
The EU Commission concluded its third annual review of the EU-U.S. Privacy Shield and found that it continues to provide an adequate level of protection for EU personal data. The program was created as a mechanism to facilitate transfers of personal data from the EU to the US. It is reviewed annually by the EU Commission, as we have discussed in prior posts. The Commission did, however, express concern with some parts of the program, including a concern that the US Department of Commerce’s monthly proactive checks of companies may be too surface-level and do not necessarily include a review of the companies’ privacy provisions in vendor contracts.
Continue Reading The Privacy Shield Survives Another EU Commission Review, For Now…

One of the CCPA amendments that has gone to the governor’s desk is AB 1564, which addresses the methods companies must make available to consumers to exercise their rights under the CCPA. Businesses that operate exclusively online and have direct relationships with their consumers can (1) provide an email address for consumers to submit requests, and (2) if they have a website (which presumably all online businesses would!), provide a method for consumers to submit requests on that website. It is not clear from the amendment whether listing the email address on the website would fulfill the latter requirement, or whether the intent is for companies to have an online form on their websites through which requests can be submitted.
Continue Reading Modifications Under CCPA To Receipt of Consumer Requests

Under GDPR, companies are required to keep certain records of their processing activities. There has been some question about the types of records controllers should keep. To help answer the questions raised by many companies, CNIL recently issued guidance about how to fulfill record-keeping obligations. The guidance includes a record of processing activities (RPA) template for controllers, and outlines the contents to include for both controllers and processors. This includes keeping track of why information was collected, the categories of personal information, the recipients of personal information, and any out-of-country transfers. Companies should also record how long information will be kept. For processors, records should be kept “for each type of activity operated in place of customers” with many of the same details. The CNIL recommends gathering information, making a list of processing activities, clarifying any open questions, and then creating the record. CNIL notes that this record should be updated “frequently” with an eye towards changes in the activities and the types of information processed. While the document is internal, companies should keep in mind that it will need to be provided to the CNIL if requested.
Continue Reading CNIL Issues Record-Keeping Guidance

As we recently reported, New York’s new SHIELD Act contains data security provisions. It also contains a number of key changes to New York’s existing breach notification obligations. These changes will become effective October 23, 2019.
Continue Reading New York SHIELD Act Expands Breach Notice Requirements Starting in October

The European Data Protection Board (EDPB) and the European Data Protection Supervisor (EDPS) recently issued a joint opinion on the processing of personal data and the role of the European Commission within the eHealth Digital Service Infrastructure (eHDSI). As background, the eHealth Network is a network of eHealth authorities designated by the EU member states. Its main purpose is to ensure the continuity of cross-border healthcare for patients as they move throughout the EU. To realize this goal, the Commission created the eHDSI, the system that enables the exchange of electronic patient data amongst member states. To clarify its role as the eHDSI creator and operator, the Commission sought the joint opinion of the EDPB and EDPS as to whether it was acting as a processor.
Continue Reading Processor or Controller? It Really Depends

On July 23, 2019, APEC issued a press release announcing Singapore’s appointment of the Infocomm Media Development Authority (IMDA) as its accountability agent. Singapore joined the APEC Cross-Border Privacy Rules (CBPR) system in March 2018 and is the third economy after the United States and Japan to operationalize the system.
Continue Reading Singapore Appoints Its First Ever Accountability Agent Under the CBPR System

The Federal Trade Commission is requesting comments and input on the effectiveness of the 2013 amendments it made to the Children’s Online Privacy Protection Rule. Although the FTC typically reviews its rules every ten years, it is doing so early because of rapid changes in technology and children’s expanded use of it. Part of the input it is seeking is whether the COPPA Rule should be updated again. Among the specific input the FTC has requested, it wants to know whether companies and other interested parties believe that the Rule should be amended to cover websites and online services that are not directed at children but have large numbers of child users.
Continue Reading FTC Seeks Comments on COPPA Rule

Nevada recently amended its existing online privacy law to give Nevada residents the ability, in certain circumstances, to opt out of the sale of their data to third parties. The amendment goes into effect October 1, 2019, and modifies Nevada’s current requirement that website operators have privacy policies. As amended, the companies that must comply with this opt-out requirement are those that operate websites or online services and sell “covered information” to third parties. Website operators are those who own or operate a website or online service for commercial purposes and collect “covered information” from Nevada residents on that site. There are exceptions, namely for a company that is located in the state, has fewer than 20,000 visitors a year to its site, and derives its revenue primarily from a source other than selling goods or services on the website. Beginning October 1, the law will also add exceptions for companies that are regulated under GLBA or HIPAA. Covered information is any of seven categories of personal information the operator collects online. The first six are fairly narrow: (1) first and last name; (2) home or other physical address; (3) e-mail address; (4) phone number; (5) Social Security Number; and (6) an identifier that lets a specific person be contacted online (for example, information used to engage in behavioral advertising). The last category, however, is much broader, and includes “any other information” that the website operator collects online and “combines with an identifier” in a way that makes the information personally identifiable.
Continue Reading Nevada’s Amended Privacy Law: Groundbreaking or More of the Same?

California legislators have passed many bills to amend the California Consumer Privacy Act since the law was enacted. Last week there were significant developments in the status of those bills, as we reported. In addition to dropping the concept of a private right of action for non-breach matters, there are other key things to keep in mind. Some are good news for corporations, but some pending bills that would have helped clarify the law are not moving forward. On the pro-business side, employers and businesses that focus on handling employee data will be happy to learn of the revised definition of “consumer.” On the pro-consumer side, however, a bill was withdrawn that would have allowed the sharing of unique consumer identifiers for marketing purposes without that sharing being considered a “sale,” drawing a chorus of “shucks” from businesses. Keep reading for the details.
Continue Reading Like a Butterfly, Will the CCPA Continue to Evolve?