Privacy In Pandemic: Senators Announce Covid-19 Data Privacy Bill
May 11, 2020 —
Kyle Janecek & Jeffrey Dennis – Newmeyer Dillion"Data! Data! Data!. . . I can't make bricks without clay." This classic statement from Sherlock Holmes in The Adventure of the Copper Beeches takes on a new meaning in the COVID-19 pandemic. With the plans to begin contact tracing the spread of the COVID-19 pandemic slowly moving towards the forefront, a valid and important issue presents itself: how do we treat and protect the data we so desperately need to trace, track, and address the pandemic? U.S. Senators Wicker, Thune, Moran, and Blackburn introduced a possible solution to this problem with the COVID-19 Consumer Data Protection Act, as announced on April 30, 2020. So what does the Act entail? What information is protected? What action would businesses need to take towards individuals, such as consumers or even employees, in order to comply with this new legislation?
WHAT IS THE COVID-19 CONSUMER DATA PROTECTION ACT?
The Act is meant to address the concern regarding data collection and privacy due to large companies, like Google and Apple, adjusting the software within their devices to facilitate digital contact tracing. The Act can be broken up into three parts - the treatment of information; the privacy notice requirements; and the transparency requirements.
First, the Act prohibits the collection, processing, or transfer of certain categories of data without notice and the affirmative express consent of the individual, in order to:
- Track the spread of COVID-19,
- Trace the spread of COVID-19 through contact tracing, or
- Determine compliance with social distancing guidelines without the requisite notice to individuals and their express consent.
To accomplish this, the Act also restricts entities in their ability to collect excessive information, stating that an entity cannot collect information beyond what is reasonably necessary to conduct any of the three COVID-19 related purposes listed in the statute. The entity must also provide reasonable administrative, technical, and physical data security policies and practices to protect the information collected. Furthermore, in the event that the entity stops using the information for any of the three COVID-19 purposes, it must delete or de-identify the information it has collected.
Next, the Act describes the requirements for notice to individuals. In order to legally collect, process or transfer the information, the entity needs to provide the consumer with prior notice of the purpose, processing, and transfer of the data through their privacy policy within 14 days of the enactment of the law. This policy would have to:
- Disclose the consumer's rights in a clear and conspicuous manner prior to or at the point of collection,
- Be available in a clear and conspicuous manner to the public,
- Include whether the entity will transfer any of the information it collects in order to track or trace COVID-19 or determine compliance with social distancing,
- Describe its data retention policy, and
- Generally describe its data security measures.
Notably, many of these are already requirements common to many privacy policies, including the disclosure regarding the transfer of an individual's information.
In addition, an individual must give their affirmative express consent to such collection, processing and transfer. In other words, an individual must "opt-in" to having their information collected. This would be done through a checked box or electronic signature, as the law prohibits entities from inferring consent through a failure by the individual to take an action stopping the collection. Furthermore, the individual would also need the ability to expressly withdraw their consent, with the entity then having to cease collection, processing, or transfer of the information within 14 days of the revocation. In essence, due to the restriction on transferal, this may result in businesses opting to delete or de-identify data upon a revocation.
Finally, the entity would have to abide by certain reporting and transparency requirements, namely a monthly public report stating how many individuals had information collected, processed or transferred, and describing the categories of the data collected, processed or transferred by the entity and why. This is akin to the California Consumer Privacy Act's treatment of categories of information, though it would require this information to be released on an ongoing, monthly basis.
WHAT DATA IS COVERED?
Notably, the Act only affects a very limited scope of data. The Act covers geolocation data (exact real-time locations), proximity data (approximated location data), and Personal Health Information (any genetic/diagnosis information that can identify someone). This could cover information like Bluetooth communication or real-time tracking based on a cell phone's geolocation features. Notably, Personal Health Information does not include any information that may be covered under HIPAA or the broader categorization of "Biometric" data (i.e. retinal scans, finger prints, etc). Furthermore, and more generally, "publicly available information" is excluded, which includes information from telephone books or online directories, the news media, "video, internet, or audio content" as well as "websites available to the general public on an unrestricted basis." The latter of which potentially would push any and all information made available through social media (i.e. Facebook or Twitter) into the definition of "publicly available information."
HOW IS IT ENFORCED?
Generally, the law would be enforced by the FTC, under the provisions regarding unfair or deceptive acts or practices, similar to other enforcement actions arising out of privacy policies. Notwithstanding, state attorney generals may also bring actions to enforce compliance and obtain damages, civil penalties, restitution, or other compensation on behalf of the residents of the state.
WHAT SHOULD MY COMPANY DO?
