Keeping up with Privacy Laws: Lily Li on The Gen Why Lawyer Podcast

On July 2, 2018 attorney Lily Li appeared as a guest star on The Gen Why Lawyer Podcast. During the half-hour segment, Ms. Li discussed starting her own dedicated privacy practice, the recent enactment of the General Data Protection Regulation, and growing developments in state privacy regulation.

Listeners may tune into this broadcast on ITunes, Stitcher, and The Gen Why Lawyer website at the links below:

 

***
The Gen Why Lawyer is a weekly podcast hosted by California Patent Attorney and Millennial, Karima Gulick. Join Karima each week as she chats with some of the greatest innovators and leaders in the legal profession. Listen in to hear their inspiring stories and learn from their insight on how to build a meaningful life and fulfilling career. For more information, check out their website.

California Privacy Update: Tentative Compromise on Consumer Privacy Act

6/28/2018 Update: Governor Brown signed AB-375 into law on the afternoon of June 28, 2018. The law is named the California Consumer Privacy Act of 2018, and will take effect in January 2020. This will give industry and lawmakers some time to regroup and fine tune the regulations under this new act.

In a last-minute attempt to keep the California Consumer Privacy Act initiative off the November ballot, California lawmakers reached a tentative deal with ballot sponsor Alastair Mactaggart on June 21st to push forward a legislative privacy bill. The deal depends on the bill passing both houses and being signed by Governor Brown by June 28th.

The proposed bill, introduced by State Assembly member Ed Chau and state senator Robert Hertzberg, would give California consumers unprecedented rights to know what information businesses collect about them, where that information comes from, and how that information is shared. The bill also gives consumers the power to stop companies from selling their data.

The bill removes some of the most draconian features of the proposed Consumer Privacy Act, by removing private rights of action for procedural violations of the law, discarding minimum statutory damages for even de minimis violations, and providing a 30-day “right to cure” for businesses. Further, the proposed bill provides some relief for businesses facing “manifestly unfounded or excessive” requests from consumers concerning their data.

Though this compromise bill reduces many of the operational headaches of the proposed ballot initiative, it will likely face strong opposition from the tech sector. Most prominent amongst the initiative’s detractors is the Committee to Protect California Jobs, a PAC composed of the California Chamber of Commerce, TechNet, Internet Association, and technology giants such as Google, AT&T, and Comcast.

While it remains to be seen whether this bill prevents a November ballot showdown, the policy debate around the Consumer Privacy Act is indicative of broader trends towards privacy legislation. Public sentiment in support of state privacy laws is only growing, given the recent Facebook-Cambridge Analytica scandal, and the increasing frequency of large-scale data breaches like those affecting Equifax, Target, and Yahoo. This growing pro-privacy sentiment is not confined to California and follows on the heels of recent cybersecurity legislation in Massachusetts and New York, heightened data breach rules in Idaho and Oregon, and a new federal bill introduced in Congress by Sens. Edward Markey, D-Mass, and Richard Blumenthal, D-Conn. (the “CONSENT” bill).

California’s appetite for regulation is one of the largest in the nation, however, and it has a history of spearheading privacy rules. It was the first state to introduce data breach notification requirements in 2002, and so far, is the only state with specific rules on online privacy notices (under CalOPPA). Compared with other proposed legislation, this would be the widest in scope, increasing the operational burdens of most businesses. Regardless of the outcome of this tentative privacy deal, businesses should pay close attention to privacy developments in California, as they often provide a model for other states.

Metaverse Law Discusses GDPR and State Privacy Laws on KUCI 88.9 FM Privacy Piracy Radio

On Monday, June 25 at 8 A.M. Pacific, attorney Lily Li appeared as a guest star on KUCI 88.9 FM’s Privacy Piracy radio show. During the half-hour segment, Ms. Li discussed the impact of the recent General Data Protection Regulation, growing developments in state privacy regulation, and the California Consumer Privacy Act.

To listen to this broadcast, please click on the MP3 below.

KUCI 88.9 FM is a commercial free radio station, based out of the University of California – Irvine. For more information, see http://kuci.org/

Privacy Piracy is a half-hour public affairs radio show broadcasting on KUCI 88.9 FM. The show is co-hosted by attorney and privacy consultant Mari Frank and production engineer Lloyd Boshaw. For more information, see http://privacypiracy.org/

California Privacy Update: SB-1121 and the Consumer Privacy Act

As Californians gear up to vote in this week’s primary elections, the state’s businesses and voters should be aware of two separate privacy law developments: SB-1121 and the Consumer Privacy Act.

SB-1121 and Increased Liability for Data Breaches

On May 30, 2018, the California Senate recently voted to send SB-1121 to the state Assembly. The proposed amendment to the state’s current data breach laws (codified at Sections 1798.80-1798.84 of the Civil Code) would increase corporate liability for data breaches. The key provisions are as follows:

  • California “consumers,” not just “customers,” will be able to sue businesses under California’s data-breach protection laws. Under the existing rules, a California resident can only sue a business for a data breach if it provided information to the business for the purpose of buying products or services. This amendment would cover all businesses that maintain the personal data of California residents, regardless of the relationship between the business and the resident. The expansion of liability to consumers is in part responsive to the Equifax hack. In that situation, the credit agency reported that the records for about 148 million Americans were compromised, but very few of those people would be considered “customers” of Equifax.
  • California residents will be able to sue for a minimum of $200 in penalties per violation, without proof of consumer injury. This poses the risk of large-scale consumer class actions, for even minor data breaches, even where no one was harmed by the breach.
  • SB-1121 sets a 4-year statute of limitations “from the time the person discovered, or, through the exercise of reasonable diligence, should have discovered” a data privacy violation.
    Read More

American Privacy Laws in a Global Context: Predictions for 2018

[Originally published as the May 2018 Cover Story: Data Privacy and the Law – American Privacy Laws in a Global Context: Predictions for 2018, by Lily Li, in Orange County Lawyer Magazine, May 2018, Vol. 60 No.5.]

Cybersecurity Attacks Are Inevitable

Cybersecurity attacks are on the rise. According to the non-profit organization, Identity Theft Resource Center, there were over 1,579 publicly reported data breaches in 2017, compared to 1,091 in 2016, and 780 in 2015. Not only are these cyberattacks happening at high-profile companies like Equifax, Uber, and Yahoo, they are increasingly happening to businesses of all sizes. Any entity able to pay a ransom is now a potential target.

Law firms are no exception. In 2017, DLA Piper was hit with a “wiper-ware” attack, following previous email hacks of Cravath and Weil Gotshal in 2016. Earlier this year, UK-based cybersecurity firm, RepKnight, reported that almost 800,000 UK law firm email addresses and affiliated passwords were available on the dark web, with over 50% of these credentials posted in the last six months. These law firms did not just include local UK firms, but global law firms with a UK presence.

Given these alarming statistics, what should legislators do?

In the EU, Canada, and China, legislators have decided to develop and implement national data privacy and cybersecurity frameworks: GDPR, PIPEDA, and CSL respectively. The United States, by contrast, still relies upon a patchwork of sectoral laws and inconsistent state rules. This article will take a brief look at developments in the EU, Canada, and China, discuss the current United States privacy framework, and predict likely developments in U.S. privacy law over the next year.

Read More
1 2 3