Privacy In Pandemic: Senators Announce Covid-19 Data Privacy Bill
May 11, 2020 —
Kyle Janecek & Jeffrey Dennis – Newmeyer Dillion"Data! Data! Data!. . . I can't make bricks without clay." This classic statement from Sherlock Holmes in The Adventure of the Copper Beeches takes on a new meaning in the COVID-19 pandemic. With the plans to begin contact tracing the spread of the COVID-19 pandemic slowly moving towards the forefront, a valid and important issue presents itself: how do we treat and protect the data we so desperately need to trace, track, and address the pandemic? U.S. Senators Wicker, Thune, Moran, and Blackburn introduced a possible solution to this problem with the COVID-19 Consumer Data Protection Act, as announced on April 30, 2020. So what does the Act entail? What information is protected? What action would businesses need to take towards individuals, such as consumers or even employees, in order to comply with this new legislation?
WHAT IS THE COVID-19 CONSUMER DATA PROTECTION ACT?
The Act is meant to address the concern regarding data collection and privacy due to large companies, like Google and Apple, adjusting the software within their devices to facilitate digital contact tracing. The Act can be broken up into three parts - the treatment of information; the privacy notice requirements; and the transparency requirements.
First, the Act prohibits the collection, processing, or transfer of certain categories of data without notice and the affirmative express consent of the individual, in order to:
- Track the spread of COVID-19,
- Trace the spread of COVID-19 through contact tracing, or
- Determine compliance with social distancing guidelines without the requisite notice to individuals and their express consent.
To accomplish this, the Act also restricts entities in their ability to collect excessive information, stating that an entity cannot collect information beyond what is reasonably necessary to conduct any of the three COVID-19 related purposes listed in the statute. The entity must also provide reasonable administrative, technical, and physical data security policies and practices to protect the information collected. Furthermore, in the event that the entity stops using the information for any of the three COVID-19 purposes, it must delete or de-identify the information it has collected.
Next, the Act describes the requirements for notice to individuals. In order to legally collect, process or transfer the information, the entity needs to provide the consumer with prior notice of the purpose, processing, and transfer of the data through their privacy policy within 14 days of the enactment of the law. This policy would have to:
- Disclose the consumer's rights in a clear and conspicuous manner prior to or at the point of collection,
- Be available in a clear and conspicuous manner to the public,
- Include whether the entity will transfer any of the information it collects in order to track or trace COVID-19 or determine compliance with social distancing,
- Describe its data retention policy, and
- Generally describe its data security measures.
Notably, many of these are already requirements common to many privacy policies, including the disclosure regarding the transfer of an individual's information.
In addition, an individual must give their affirmative express consent to such collection, processing and transfer. In other words, an individual must "opt-in" to having their information collected. This would be done through a checked box or electronic signature, as the law prohibits entities from inferring consent through a failure by the individual to take an action stopping the collection. Furthermore, the individual would also need the ability to expressly withdraw their consent, with the entity then having to cease collection, processing, or transfer of the information within 14 days of the revocation. In essence, due to the restriction on transferal, this may result in businesses opting to delete or de-identify data upon a revocation.
Finally, the entity would have to abide by certain reporting and transparency requirements, namely a monthly public report stating how many individuals had information collected, processed or transferred, and describing the categories of the data collected, processed or transferred by the entity and why. This is akin to the California Consumer Privacy Act's treatment of categories of information, though it would require this information to be released on an ongoing, monthly basis.
WHAT DATA IS COVERED?
Notably, the Act only affects a very limited scope of data. The Act covers geolocation data (exact real-time locations), proximity data (approximated location data), and Personal Health Information (any genetic/diagnosis information that can identify someone). This could cover information like Bluetooth communication or real-time tracking based on a cell phone's geolocation features. Notably, Personal Health Information does not include any information that may be covered under HIPAA or the broader categorization of "Biometric" data (i.e. retinal scans, finger prints, etc). Furthermore, and more generally, "publicly available information" is excluded, which includes information from telephone books or online directories, the news media, "video, internet, or audio content" as well as "websites available to the general public on an unrestricted basis." The latter of which potentially would push any and all information made available through social media (i.e. Facebook or Twitter) into the definition of "publicly available information."
HOW IS IT ENFORCED?
Generally, the law would be enforced by the FTC, under the provisions regarding unfair or deceptive acts or practices, similar to other enforcement actions arising out of privacy policies. Notwithstanding, state attorney generals may also bring actions to enforce compliance and obtain damages, civil penalties, restitution, or other compensation on behalf of the residents of the state.
