As many who have been tracking CCPA are aware, the law requires training employees who handle consumer inquiries, and ensuring that employees understand how to help consumers exercise their rights. Since most of those rights requests are arriving by web page, email, and phone, it is unlikely that rights requests will slow in the face of COVID-19. Indeed, it is possible that they may increase. Employees will thus still need training, something many companies had anticipated doing in-person.

CoronavirusContinue Reading Turn On the Camera Part Three: Fulfilling CCPA Training Obligations in the Face of COVID-19

As companies brace for the impact of COVID-19, the last thing on everyone’s mind may be proactive privacy compliance obligations. Certainly, companies may be thinking about privacy obligations that relate specifically to their COVID-19 response. What types of employee information can be disclosed, for example, especially in European offices? (On this, see guidance from the French, Italian and Irish data protection authorities.) But companies can think more broadly, in particular about how they will continue the proactive operations of the privacy team during this time. Some questions companies can ask themselves now include:
Continue Reading Turn on the Camera Part One: Keeping Your Privacy Compliant Efforts Moving Forward in the Face of COVID-19

As we get settled into the reality of living with both CCPA and GDPR, companies are looking for new approaches for keeping their privacy houses in order. CCPA reminds us that there is no end to new legislation: proposals are already coming in from states as varied as Nebraska, New Hampshire and Virginia. Similar legislative trends exist around the globe. How can companies be prepared to address this ever shifting legislative landscape? There are a few essential steps privacy officers can take, including (1) aligning the privacy team’s efforts with the underlying corporate mission, (2) having a clear understanding of both the company’s data and its use practices, and (3) having infrastructure in place that will allow for updates to notices and rights.
Continue Reading Getting Prepared for a Decade of Privacy

The European Data Protection Board recently requested comments on its data protection “by design and default” guidelines. Comments are due by mid-January of next year. The Guidelines provide clarity about how to address GDPR’s requirement that companies take “appropriate” technical and organizational steps to protect personal information and individuals. Part of the law’s requirements, according to the guidelines, is that companies can show that the measures they took are effective.
Continue Reading New European Data Protection Board Guidance on Data Protection by Design and by Default

Under GDPR, companies are required to keep certain records of their processing activities. There has been some question about the types of records controllers should keep. To help clarify the questions arising from many companies, CNIL issued guidance recently about how to fulfill record keeping obligations. The guidance includes an RPA template for controllers, and outlines contents to include for both controllers and processors. This includes keeping track of why information was collected, the categories of personal information, recipients of personal information, and any out-of-country transfers. Companies should also include how long information will be kept. For processors, records should be kept “for each type of activity operated in place of customers” with many of the same details. The CNIL recommends gathering information, making a list of processing activities, clarifying any questions and then creating the record. CNIL notes that this record should be updated “frequently” with an eye towards the activities and type of information. While the document is internal, companies should keep in mind that it will need to be provided to the CNIL if requested.
Continue Reading CNIL Issues Record-Keeping Guidance

Global corporations will soon have another privacy law acronym to address. In one year (August 2020), Brazil will join the fray with its own general privacy law, the Lei Geral de Proteção de Dados Pessaoais (General Data Privacy Law or LGPD). The law was passed in 2018, and is set to go into effect a year from now. While the law was designed to be similar to the EU’s GDPR, it is not identical. Individuals will receive very similar access and deletion rights. Like GDPR, the law also contemplates data impact assessments, and provisions in contracts between controllers and processors of personal data. Also like GDPR, the law has extraterritorial impact, applying to those who process or collect information in Brazil, even if the entity is itself outside of the country. There are, though, differences between LGPD and GDPR. For example the amount of time to respond to individuals’ rights requests will be shorter. The definition of personal information under LGPD is also broader.  The law will be enforced by Brazil’s new National Data Protection Authority, and carries penalties that are similar to GDPR. Before the law goes into effect, it is expected that the data protection authority will issue regulations.
Continue Reading Brazil’s New Privacy Law One Year Away

The European Data Protection Board is seeking comment about proposed guidelines that impact websites that provide online services. This might include services a user pays for, or where the fee is indirect (the services being funded through advertising dollars, for example). The EDPB guidance points out that these services typically fall under the provision of GDPR that permits processing of personal information when it is “necessary to perform a contract.” In that regard, the guidance attempts to scope out processing that is necessary in the contractual realm. Information might be processed under one of the other legal basis that exists under GDPR, as the EDPB highlights throughout the guidance, including legitimate interest and consent. This guidance thus provides businesses with ideas about when processing might fall under the “necessary for a contract” basis as opposed to another legal basis.
Continue Reading EDPB Seeks Comment On Online Services Guidance

The Washington Privacy Act (SB 5376) is making its way through that state’s House after gaining nearly unanimous approval in the state Senate just weeks after being introduced. This bill promises to overhaul how Washington protects the personal information of its residents. The proposed Act closely mirrors the California Consumer Privacy Act of 2018 (CCPA) and is expressly modeled around the European General Data Privacy Regulation (GDPR) that went into effect last May. Despite borrowing heavily from these current regimes, the Washington Act is adding its own twists on privacy standards.
Continue Reading Washington State’s Comprehensive Privacy Law Bill Continues to Navigate Through State Legislature

The European Data Protection Board (EDPB) has released its priorities for 2019/2020 in its two-year “Work Program.” The EDPB is charged with issuing guidelines and opinions about GDPR, advising the European Commission about privacy-related issues, to help with the “consistent application” of GDPR, and to promote cooperation among the EU Member States’ supervisory authorities. Among the activities it anticipates engaging in over the next two years are a variety of guidelines, including those relating to the targeting of social media users and guidelines on children’s information. It also expects to have a guideline on the territorial scope of GDPR (which it will finalize after public consultation), and a guideline on data subjects’ rights.
Continue Reading European Data Protection Board’s Priorities for 2019/2020

In an ironic twist, the British Information Commissioner’s Office (ICO) recently fined a Brexit advocacy group for violating regulations issued under an EU directive.  The fines, totaling £120,000,  were levied against Leave.EU and a related insurance company, Eldon Insurance, for sending marketing emails to each other’s subscribers without sufficient consent.  Leave.EU had sent marketing emails to over 300,000 of Eldon’s customers, and the two entities had carried out unlawful joint marketing campaigns through Leave. EU’s mailing list. 
Continue Reading Talk About Ironic: Brexit Group Fined Under EU-Related Privacy Regulations