If your entity plans on collecting information for tracking COVID-19, measuring social distancing compliance, or contact tracing, it is advisable to include language in your privacy policy now. This could be as simple as adding an additional provision within your privacy policy stating that the entity will retain information to conduct one of the three COVID-19 purposes as laid out in the statute. In addition, this also means that should the entity collect and use employee information for contact tracing, tracking the spread of COVID-19 or ensuring compliance with social distancing measures, it will need to disclose some of the specifics of that process to the employees and have them opt-in for the process. Finally, for contact tracing purposes, any individual that shares their diagnosis will have to opt-in for the entity to legally collect, process, and transfer that information to others.
While the time to reach compliance is unknown, it is more important than ever to form a compliance plan for privacy legislation if you do not already have a plan in place. If you decide to prepare with us, our firm has created a 90 day California Consumer Privacy Act compliance program (which can be expedited) where our team will collaborate with you to determine a scalable, practical, and reasonable way for you to meet your needs, and we will provide a free initial consultation. For further inquiries or questions related to COVID-19, you can consult with a Task Force attorney by emailing NDCovid19Response@ndlf.com or contacting our office directly at 949-854-7000.
Kyle Janecek is an associate in the firm's Privacy & Data Security practice, and supports the team in advising clients on cyber related matters, including policies and procedures that can protect their day-to-day operations. For more information on how Kyle can help, contact him at kyle.janecek@ndlf.com.
Jeff Dennis (CIPP/US) is the Head of the firm's Privacy & Data Security practice. Jeff works with the firm's clients on cyber-related issues, including contractual and insurance opportunities to lessen their risk. For more information on how Jeff can help, contact him at jeff.dennis@ndlf.com.
Read the court decisionRead the full story...Reprinted courtesy of
Smart Home Products go Mainstream as Consumer Demand Increases
November 05, 2014 —
Beverley BevenFlorez-CDJ STAFFGigaom reported that Wal-Mart announced yesterday that they will begin selling Insteon gear, one of the Smart Home products, in 1,500 of its stores across the country. "The products in store will include a starter kit, motion sensors, dimmers, IP cameras, LED bulbs, leak sensors and door/window sensors among others. Wal-Mart also sells Chamberlain gear and a few other connected devices on its web site." According to Builder, a Savant survey demonstrated that "Americans are eager for home automation, proving that technology is a great way for builders to distinguish their new homes from the rest of the market."
In another article, Gigaom announced that Netgear will be introducing a line of Smart Home products under the name Arlo.
Read the full story, Gigaom, Wal-Mart now sells Insteon gear...
Read the full story, Gigaom, Netgear launches its Arlo smart home brand with a camera...
Read the full story, Builder... Read the court decisionRead the full story...Reprinted courtesy of
Hotel Claims Construction Defect Could Have Caused Collapse
December 30, 2013 —
CDJ STAFFThe owners of the Crowne Plaza New Orleans Airport, in Kenner, Louisiana, have filed a lawsuit claiming that a defective beam installed during renovations put the building at risk of collapse, reports The Louisiana Record. The hotel was sold to its current owners, 2929 Williams Blvd, LLC, in 2006, and the renovations began after Hurricane Katrina in 2007. The renovations converted an indoor pool area into a ballroom.
The renovations were finished in 2008, but hotel staff noticed the walls and ceiling of the ballroom were sagging by September 2011. A structural engineer determined that a main beam had failed, risking collapse of the entire building. The hotel owners set upon repairing the structure and now seek reimbursement. 2929 Williams Blvd., LLC is suing Trimark Constructors LLC, Kyle Associates LLC, and Avengo Baily & Associates, Inc. for an unspecified amount of damages.
Read the court decisionRead the full story...Reprinted courtesy of
ENR Northwest’s Top Contractors Survey Reveals Regional Uptick
June 25, 2019 —
Scott Judy - Engineering News-RecordA year ago, the 25 contractors responding to ENR Northwest’s Top Contractors survey collectively reported roughly $6.4 billion in 2017 revenue from the states of Washington, Oregon and Alaska. This year, the 27 contractors listed below—in alphabetical order—reported more than $8.8 billion in regional revenue for 2018.
Read the court decisionRead the full story...Reprinted courtesy of
Scott Judy, ENRMr. Judy may be contacted at
judys@enr.com
Texas Supreme Court Authorizes Exception to the "Eight-Corners" Rule
February 28, 2022 —
Jared De Jong, Nathan A. Cazier & Scott S. Thomas - Payne & FearsFor decades, an insurer’s duty to defend under Texas law was determined exclusively by reviewing the insurance contract and the allegations of the complaint under the “eight-corners rule.” All of this changed last week when, in a long-awaited decision, the Texas Supreme Court ruled that courts may consider extrinsic evidence to determine the existence of coverage in certain limited situations. Monroe Guar. Ins. Co. v. BITCO Gen. Ins. Corp., No. 21-0232, 2022 WL 413940 (Tex. Feb. 11, 2022).
