The Colorado Privacy Act: Explained

On July 7, 2021, Colorado Governor Jared Polis signed Senate Bill 21-190, the Colorado Privacy Act (CPA), into law. The Act is the third comprehensive state privacy law in the United States, following the California Consumer Privacy Act and Virginia's Consumer Data Protection Act.

The CPA applies to businesses that conduct business in Colorado or target Colorado residents and that either (a) control or process the personal data of 100,000 or more consumers in a calendar year, or (b) derive revenue (or receive a discount on goods or services) from the sale of personal data and control or process the personal data of 25,000 or more consumers. The Act also establishes various data subject rights, an opt-out consent model with a universal opt-out mechanism, a right to cure, and Attorney General rulemaking and enforcement. It takes effect on July 1, 2023.

The CPA carries specific rights for the consumer including:

  • Opt-out of processing of personal data.
  • Authorization of another person to act on behalf of the consumer to opt-out of the processing of personal data for purposes of targeted advertising or the sale of consumer data.
  • Confirm whether personal data is being processed and access that data in a portable and readily usable format.
  • Correct inaccurate personal data.
  • Delete personal data.
  • Require the controller to obtain consent before processing sensitive personal data (data that reveals racial or ethnic origin, religious beliefs, a mental or physical health condition or diagnosis, sex life or sexual orientation, or citizenship or citizenship status; genetic or biometric data processed to uniquely identify an individual; and personal data from a known child).

The opt-out right covers targeted advertising, the sale of personal data, and profiling in furtherance of decisions that produce legal or similarly significant effects. Consumers may exercise it through a user-selected universal opt-out mechanism, but that mechanism applies only to targeted advertising and sale; it does not let consumers opt out of collection as such, however unnecessary or irrelevant they consider it. Controllers must honor the universal opt-out mechanism (this obligation applies from July 1, 2024). Consumer requests must be verifiable, and a controller may deny a request it cannot authenticate.

Consumers may appeal a controller's denial of a request. Controllers must respond to a consumer's request to exercise their rights within 45 days of receiving it. That period may be extended by an additional 45 days if the controller gives notice of the delay and the reasons for it.

Controllers must obtain a consumer's consent before processing the consumer's sensitive data. Consent must be a clear, affirmative act signifying the consumer's freely given, specific, informed and unambiguous agreement; it cannot be obtained through acceptance of general or broad terms of use. While the CPA requires consent to process sensitive personal data, it exempts protected health information and de-identified information under HIPAA; financial institutions and nonpublic personal information under the Gramm-Leach-Bliley Act; information regulated by the Fair Credit Reporting Act, the Children's Online Privacy Protection Act, and the Family Educational Rights and Privacy Act; and information regulated by the Driver's Privacy Protection Act of 1994. The CPA also exempts information maintained for employment records purposes.

Under the CPA, controllers must also conduct and document a data protection assessment for each processing activity that presents a heightened risk of harm to a consumer. Such activities include targeted advertising, the sale of personal data, profiling that presents a reasonably foreseeable risk of unfair or deceptive treatment or other substantial injury to consumers, and the processing of sensitive data. The Attorney General may request these assessments.

Controllers must provide a privacy notice to the consumer including:

  • Categories of personal data collected, processed, and/or shared with third parties,
  • Purposes for processing such data,
  • Categories of third parties with whom the controller shares personal data,
  • How and where consumers may exercise their rights, and
  • Whether the controller sells personal data or processes personal data for targeted advertising.

Controllers must take reasonable measures to secure personal data, and those data security practices must be appropriate to the volume, scope, and nature of the personal data processed and to the nature of the business. While the CPA grants these consumer rights and imposes several controller obligations, it does not create a private right of action.

The Attorney General has rulemaking authority and can address outstanding compliance questions and ambiguities ahead of the law's effective date. The Attorney General and state district attorneys will enforce the CPA. Before either may take enforcement action, the controller or processor must be given a 60-day cure period to remedy the alleged non-compliance; this cure period is available only until January 1, 2025. Violations are treated as deceptive trade practices under the Colorado Consumer Protection Act, which carries civil penalties of up to $20,000 per violation.

We anticipate that more states will enact legislation regulating the processing of sensitive data and expanding consumer privacy rights. Beckage will continue to monitor developments regarding the CPA. Our team of highly skilled attorneys is well equipped to help your business implement a proactive plan to mitigate risk and remain compliant with emerging laws.

