals with potential European customers and will certainly affect what you can do with personal data obtained through such relationships going forward.
If your software company is like most, you have probably spent little or no time contemplating what needs to be in your company’s privacy policy. In fact, what your company is currently calling its privacy policy was likely copied from a third party website years ago and never given much thought since. Meanwhile, your company is likely collecting and aggregating user data and looking for new opportunities to monetize it. Sound familiar?
Well, if this is your company’s situation, you may want to rethink how you are operating in light of recent enforcement action by the FTC on corporate data collection practices.
On February 6, 2017, the FTC announced that VIZIO, Inc. had agreed to pay $2.2 million to settle charges by the FTC and the Office of the New Jersey Attorney General that it installed software on its TVs to collect data regarding consumer viewing without their knowledge or consent. In its complaint against VIZIO, the FTC alleged that VIZIO had manufactured televisions that continuously tracked consumer viewing on the television and transmitted this information back to VIZIO, and also had remotely installed the same proprietary software on previously sold televisions. In addition to collecting information about consumer viewing, the FTC alleged in its complaint that the software had collected information about the television, IP address, wired and wireless MAC addresses, WiFi signal strength, and nearby WiFi access points. The FTC further alleged in its complaint that VIZIO had then entered into third party contracts to sell the data collected to third parties for the purpose of measuring the audience, analyzing advertising effectiveness, and targeting advertising to particular consumers. While VIZIO’s contracts had provided only aggregate data to the third parties, those contracts did provide segmented demographic information by sex, age, income, marital status, household size, education, home information, and household value. According to the FTC Complaint, VIZIO did make a privacy policy available on its website, but the only onscreen notifications provided to consumers were vague and timed out after 30 seconds, never sufficiently informing consumers as to VIZIO’s data collection practices with the software installed on their televisions. The FTC alleged that VIZIO’s actions in deceptively omitting material facts constituted deceptive acts or unfair practices prohibited by Section 5(a) of the FTC Act.
In the stipulated order, VIZIO was ordered to take all the following actions before collecting any further data from consumers:
- Prominently disclose to consumers “separate and apart” from the privacy policy specifics on the data to be collected, what would be shared with third parties, the categories of third parties who would receive the data, and the purpose for which the third parties would receive the data.
- Obtain affirmative express consent from consumers at the time of disclosure and upon any material changes.
- Provide instructions at the time of obtaining consent to how consumers may revoke consent.
The stipulated order then gave specific guidelines on what would constitute “prominent” disclosure.
The stipulated order also required the destruction of the previously collected data, the mandated creation of an internal privacy program meeting certain requirements, and third party oversight going forward regarding the privacy controls in place at the company.
Clearly, the FTC intended to send a message to the software industry about the collection of consumer data in the case of this particular enforcement action.
However, the FTC’s recent enforcement activities against software companies did not end with VIZIO. In a separate statement, the FTC announced settlements with three other companies in the industry over allegations that they had made deceptive statements in their privacy policies about their participation in an international privacy program. The companies charged in those cases were Sentinel Labs, Inc., a software company providing endpoint protection software to enterprise customers; SpyChatter, Inc., a company marketing a private messaging app; and Vir2us, Inc., a distributor of cybersecurity software. The FTC alleged in each complaint that the companies violated the FTC Act by making deceptive statements about their participation in privacy programs. Attached are the complaints against Sentinel Labs, SpyChatter, and Vir2us. In these cases, the proposed settlements merely prohibited the companies from making further misrepresentations about their participation in third party privacy or security programs, but they are not final orders and are still subject to possible amendment.
What conclusions should you as a software company take away from the FTC’s recent enforcement activities against software companies? Clearly, the FTC is cognizant of the trends in the software industry to monetize data collected from software, to adopt privacy policies without actually customizing them to the practices of the particular company, and to bury privacy notices on websites without actually obtaining clear end user consent to actual business data collection practices. So, if your company is like most in this space, you are on notice that your practices need to change. Your privacy policy needs to be customized to the business practices of your particular company, which means that you actually need to take the time to consider each and every piece of information that you are collecting from the public and disclose what you are doing with it. If your customers expect you to be a part of an international privacy program before they do business with you, you need to actually take the steps required to receive the appropriate certification from that organization before you advise consumers and the public that you are a member. And if your software collects information, you need to make sure that not only your customers but also the parties from whom the information is collected have given their clear consent to your collection practices. A privacy policy buried in your website is probably not sufficient to cover you legally.
