The European Council recently approved a final version of the EU Data Act. The Act applies to manufacturers of connected devices. Among other things, it gives consumers certain rights about the information those devices collect. The Act is viewed as part of an overall data strategy by the EU, and complements both GDPR and the Data Governance Act.Continue Reading Connected Devices: Eyes on EU Data Act

The FTC’s second attempt to pursue the data broker, Kochava, continues to move forward. The amended complaint, which was just unsealed and thus available for the public to review, gives insight into the agency’s perspective on the harm that results when companies create profiles with sensitive information, and use that information to target ads to individuals. The amended complaint provides more detail about Kochava’s alleged practices; allegations the company strongly disagreed with. (Thus, why it sought -unsuccessfully- to have it sealed.)Continue Reading Amended Kochava Complaint Gives Insight into FTC’s View of Harm from Data Profiles

Among the various requirements under US state comprehensive privacy laws, those that relate to loyalty programs may be some of the most confusing. Only three states — California, Colorado and Florida — regulate these programs. How they do this varies, and the level of detail contained in the laws also varies. In California and Florida, the laws’ impact on loyalty programs is in how they define “financial incentives.” These are times when a company “pays” a consumer for their personal information. This might occur with a straight cash payment. More common though, is optimized pricing or providing a higher quality of services in exchange for getting personal information. For those who offer loyalty programs, depending on how they are operated, they may viewed as be financial incentives under these laws. Colorado’s comprehensive privacy law, on the other hand, imposes obligations on companies that operate “bona fide loyalty programs.” These are defined as programs where information is processed solely to provide the program’s benefits. Benefits must be -like in California- better pricing or quality of services.Continue Reading The Comprehensive Privacy Law Deluge: Impact on Loyalty Programs

As many who are keeping track of generative AI developments are aware, the FTC recently announced that it is investigating OpenAI’s ChatGPT product. For the privacy practitioner this investigation is important given that among other things, the agency wants to understand better how OpenAI is using personal information, and if its privacy representations are sufficient.Continue Reading OpenAI – FTC OpensAnInvestigation

The California Privacy Protection Agency (CPPA) Board recently met and unanimously voted to finalize the proposed final CPRA regulations. This approved version was first released in January and updated those released in November 2022. Along with the proposed final CPRA regulations, the CPPA published a draft final statement of reasons and appendices containing responses to the comments received during the public comment periods. Continue Reading CPRA Update: Moving Toward Finalization

Virginia edges closer to its privacy law January 2023 implementation. A new working group report gives some insight on implementation focus. The working group is tasked with giving advice on implementing the Virginia Consumer Data Protection Act. It held a series of meetings with companies and other stakeholders throughout the year. This current report summarizes “points of emphasis” from those meetings.  Those included that law be interpreted strictly. For example, sunseting companies “right to cure” after two years. Another point raised was whether to let the attorney general seek actual damages based on harm.
Continue Reading Virginia Privacy Law Continues to Progress Towards 2023 Implementation

Google Play’s “data safety form” is now live. Developers can now submit the form for early review and feedback. Starting in April 2022, Google will require this label and a privacy policy for all new and existing apps. This is similar to Apple. Before, only apps that collected personal and sensitive user data needed to share a privacy policy in Google’s store.
Continue Reading Google’s Privacy “Data Safety” Form Is Now Available

New York City recently amended its law governing third party delivery services, with the changes going into effect December 27, 2021. The revised law specifically permits restaurants to ask for customers’ personal information from the delivery service. The delivery service, in turn, must tell consumers about the potential sharing “in a conspicuous manner” on its website and give people the ability to opt-out of such sharing.  That notice needs to indicate that the person’s information will be shared with the restaurant, and needs to identify the restaurant.
Continue Reading Impact of NYC’s New Delivery Service Data Sharing Requirement

The California attorney general has created a tool for consumers to report situations where companies sell information but do not have an opt-out of sale link on their website. The release of the tool came at the same time as the AG’s update on its CCPA enforcement actions. In that update, the AG highlighted one of the most common problems it had found: not having appropriate disclosures around “sales.”
Continue Reading AG Implements Tool to Allow Consumer Reporting of Alleged DNS Violations

Google recently announced that beginning next year it will require Android mobile apps to provide privacy disclosures. These disclosures will live in a new “safety section” in Google Play. The requirements include disclosing:

  • What information the app collects and how information is used;
  • How the app protects information and if it uses encryption;
  • If information is shared and if users have a choice about sharing;
  • If users can request data deletion; and
  • If the disclosures made in the safety section have been verified by an independent third party.

Continue Reading Time to Update Your Privacy Disclosure Creation Checklists? Google Will Add to Mobile Privacy Disclosure Requirements

On March 15, 2021, the California Office of Administrative Law (“OAL”) approved additional regulations to the CCPA. These regulations were originally proposed at the end of 2020 (which we covered here).  The changes are effective immediately. The modifications largely focus on (1) changes impacting those companies that “sell” information, and (2) the verification process for rights requests made by authorized agents.
Continue Reading Changes to CCPA Regulations are Approved and in Effect