*Attorney Advertising. Prior results do not guarantee similar outcomes. *


Jordan L. Fischer Named A 2021 Super Lawyers Rising Star For Third Year In A Row

Jordan L. Fischer, Esq., has been named to the 2021 Pennsylvania Rising Stars list, which recognizes outstanding lawyers who are 40 years old or younger or have been in practice for 10 years or less. This is her third consecutive year on the list. Each year, no more than 2.5 percent of the lawyers in the state are selected by the Super Lawyers research team for this honor.

Fischer leads Beckage’s Global Privacy team where she represents clients in cross-border data management, creating cost-effective and business-oriented approaches to cybersecurity, data privacy and technology compliance. She practices in several jurisdictions throughout the United States in both state and federal courts, as well as internationally in both Europe and Asia.

At Beckage, she counsels clients on a wide variety of regulatory requirements, including the General Data Protection Regulation and implementing member state law, the California Consumer Privacy Act, the Fair Credit Reporting Act, the Driver's Privacy Protection Act, biometric data laws, global data breach standards, and federal and state unfair business practices acts. She also advises on a variety of security and privacy frameworks, including ISO/IEC 27001 and 27701, the National Institute of Standards and Technology cybersecurity and privacy frameworks, and the Payment Card Industry Data Security Standard (PCI DSS).

Super Lawyers, a Thomson Reuters business, is a rating service of outstanding lawyers from more than 70 practice areas who have attained a high degree of peer recognition and professional achievement. The annual selections are made using a patented multiphase process that includes a statewide survey of lawyers, an independent research evaluation of candidates and peer reviews by practice area. The result is a credible, comprehensive, and diverse listing of exceptional attorneys.

About Beckage
Beckage is a women-owned law firm that focuses on technology, data security, and privacy. Our attorneys counsel clients on matters pertaining to data security and privacy compliance, litigation and class action defense, incident response, government investigations, technology intellectual property, and emerging technologies such as Artificial Intelligence (AI), digital currencies, Internet of Things (IoT) devices, and 5G networks. Beckage has offices from California to New York. Learn more at Beckage.com

                                                                               ###

Contact: Morgan Neal
mneal@beckage.com
585.738.2438

Beckage in the News: Protecting Against Deepfakes

Beckage Managing Director Jennifer Beckage was quoted in a recent Super Lawyers article, in which she described the steps businesses can take to avoid becoming the victim of a deepfake scam.

“The first step is educating the board and executive teams that these things can be out there, and be used to cause harm or embarrassment,” she says. “It’s not unusual for an executive to have something like this happen to try to smear or tarnish their reputation.”

She also notes that there are tools available to help detect deepfakes, such as Microsoft Video Authenticator, which analyzes a photo or video and gives the user a confidence score indicating whether the sample appears to have been artificially manipulated.

And then there’s common sense. “We all should be looking more critically at certain things in certain circumstances,” she says. “For example, if an employee receives a video from the president of their company directing them to wire money, ask, ‘Would the president usually send me a video?’”


Beckage also commented on the recent FBI warning about the rise of deepfakes, which gave consumers tips on how to spot a deepfake. 

“The agency suggests looking between the eyes—does it seem like there’s too much space? Also, does there seem to be an issue with lip and mouth synchronization?” Further guidance includes looking for strange movement in relation to the head and torso.

“But there’s nothing more important than having an incident-response plan,” Beckage says. “If you have a business continuity plan that walks an organization through a fire or a flood, you should have a plan in place that addresses the unique circumstances of a data-security incident. What we often see is that deepfakes are usually part of something else—they tend to arise in the context of a data breach.”


*Attorney Advertising. Prior results do not guarantee similar outcomes. *

The EU Commission Releases the Long-Awaited Updated SCCs for Continued Cross-Border Data Transfers

One of the most contentious areas under the European Union's General Data Protection Regulation ("GDPR") is the cross-border transfer of personal data out of the EU to other regions, especially the US. Last year, the Court of Justice of the European Union released its highly anticipated Schrems II decision, which invalidated the EU-US Privacy Shield as a lawful mechanism for transferring personal data to the US but upheld the continued use of the Standard Contractual Clauses ("SCCs"). However, the Court signaled heightened scrutiny of EU-to-US transfers even under the SCCs, directing companies to assess whether such transfers require "supplementary measures" before relying on the SCCs.

