The Data Strategy and Security team at Debevoise & Plimpton LLP has authored the 2022 edition of the Privacy Law Answer Book (Practising Law Institute, 2021), a user-friendly guide to the laws and regulations that govern how companies collect, use, store and transfer the personal information of their consumers and employees.

Edited by Debevoise partners Jeremy Feigelson, Jim Pastore, and counsel Johanna Skrzypczyk, with contributions from other Debevoise partners, counsel, and associates, the guide helps readers keep pace with the latest developments in data privacy and serves as a resource for those looking to make sense of a complicated patchwork of federal and state laws governing privacy in the United States.

Topics in the 2022 Edition include:

•  An overview of U.S. Information Privacy Law. A thorough overview of the book’s contents, this section provides a quick point of reference on several of the topics below with references to deeper discussions on each topic throughout the book.

•  Privacy Policies. How can a company craft its policies within the confines of the existing regulatory and legislative guidance?  How should policies differ by device?  What if a company changes its privacy policy?  This chapter contains guideposts for organizations looking to craft or update their privacy policies to conform to the current legal environment, with special attention paid to the nuances of the California Consumer Privacy Act (CCPA).

•  Children’s Privacy. For organizations potentially or actively using children’s data, this chapter offers essential information, especially for those organizations governed by the Children’s Online Privacy Protection Act (COPPA).  This chapter provides detailed guidance on the scope and applicability of COPPA under statute and regulation, and this edition incorporates the FTC’s recent revised guidance on the COPPA rule and recent enforcement actions.

•  Financial Privacy. Organizations that collect and use consumers’ personal financial information participate in one of the most heavily regulated industries in the market.  This section discusses a range of topics, such as the standard regulations that apply to these organizations (including the Gramm-Leach-Bliley Financial Modernization Act of 1999 (GLBA), the Fair Credit Reporting Act of 1970 (FCRA), and the amendments in the Fair and Accurate Credit Transactions Act of 2003 (FACTA)), state laws (like the California Financial Information Privacy Act (FIPA)), as well as some of the most current and relevant FTC settlements, recent litigation in this space, and the growing list of relevant security breach notification laws.

•  Medical Privacy. Addressing the medical privacy essentials, HIPAA and the new challenges posed by the rise of telemedicine, especially during the Covid-19 pandemic, this chapter closely examines medical privacy and contains helpful practice notes pertaining to HIPAA’s intricate definitions and requirements.  This year’s edition includes new analysis concerning HIPAA’s interaction with the CCPA and its amendments.

•  Mobile Privacy. Mobile phones and devices are ubiquitous across industries, and business owners, management, employees, and customers are all engaging with more data with increasing frequency on their mobile devices.  The Covid-19 pandemic has only accelerated the adoption of these devices and their proliferation poses big challenges to organizations trying to comply with their privacy requirements.  This chapter includes a discussion of the iOS privacy initiatives that Apple put forth in April 2021, as well as more information about the future of privacy for Android devices.

•  Digital Workplace Privacy. As the use of technology in the workplace has increased and the workforce becomes increasingly mobile, the scope of workplace privacy has evolved as well.  This chapter addresses workplace privacy and surveillance, including bring-your-own-device policies.  This chapter also covers common questions posed by return-to-work efforts during the Covid-19 pandemic.

•  Advertising, Tracking, and Privacy. Advancements in digital advertising and tracking have moved quickly across industries and privacy concerns related to these issues have grown as well.  Modern online advertising effectively means that no two users have the same digital experience because ads are often provided dynamically and ad content can vary based on the underlying digital content, or on what a user has previously viewed online.  With a thorough discussion of the nuances related to advertising and tracking, this section also covers the new privacy laws impacting the industry, including updates stemming from the CCPA, the Virginia Consumer Data Protection Act (VCDPA), and the Colorado Privacy Act.  This chapter also offers some recent case studies and updates on ongoing litigation related to internet tracking at some of the largest tech companies of today.

•  Vanguard States. Without federal legislation on data privacy some states have taken action to address privacy concerns.  California, Colorado, Nevada, and Virginia have each enacted privacy laws in the past two years.  This chapter offers a side-by-side look at how these laws compare in their requirements.  This chapter also looks at other proposed legislation from states including Florida, New York, and Washington.

•  Privacy Enforcement and Litigation. Federal regulators such as the FTC, state attorneys general, and class action plaintiffs are all policing how companies manage consumer privacy.  This chapter addresses the nuts and bolts of how regulators enforce privacy regimes and provides examples of recent enforcement actions.  This year’s edition also addresses how changes at the FTC may impact the agency’s enforcement priorities.

•  Global Privacy Laws. The United States is only one actor in a complicated system of international privacy regulators.  This chapter provides an overview of the global privacy landscape, looking at some of the key concepts and areas addressed by some of the most well-developed privacy regimes around the globe.  It also presents regional case studies, setting out trends and principles of the data privacy law of jurisdictions with robust privacy regimes that are particularly relevant to many U.S. practitioners: the European Union, the U.K., Canada, Australia, and Brazil.  It also includes a useful Appendix comparing data protection requirements found in more than 50 jurisdictions.

