Photo of Natasha Amlani

Natasha Amlani has experience with privacy counseling, litigation and data breach response.

The UK Online Safety Bill was passed by Parliament earlier this week and is expected to soon become law through royal assent. The Online Safety Act (UK OSA) will impose a series of sweeping obligations, including risk assessment, content moderation, and age assurance requirements, on a variety of online services that enable user-generated content, including but not limited to social media and search providers.

Among the most notable aspects of the UK OSA are its “duties of care.” The law will impose a series of affirmative obligations to assess and mitigate safety risks.

Continue Reading UK Parliament Passes a Sweeping and Controversial Online Safety Bill

The Global Online Safety Regulators Network (Network) issued a position statement on human rights and online safety regulation on September 13, 2023.

The Network is intended to facilitate a coherent international approach to online safety regulation by enabling online safety regulators to share insights, experience, and best practices. The current Network members include: the eSafety Commissioner (Australia), Coimisiún na Meán (Ireland), the Film and Publication Board (South Africa), the Korea Communications Standards Commission (Republic of Korea), the Online Safety Commission (Fiji), and Ofcom (UK).

Continue Reading Global Online Safety Regulators Issue Statement on Human Rights and Online Safety Regulation

Following the European Council’s approval last week, the Digital Services Act (DSA) has been officially adopted, starting the countdown to the law’s entry into force later this year. The DSA builds on the Electronic Commerce Directive 2000 (e-Commerce Directive) and regulates the obligations of digital services that act as intermediaries in connecting consumers with third-party

A business that is subject to the CCPA will need to update its consumer-facing online privacy policy. At a bare minimum, a privacy policy (and any California-specific privacy disclosure) must disclose:

  • A description of a consumer’s right to disclosure regarding the personal information (“PI”) that the business has collected about the consumer, a consumer’s right to disclosure regarding the business’s sale of her or his PI, and a consumer’s right not to be discriminated against for exercising any rights under the CCPA [Cal. Civ. Code §1798.130(a)(5)(A)];
  • Categories of PI collected, sold, or disclosed in the preceding 12 months [Cal. Civ. Code §1798.130(a)(5)(B)&(C)]; and
  • Two or more designated methods for submitting consumer requests, including a toll-free number and a website address [Cal. Civ. Code §1798.130(a)(1)].


Continue Reading CCPA 12-Month Compliance Series Part 4: Update Your Privacy Policy

On April 9, 2019, the California Senate Judiciary committee voted to advance SB 561, which would expand the private right of action to any violation of the CCPA (not just for negligent breaches) and would eliminate a business’s 30-day right to cure. During the hearing, several senators expressed serious concerns with the bill as currently drafted and made clear they expect to see changes to the bill or will not vote to move the bill forward. The bill will next be heard by the appropriations committee, followed by a Senate floor vote, before it moves on to the House.
Continue Reading Takeaways from CA Senate Judiciary Hearing on Bill That Would Expand CCPA’s Private Right of Action

When creating a privacy program, it is important to look ahead and think strategically about who your audience might be. For businesses that might find themselves under the scrutiny of regulators and judges because of a lawsuit, unwanted publicity, or data breach, it is critical to be able to demonstrate substantial compliance for the program they’ve implemented. This can be accomplished by developing privacy programs that follow guidance promulgated by their audience—regulators and courts. This guidance includes the CNIL’s (the French Data Protection Authority’s) Six Steps for GDPR Compliance, along with Federal Trade Commission orders such as the Vizio 2017 order, which provide a roadmap for a comprehensive privacy program that can be distilled down to six main phases
Continue Reading Six Phases of Compliance for a Comprehensive Privacy Program

After conducting a data inventory (see Part 2 of our CCPA series), a business should assess its risks by benchmarking its policies and practices with applicable privacy laws and regulations. Conducting a gap analysis is a critical tool in identifying compliance gaps and developing a plan to bridge those gaps. See e.g.Stipulated Order for Permanent Injunction and Monetary Judgment, Federal Trade Commission & Others v. Vizio, Inc., No. 2:17-cv-00758 (D.N.J. Feb. 6, 2017), Document 1-3 at 5 (privacy program includes addressing privacy risks related to the development and management of new and existing products and services) and CNIL (the French Data Protection Authority) Guidance on Six Steps for GDPR Compliance (step three to identify actions to comply with current/future obligations and to prioritize such actions based on risks).
Continue Reading CCPA 12-Month Compliance Series Part 3: Conduct a Gap Analysis

For any company handling personal information (PI), an incident involving unauthorized access of the PI may be a question of when and not if. The question then becomes: what does the company need to do? Having an incident response plan that outlines the roles and responsibilities of company stakeholders, the steps the company will take in response to an incident, and the issues it must consider is essential to re-securing the network, meeting the legal obligations arising out of the incident, and minimizing the monetary and reputational harm to the company. All 50 states have breach notification laws that require businesses to take certain actions in the event of a data breach. While notification laws vary from state to state, most states require notification without unreasonable delay and are starting to impose deadlines as short as 30 days. Meanwhile, the GDPR requires a controller to notify “without undue delay” a data breach to the supervisory authority within 72 hours, and if the breach is likely to pose a “high risk to the rights and freedoms” of individuals, it must also notify the affected individuals.
Continue Reading Incident Response: Have a Plan

The California Office of the Attorney General (OAG) will be promulgating regulations to further and provide guidance regarding the California Consumer Privacy Act (CCPA). You can participate in the rulemaking process.

The OAG is holding public forums where all members of the public are invited to speak (RSVP) or simply attend. We reported on the first two forums in San Francisco and San Diego here.
Continue Reading CCPA 12-Month Compliance Series Part 1: Participate in Rulemaking