In Monroe, a drilling contractor was sued for damages arising out of the allegedly botched drilling of an irrigation well. The underlying lawsuit alleged that negligent drilling caused damage to surrounding farmland. However, the complaint did not allege when the damage occurred. The contractor’s insurers, BITCO General Insurance Corporation (“Bitco”) and Monroe Guarantee Insurance Company (“Monroe”) disputed whether Monroe owed a duty to defend. Although Bitco agreed to provide a defense, Monroe refused, arguing that the property damage happened before its policy period. Bitco sued Monroe for contribution. In the trial court, the insurers stipulated that a drill bit became stuck before Monroe’s policy incepted, a fact that would have supported Monroe’s “prior damage” defense. On summary judgment, though, the trial court ruled this stipulated fact could not be considered under Texas’ eight-corners rule. Monroe appealed, and the Fifth Circuit, which had previously endorsed an exception to the eight-corners rule under Northfield Insurance Co. v. Loving Home Care, Inc., 363 F.3d 523, 531 (5th Cir. 2004), certified the question to the Texas Supreme Court.
Reprinted courtesy of
Jared De Jong, Payne & Fears,
Nathan A. Cazier, Payne & Fears and
Scott S. Thomas, Payne & Fears
Mr. Jong may be contacted at jdj@paynefears.com
Mr. Cazier may be contacted at nac@paynefears.com
Mr. Thomas may be contacted at sst@paynefears.com
Read the court decisionRead the full story...Reprinted courtesy of
Real Estate & Construction News Roundup (8/14/24) – Commercial Real Estate AI, Hotel Pipeline Growth, and Housing Market Improvements
September 23, 2024 —
Pillsbury's Construction & Real Estate Law Team - Gravel2Gavel Construction & Real Estate Law BlogIn our latest roundup, nonresidential spending drops, realtor payment structure changes, office vacancy rates soar, and more!
- A decline in mortgage rates and a drop in housing prices are giving buyers a potential path to securing homeownership. (Omar Mohammed, Newsweek)
- Starting August 17, new rules will roll out that overhaul the way Realtors get paid to help people buy and sell their homes. (Samantha Delouya, CNN)
- Spending dropped in almost half of nonresidential subcategories in June with the decrease stemming from higher interest rates, tighter credit conditions and a softening economy. (Sebastian Obando, Construction Dive)
Read the court decisionRead the full story...Reprinted courtesy of
Pillsbury's Construction & Real Estate Law Team
California Supreme Court Holds that Requirement of Prejudice for Late Notice Defense is a Fundamental Public Policy of the State for Choice of Law Analysis
November 04, 2019 —
Lorelie S. Masters, Michael S. Levine & Michelle M. Spatz - Hunton Insurance Recovery BlogCalifornia’s highest court held yesterday in Pitzer College v. Indian Harbor Insurance Co., that the state’s insurance notice-prejudice rule is a “fundamental public policy” for the purpose of choice of law analyses. This unanimous ruling, issued in response to certified questions from the Ninth Circuit, confirms and emphasizes California’s common law rule that policyholders who provide “late notice” may proceed with their insurance claim, absent a showing by the insurer of substantial prejudice. The California Supreme Court also extended the prejudice requirement, holding that a first-party insurer must show that it was prejudiced before denying coverage under a policy’s “consent provision,” which typically provides that the policyholder must obtain the insurer’s “consent” before incurring costs and expenses.
Reprinted courtesy of Hunton Andrews Kurth attorneys
Lorelie S. Masters,
Michael S. Levine and
Michelle M. Spatz
Ms. Masters may be contacted at lmasters@HuntonAK.com
Mr. Levine may be contacted at mlevine@HuntonAK.com
Ms. Spatz may be contacted at mspatz@HuntonAK.com
Read the court decisionRead the full story...Reprinted courtesy of
Home-Rentals Wall Street Made Say Grow or Go: Real Estate
July 23, 2014 —
Heather Perlberg and John Gittelsohn – BloombergAlexander Philips joined the rush to buy foreclosed U.S. homes four years ago, spending $40 million on houses in California and Nevada to operate as rentals. Now his firm, Twinrock Partners LLC, is getting ready to sell.
“We didn’t want to be the last one standing when the music stopped,” Philips, 38, said in a telephone interview. “We view this as a trade, not as a business.”
The U.S. home-rental industry, transformed over the past two years by Wall Street-backed companies that were built on the rubble of the housing crash, is poised to be reshaped again as landlords like Philips get out. Corporate owners with limited capital or deadlines to repay investors are now selling houses in bulk, or one by one, after a 26 percent surge in prices from a March 2012 low. For bigger firms, swallowing smaller competitors is among the best opportunities for growth as they shift their focus to managing scattered properties.
Ms. Perlberg may be contacted at hperlberg@bloomberg.net; Mr. Gittelsohn may be contacted at johngitt@bloomberg.net
Read the court decisionRead the full story...Reprinted courtesy of
Heather Perlberg and John Gittelsohn, Bloomberg
