What To Do About Employees Under CCPA: An Update

One of the amendments we’ve been watching over the past months is one that impacts rights of employees —both the company’s and other company’s employees. Under AB25, which passed the California Senate and is now awaiting governor signature, companies will be (for a year) exempted from providing current and former employees, job applicants, and contractors with the full suite of CCPA rights. Starting January 2020, however, these individuals must be provided with notice of information use. Access and deletion rights will not go into effect until January 2021. Continue Reading

New York SHIELD Act Expands Breach Notice Requirements Starting in October

As we recently reported, New York’s new SHIELD Act contains data security provisions. It also contains a number of key changes to New York’s existing breach notification obligations. These changes will become effective October 23, 2019. Continue Reading

Preparing for New York’s New Data Security Requirements

New York recently passed the SHIELD Act, which, among other things, newly establishes data security requirements for companies that collect private information about New York residents. The data security protections required by the Act go into effect in March 2020. Companies that are already subject to and compliant with data security requirements under HIPAA, GLBA, or the NYDFS will be deemed compliant with this new law. Between now and March companies will want to think about these new data security provisions. Continue Reading

Brazil’s New Privacy Law One Year Away

Global corporations will soon have another privacy law acronym to address. In one year (August 2020), Brazil will join the fray with its own general privacy law, the Lei Geral de Proteção de Dados Pessaoais (General Data Privacy Law or LGPD). The law was passed in 2018, and is set to go into effect a year from now. While the law was designed to be similar to the EU’s GDPR, it is not identical. Individuals will receive very similar access and deletion rights. Like GDPR, the law also contemplates data impact assessments, and provisions in contracts between controllers and processors of personal data. Also like GDPR, the law has extraterritorial impact, applying to those who process or collect information in Brazil, even if the entity is itself outside of the country. There are, though, differences between LGPD and GDPR. For example the amount of time to respond to individuals’ rights requests will be shorter. The definition of personal information under LGPD is also broader.  The law will be enforced by Brazil’s new National Data Protection Authority, and carries penalties that are similar to GDPR. Before the law goes into effect, it is expected that the data protection authority will issue regulations. Continue Reading

Processor or Controller? It Really Depends

The European Data Protection Board and the European Data Protection Supervisor recently issued a joint opinion on the processing of personal data and the role of the European Commission within the eHealth Digital Health Service Infrastructure. As background, the eHealth Network is a network of eHealth authorities designated by the EU member states. Its main purpose is ensure the continuity of cross-border healthcare of patients as they move throughout the EU. To realize this goal, the Commission created the eHDSI, the system which enables the exchange of electronic patient data amongst member states. To clarify its role as the eHDSI creator and operator, the Commission sought the joint opinion of the EDPS and EDPS as to whether it was acting as a processor. Continue Reading

Singapore Appoints Its First Ever Accountability Agent Under the CBPR System

On July 23, 2019, APEC issued a press release announcing Singapore’s appointment of the Infocomm Media Development Authority (IMDA) as its accountability agent. Singapore joined the APEC Cross-Border Privacy Rules (CBPR) system in March 2018 and is the third economy after the United States and Japan to operationalize the system. Continue Reading

Utility Provider Settles Call Recording Lawsuit for $3.7 Million

Tiger Natural Gas, Inc. recently settled a class action privacy suit alleging that it illegally recorded sales calls with over 27,000 potential customers. Although Tiger hired a third party to handle its telemarketing, Tiger will pay $3.7 million on the claims as the advertiser with ultimate liability for non-compliance. According to the plaintiffs, neither company told the consumers the calls were recorded, as is required under California’s call recording law. Continue Reading

French Regulator Says “Oui” to GDPR Fines for Under-Protected and Over-Retained Data

CNIL, the French data privacy regulator, issued a 400,000 euro ($448,358) fine against a company for GDPR violations stemming from sensitive information collected on its website. Investigating a complaint, CNIL discovered that the online real estate company Sergic allowed customer information to be freely accessed online and kept that information longer than needed. By editing the text of a certain URL, a Sergic user could retrieve sensitive files that another home rental candidate had uploaded into the website. This security defect led the trove of nearly 300,000 tax and identity documents to be accessible to anyone who thought to change the text of that URL. CNIL said that this website design flaw affected the confidentiality of data in violation of Article 32(1)(ii) of GDPR. Continue Reading

FTC Seeks Comments on COPPA Rule

The Federal Trade Commission is requesting comments and input on the effectiveness of the 2013 amendments it made to the Children’s Online Privacy Protection Rule. Although the FTC typically reviews its rules every ten years, it is doing so early because of rapid changes in and children’s expanded use of technology. Part of the input it is seeking is whether the COPPA Rule should be updated again. Among the specific input the FTC has requested, it wants to know if companies and other interested parties believe that the Rule should be amended to include websites and online services that are not directed at children but have large numbers of child users. Continue Reading

LexBlog

By scrolling this page, clicking a link or continuing to browse our website, you consent to our use of cookies as described in our Cookie and Advertising Policy. If you do not wish to accept cookies from our website, or would like to stop cookies being stored on your device in the future, you can find out more and adjust your preferences here.

Agree