California Consumer Privacy Act (CCPA)

Although amended twice (September 13th and October 11th of 2018) after its initial passage by the California State Legislature and being signed into law by Governor Jerry Brown in June of 2018, the California Consumer Privacy Act (California Civil Code Section 1798.100) (“CCPA”) becomes effective with the new year (January 1, 2020).

Although it is intended to protect and afford California residents with certain rights (in some areas, greater or somewhat different than the European Union’s General Data Protection Directive 2016/679), it affects non-profit entities that do business in California, and that collect personal information of consumers and either have annual gross revenues over $25 million OR buy or sell personal data of 50,000 or more consumers/households OR earn over half their annual revenue from selling consumer personal information.

If your organization fits into any of those categories, you are required to establish, put into place and maintain reasonable security procedures and practices to protect consumer data and to afford California residents the right to know what personal data is being collected about them; to know whether and to whom the consumer’s personal data is sold or disclosed; to refuse to permit the sale of their personal data; to access their personal information; and to ask you to delete personal information collected from them.  The law also prohibits discrimination against any consumer for exercising any of their privacy rights under the CCPA.

While many businesses have been busily amending their agreements with suppliers and service providers, and likely have been presented with updated and revised contracts with “CCPA” amendments in order to ensure those in the chain of collection, storage, handling, distribution and use are in compliance, if you do any business in or with California residents, don’t forget to update your privacy policies and any terms of use that apply to your websites, e-commerce and online/mobile presence generally.  Those sites, even those that do not require any registration or input directly from consumers, almost certainly will be collecting information that is covered by the broad definition of “personal information” under the CCPA.

If you would like to know more about the CCPA or have any questions about this post, don’t hesitate to contact me, Joe Rosenbaum, or any of the Rimon lawyers with whom you regularly work.

 

Forensic DNA and Missing Children: The Legal & Ethical Issues

Since 1983, when the day was designated by U.S. President Ronald Reagan as National Missing Children’s Day in the United States and spreading internationally through the Global Missing Children’s Network (GMCN), May 25th has been celebrated as International Missing Children’s Day.  GMCN is a jointly sponsored venture of the U.S. National Center for Missing & Exploited Children (NCMEC) and the International Centre for Missing & Exploited Children (ICMEC) that focuses on educating parents on steps they can take in protecting their children, as well as sharing best practices and information in investigating cases of child abduction, trafficking and illegal adoptions.

This year, I have the distinct privilege and great honor of speaking at the conference for Missing Children and Genetic Identity, organized by the Portuguese Association for Missing and Exploited Children [Associação Portuguesa de Crianças Desaparecidas] and sponsored by Genomed, to be held at Lusófona University in Lisbon on the 25th of May 2017 – International Missing Children’s Day.

The conference will explore the connection between modern genetics and forensic science and focus on national and international efforts to aid investigations of missing and abused children.  The legal and ethical issues surrounding DNA collection and use, and the pros and cons of storing DNA samples and maintaining a database of digital DNA ‘fingerprints’ as well as other biometric information from individuals – convicted criminals, arrested individuals, victims, family members and even the general public – continue to be hotly debated on the national and international level throughout the world.  In addition to issues of privacy and security, the use and potential abuse of genetic and other biometric evidence, whether to exonerate individuals or convict guilty individuals, is not just complicated, it is inconsistent across jurisdictional borders.  Sharing of critical information that may help identify a child or investigate a missing person, whether or not a crime may have been committed, is neither assured nor routine – despite the obvious benefits a regulated and carefully constructed information sharing system might bring to family members, law enforcement and the forensic scientific community.

The conference, one of many throughout  the world on May 25th, will attract distinguished guests and provide a forum for discussion and shine a much needed spotlight on the legal and ethical challenges and opportunities at the intersection of science, law and law enforcement. I will publish a copy of my presentation and remarks after the conference concludes, but if you would like to know more about the conference, feel free to contact me, Joe Rosenbaum, or the organizers directly.

 

US-EU Data Transfer Privacy Shield

Referred to by the European Union as the most important change in data privacy regulation in 20 years, the new EU General Data Protection Regulation (GDPR) comes into effect on May 25, 2018.  There is even a ‘countdown’ clock on the website. Under the GDPR, “Personal Data” means information relating to an identified or identifiable natural person (including email addresses, telephone numbers, addresses and IP addresses).   While the European Commission has determined a number of countries already meet the ‘adequate protection’ test, the United States is not one of them!

As most readers of Legal Bytes already know, personal data cannot be transferred from the EU to a non-European Union/European Economic Area country, unless that country can ensure “adequate levels of protection” for such personal data.