WHAT SHOULD MY COMPANY DO?
If your entity plans on collecting information for tracking COVID-19, measuring social distancing compliance, or contact tracing, it is advisable to include language in your privacy policy now. This could be as simple as adding an additional provision within your privacy policy stating that the entity will retain information to conduct one of the three COVID-19 purposes as laid out in the statute. In addition, this also means that should the entity collect and use employee information for contact tracing, tracking the spread of COVID-19 or ensuring compliance with social distancing measures, it will need to disclose some of the specifics of that process to the employees and have them opt-in for the process. Finally, for contact tracing purposes, any individual that shares their diagnosis will have to opt-in for the entity to legally collect, process, and transfer that information to others.
While the time to reach compliance is unknown, it is more important than ever to form a compliance plan for privacy legislation if you do not already have a plan in place. If you decide to prepare with us, our firm has created a 90 day California Consumer Privacy Act compliance program (which can be expedited) where our team will collaborate with you to determine a scalable, practical, and reasonable way for you to meet your needs, and we will provide a free initial consultation. For further inquiries or questions related to COVID-19, you can consult with a Task Force attorney by emailing NDCovid19Response@ndlf.com or contacting our office directly at 949-854-7000.
Kyle Janecek is an associate in the firm's Privacy & Data Security practice, and supports the team in advising clients on cyber related matters, including policies and procedures that can protect their day-to-day operations. For more information on how Kyle can help, contact him at kyle.janecek@ndlf.com.
Jeff Dennis (CIPP/US) is the Head of the firm's Privacy & Data Security practice. Jeff works with the firm's clients on cyber-related issues, including contractual and insurance opportunities to lessen their risk. For more information on how Jeff can help, contact him at jeff.dennis@ndlf.com.
Read the court decisionRead the full story...Reprinted courtesy of
Seattle’s Newest Residential Developer
March 13, 2023 —
Michael J. Yelle - Ahlers Cressman & SleightOn February 14, 2023, Seattle voters passed Initiative 135, creating the “Seattle Social Housing Developer” (“Public Developer” or “PD”) and the initiative was signed into law by Mayor Bruce Harrel on March 1, 2023.
[1] With this initiative, voters created Seattle’s newest housing developer. The PD aims to develop, own, and maintain housing in the City of Seattle.
[2] In addition, the PD also intends to retrofit acquired properties to increase energy efficiency and bring them into compliance with accessibility standards.
[3] Contractors, subcontractors, and suppliers may see this as an opportunity to compete for and build everything from new multi-unit housing to handrail installation projects. This post will explore some of the basics of contracting with a public corporation like the Public Developer and what contractors may want to consider in their business planning.
What is the PD?
The Public Developer is a political subdivision of the State of Washington, like a port or fire district.
[4] The Public Developer is not an agency or department of the City of Seattle. In this way, it is like Seattle Public Schools (SPS) because both SPS and the PD operate within the City of Seattle, but have (or will have) their own staff, procurement rules, and standard contracts distinct from the City’s. Like SPS, the PD can also enter construction and supply contracts, sue, and be sued.
Read the court decisionRead the full story...Reprinted courtesy of
Michael J. Yelle, Ahlers Cressman & Sleight
Seattle Condos, Close to Waterfront, Construction Defects Included
February 11, 2013 —
CDJ STAFFThere's a cluster of eight condominium projects in Seattle, some within easy walking distance of each other, that are either in construction defect lawsuits, arbitration, or mediation. Jeff Reynolds, contributing a Seattle PI.com reader blog, notes that as Seattle condo projects have neared the end of the four-year warranty period, condo boards are being targeted by attorneys. Reynolds writes that "once [the attorneys] are hired by the associations, they retain specialists that test for any and all construction defects with the building envelope."
The problem that Reynolds sees is that that "major lending institutions stay away from condos with lawsuits." And so homeowners dealing with construction defects have apartments they can't sell to anyone who might want to use financing. This tightens Seattle's already limited inventory, leading to both frustrated sellers and frustrated buyers.
Read the court decisionRead the full story...Reprinted courtesy of
Wood Wizardry in Oregon: Innovation Raises the Roof for PDX Terminal
April 15, 2024 —
Aileen Cho - Engineering News-RecordDrones, self-propelled modular transporters and a curtain wall that really does hang off the roof like a curtain are all notable technologies that made installing an 18-million-lb timber roof possible at Portland International Airport. Of equal weight is the emphasis on full-scale sourcing of the timber and representing the Pacific Northwest’s residents, history and geography.