The book is styled as a Q&A so that practitioners can easily find answers to common—as well as uncommon—questions, a sampling of which we’ve included here from the substantially revised Vanguard States chapter:

Does the CCPA apply to service providers who might have consumer data?

Yes. The CCPA defines a service provider as an entity “that processes information on behalf of a business and to which the business discloses a consumer’s personal information for a business purpose pursuant to a business contract.” The contract between the business and the service provider must prohibit the service provider from retaining, using, or disclosing personal information other than for the business purposes specified in the contract.

In addition to the statutory text, companies seeking to comply with the CCPA also must consider the implementing regulations issued by the California Attorney General. The CCPA regulations provide that service providers “shall not retain, use, or disclose personal information obtained in the course of providing services except” in certain circumstances. These circumstances include:

(1) Processing or maintaining “personal information on behalf of the business that provided the personal information or directed the service provider to collect the personal information, and in compliance with the written contract for services required by the CCPA”;

(2) Retaining a subcontractor, “where the subcontractor meets the requirements for a service provider under the CCPA and these regulations”;

(3) Internal use by the service provider;

(4) Detecting “data security incidents or protect against fraudulent or illegal activity”; or

(5) Circumstances otherwise permitted by certain sections of the CCPA.

Notably, a service provider is prohibited from selling data on behalf of a business after the consumer has opted out of the sale of personal information, and it may respond on behalf of the covered business or redirect the consumer to the covered business.

How broad is the GLBA exemption under the CCPA?

The federal GLBA exemption and FIPA exemption apply to information, not institutions. Financial institutions thus will be well advised to consider, dataset by dataset, whether their data is covered by GLBA or FIPA. One critical component to understanding the reach of the exemption is examining the definitions of “consumer” and “personal information” under the CCPA, on the one hand, and “consumer” and “nonpublic personal information” under GLBA, on the other.

A consumer is an individual who obtains a financial product or service from a financial institution that is to be used primarily for personal, family, or household purposes. The GLBA Privacy Rule protects a consumer’s “nonpublic personal information.” Nonpublic personal information is “personally identifiable financial information” that:

  • is “provided by a consumer to a financial institution”;
  • “[r]esult[s] from any transaction with the consumer or any service performed for the consumer”; or
  • is “otherwise obtained by the financial institution.”

The Privacy Rule defines “personally identifiable financial information” as information:

  • that a consumer provides to a financial institution “to obtain a financial product or service” from the financial institution;
  • “about a consumer resulting from any transaction involving a financial product or service” between the financial institution and a consumer; or
  • that the financial institution “otherwise obtain[s] about a consumer in connection with providing a financial product or service to that consumer.”

The newest edition of the Privacy Law Answer Book can be purchased from the Practising Law Institute.  We hope our clients will find it useful as they address their privacy concerns.

***


Author

Luke Dembosky is a Debevoise litigation partner based in the firm’s Washington, D.C. office. He is Co-Chair of the firm’s Data Strategy & Security practice and a member of the White Collar & Regulatory Defense Group. His practice focuses on cybersecurity incident preparation and response, internal investigations, civil litigation and regulatory defense, as well as national security issues. He can be reached at ldembosky@debevoise.com.

Author

Jeremy Feigelson is a Debevoise litigation partner, Co-Chair of the firm’s Data Strategy & Security practice, and a member of the firm’s Intellectual Property and Media Group. He frequently represents clients in litigations and government investigations that involve the Internet and new technologies. His practice includes litigation and counseling on cybersecurity, data privacy, trademark, right of publicity, false advertising, copyright, and defamation matters. He can be reached at jfeigelson@debevoise.com.

Author

Jyotin Hamid, a partner in the New York office, is a seasoned litigator with extensive courtroom experience. He handles a diverse array of complex commercial litigation matters, with a particular focus on employment litigation and intellectual property disputes. He has represented major companies in their most challenging commercial matters. In the employment area, he has successfully handled numerous whistleblower, discrimination, contract, compensation and corporate raiding litigations involving high-level executives in a broad range of industries. Mr. Hamid also counsels employers on their most sensitive personnel matters, including investigations of alleged executive misconduct. He is also deeply involved in Debevoise’s market-leading intellectual property practice, and he has litigated trademark and trade dress cases involving some of the most well-known brands in the world.

Author

Satish Kini is Co-Chair of Debevoise’s National Security practice and the Chair of the Banking Group and is a member of its Financial Institutions Group. Mr. Kini advises on a wide range of regulatory and transactional issues. He can be reached at smkini@debevoise.com.

Author

Henry Lebowitz is a Debevoise corporate partner and a member of the firm's Corporate Intellectual Property Group. His practice focuses on leading the IP and technology aspects of mergers and acquisitions, financings, capital markets and other corporate transactions. He can be reached at hlebowitz@debevoise.com.

Author

Maura Kathleen Monaghan is Co-Chair of the firm’s Commercial Litigation Group and Healthcare & Life Sciences Group. Her practice focuses on a wide range of complex commercial litigation matters, including products liability and mass tort litigation, environmental, healthcare, regulatory and criminal investigations and arbitration. She can be reached at mkmonaghan@debevoise.com.

