Governor Gavin Newsom of California vetoed a bill that would have created new limitations on data sharing for direct-to-consumer genetic testing companies.
Continue Reading California Governor Pulls the Plug on Genetic Information Privacy Act
French Regulator Says “Oui” to GDPR Fines for Under-Protected and Over-Retained Data
CNIL, the French data privacy regulator, issued a 400,000 euro ($448,358) fine against a company for GDPR violations stemming from sensitive information collected on its website. Investigating a complaint, CNIL discovered that the online real estate company Sergic allowed customer information to be freely accessed online and kept that information longer than needed. By editing the text of a certain URL, a Sergic user could retrieve sensitive files that another home rental candidate had uploaded into the website. This security defect led the trove of nearly 300,000 tax and identity documents to be accessible to anyone who thought to change the text of that URL. CNIL said that this website design flaw affected the confidentiality of data in violation of Article 32(1)(ii) of GDPR.
Continue Reading French Regulator Says “Oui” to GDPR Fines for Under-Protected and Over-Retained Data
Washington State’s Comprehensive Privacy Law Bill Continues to Navigate Through State Legislature
The Washington Privacy Act (SB 5376) is making its way through that state’s House after gaining nearly unanimous approval in the state Senate just weeks after being introduced. This bill promises to overhaul how Washington protects the personal information of its residents. The proposed Act closely mirrors the California Consumer Privacy Act of 2018 (CCPA) and is expressly modeled around the European General Data Privacy Regulation (GDPR) that went into effect last May. Despite borrowing heavily from these current regimes, the Washington Act is adding its own twists on privacy standards.
Continue Reading Washington State’s Comprehensive Privacy Law Bill Continues to Navigate Through State Legislature
UK Issues Fine for Unsolicited Funeral Marketing Emails
The U.K. data protection authority recently fined a lead generation company £90,000 ($118,000) for a 2017 unsolicited email marketing campaign. The company, Boost Finance Ltd, sent over 4 million emails promoting pre-paid funeral plans under the name findmeafuneralplan.com. In reaching its decision, the ICO (the UK data protection regulator), said that the company violated the UK’s Privacy and Electronic Communications Regulations by sending the messages without consent.
Continue Reading UK Issues Fine for Unsolicited Funeral Marketing Emails
Vermont Is First Mover Regulating Data Brokers
Vermont recently enacted a data broker security law, one of the first of its kind. The law requires data brokers to develop and implement a comprehensive security program. The program needs to include administrative and technical safeguards to protect personal information. Data brokers are defined as businesses that collect and sell or license data about consumers with whom the business does not have a direct relationship.
Continue Reading Vermont Is First Mover Regulating Data Brokers
FTC Expresses Concerns Over Mobile Security Updates
In its recent report (Mobile Security Updates: Understanding the Issues), the FTC expressed concerns with the process for keeping mobile devices updated and secure. Of particular concern for the FTC were inconsistencies in the length of time that support is offered for mobile devices, the frequency of updates and the perceived lapse of time between identifying a vulnerability and effectively installing a patch on consumers’ devices. Further, the FTC was worried that information about device support and update frequency is not always clear to consumers, and is not always maintained by manufacturers.
Continue Reading FTC Expresses Concerns Over Mobile Security Updates