One of the methods US and EU companies rely on most frequently for the transfer of personal data from the EU to the US are standard contractual clauses. For the method to be acceptable as a valid basis for transfer of personal information, one critical step is for companies to use the version of the clauses as approved by the EU Commission. This has causes some confusion and concern, as the clauses predate GDPR and thus do not include provisions related to that 2018 law. Another area of confusion has been the recent criticism of the clauses as a valid method -alone- for transferring personal data to certain jurisdictions, including the US. (See proposed supplemental protection measures proposed by the European Data Protection Board to address this latter issue, which we discussed recently.)
Continue Reading EU Seeking Comment on Revisions to Standard Contractual Clauses

Israel’s Privacy Protection Authority recently announced that Privacy Shield can no longer be relied on for data transfers between Israel and the United States. Israel did not have a direct Privacy Shield arrangement with the U.S., instead permitting the many Israeli companies that exchange data with their American counterparts to rely on a provision of its Privacy Protection Regulations that allows for transfers of data to any country that receives data from the EU under the same terms of such transfer.
Continue Reading Israel Follows Europe’s Lead on Privacy Shield

The FTC recently issued comments on how companies can use artificial intelligence tools without engaging in deceptive or unfair trade practices or running afoul of the Fair Credit Reporting Act. The FTC pointed to enforcement it has brought in this area, and recommended that companies keep in mind four key principles when using AI tools. While much of their advice draws on requirements for those that are subject to the Fair Credit Reporting Act (FCRA), there are lessons that may be useful for many.
Continue Reading FTC Provides Direction on AI Technology

As many who have been tracking CCPA are aware, the law requires training employees who handle consumer inquiries, and ensuring that employees understand how to help consumers exercise their rights. Since most of those rights requests are arriving by web page, email, and phone, it is unlikely that rights requests will slow in the face of COVID-19. Indeed, it is possible that they may increase. Employees will thus still need training, something many companies had anticipated doing in-person.

Coronavirus


Continue Reading Turn On the Camera Part Three: Fulfilling CCPA Training Obligations in the Face of COVID-19

NIST recently released a final version of its Privacy Framework to incorporate public feedback in response to the draft it issued late last year. For organizations familiar with the NIST Cybersecurity Framework first released in 2014, the privacy framework follows a similar structure and it is intended to be used together.
Continue Reading Final Draft of NIST Privacy Framework Released

As we get settled into the reality of living with both CCPA and GDPR, companies are looking for new approaches for keeping their privacy houses in order. CCPA reminds us that there is no end to new legislation: proposals are already coming in from states as varied as Nebraska, New Hampshire and Virginia. Similar legislative trends exist around the globe. How can companies be prepared to address this ever shifting legislative landscape? There are a few essential steps privacy officers can take, including (1) aligning the privacy team’s efforts with the underlying corporate mission, (2) having a clear understanding of both the company’s data and its use practices, and (3) having infrastructure in place that will allow for updates to notices and rights.
Continue Reading Getting Prepared for a Decade of Privacy

One of the amendments we’ve been watching over the past months is one that impacts rights of employees —both the company’s and other company’s employees. Under AB25, which passed the California Senate and is now awaiting governor signature, companies will be (for a year) exempted from providing current and former employees, job applicants, and contractors with the full suite of CCPA rights. Starting January 2020, however, these individuals must be provided with notice of information use. Access and deletion rights will not go into effect until January 2021.
Continue Reading What To Do About Employees Under CCPA: An Update

California legislators have passed many bills to amend the California Consumer Protection Act since the law was passed. Last week there was significant developments in the status of those bills, as we reported. In addition to dropping the concept of a private right of action for non-breach matters, there are other key things to keep in mind. Some are good news for corporations, but some pending bills that would have helped clarify the law are not moving forward. On the pro-business side, employers and businesses that focus on handling employee data will be happy to learn of the revised definition to consumers. On the pro-consumer side, however, a bill was withdrawn that would have allowed the sharing of unique consumer identifiers for marketing purposes without being considered a “sale,” drawing a chorus of “shucks” from businesses alike. Keep reading for the details.
Continue Reading Like a Butterfly, Will the CCPA Continue to Evolve?

The Washington Privacy Act (SB 5376) is making its way through that state’s House after gaining nearly unanimous approval in the state Senate just weeks after being introduced. This bill promises to overhaul how Washington protects the personal information of its residents. The proposed Act closely mirrors the California Consumer Privacy Act of 2018 (CCPA) and is expressly modeled around the European General Data Privacy Regulation (GDPR) that went into effect last May. Despite borrowing heavily from these current regimes, the Washington Act is adding its own twists on privacy standards.
Continue Reading Washington State’s Comprehensive Privacy Law Bill Continues to Navigate Through State Legislature

Prior to the “Brexit” vote in 2016, the pro-Brexit campaign, Vote Leave, sent almost 200,000 unsolicited texts in violation of the Privacy and Electronic Communications Regulations (PECR), according to a recent settlement it reached with the ICO. Under those regulations, as the ICO outlines in its PECR guidance, consumers must either have opted into receiving texts or they must already be an existing customer who “bought . . . a similar product or service” in the past.
Continue Reading UK’s ICO Brings Texting Enforcement Action, Fines Vote Leave 40,000 Pounds

In a recent letter, the New York Department of Financial Services provided guidance for insurers who use third party data to help with their underwriting decisions. The letter was drafted in response to reports that insurers are getting information about potential insureds from many “unconventional” data sources, including those that contain predictive models and algorithms. These sources are used to supplement medical underwriting, and include information that isn’t necessarily related to a person’s medical condition, but might impact an insurer’s decision. While these sources could improve the market, according to NYDFS (e.g., by simplifying and expediting life insurance sales and making pricing more accurate) the sources themselves are not uniformly reliable. NYDFS had two specific concerns about these sources: first, that the algorithms they use may have a negative impact on consumers; and second, that these sources are often used without the consumers’ knowledge.
Continue Reading New York Department of Financial Services Releases Letter Regarding Third Party Data Sources