Even if your business is based on the East Coast, you are likely to feel the effects of the California Consumer Privacy Act (“CCPA”), which will be effective January 1, 2020.

CCPA applies to for-profit businesses that:

  • Do business in the state of California; collect, or contract with a vendor for the collection of, personal information of “consumers[1]”; and determine the means or purpose of processing the data and
    • Have annual gross revenues in excess of $25,000,000 OR
    • Buy, receive, sell or share information about 50,000 or more consumers, households or devices for commercial purposes OR
    • Derive more than half of their revenue from selling consumers’ personal information.

So… if you are not doing business in California, or you do not fall into one of the sub-categories enumerated above, why do you need to worry about CCPA?
Continue Reading

States continue to pass legislation addressing the protection and breach of private information and, on July 25, 2019, New York joined the growing trend when Governor Andrew Cuomo signed the Stop Hacks and Improve Electronic Data Security Act (or “SHIELD Act”) into law.  The SHIELD Act significantly amends New York’s data protection and data breach notification laws – expanding their reach beyond businesses operating in New York and imposing new requirements on persons and businesses in possession of New York residents’ private information.

Effective March 2020, the proactive portion of the SHIELD Act will:

  • Apply to any business that has personal information (“PI”) regarding any New York resident
  • Require those businesses to adopt proactive measures to safeguard that PI
  • Require businesses to vet vendors entrusted with or with access to that PI

The amendments to the current New York breach notification law, effective on October 23, 2019, “redefine a “breach” to include the “mere” unauthorized access to PI (expand the law beyond the actual acquisition of such PI without authorization).

While the amendment to the breach notification requirements may not greatly impact businesses’ current practices, the proactive requirements will be felt by any business that is not already taking “reasonable” measures to safeguard PI in their control.  And if you are a vendor to any of these businesses, and you are not prepared to adopt the requisite proactive measures to protect PI entrusted to you, then you may lose that business.
Continue Reading

In the continuing void at the federal level, more and more states are being proactive in adopting legislation that seeks to protect US residents’ personal data, and to impose stricter guidelines on companies that experience a data breach.

Although Washington State did not pass its previously pending bill that would have been more stringent on

On November 21, 2018, the Pennsylvania Supreme Court, the highest ranking state court in Pennsylvania, ruled that an employer had a common law duty to exercise reasonable care to protect employees’ personal data where, as a condition to employment, the employer (i) required employees to provide sensitive data, (ii) the employer chose to store such

In the wake of GDPR and California’s new data privacy law, website privacy policies continue to be a hot topic for the business community.

These pieces of legislation, the FTC Act, and various other sectoral and state laws and regulations set forth a myriad of complex rules and guidelines for website privacy policies.  At