On December 18, seven states entered into a settlement agreement with e-retailer CafePress for $2 million stemming from a 2019 data breach that exposed information of approximately 22 million consumers. The breach affected consumers’ personal information, including usernames and passwords, Social Security numbers and/or Taxpayer Identification numbers.

Of the $2 million, $750,000 will be an immediate payment divided among the states: New Jersey, New York, Connecticut, Indiana, Kentucky, Michigan and Oregon.

According to the settlement agreement, if CafePress improves its data privacy practices, the states have agreed to suspend the balance of the settlement. Those improvements include implementing a comprehensive cybersecurity program that is updated and assessed regularly, a data breach notification plan (including preparation, detection, analysis, containment, eradication and recovery), as well as other safeguards like encryption, segmentation and penetration testing. CafePress must also update its disclosures to consumers, including information on account closure and data deletion. The company must also have a third-party risk assessment for the next five years.

Although the Presidential race is unconfirmed at the time of this writing, there are several data privacy and security laws to put on your radar following the election this week.

Here is a brief list of laws that passed that we are aware of so far. We will provide more information as news breaks, but in this ever-changing area, we want to alert you to some important changes in the state law landscape following the election.

California’s Prop 24

This proposition updates California’s CCPA, now referred to as the California Privacy Rights Act (CPRA). In addition to other provisions, from a compliance perspective, it establishes a first-of-its-kind enforcement agency, the California Privacy Protection Agency, which will oversee enforcement of CPRA, and further establishes fines and penalties for violation of the law. The law goes into effect on January 1, 2023, for all data that are collected starting on January 1, 2022. Keep this one on your compliance radar and we will update you further.

Maine Approves Referendum on Limiting Use of Facial Recognition Technology 

Maine voters approved Referendum Question B, which strengthens the ban on the use of facial recognition surveillance technology by police and public officials. 

Massachusetts Votes in Favor of Ballot Question 1 

Massachusetts voted in favor of Ballot Question 1, which would require car manufacturers to equip vehicles using telematic systems with an open-access data platform starting with the model year 2022.

A detailed analysis of Ballot Question 1 is here.

Michigan Amends Constitution to Require Warrant for Access to Electronic Data

In Michigan, it appears that voters have approved an amendment to the state constitution to require search warrants for law enforcement to access electronic data and communications. The measure amends that part of the constitution that provides for the protection against unreasonable search and seizure.

Staying abreast of new state laws and regulations is a complex process for those charged with compliance adherence. We will continue to update you on the most significant changes to assist you in your compliance efforts.