
Joe Cutler's litigation work focuses on combating cybercrime and enforcing website terms of use.

The Consumer Financial Protection Bureau (CFPB) announced on March 15, 2023, that it is issuing a Request for Information (RFI) about the business practices of data brokers, which the agency said will assist it in “planned rulemaking” under the Fair Credit Reporting Act (FCRA). The CFPB has explained it is seeking information on (1) “new

COVID-19 arrives just as the first omnibus privacy statute in the United States, the CCPA, became effective. Since its January 1 effective date, we continue to wait for finalization of the CCPA regulations and enforcement that was slated for July 1. In a pandemic environment, companies, employers, and public institutions are grappling, outside the HIPAA context, with unique privacy, data security, and cybersecurity implications of their responses to the coronavirus. From a compliance perspective, businesses are considering under what circumstances they can disclose consumer or employee health conditions or geolocation information in the service of greater public health. Other companies, and governmental institutions at every level, are confronting the very real, and often opportunistic, threats to data security posed by aggressive thieves who use crises as cover to commit an assortment of cybercrimes. Privacy and security requirements vary by jurisdiction, so businesses should be mindful of potentially divergent and overlapping approaches and responsibilities as the situation continues to evolve.

We offer a few updates and practical tips for best practices to promote compliance with privacy and data security requirements.

The California Consumer Privacy Act (CCPA) imposes new transparency and disclosure obligations on businesses’ use, sale, and disclosure of consumer information. Businesses will need to honor requests from consumers to access their personal information, delete their personal information, and opt out of the sale of their personal information. “Personal information” is more broadly described in the CCPA than in any prior statute: that is, “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.”