Reprinted courtesy of
Aileen Cho, Engineering News-Record
Ms. Cho may be contacted at choa@enr.com
Read the full story... Read the court decisionRead the full story...Reprinted courtesy of
First Lumber, Now Drywall as Canada-U.S. Trade Tensions Escalate
November 30, 2016 —
Katia Dmitrieva – BloombergA new trade dispute has broken out between Canada and the U.S. that threatens to raise prices in Canada’s already overheated housing markets.
The Canada Border Services Agency imposed a provisional tariff as high as 277 percent on U.S. drywall imports in September after ruling that manufacturers were dumping the product, or selling it below the price in their home market, undercutting local suppliers.
The tariff has raised the price of drywall, or gypsum board as it’s also called, by as much as 30 percent and is causing “chaos” and delays as contractors scramble for alternative sources. Some builders say the tariff could add as much as C$13,000 ($9,671) to the cost of a new home, which would amount to a C$2.6 billion increase to the roughly 200,000 homes built in Canada each year.
Read the court decisionRead the full story...Reprinted courtesy of
Katie Dmitrieva, BloombergMs. Dmitrieva may be followed on Twitter @katiadmi
Arkansas: Avoiding the "Made Whole" Doctrine Through Dépeçage
April 09, 2014 —
Robert M. Caplan – White and Williams LLPIn Arkansas, a workers’ compensation carrier’s subrogated recovery is subject to a determination of whether the injured worker—or, as the case may be, the worker’s surviving beneficiaries—has been “made whole” by the worker’s recovery against the third party tortfeasor. See, e.g., Yancey v. B & B Supply, 213 S.W.3d 657, 659 (Ark. App. 2005) (“An insured’s right to be made whole takes precedence over an insurer’s right to subrogation, and an insured must be fully compensated before the insurer's right to subrogation arises.”) [1] More often than not, a “made whole” determination will completely eradicate the carrier’s lien.
But under the right circumstances, a workers’ compensation carrier may be able to avoid the harsh outcome of “made whole” by intervening in a pending third party action and subsequently filing a motion for dépeçage—i.e., the conflict of laws principle requiring the court to conduct a separate choice of law analysis for discrete issues in a given case. A motion for dépeçage, in this sense, would demand that the court conduct a choice of law analysis to determine what state’s workers’ compensation subrogation law will apply on reimbursing a carrier’s lien.
We recently exploited this often underutilized tactic—to avoid Arkansas’ made whole doctrine—in a case involving a fatal plane crash in Louisiana. In that case, the deceased worker and his beneficiaries were residents of Louisiana; the accident took place in Louisiana; the worker was officially employed in Louisiana; and the workers’ compensation insurance policy was governed by, and benefits were paid under, Louisiana law. The only “contact” with Arkansas [2], meanwhile, was that Arkansas was the defendant’s domicile.
Read the court decisionRead the full story...Reprinted courtesy of
Robert M. Caplan, White and Williams LLPMr. Caplan may be contacted at
caplanr@whiteandwilliams.com
Single-Family Home Gain Brightens U.S. Housing Outlook: Economy
January 21, 2015 —
Shobhana Chandra – BloombergBuilders broke ground in December on the most single-family homes in almost seven years, propelling an unexpectedly large gain in U.S. housing starts that signals construction will contribute more to economic growth in 2015.
Work began on 728,000 houses at an annual rate, a 7.2 percent increase from November and the most since March 2008, a Commerce Department report showed Wednesday in Washington. Total housing starts, which include apartments, climbed 4.4 percent to a 1.09 million pace.
Read the court decisionRead the full story...Reprinted courtesy of
Shobhana Chandra, BloombergMs. Chandra may be contacted at
schandra1@bloomberg.net
Whose Lease Is It Anyway: Physical Occupancy Not Required in Landlord-Tenant Dispute
February 07, 2018 —
Afua Akoto – SDV Case Alert In September 2017, a Texas Federal district judge ruled that that Personal and Advertising Injury coverage in a CGL policy did not require physical occupancy in a landlord-tenant dispute.
In the underlying lawsuit, restaurant owner Ziggy Gruber alleged that John Dunn, the landlord of a Houston shopping center, wrongfully interfered with his right of occupancy at the shopping center by failing to complete the negotiation of a lease and preventing his occupancy of the space. Gruber further alleged that he had acquired a direct interest in the premises and became a rightful tenant but as a result of Dunn’s interference, he was never able to open his restaurant.
Read the court decisionRead the full story...Reprinted courtesy of
Afua Akoto, Saxe Doernberger & Vita, P.C. Ms. Akoto may be contacted at
asa@sdvlaw.com