If you do not change your privacy practices, you are on notice that you may soon be hearing from the FTC.
If you are a cloud service provider or a software provider who offers maintenance services to enterprise-level companies, then your company has likely had occasion to negotiate indemnification clauses relating to data breaches. Moreover, your company has probably had to provide warranties around data security or employee bad acts that would provide some protections to your customers in the event of a data breach.
But have you ever taken the time to really consider what the cost of a possible data breach might actually be for your company?
Network World recently published an article looking at the results of a 2016 data breach study conducted by the Ponemon Institute and IBM and determined that the total average cost for a breach is now $7 million, and that the average cost per compromised record is now $221. Network World further reported that the same study concluded that the average cost of a data breach of more than 50,000 records was $13 million.
Obviously, these costs are significant enough that unlimited liability indemnifications relating to data breaches have the potential to generate significant expenses, as do actions for breaches of warranties relating to data security.
So, what can software companies do to protect themselves against data breach liabilities?
First and foremost, companies need to take data security seriously and enact policies and procedures that prioritize data protection.
Second of all, companies need to carefully negotiate clauses related to cyberrisk and cyberliability with the expectation that a data breach will occur that is going to trigger the application of all such clauses down the road. In particular, if you agree to take on unlimited liability of all costs related to a data breach, you need to be prepared to cover the expected costs that will arise from any such data breach. Similarly, in negotiated services contracts, companies need to take the time to carefully define the full scope of services they provide with respect to data protection and data security in such a way that a data breach will not constitute a material breach so long as the services are fully performed in accordance with the defined scope of services.
Third of all, companies need to purchase cyberinsurance in order to ensure that they have sufficient coverage in the event of a data breach. While cyberinsurance is a relatively new insurance product which has in the past often had many gaps in coverage, Tech Republic suggested in an article published today that the newer policies are starting to close some of the earlier policy gaps to coverage. However, Tech Republic reported that companies should still watch for coverage limits in cyberinsurance policies for regulatory actions, cost of call monitoring, credit monitoring, forensic investigations, hacks that began prior to the coverage term, and attacks that have third party consequences.
The bottom line is that software companies need to have contractual and insurance protections in place to protect their businesses against the consequences of the inevitable data breach that affects their business. With data breaches as well as costs on the rise, companies of all sizes need to be prepared to deal with the fallout of a cyberbreach when it occurs.
The Wall Street Journal reported this week that apps on the market overall are not providing users with even basic privacy protections.
The report focused on research conducted by the Global Privacy Enforcement Network, which is a coalition of privacy officials from 19 countries, including the U.S. Federal Trade Commission, and determined that 60% of the 1211 different apps reviewed raised privacy concerns, as they did not disclose how they used personal information, they required that the user give up significant personal data in order to download the app, and their privacy policies were posted in font too small to be read on a smartphone screen. In addition, they found that 30% of the apps provided no privacy information whatsoever, and 31% requested access to personal data without advising users whether or not the personal data was necessary for the app to function. Just short of half of the apps had privacy policies that were not smartphone-friendly in terms of their readability.
If you are a developer with an app you have released on the market and you fall into the category of developers who are ignoring privacy concerns and want to change your ways, adopting a few practices would obviously address this organization’s concerns: start disclosing how you use personal information; refrain from requiring the disclosure of, or consent to the use of, personal data before a user can download your app; and make your privacy policy readable on mobile devices. In addition, you may want to consult the digital guide published by California’s Office of Privacy Protection for additional recommendations on best privacy practices.
The FTC has just announced proposed changes to its existing rules protecting children’s online privacy and is currently accepting public comment on the proposed rules through September 10, 2012. The proposed changes would amend the Children’s Online Privacy Protection Rule (“COPPA”).