As background, in July of 2016, a new framework for the movement of personal data between the EU and the US was finalized – EU-U.S. and Swiss-U.S. Privacy Shield Frameworks – which was put into place in an effort to meet the requirements of the EU Data Directive.   However, critics, noting the holes in that framework, have generated increasing concern as the 2018 effective date of the new EU GDPR approaches.   A few months ago, immediately following the inauguration ceremony, President Trump issued United States’ Executive Order 13768 (January 25, 2017) that has created even greater concern.  While it is possible a new or refined agreement and framework may be put into place in the months leading up to 2018, there is no certainty.

What do you need to know? What should you consider doing now?   My colleague Jill Williamson has written an article which has been published in Risk & Compliance Magazine, entitled “The Fragile Framework of the Privacy Shield”.   If you want to know more about the privacy and data protection implications of the new framework, its potential risks to your business and what you should be considering as you look to the future, feel free to contact Jill Williamson directly.  Of course, you can always contact me, Joe Rosenbaum, or any of the Rimon lawyers with whom you regularly work.

Legal Bytes – A New Beginning

A long time ago in a galaxy far, far away……  oops, wrong beginning.

Welcome to the new Legal Bytes blog.  As many of you know, my Legal Bytes blog has been dormant after my recent transition to Rimon, P.C.  Getting set up, ensuring smooth transitions for clients, and enhancing the look and feel of the blog has taken longer than I hoped, but hopefully the bugs are out of the system and it’s now up to me to try my best to make the new Legal Bytes blog worth the wait.  For newcomers, buckle your seatbelts – this isn’t your ordinary legal blog!

What happened? Why does it matter? How does or could it affect you?  Inquiring minds always want to know and in the process of trying to answer those questions for you, I will always try to illuminate and perhaps also entertain you.   In the coming months I’ll entice you into regular readership, enlighten you with timely content, addict you with my trivia contests, entice you to keep in touch and most of all, try to help you better understand how developments in the law and regulation may affect you.

I intend to continue Light Bytes, with interesting quotes and sayings that pique my interest and hopefully yours.  Of course, there was never a question about my trivia contests. After all, who else but a lawyer could call it “Useless But Compelling Facts”?  We have once again made arrangements with the International Law Office (ILO) based in London. I am privileged to have been re-appointed as Editor and exclusive content coordinator for their U.S. Media, Marketing, Sports & Entertainment Newsletter.  Although there will be content you will see exclusively in the ILO newsletter, you may also see many of our Legal Bytes articles re-purposed and ‘internationalized’ in collaboration with the much appreciated work of the ILO editorial staff.  I am again excited to be working with such a valued organization and truly great people – shout out to Carolyn Boyle, my Editorial contact.

Want to know what’s on my radar for the year ahead – I won’t spoil all the surprises, drone on about drones, nor will I keep my head in the clouds or the crowds.  I am fascinated by the legal implications of the Internet with Things (yes, I replaced ‘Of’ with “With”).  I’m also concerned about cybersecurity and data protection.   I am intrigued by the growing robustness of augmented reality, which means I don’t have to walk around with those funny goggles or a digital scuba mask to experience the virtual world.  Mobile technology is transforming our world – making digital content, e-commerce and communication available to billions of people that had previously never seen a television, had a bank account or used a telephone.  I would be remiss not to mention social media – maturing and increasingly commercialized – further blurring the distinctions between information, entertainment and advertising; between me as an individual and an employee; between me at play and at work; and between my trademarks and my reputation; and between my insatiable desire to tell the world and my seemingly paradoxical concern over my privacy!

It is a brave new world – so much to know and so much to keep up with.

So stay tuned, and as always, thank you for reading.

Advocate General Asks EU Court of Justice WHAT?

The Advocate General of the Court of Justice of the European Union recently announced that it had delivered an opinion in connection with a number of proceedings calling for a preliminary ruling in cases involving Ireland and Austria. In Ireland, the owner of a mobile phone submits that the Irish authorities have unlawfully processed, retained and exercised control over data related to its communications. In Austria, three cases brought by the Province of Carinthia have alleged the Austrian Law on telecommunications is contrary to the Austrian Constitution.

Essentially, the top EU legal advocate is asking the EU court NOT to enforce a bad law so the legislature is afforded a chance to fix it. Seriously? That is like asking the U.S. Supreme Court not to strike down discriminatory laws and give Congress a chance to fix them. Seriously?
 


Identity Theft? Victim and Alleged Thief ID Each Other.

Digital or Analog, identity theft is frightening, anxiety provoking, and tedious – even if you aren’t in danger of losing money or at risk of physical injury. But it’s often not that simple – for the victim or the perpetrator. As an Applebee’s waitress in Lakewood, Colorado, found out, identity theft in the real world can be more frightening than digital theft.

