Previously, my colleague Tanya Forsheit wrote a cautionary tale, “A Big Zooming Mess,” about the Zoom video conferencing service whose rise in popularity also brought increased scrutiny of its privacy and data security practices. That scrutiny came not just from media outlets and consumers, but also from government agencies such as the New York Attorney General and New York City Department of Education. The entire FKKS Privacy and Data Security team even had a round-table discussion (over WebEx) to unpack all the issues (recording available here). Now, both the New York Attorney General and the New York City Department of Education announced that they reached coordinated but independent agreements with Zoom to address various privacy and security issues, and paving the way for NYC DOE educators to resume using Zoom for virtual classroom instruction. This post looks at the terms of the NY AG agreement and discusses some of its key takeaways.

Continue Reading Zoom Reaches Agreement with New York Attorney General to Resolve Privacy and Security Issues

Over the last few months, we’ve witnessed some major developments around SDKs and privacy. In February, the SDK defendants named in the consolidated McDonald/Rushing putative COPPA class action settled with plaintiffs. In late March, Zoom experienced a PR nightmare due, in part, to its inclusion of the Facebook SDK in its platform (discussed further in our Zoom blog). In mid-April, the Ninth Circuit reinstated a lawsuit against Facebook for alleged privacy violations in connection with its use of tracking technologies on third party websites. And this past Wednesday, the US District Court for New Mexico granted a motion to dismiss, the privacy claims against ad networks providing SDKs in child-directed apps.

In this blog, we’ll break down the New Mexico District Court order, and provide some observations from the decision. We are also using this blog as a springboard for a follow-up webinar that will discuss the state of affairs for SDKs and privacy. More to follow on the webinar soon.

  • Background on the New Mexico District Court Case


Continue Reading SDKs and COPPA: An Overview of the Recent Court Order in the New Mexico Attorney General COPPA Lawsuit

Over the last several weeks, while Americans have grown accustomed to working from home, home schooling, and life in lockdown during the COVID-19 pandemic, the Zoom videoconferencing service has surged in popularity for every imaginable form of gathering, professional and personal. Zoom has become the service of choice – from team meetings to kids’ story times; from religious services to happy hours; from corporate onboarding to every manner of more “intimate” get-togethers for individuals who are following government-mandated social distancing guidelines.

The media and then, in quick succession, regulators, plaintiffs’ lawyers, and even Congress, began to scrutinize, publicize, and take legal action with respect to what were perceived as privacy or data security flaws from the latest technology darling. The result is a still-evolving case study in the classic reactionary American response to privacy and data security concerns, a phenomenon we have seen again and again in this practice space.

What sins has Zoom actually committed? Are they really so “shocking” from a privacy and data security perspective? In violation of law? Just not best practice? Creepy? And has Zoom’s iterative response served as a wet blanket or fuel for the inferno?

In this post, I explore the who, what, why, when, and how of this, at least as much as we can say as we sit here today. And because I am a hopeless nerd, I have chosen the format required by California’s data breach notification law, California Civil Code § 1798.82(d)(1), as the very best way to tell this story. We are going to use this blog post as a jumping off point for a free live and recorded roundtable discussion webinar (using WebEx [insert winking emoji here]) on April 14, 2020, at 12:30 pm Eastern/9:30 am Pacific. You can register here.
Continue Reading A Big Zooming Mess: A Cautionary Tale

Over the past several weeks, the California Attorney General (“AG”) published revisions to its proposed regulations implementing the CCPA (the “Modified Regulations”), and then further revised the Modified Regulations (“Version 2”).  Despite earlier warnings to the business community that AG’s initial draft of Regulations would not materially change, we’ve now seen it happen twice.  The full redlines of both the Modified Regulations and Version 2 are available here. This article highlights what’s new, what remains the same, what we expect to have the biggest impact on businesses working toward compliance, and the lack of predictability of next moves given the growing global health crisis.  
Continue Reading CCPA Update: Oops, the CA AG Did It Again

Welcome to 2020. The California Consumer Privacy Act (“CCPA”) is now in effect, and your business has probably spent significant time and expense preparing for the law. With so much focus on CCPA preparations, it’s important to recall that the CCPA isn’t the only California privacy law to become effective this year. California will now also require any business that meets the definition of a data broker during a given year to register as a data broker with the California Attorney General’s Office on or before January 31st of the following year. Although the law is not clear whether it retroactively applies to business practices in 2019, the California Office of the Attorney General has issued a press statement on data broker registration and posted a registration page, which strongly indicates that the AG expects qualifying businesses to register by January 31, 2020.