Author

David A. O’Neil is a litigation partner and member of the firm’s White Collar & Regulatory Defense Group. Recommended by Chambers USA (2021) and The Legal 500 US (2021) as a leading lawyer in White Collar Crime & Government Investigations and International Litigation, his practice focuses on white collar criminal defense, internal investigations, anti-corruption and FCPA defense and congressional investigations. In both 2018 and 2020, Mr. O’Neil was recognized as a Litigation Trailblazer by the National Law Journal and he was named a White Collar MVP by Law 360 in 2018. In Chambers USA (2020), clients report that he is “driven, practical and offers a level of common sense and solutions focus that few bring.” He has also been described as “responsive and sharp, he spots the key issues straightaway and is able to quickly analyze and break them down in a manner to be tackled.” Mr. O’Neil is also recommended for compliance and investigations by The Legal 500 Latin America (2021).

Author

Jim Pastore is a Debevoise litigation partner and a member of the firm’s Data Strategy & Security practice and Intellectual Property Litigation Group. He can be reached at jjpastore@debevoise.com.

Author

David Sarratt is a partner in Debevoise's Litigation Department. He is a seasoned trial lawyer whose practice focuses on government enforcement actions, internal investigations, and complex civil litigation, as well as novel enforcement issues arising from new technologies. He can be reached at dsarratt@debevoise.com.

Author

Jeffrey Cunard is a retired partner and currently is of counsel to the firm. He was managing partner of the Washington, D.C. office and led the firm’s corporate intellectual property, information technology and e-commerce practices. He has broad experience in transactions, including software and technology licenses, joint ventures, mergers and acquisitions, and outsourcing arrangements. Mr. Cunard’s practice also encompassed copyright litigation. He was an internationally recognized practitioner in the field of the Internet and cyberlaw, a member of the firm’s Data Strategy & Security practice, and advised on U.S. and international media and telecommunications law, including privatizations and regulatory advice.

Author

Christopher Garrett is an English-qualified international counsel in the Corporate Department and a member of the Data Strategy & Security practice, practising employment law and data protection. He has significant experience advising employers on all aspects of employment law and advising companies on compliance with UK and EU data protection law. Mr. Garrett has substantial experience in advising on the employment aspects of mergers & acquisitions transactions, including transfers of employees or other issues arising under TUPE/the Acquired Rights Directive. Mr. Garrett has a wide range of experience advising on other matters such as boardroom disputes, senior executive contracts and terminations, disciplinary and grievance matters, a variety of employment tribunal claims (including high-value discrimination claims), advising employers faced with industrial action, consultation on changes to occupational pension schemes, and policy and handbook reviews. Mr. Garrett also has a particular focus on handling privacy and data protection issues relating to employees, as well as online privacy, marketing and safety practices, and he regularly advises clients on privacy policies, online marketing practices and related matters.

Author

Kim T. Le is a corporate counsel and a member of the Debevoise Healthcare & Life Sciences Group. She is also active in the firm’s Data Strategy & Security practice. She can be reached at kle@debevoise.com.

Author

Tricia Bozyk Sherno is a member of Debevoise's Litigation Department, concentrating in employment and general commercial litigation. She has a broad-gauged employment law practice, with experience representing clients in matters involving discrimination and harassment, contracts, corporate raiding and compensation across a broad range of industries. She can be reached at tbsherno@debevoise.com.

Author

Johanna Skrzypczyk (pronounced “Scrip-zik”) is a counsel in the Data Strategy and Security practice of Debevoise & Plimpton LLP. Her practice focuses on advising on AI matters and privacy-oriented work, particularly related to the California Consumer Privacy Act. She can be reached at jnskrzypczyk@debevoise.com.

Author

Javier Alvarez-Oviedo is an associate in the Litigation Department.

Author

H Jacqueline Brehmer is a Debevoise litigation associate and a member of the Data Strategy & Security Practice Group. She can be reached at hjbrehmer@debevoise.com.

Author

Frank Colleluori is an associate in Debevoise's Litigation Department. He can be reached at facolleluori@debevoise.com.

Author

Josie Dikkers is a corporate associate and a member of the firm’s Financial Institutions Group.

Author

Martha Hirst is an associate in Debevoise's Litigation Department based in the London office. She is a member of the firm’s White Collar & Regulatory Defense Group, and the Data Strategy & Security practice. She can be reached at mhirst@debevoise.com.

Author

Alexandra Mogul is a corporate associate and a member of the firm’s Financial Institutions Group. Ms. Mogul’s practice focuses on consumer finance and banking regulatory, transactional and compliance matters. She regularly advises banks, FinTechs, industry trade associations and other firms on a variety of regulatory, transactional and compliance matters relating to federal and state banking regulations, Consumer Financial Protection Bureau regulations and guidance, as well as related state consumer financial protection and licensing requirements. Ms. Mogul’s practice also includes advising financial institutions on anti-money laundering, broker-dealer, cybersecurity and data privacy issues. She can be reached at anmogul@debevoise.com.