A few weeks ago, the waitress, Brianna Priddy, while out with some friends (not while working), apparently lost her wallet with all of her credit cards, her checks, and her driver’s license, as well as the cash. She dutifully went through the time-consuming and sometimes frustrating process of calling, writing and notifying everyone she could remember, alerting them to stop transactions that may involve the lost instruments and identification, and asking for replacements. Not fun. Even when her bank called, alerting her to forged checks being issued, she probably resigned herself to living with some frustration, anxiety and pain for a while. But if you think digital identity theft is frightening, read on.

Fast forward, Ms. Priddy is now back at work, waiting tables. A group of young people at her station order drinks. She asks for ID. How amazing to find that one of the women at the table ordering a drink is none other than herself! Cloning? Not really. The woman in the group had offered the victimized waitress’ ID as proof, and I confess she must have been a lot calmer than I would have been. She didn’t let on and, according to reports, said to the patron, handing her back the ID, “I’ll be right back with your Margarita.” The waitress called police and despite what must have been a nerve-racking eternity, she tried to appear calm and collected waiting for the police to arrive. They did and promptly arrested the woman patron on suspicion of theft, identity theft and criminal impersonation.

Not all criminals are as unwitting or as helpful as the alleged thief in this case. Not all identity thieves are that cooperative, even by accident. Most digital identity theft, compromises of personally identifiable information, and data breaches are more complex, involve more than one individual and often cross state and national borders – with multiple statutory and regulatory schemes that apply to you, the “victim.” Rimon has an entire group dedicated to and experienced in helping companies deal with identity theft – from preventive policies to defense of legal rights with respect to consumers and regulators. If you need more information about the complex legal and regulatory issues involved, contact me, Joseph I. Rosenbaum, or the Rimon attorney with whom you regularly work.

What You Don’t Know Can Hurt You

Multiple Choice Question: What do the following have in common:

“Privacy & Data Protection: Distinctions Between Surveillance and Secrecy”

“Ethics, Process, Privilege, Discovery and Work Product in the Digital Age”

“When Worlds Collide: Old Ethics and New Media”

“Outsourcing: The Law & Technology”

“The Changing Legal Landscape: Evolution or Revolution”

“Growing Your Business Internationally – What to Know Before You Go”

“Social Media, Mobile Marketing, Clouds and Crowds” (modules):

  • Advertising & Marketing in a Digital World
  • Media & Entertainment: Digital Rights and Wrongs
  • Financial Services, Payments & E-Commerce
  • Online Gaming, Gambling & Virtual Worlds
  • Apps & M-Commerce
  • Context & Geo-Marketing: Wi-Fi, Bluetooth, SMS, RFID, QR Codes & Augmented Reality
  • Operations & Performance, Security, Compliance and Interoperability
  • Wired & Wireless: Sweepstakes, Contests, Product Placement & Branded Entertainment
  • Anti-Social? Communication & Public Relations for Companies, Employees & Investors
  • Behavioral Advertising, Endorsements, Blogs, Buzz, Viral, Street Teams & Word of Mouth
  • Labor & Employment Policies in a Networked Age: The Good, The Bad & The Ugly
  • Crowd Sourcing, Crowd Funding, Crowd Investing: Today & Tomorrow

“Privacy, Data Protection & Globalizing Technology: Digital Commerce Brings Legal Challenges”

“Comparative Advertising Issues: Multinational Brands; Global Challenges”

“Direct to Consumer: Legal Challenges in the Digital Marketplace”

“Out of Control? Challenges to Privacy & Security in a Big Data World.”

 

Answers: (a) Seminars & Presentations Given; (b) Seminars & Presentations Available; (c) Targeted at Lawyers; (d) Targeted at Commercial and Business Management; (e) Relevant to Small-to-Medium Size Business; (f) Relevant to Multinational, International & Global Companies; (g) None of the Above; or (Y) All of the Above.

If you guessed (Y), you are correct. Let us know if any of these, a combination of these or a customized version of these or any other presentations might be right for you. Hey, you never know, but what you don’t know, can hurt you. For more information, contact me, Joe Rosenbaum, or the Rimon attorney with whom you regularly work.

Airlines May be Mobile But Delta Apps Irk California Regulators

In a civil action filed in California (People v. Delta Air Lines Inc., California Superior Court, San Francisco, 12-526741), the California State Attorney General’s office alleges that Delta Air Lines was distributing a mobile application without a privacy policy, in violation of the California Online Privacy Protection Act of 2003 (COPPA), which became effective July 1, 2004. The California statute provides a penalty of up to $2,500 for every violation.

Among other things, the Delta ‘app’ allows customers to check in, and display and make reservations; and, according to the lawsuit, Delta has been allowing customers to download and use the ‘Fly Delta’ app without a privacy policy, since at least 2010.