Continue Reading Data Broker Registration for California is Live

On Thursday, October 10, 2019, only 83 days before the California Consumer Privacy Act (“CCPA”) was set to become effective, California Attorney General Xavier Becerra held a press conference, with no prior notice, and issued his long awaited proposed regulations (the “Regulations”). The hope had been that the Regulations would provide much needed guidance to businesses of all sizes and in all industries as to how to implement a law that was hastily passed in a week’s time in 2018. Instead, while the Regulations provide some clarity around the mechanisms that organizations may use to verify and respond to the various consumer requests allowed by the law, the Regulations also add even more ambiguity to a number of requirements. Even more concerning, the Regulations add some new requirements and deadlines that do not exist in the statute itself.

The Regulations include 24 pages of legalese. Every privacy lawyer I know – and I know the best and the brightest – is struggling to interpret these Regulations and what they really mean. That does not bode well for businesses who (1) are trying to run businesses and not become privacy experts; and (2) cannot afford experienced privacy counsel. And that, in turn, does not help California consumers. As I have said many times before, California can do better. I call again on all California businesses of any size, and in every industry, to submit comments to the Attorney General to let the AG know the impact on your business and the California economy. Comments are due on or before December 6.  There will also be hearings around the state December 2-5. Let’s show up and be heard.

With that, we give you a summary of the Regulations. I would say enjoy, but I know better.


Continue Reading The California AG’s Proposed CCPA Regulations are Live, but Not Ready for Prime Time

On May 29, 2019, Nevada’s SB 220[1] became law, amending Nevada’s Privacy Law (2017).[2] The existing Nevada Privacy Law is similar to California’s Online Privacy Protection Act (2004), by requiring a conspicuously posted privacy policy. The new SB 220 resembles the new California Consumer Privacy Act (“CCPA”) but is more narrow in application and scope.


Continue Reading Nevada’s New Privacy Law Has Data Sale Opt-Out Rights

California’s Senate voted on Thursday to hold SB-561, effectively killing the bill for 2019. The CCPA gives consumers the right to sue a business for data breaches, and SB-561 would have expanded the right to sue for any violation of the CCPA, even technical privacy violations. The death of the bill means that the private right of action will remain limited to data breaches, and the California legislature will not revisit expansion until 2020 at earliest.
Continue Reading CCPA Amendment Update: Bill to Expand Private Right of Action is Dead (for Now)

The Office of the California Attorney General (AG) made its fourth stop on its statewide California Consumer Privacy Act listening tour, holding in Los Angeles a public forum on the CCPA. The forums invite public comment as the AG prepares regulations for implementing and enforcing the law. Although the AG specifically requested comment on the seven areas identified in the law for the AG’s regulation,[1] it was clear that some categories caught the attention of the public more than others. And even though the forum was structured to allow participants to provide ideas and suggestions (the AG did not respond to comments or questions presented), most commentators asked for clarity and specific direction from the AG regulations, to help decipher the reach of CCPA and its compliance obligations.


Continue Reading Attorney General Holds Public Forum on CCPA

Vermont’s new Data Broker Regulation (“Regulation”) takes effect on January 1, 2019. The Regulation requires, among other things, that data brokers register with the Vermont Secretary State and protect personally identifiable information of Vermont residents. This week, the Vermont Attorney General issued guidance on the Regulation, which helps address questions on process and scope. Below are some of the key takeaways from the Regulation and guidance.

Continue Reading Vermont AG Issues Guidance on New Data Broker Regulation