In particular, the FTC is seeking to make modifications to the following language:
- Revise the definitions of “operator” and “website or online service directed to children” in order to specify that the operator of a child-directed site or service which incorporates into the site or service any plug-ins that collect personal information from visitors to the site should itself be subject to COPPA.
- Revise the definition of “website or online service directed to children” to specify that (a) plug-ins or ad-networks are covered by COPPA if they know or have reason to know that they are collecting personal information through a child-directed website or online service; (b) websites that appeal to both adults and children under 13 years of age may screen all visitors’ ages in order to provide COPPA’s protections only to users under age 13; and (c) all child-directed sites or services that knowingly target children under 13 or whose content primarily appeals to children under 13 must treat all users as children.
- Revise the definition of “personal information” to clarify that a persistent identifier will be treated as personal information “where it can be used to recognize a user over time, or across different sites or services, where it is used for purposes other than internal operations,” and revise the definition of “support for internal operations” in order to specify that activities such as “site maintenance and analysis, performing network communications, use of persistent identifiers for authenticating users, maintaining user preferences, serving contextual advertisements, and protecting against fraud and theft” will not constitute the “collection of personal information,” provided that the information collected is not used or disclosed to contact a specific individual, including through the use of behaviorally-targeted advertising, or for any other purpose.
The full text of the proposed new rules is attached here.
In all honesty, while I’m all in favor of protecting children on the Internet, I’ve never been a big fan of COPPA. In my role as counsel to start-ups and small businesses, clients often come to me for advice on COPPA compliance, and the truth of the matter is that the language is cumbersome to read and interpret, and the rules are difficult to implement. Moreover, I question the practical application of COPPA in this day and age where kids are so wired at a very young age and there is so much quality educational content available to kids.
So, with that being said, I think further clarification of how the FTC is reading the rules on the enforcement end is welcome and long overdue.
However, at the same time, the FTC is clearly trying to expand the reach of COPPA, and if implemented, any expansion is going to pose an additional hardship on affected start-ups and small businesses. Huffington Post writer Larry Magid argues that the FTC has greatly underestimated the number of businesses that would potentially be affected by these new rules. I know in my practice alone I’ll have a number of start-up and small business clients who would be affected by any new rules in this space. Are the changes really going to have the effect of better protecting kids or are they just going to add to the administrative burden already facing start-ups and small businesses in the website and software services space?
The good news is that there is still time to review the proposed language and communicate your thoughts to the FTC, so I would encourage website and software service providers to get involved in the process and voice your opinions while this is still just a proposal.
President Obama yesterday unveiled his new consumer privacy initiative, as was announced on the White House website. To view the full text of the initiative, click here.
The purpose of the initiative is to urge Congress to adopt a Consumer Privacy Bill of Rights, which codifies the following:
- Individual Control: Companies should give consumers control over the personal data that they share and how companies collect, use, or disclose that data. They should be given clear and simple choices that enable them to make meaningful decisions about data collection, use and disclosure. Companies should give consumers opportunities to limit or withdraw consent that are as easy as the methods for granting initial consent.
- Transparency: Consumers have the right to easily understandable and accessible information about companies’ privacy and security practices. Companies should provide clear descriptions of what data they collect, why they need the data, what they will do with the data, when they will delete or de-identify it from customers, and whether and for what purposes they may share the data with third parties.
- Respect for Context: Consumers have the right to expect that companies will collect, use, and disclose personal data in ways that are consistent with the context in which consumers provide the data. Important considerations for context are the age and sophistication of customers. Children and teenagers should have greater protections than adults.
- Security: Consumers have a right to secure and responsible handling of personal data. Companies should maintain reasonable safeguards to control risks such as loss, unauthorized access, use, destruction, modification, and improper disclosure.
- Access and Accuracy: Consumers have a right to access and correct personal data in usable formats in a manner that is appropriate to the sensitivity of the data and the risk of adverse consequences to consumers if the data is inaccurate.
- Focused Collection: Consumers have a right to reasonable limits on the personal data that companies collect and retain. Companies should collect only the personal data they need to accomplish purposes specified under the context, and they should dispose of or de-identify personal data once they no longer need it.