Of course, Delta is not the only company with user-friendly mobile apps for on-the-go busy travelers, and I’m guessing that company lawyers are now scrambling to determine if their apps are in compliance and whether changes need to be made and, just as importantly, how to make those changes to ensure compliance with the law and still maintain the customer friendliness mobile users are accustomed to and demand.

Our Advertising, Technology & Media law practice can help you navigate the challenges of compliance – preventive law as well as representing clients when the regulators come calling . . . and we have a group dedicated to legal support when your needs, defensive or as a defendant, turn to privacy, data protection and identity theft. So if you need help or more information, contact me, Joseph I. Rosenbaum (joseph.rosenbaum@rimonlaw.com), or any of the Rimon lawyers with whom you regularly work.

Bond Meets Bond Street: Mannequins are Watching You Shop

An Italian company, Almax S.p.A., is selling a mannequin (price tag about $5,000) in a development that is being closely watched – literally – by retailers, consumers and, of course, regulators and privacy gurus. The new product, marketed as the EyeSee Mannequin, contains a camera embedded in the mannequin’s eyes, and according to the company’s website: “This product will do much more; it would make it possible to ‘observe’ who is attracted by your windows and reveal important details about your customers: age range; gender; race; number of people and time spent.”

In Europe and the United States, the mannequins are making sporadic appearances – perhaps in showrooms and even in street-side display windows, gathering data as people saunter by the store gazing into the windows. According to reports, Almax may also be testing auditory capabilities that would allow a mannequin to not only see, but to hear what customers are saying as well. Hey, did you just call that mannequin a dummy?

 


(Image from Almax Website)

 

The EyeSee Mannequin has a camera placed as an “eye” that includes facial recognition technology that records information about passersby, such as their gender and race, and the software guesstimates the approximate age of each person scanned by the camera. Typically, cameras can be used in retail stores for security, but in many jurisdictions the shop owners are required to post signs alerting consumers browsing the aisles that they are subject to being recorded. Now, the EyeSee Mannequin gives retailers the ability to collect and store information for marketing purposes – a commercial purpose that may put the technology squarely under a microscope (these vision puns really must stop), since it collects personal data about individuals without their consent. That said, the current product is only supposed to record information, not any actual photographs or image scans, but . . . it could, couldn’t it?

Need to know more about the legal implications of technology in advertising and marketing? Concerned about your rights (and wrongs) in deploying surveillance equipment and gathering data and information about customers and consumers? Are you up-to-date on the latest privacy and compliance requirements? Not sure? Need to see these issues more clearly? OK, don’t be a dummy (I mean mannequin) and consult your lawyer. Don’t hesitate to contact me, Joseph I. Rosenbaum, or the Rimon lawyer with whom you regularly work. We would be happy to see you, hear you and help you.

IAPP Privacy Presentation – Is the Wizard of Oz Still Behind the Curtain?

On May 10, 2012, I had the privilege of making a presentation at the IAPP Canada Privacy Symposium 2012. The title of my presentation was "Social and Mobile and Clouds, Oh My!" and it addressed some of the emerging issues in privacy, data protection and surveillance that arise as a result of globalizing technology and the convergence of social media, mobile marketing and cloud computing.

As part of that presentation (and as I have started to do for some time now in other presentations), I raised the issue of how lawyers, the law, legislators and regulators often use words to describe activities – words rooted in tradition or precedent – that are no longer applicable to the activity in today’s world. "Privacy" is such a word, although "not applicable" perhaps is too harsh. Obviously the word has significant applicability in a wide variety of situations. But "invasion of privacy" has become a knee-jerk reaction to virtually every information-gathering activity, even information readily and publicly available and, in some cases, posted, disclosed or distributed by the very individual whose privacy is alleged to have been "invaded."

Please feel free to download a PDF of my presentation, "Social and Mobile and Clouds, Oh My!" [PDF] (Note: Embedded video file sizes are too large to include), and let’s start a conversation about how we use words and how they wind up in laws and regulations. Lawyers work with words. Use them artfully and they provide powerful structures within which society, commerce and all forms of human endeavor function. Use them improperly and they cause confusion, uncertainty, inconsistency and inherently inequitable outcomes.

Seems like I am not the only one to point this out. Take a look at the insightful comments by John Montgomery, COO of GroupM Interaction, North America, as reported in a MediaPost RAW posting on Social Media entitled: If Marketing Terms Could Kill.

Kudos John. I’m with you. Let’s get it right.

FYI, Rimon has teams of lawyers who have experience and follow developments in privacy and data protection, information security and identity theft. If you want to know more, if you need counsel or need help navigating, or if you require legal representation in this or any other area, feel free to call me, Joseph I. ("Joe") Rosenbaum, or any of the Rimon lawyers with whom you regularly work.