The FTC recently took action against the online alcohol marketplace company Drizly and its CEO for alleged security failures. The case arose from a 2018 data breach which was caused – according to the FTC – by poor security measures stemming from the company’s alleged failure to devote sufficient resources or attention to data security.
Continue Reading FTC Action Against Drizly and CEO Provides Insight Into Its Security Expectations
Companies who participate in the AdTech and digital advertising eco-system are very familiar with the Interactive Advertising Bureau and its form advertiser agreements. Those agreements can help streamline negotiations, presenting the parties with, essentially, a pre-negotiated approach to common issues. When CCPA was passed, IAB updated its form to address that law and address consumer notice and consent. With the upcoming laws in California, Colorado, Connecticut, Utah and Vermont, the document is now outdated.
The talk of “opt-out preference signals” or global privacy controls (GPC) has been increasing as companies dig into the forthcoming requirements under US “comprehensive” privacy laws. What is an opt-out preference signal? An “opt-out preference signal” also known colloquially as ”GPC,” is a signal sent by a platform or technology on behalf of a consumer that communicates the consumer’s choice to opt out of sale or sharing. Below, we summarize how each of the states treats this requirement.
Continue Reading Comparing and Contrasting the Opt Out Preference Signal Across States
With 2023 quickly approaching, many are spending this final quarter preparing for the five US state “comprehensive” privacy laws. Some of these contemplate clarifying regulations with technical and operational requirements. Requirements that will impact preparation activities.
Continue Reading State Comprehensive Privacy Laws: Status of the Regulations
The EDPB recently announced its second topic for coordinated enforcement. At a national level, data protection authorities in the EU will be looking into the position of the data protection officer. The results of these national actions are analyzed and bundled, generating deeper insights into a particular topic. Last year, the EDPB had selected the use of cloud-based services by the public sector for its first coordinated enforcement action. So, this second topic will be of more relevance to a wider set of organizations. Given that the report on the outcome of the 2022 coordinated action is expected to be adopted before the end of the year, companies can expect a report on the DPO position sometime in 2023.
Continue Reading EU Regulators to Take Closer Look at DPO Position
Companies transferring personal data out of the EU or UK are reminded of key deadlines approaching for the contracts that govern these transfers. When the European Commission adopted the new Standard Contractual Clauses (SCCs) in 2021, it set a deadline of December 27, 2022 for existing contracts under the old SCCs. This means that by December 27, 2022 onward, all existing contracts using the old SCCs will need to be replaced by the new terms.
Continue Reading Deadlines for EU and UK Standard Contractual Clauses Approaching
Companies subject to California’s Consumer Privacy Act (CCPA) may soon need to figure out how to scale their privacy compliance programs to include employee and B2B information. The current exemptions that exist for most of the law’s requirements to this type of information are set to expire January 1, 2023.
Continue Reading CCPA May Soon Apply to Employee and B2B Information
The FTC recently announced an ambitious Advance Notice of Proposed Rulemaking (ANPR) broadly aimed at a host of privacy and data security issues. This is the first step by the agency to explore using its Section 18 rulemaking authority under the FTC Act to issue a broad consumer privacy-focused trade regulation rule. The ANPR poses 95 questions and various topics, ranging from collection of information from children, to consent, data security, biometrics, artificial intelligence, and automated decision-making. The ANPR is focused on the impact to consumers and as workers or employees in a business capacity.
Continue Reading FTC Announces Proposed Rulemaking On Privacy and Data Security
With six months before the first of the new US state general privacy laws go into effect, there are several steps companies can take now to begin to prepare. Unfortunately there are some parts of compliance that will be impacted by regulations that have either not been drafted, or if drafted, remain unfinalized. What, then, can companies do now? Familiarizing themselves with the types of requirements and beginning to address and develop mechanics for those requirements is a good start. Fortunately for most, these will not be new, as they are conceptually covered by CCPA, GDPR, or both.
Continue Reading Preparing for US State Privacy Law Compliance: The Six Month Mark
In this third post of our ongoing series, we examine key takeaways for companies in light of the recently released draft CPRA regulations. Today’s focus is on contractual requirements. (Visit here for information about collection and notice under the draft regulations, and here for information about choice.)
Continue Reading What Should We Do About the Draft CPRA Regulations?: Contracts