In the wake of that decision, the EU Commission, which is charged with adopting the SCCs, announced plans to update them to align with the Schrems II decision and to modernize the document generally. Until now, the form SCCs used for cross-border data transfers were those adopted under the GDPR's predecessor, Data Protection Directive 95/46/EC, beginning in 2001.

For the last two decades, companies across the globe have relied on the SCCs to validate ongoing transfers of personal data across many borders. However, as technology and multi-party data transactions grew more complex, the limited form and rigid nature of the SCCs made it increasingly difficult to fit the standard documents to the varying types of cross-border data transfers. On Friday, June 4, 2021, the EU Commission released its long-anticipated updated form of the Standard Contractual Clauses.

The New Form Standard Contractual Clauses

The new SCCs include robust obligations on both importers and exporters of personal data under the GDPR and the Schrems II decision. Further, the new SCCs are intended to provide more flexibility and options for companies to better address the complex nature of data transfers.

The new SCCs also include modules that entities select depending on the relationship between the parties to the transfer, i.e., controller to controller, controller to processor, processor to processor, and processor to controller. These changes are intended to reflect modern data transfers and to promote the free flow of data. In the EU Commission press release, Vice-President for Values and Transparency Věra Jourová emphasized that the SCCs provide a useful tool for the free flow of data:

“In Europe, we want to remain open and allow data to flow, provided that the protection flows with it. The modernized Standard Contractual Clauses will help to achieve this objective: they offer businesses a useful tool to ensure they comply with data protection laws, both for their activities within the EU and for international transfers. This is a needed solution in the interconnected digital world where transferring data takes a click or two.”

The Impact of the New SCCs

The new SCCs are expected to impact and streamline the process of adopting the appropriate contractual language to allow for the cross-border exchange of personal data. Further, the clauses are intended to align closer to the GDPR requirements, which went into effect in 2018, and the recent Schrems II guidance. Commissioner for Justice, Didier Reynders, emphasized that:

“In our modern digital world, it is important that data can be shared with the necessary protection – inside and outside the EU. With these reinforced clauses, we are giving more safety and legal certainty to companies for data transfers. After the Schrems II ruling, it was our duty and priority to come up with user-friendly tools, which companies can fully rely on. This package will significantly help companies to comply with the GDPR.”

The updated SCCs focus on the following key updates:

  • Align with the GDPR and Schrems II decision;
  • Provide simple and flexible model clauses for international transfers;
  • Include more robust data protection obligations (e.g., requiring importers to allow regular audits upon exporter request); and
  • Allow third parties to accede to existing SCCs as data exporter or importer (under the docking clause).

Transition to New SCCs

The new SCCs take effect 20 days after their publication in the Official Journal of the European Union. Businesses relying on previous versions of the SCCs have 18 months from that date to transition existing contracts to the new SCCs; the old SCCs may be used for new contracts only for a three-month transition period.

Overall, these new SCCs will allow companies to use contractual agreements in the cross-border transfer of personal data that better align to the increasingly complex nature of these transactions. Further, the new versions come at a critical juncture, when companies are struggling to implement the guidance of Schrems II and continue to leverage data processing in multiple regions around the world.  In the wake of the invalidation of the EU-US Privacy Shield, and heightened challenges with cross-border data transfers, the SCCs demonstrate the EU’s commitment to addressing data protection while continuing to allow the continued data flows out of the EU.

In light of this critical development, Beckage recommends that clients take immediate steps to inventory all existing agreements that will need to be updated with the new SCCs. As stated above, companies will have up to 18 months to amend previously executed DPAs to incorporate the new form SCCs. Companies will therefore need to establish a process to review their previously executed contracts and develop a plan to roll out amendments. Going forward, companies will also need to use the updated form SCCs in all new Data Processing Agreements.

At Beckage, we have a team of highly skilled attorneys certified in comprehensive GDPR knowledge that can help your company work towards compliance and data protection in both Europe and the United States.  Beckage works with clients to review current policies and assess data security practices.  Our team can help implement a plan to address the new SCCs.  

*Attorney Advertising. Prior results do not guarantee future outcomes. 


11th Circuit Holds a Website is Not a Place of Public Accommodation in Gil v. Winn-Dixie Stores

Website class actions alleging violations of the Americans with Disabilities Act ("ADA") have been on the rise in recent years, involving small and large businesses alike. These lawsuits generally involve a plaintiff with a disability who attempted to access a business's website but whose disability hindered their enjoyment of the full range of the website's services. The rapid proliferation of these lawsuits began in June 2017, after a Southern District of Florida court held that the Winn-Dixie grocery store chain had violated the ADA because the inaccessibility of its website denied the plaintiff the full and equal enjoyment of the goods, services, facilities, privileges, advantages, or accommodations that the grocery store offered. Now, however, the Eleventh Circuit has unequivocally held that a website is not a "place of public accommodation" within the meaning of Title III of the ADA.

