The ICO first began its examination of Bounty UK Ltd. (a support club for parents) when the ICO was investigating the data brokerage industry generally, of which it viewed Bounty as taking part (given that it shared member information with third parties like Acxiom and Equifax). Here, in reaching its conclusion that the company had violated UK privacy laws, the ICO found the volume of sharing in which Bounty engaged “unprecedented,” and accused the company of both “careless data-sharing” as well as violations of the UK law that pre-dated GDPR (the violation having occurred prior to the law’s May 2018 implementation date). Interestingly, the violation has been described by commentators as a “data breach,” although it did not involve the typical “hacker” scenario that one thinks of when contemplating a breach. Instead, the company collected information and shared it with third parties without appropriate notice and consent. Continue Reading
Washington State’s Comprehensive Privacy Law Bill Continues to Navigate Through State Legislature
Posted in CCPA, Consumer Privacy, GDPRThe Washington Privacy Act (SB 5376) is making its way through that state’s House after gaining nearly unanimous approval in the state Senate just weeks after being introduced. This bill promises to overhaul how Washington protects the personal information of its residents. The proposed Act closely mirrors the California Consumer Privacy Act of 2018 (CCPA) and is expressly modeled around the European General Data Privacy Regulation (GDPR) that went into effect last May. Despite borrowing heavily from these current regimes, the Washington Act is adding its own twists on privacy standards. Continue Reading
Will CCPA’s Definition of Consumer Be Narrowed?
Posted in CCPA, Employee PrivacyIn response to the concern of many that the definition of consumer is so broad as to cover employees, a bill has been introduced in California to exclude employees from the scope of CCPA. As those who have been following CCPA are aware, the definition of “consumer” is extremely broad. Under the proposal, amended on March 25 of this year, the definition would specifically exclude from the definition information collected by a business “in the course of a person acting as a job applicant,” employee, contractor, or agent of the business. The carve-out goes on to clarify that this would hold true only if the individual’s information is used “for purposes compatible with the context” in which they gave it to the company. Continue Reading
FTC Looks Back at 2018
Posted in Consumer Privacy, Data Security, FTCAs we enter into the second quarter of the year, the FTC has released its annual report on privacy and data security, and the steps it took in those areas over the course of 2018. The report includes summaries of its actions against companies for alleged violations of the FTC Act, CAN-SPAM, and COPPA, among others. The total cases brought by the FTC in the privacy area by the end of 2018 numbered 75 (with an additional 130 spam and spyware cases), and 65 in the data security and identity theft realm. Continue Reading
UK ICO Settles with Marketer Over Unsolicited Email Messages
Posted in Communication Privacy, EU PrivacyGrove Pension Solutions Ltd is a UK-based company that helps people get “pension releases,” i.e. getting money out of their pensions. The company uses a vendor to conduct lead generation. That vendor would identify individuals who had given consent to get messages on a variety of third party websites (including for example, soapboxsurvey.co.uk). None of the individuals had a relationship with Grove, and the consents did not specifically name Grove. Grove sent almost 2 million messages to individuals following this process, after obtaining advice that doing so was compliant with applicable laws. Continue Reading
Israel Expresses Concerns Over Investment Fund Security Measures
Posted in Data SecurityIsrael’s investment industry has been reported as growing, and not surprisingly it has received interest from the Israeli Securities Authority. Late last year the ISA surveyed several funds and found that they were not following the requirements of Israel’s privacy laws. This resulted in a recent letter sent by the ISA to fund managers, warning the managers to take steps to protect customer information. Israel, like most countries around the globe, has a privacy law and corresponding regulations. Unlike many other jurisdictions, though, its privacy law has been deemed “adequate” by the EU, and as such, compliance can be a fairly rigorous exercise. Accompanying the ISA letter were “insights” on how to protect information, including things like software updates and user authentication. Included in the insights were recommendations that are not included in Israel’s privacy law or regulation. However, the insights do mirror requirements that exist under Israeli laws for banks and insurance companies. Continue Reading
France Continues to Focus on Use of Biometrics
Posted in EU PrivacyThe French CNIL (the country’s data protection authority) has released rules for how companies can use the biometric information of their employees. Fingerprint scanning is a popular method for “clocking in” around the globe, and like the biometric laws in the US (in particular in Illinois, which we have written about here), it has fallen under scrutiny in France. Late last year the CNIL issued a fine for a company’s use of fingerprint timeclocks, stating that use of biometrics could not be done without CNIL approval under the French Data Protection Act. Around the same time, the CNIL sought input on proposed regulations, which have now been adopted. Continue Reading
SEC To Focus on Cybersecurity in 2019
Posted in Cybersecurity, Data Security, SECFor the fourth year running, the Securities and Exchange Commission’s Office continues to list cybersecurity as one of the top enforcement priorities for 2019. As it relates to cybersecurity, the SEC will be focusing on ensuring companies have proper configuration of network storage devices, robust information security governance, and established policies and procedures specific to protecting retail investors’ trading information and preventing cyber intrusions into retail brokerage accounts. The SEC also wants to see that companies manage both their own systems (including legacy systems), as well as maintaining adequate oversight of the practices of their partners and affiliates. Continue Reading
European Data Protection Board’s Priorities for 2019/2020
Posted in EU Privacy, GDPRThe European Data Protection Board (EDPB) has released its priorities for 2019/2020 in its two-year “Work Program.” The EDPB is charged with issuing guidelines and opinions about GDPR, advising the European Commission about privacy-related issues, to help with the “consistent application” of GDPR, and to promote cooperation among the EU Member States’ supervisory authorities. Among the activities it anticipates engaging in over the next two years are a variety of guidelines, including those relating to the targeting of social media users and guidelines on children’s information. It also expects to have a guideline on the territorial scope of GDPR (which it will finalize after public consultation), and a guideline on data subjects’ rights. Continue Reading
UK’s ICO Brings Texting Enforcement Action, Fines Vote Leave 40,000 Pounds
Prior to the “Brexit” vote in 2016, the pro-Brexit campaign, Vote Leave, sent almost 200,000 unsolicited texts in violation of the Privacy and Electronic Communications Regulations (PECR), according to a recent settlement it reached with the ICO. Under those regulations, as the ICO outlines in its PECR guidance, consumers must either have opted into receiving texts or they must already be an existing customer who “bought . . . a similar product or service” in the past. Continue Reading
