In this third post of our ongoing series, we examine key takeaways for companies in light of the recently released draft CPRA regulations. Today’s focus is on contractual requirements. (Visit here for information about collection and notice under the draft regulations, and here for information about choice.)

Continue Reading What Should We Do About the Draft CPRA Regulations?: Contracts

On June 13, the US and UK governments announced that they are developing prize challenges focused on advancing the maturity of privacy-enhancing technologies (PETs) to combat financial crime. The announcements highlight that up to $2 trillion of cross-border money laundering takes place each year. The White House explained that PETs could address financial crime through maturing technologies, which allow machine learning models to be trained on high-quality datasets without the data leaving safe environments. PETs also facilitate privacy-preserving financial information sharing and collaborative analytics, allowing suspicious types of behavior to be identified without compromising the privacy of individuals or requiring the transfer of data between institutions or across borders.

Continue Reading US, UK Collaborate on Prize Challenges for Privacy-Enhancing Technologies

On June 7, Sen. Sherrod Brown (D-OH), Chair of the Senate Committee on Banking, Housing, and Urban Affairs, sent a letter to Treasury Secretary Janet Yellen to request a review by the Financial Stability Oversight Council of financial institutions’ consumer data activities and their potential threat to U.S. financial stability and security. The letter raised concerns that this information may be sold to third-party purchasers or data brokers who compile it with personal data collected from other sources often associated with advertising and exploited for other uses. The Committee also raised concerns that such data could be used for nefarious purposes including “glean[ing] consumers’ tolerance for price hikes, or using certain people’s spending patterns to target them for blackmail or ransomware.” 

Continue Reading Senate Banking Committee Sends Letter to Yellen on Collection, Use of Consumer Data

As we have written in the past, APEC’s Cross-Border Privacy Rules (CBPR) program is intended to help companies more easily transfer personal data across borders. Participating companies complete self-assessments and work with their local country’s “accountability agent.” There are currently seven participating economies, including the US, Canada, and Japan. Those participating economies recently announced the development of a “Global CBPR Forum.” The Forum is tasked with, inter alia, creating an international certification system, reviewing members’ privacy standards, and ensuring that the program is “interoperable with other data protection and privacy frameworks.”

Continue Reading Formation of CBPR Forum Signals Continued Movement

The Colorado AG’s office recently released pre-rulemaking considerations for the Colorado Privacy Act (CPA). The office is seeking informal public feedback on a series of topics. While the AG listed eight specific topics for feedback, the public can offer input on any aspect of the upcoming rulemaking. The AG’s office is interested in comments about the universal opt-out, the requirements around consent, and “dark patterns.” The AG is also interested in circumstances triggering data protection assessments and the requirements around profiling. Questions were also posed about “offline” collection of data. Lastly, the office seeks feedback on the rules around opinion letters and on how the CPA compares or contrasts with privacy laws in other jurisdictions.

Continue Reading Colorado AG Seeks Input on Key Aspects of Upcoming Privacy Act

It has been almost two years since the Privacy Shield was struck down as a valid data transfer mechanism in Schrems II. Many have been wondering, “what’s next?” Will there be a replacement framework? When will that be released? Will the replacement be invalidated? Well, the European Commission and US recently announced an “agreement in principle” to replace the EU-US Privacy Shield. The EDPB also recently released a statement welcoming the announcement, but reminding companies that the announcement is not actually a legal framework. Thus, nothing has changed… yet.

Continue Reading Waiting on a new EU-US Privacy Shield