The District Court: Gil v. Winn-Dixie Stores

In 2017, plaintiff Juan Carlos Gil, who is legally blind, sued the grocery retailer Winn-Dixie, alleging that the business violated the Americans with Disabilities Act (ADA) because its website was inaccessible to him due to its incompatibility with his screen-reading software. Gil wanted to order his prescriptions for pickup and to load online coupons onto his rewards card for use in store. The Southern District of Florida concluded that because Winn-Dixie's website was not accessible to screen-reader users, Winn-Dixie had violated the ADA. The court reasoned that because the website was heavily integrated with Winn-Dixie's physical stores, acting as a gateway to them, it did not need to decide whether websites themselves are places of public accommodation under the ADA. Finally, the Southern District of Florida issued a detailed injunctive relief order requiring Winn-Dixie to bring its website into conformance with the Web Content Accessibility Guidelines (WCAG) 2.0 Level AA, a privately developed set of criteria for web accessibility that has not been adopted as a legal standard under the ADA for public accommodation websites. In response, Winn-Dixie allocated $250,000 to update its site to make it more accessible to users with significant visual impairment.

The Circuit Court: Gil v. Winn-Dixie Stores

Winn-Dixie immediately appealed the Southern District of Florida’s holding, seeking further clarification on three issues:

  1. Whether Gil has standing to bring this case;
  2. Whether websites are places of public accommodation under Title III of the ADA; and
  3. Whether the district court erred in its verdict and judgment in favor of Gil, including the court’s injunction.

In April 2021, the Eleventh Circuit held, in relevant part that:

  1. Winn-Dixie did not violate the ADA because its website is not a place of public accommodation; and
  2. Winn-Dixie's website did not pose an intangible barrier to Gil's access to the goods, services, privileges, or advantages of Winn-Dixie's physical stores.

In reaching its conclusion, the Eleventh Circuit focused on two important facts:

  1. No goods or services could be purchased on Winn-Dixie’s website; and
  2. All interactions with Winn-Dixie that can be (though need not be) initiated on the website, namely prescription pickups and coupon redemption, must be completed in store.

Therefore, the Winn-Dixie website had limited functionality and purchases could not be made on the Winn-Dixie website.

What does this mean going forward?

After this recent decision, the federal courts of appeals have adopted three different theories of liability for website accessibility. The Eleventh Circuit holds that, to establish an ADA violation based on an inaccessible website, a plaintiff must show that the website's inaccessibility prevented them from accessing the goods, services, privileges, or advantages of a physical place of public accommodation. The Ninth Circuit holds that a plaintiff must show that the inaccessible website has a nexus to a physical place of public accommodation. Under First Circuit precedent, a plaintiff has a strong argument that a website operated by a business falling into one of the twelve categories in the ADA's definition of "public accommodation" is covered by the ADA even if it has no physical place of public accommodation. The statutory definition of a "public accommodation" is "an expansive list of physical locations" that does not mention websites.

It is unclear what the impact of the Winn-Dixie decision will be, although it is not expected to substantially reduce the number of website accessibility lawsuits filed, because plaintiffs can choose to file in a circuit where the precedent is more favorable. The likelihood that the Supreme Court will take up the issue has increased, given the new conflict between the Eleventh and Ninth Circuits over when an inaccessible website belonging to a physical place of public accommodation violates the ADA.

Many lawsuits filed in the past few years turn on the threshold question of whether, and to what extent, Title III applies to websites, leaving the courts to decide. Case law is developing rapidly in this area because website accessibility claims have become a big business for the plaintiffs' bar. Companies should be proactive and prioritize accessibility to put themselves in a legally defensible position.

At Beckage, we have a team of highly skilled ADA attorneys and technologists who are uniquely situated to help clients navigate website accessibility and work toward national and international standards alongside other privacy and security laws, from a litigation defense perspective and with hands-on technical experience. Beckage works with clients at all stages of the accessibility analysis and can help your company evaluate its ADA compliance posture and implement a legally defensible plan to mitigate risk.


*Attorney Advertising; prior results do not guarantee similar outcomes.  
