What To Do About Employees Under CCPA: An Update

Liisa ThomasCraig CardonRachel Tarko HudsonElfin NoceBy Liisa Thomas, Craig Cardon, Rachel Tarko Hudson and Elfin Noce on Posted in California, CCPA, Consumer Privacy, Employee Privacy

One of the amendments we’ve been watching over the past months is one that impacts rights of employees —both the company’s and other company’s employees. Under AB25, which passed the California Senate and is now awaiting governor signature, companies will be (for a year) exempted from providing current and former employees, job applicants, and contractors with the full suite of CCPA rights. Starting January 2020, however, these individuals must be provided with notice of information use. Access and deletion rights will not go into effect until January 2021. Continue Reading

New York SHIELD Act Expands Breach Notice Requirements Starting in October

Liisa ThomasKari RollinsElfin NoceRebecca MackinBy Liisa Thomas, Kari Rollins, Elfin Noce and Rebecca Mackin on Posted in Consumer Privacy, Data Breach

As we recently reported, New York’s new SHIELD Act contains data security provisions. It also contains a number of key changes to New York’s existing breach notification obligations. These changes will become effective October 23, 2019. Continue Reading

Preparing for New York’s New Data Security Requirements

Liisa ThomasKari RollinsElfin NoceBy Liisa Thomas, Kari Rollins and Elfin Noce on Posted in Consumer Privacy, Consumer Privacy, Data Protection, Data Security

New York recently passed the SHIELD Act, which, among other things, newly establishes data security requirements for companies that collect private information about New York residents. The data security protections required by the Act go into effect in March 2020. Companies that are already subject to and compliant with data security requirements under HIPAA, GLBA, or the NYDFS will be deemed compliant with this new law. Between now and March companies will want to think about these new data security provisions. Continue Reading

Brazil’s New Privacy Law One Year Away

Liisa ThomasBy Liisa Thomas on Posted in CCPA, GDPR

Global corporations will soon have another privacy law acronym to address. In one year (August 2020), Brazil will join the fray with its own general privacy law, the Lei Geral de Proteção de Dados Pessaoais (General Data Privacy Law or LGPD). The law was passed in 2018, and is set to go into effect a year from now. While the law was designed to be similar to the EU’s GDPR, it is not identical. Individuals will receive very similar access and deletion rights. Like GDPR, the law also contemplates data impact assessments, and provisions in contracts between controllers and processors of personal data. Also like GDPR, the law has extraterritorial impact, applying to those who process or collect information in Brazil, even if the entity is itself outside of the country. There are, though, differences between LGPD and GDPR. For example the amount of time to respond to individuals’ rights requests will be shorter. The definition of personal information under LGPD is also broader.  The law will be enforced by Brazil’s new National Data Protection Authority, and carries penalties that are similar to GDPR. Before the law goes into effect, it is expected that the data protection authority will issue regulations. Continue Reading

Processor or Controller? It Really Depends

Rebecca MackinBy Rebecca Mackin on Posted in EU Privacy, Healthcare Privacy

The European Data Protection Board and the European Data Protection Supervisor recently issued a joint opinion on the processing of personal data and the role of the European Commission within the eHealth Digital Health Service Infrastructure. As background, the eHealth Network is a network of eHealth authorities designated by the EU member states. Its main purpose is ensure the continuity of cross-border healthcare of patients as they move throughout the EU. To realize this goal, the Commission created the eHDSI, the system which enables the exchange of electronic patient data amongst member states. To clarify its role as the eHDSI creator and operator, the Commission sought the joint opinion of the EDPS and EDPS as to whether it was acting as a processor. Continue Reading

Singapore Appoints Its First Ever Accountability Agent Under the CBPR System

Rebecca MackinBy Rebecca Mackin on Posted in APEC

On July 23, 2019, APEC issued a press release announcing Singapore’s appointment of the Infocomm Media Development Authority (IMDA) as its accountability agent. Singapore joined the APEC Cross-Border Privacy Rules (CBPR) system in March 2018 and is the third economy after the United States and Japan to operationalize the system. Continue Reading

Utility Provider Settles Call Recording Lawsuit for $3.7 Million

Robert HoughSarah WilliamsonBy Robert Hough and Sarah Williamson on Posted in California, Communication Privacy, Consumer Privacy, Online Privacy, TCPA

Tiger Natural Gas, Inc. recently settled a class action privacy suit alleging that it illegally recorded sales calls with over 27,000 potential customers. Although Tiger hired a third party to handle its telemarketing, Tiger will pay $3.7 million on the claims as the advertiser with ultimate liability for non-compliance. According to the plaintiffs, neither company told the consumers the calls were recorded, as is required under California’s call recording law. Continue Reading

French Regulator Says “Oui” to GDPR Fines for Under-Protected and Over-Retained Data

Alyssa ShauerBy Alyssa Shauer on Posted in Consumer Privacy

CNIL, the French data privacy regulator, issued a 400,000 euro ($448,358) fine against a company for GDPR violations stemming from sensitive information collected on its website. Investigating a complaint, CNIL discovered that the online real estate company Sergic allowed customer information to be freely accessed online and kept that information longer than needed. By editing the text of a certain URL, a Sergic user could retrieve sensitive files that another home rental candidate had uploaded into the website. This security defect led the trove of nearly 300,000 tax and identity documents to be accessible to anyone who thought to change the text of that URL. CNIL said that this website design flaw affected the confidentiality of data in violation of Article 32(1)(ii) of GDPR. Continue Reading

FTC Seeks Comments on COPPA Rule

Liisa ThomasRebecca MackinBy Liisa Thomas and Rebecca Mackin on Posted in Children's Privacy, Online Privacy

The Federal Trade Commission is requesting comments and input on the effectiveness of the 2013 amendments it made to the Children’s Online Privacy Protection Rule. Although the FTC typically reviews its rules every ten years, it is doing so early because of rapid changes in and children’s expanded use of technology. Part of the input it is seeking is whether the COPPA Rule should be updated again. Among the specific input the FTC has requested, it wants to know if companies and other interested parties believe that the Rule should be amended to include websites and online services that are not directed at children but have large numbers of child users. Continue Reading

LexBlog

By scrolling this page, clicking a link or continuing to browse our website, you consent to our use of cookies as described in our Cookie and Advertising Policy. If you do not wish to accept cookies from our website, or would like to stop cookies being stored on your device in the future, you can find out more and adjust your preferences here.

Agree