- Accountability: Consumers have a right to have personal data handled by companies with appropriate measures in place to ensure they are adhering to the Consumer Privacy Bill of Rights. Companies should be accountable to enforcement authorities and to consumers and companies should hold employees responsible for adhering to these principles. Where appropriate, companies should conduct full audits. If companies disclose data to third parties, they should ensure at a minimum that the recipients are under contractual obligations to adhere to these principles.
The initiative also asserts that the legislation should provide the FTC and State Attorneys General with the specific authority to enforce the Consumer Privacy Bill of Rights.
My initial reaction to the President’s announcement is mixed. As a consumer of the Internet who spends 95% of my day online, I am sick and tired of getting tracked all over the Internet. I find it very annoying to have advertisements pop up for somewhere I have shopped or thought about shopping online, and as soon as another advertisement pops up, I inevitably check all my computer settings and delete cookies and do what I can to stop being tracked. However, it seems as though nothing works–or at least nothing works for long. So, I agree that all this Internet tracking is overly intrusive and an annoyance.
At the same time, as an attorney in the Internet and Software space, I am strongly concerned by the fact that the President is proposing more government regulation over the Internet and more enforcement authority over the Internet. I agree with many of my legal counterparts who believe that the intrusion of more government regulation over the Internet is a hornet’s nest: the Internet has no borders, so if the United States government is allowed to police the Internet to a greater extent than it is currently doing, why shouldn’t other governments be allowed to do the same? And where do you draw the line? Philosophically, I think there is a very good argument that the federal government should not be empowered with the ability to step up its regulatory and enforcement authority over the Internet.
Putting aside my general concern over the federal government increasing its regulatory and enforcement powers in the Internet space, my next concern is that we may be imposing a HIPAA like regime over all businesses and not just the ones that handle personal health information. Is that really a good idea? Moreover, my understanding is that as a result of The Affordable Care Act, the government is now trying to coerce companies to turn over HIPAA information to the Department of Health and Human Services. If this is in fact happening, what is to stop the government from doing the same thing with other personal information once they have further regulatory authority? It’s bad enough that I’m being tracked by businesses all over the Internet, but the idea that Uncle Sam might be doing it is even worse.
And, then there is the concern that this initiative would be duplicating existing laws. We already have a law to protect children’s personal information on the Internet: the Children’s Online Privacy Protection Act (“COPPA”). We also have state privacy legislation that presumably this law would supersede.
Finally, as a lawyer for software and Internet companies, I have to be concerned about how this new privacy initiative will impact their existing business models. Many of my clients rely on the collection of this personal information to drive their revenues, as the websites rely on advertising and the sharing of data to make money. Will this new initiative have the ultimate effect of putting some Internet and software companies out of business?
Of course, at the moment, these are just my initial reactions to the President’s announcement. His initiative is merely a proposal to demonstrate to consumers who are likely voters that he is looking out for their well-being in an election year. Indeed, the initiative does not even rise to the level of a bill being introduced to Congress. Moreover, I would argue that the initiative contains largely “feel-good” language without any real teeth, so for now, my concerns about what happens next are simply speculation on my part about what Congress could do with the initiative, or alternatively, what the Federal Trade Commission might do on its own accord without any legislation being passed in Congress.
Still, as much as I personally dislike being tracked all over the Internet, I am troubled by the signals that the President is sending us through his announcement and concerned that expanding consumer privacy protection powers is just the first step to a further expansion of U.S. government regulatory powers over a global Internet. While at a personal level I would like to draw the proverbial line in the sand on Internet tracking, I worry about what the impact of actually allowing the federal government to draw a line in the sand for us will be on the further development of the Internet. For those of you who brush off this question, you should remember that the Internet does not have physical borders. So, where exactly do we draw the line between the U.S. government’s regulation of the Internet and another government’s regulation of the Internet? I think we need to stop to consider these questions very carefully before we start contemplating the further expansion of federal powers over the Internet–even if those powers may be directed at reining in a business practice that many of us find intrusive and annoying.