Following the European Council’s approval last week, the Digital Services Act (DSA) has been officially adopted, starting the countdown to the law’s entry into force later this year. The DSA builds on the Electronic Commerce Directive 2000 (e-Commerce Directive) and regulates the obligations of digital services that act as intermediaries in connecting consumers with third-party
CCPA 12-Month Compliance Series Part 4: Update Your Privacy Policy
A business that is subject to the CCPA will need to update its consumer-facing online privacy policy. At a bare minimum, a privacy policy (and any California-specific privacy disclosure) must disclose:
- A description of a consumer’s right to disclosure regarding the personal information (“PI”) that the business has collected about the consumer, a consumer’s right to disclosure regarding the business’s sale of her or his PI, and a consumer’s right not to be discriminated against for exercising any rights under the CCPA [Cal. Civ. Code §1798.130(a)(5)(A)];
- Categories of PI collected, sold, or disclosed in the preceding 12 months [Cal. Civ. Code §1798.130(a)(5)(B)&(C)]; and
- Two or more designated methods for submitting consumer requests, including a toll-free number and a website address [Cal. Civ. Code §1798.130(a)(1)].
Continue Reading CCPA 12-Month Compliance Series Part 4: Update Your Privacy Policy
Takeaways from CA Senate Judiciary Hearing on Bill That Would Expand CCPA’s Private Right of Action
On April 9, 2019, the California Senate Judiciary committee voted to advance SB 561, which would expand the private right of action to any violation of the CCPA (not just for negligent breaches) and would eliminate a business’s 30-day right to cure. During the hearing, several senators expressed serious concerns with the bill as currently drafted and made clear they expect to see changes to the bill or will not vote to move the bill forward. The bill will next be heard by the appropriations committee, followed by a Senate floor vote, before it moves on to the House.
Continue Reading Takeaways from CA Senate Judiciary Hearing on Bill That Would Expand CCPA’s Private Right of Action
Six Phases of Compliance for a Comprehensive Privacy Program
When creating a privacy program, it is important to look ahead and think strategically about who your audience might be. For businesses that might find themselves under the scrutiny of regulators and judges because of a lawsuit, unwanted publicity, or data breach, it is critical to be able to demonstrate substantial compliance for the program they’ve implemented. This can be accomplished by developing privacy programs that follow guidance promulgated by their audience—regulators and courts. This guidance includes the CNIL’s (the French Data Protection Authority’s) Six Steps for GDPR Compliance, along with Federal Trade Commission orders such as the Vizio 2017 order, which provide a roadmap for a comprehensive privacy program that can be distilled down to six main phases
Continue Reading Six Phases of Compliance for a Comprehensive Privacy Program
CCPA 12-Month Compliance Series Part 3: Conduct a Gap Analysis
After conducting a data inventory (see Part 2 of our CCPA series), a business should assess its risks by benchmarking its policies and practices with applicable privacy laws and regulations. Conducting a gap analysis is a critical tool in identifying compliance gaps and developing a plan to bridge those gaps. See e.g., Stipulated Order for Permanent Injunction and Monetary Judgment, Federal Trade Commission & Others v. Vizio, Inc., No. 2:17-cv-00758 (D.N.J. Feb. 6, 2017), Document 1-3 at 5 (privacy program includes addressing privacy risks related to the development and management of new and existing products and services) and CNIL (the French Data Protection Authority) Guidance on Six Steps for GDPR Compliance (step three to identify actions to comply with current/future obligations and to prioritize such actions based on risks).
Continue Reading CCPA 12-Month Compliance Series Part 3: Conduct a Gap Analysis
Incident Response: Have a Plan
For any company handling personal information (PI), an incident involving unauthorized access of the PI may be a question of when and not if. The question then becomes: what does the company need to do? Having an incident response plan that outlines the roles and responsibilities of company stakeholders, the steps the company will take in response to an incident, and the issues it must consider is essential to re-securing the network, meeting the legal obligations arising out of the incident, and minimizing the monetary and reputational harm to the company. All 50 states have breach notification laws that require businesses to take certain actions in the event of a data breach. While notification laws vary from state to state, most states require notification without unreasonable delay and are starting to impose deadlines as short as 30 days. Meanwhile, the GDPR requires a controller to notify “without undue delay” a data breach to the supervisory authority within 72 hours, and if the breach is likely to pose a “high risk to the rights and freedoms” of individuals, it must also notify the affected individuals.
Continue Reading Incident Response: Have a Plan
CCPA 12-Month Compliance Series Part 1: Participate in Rulemaking
The California Office of the Attorney General (OAG) will be promulgating regulations to further and provide guidance regarding the California Consumer Privacy Act (CCPA). You can participate in the rulemaking process.
The OAG is holding public forums where all members of the public are invited to speak (RSVP) or simply attend. We reported on the first two forums in San Francisco and San Diego here.
Continue Reading CCPA 12-Month Compliance Series Part 1: Participate in Rulemaking
Federal Privacy Bills Introduced
With the states taking the lead on privacy (see our tip here), the federal government is starting to get in on the action.
Last week, on January 16, 2019, Republican Sen. Marco Rubio introduced the American Data Dissemination (ADD) Act (S. 142). Recognizing the lack of a single comprehensive federal privacy law, the ADD Act seeks to “provide a national consumer data privacy law that protects both consumers and the innovative capabilities of the internet economy.” It instructs the Federal Trade Commission (FTC) to prepare privacy regulations applicable to “covered providers”—i.e., persons who provide a service that uses the internet to collect records containing personally identifiable information—for approval by Congress that are substantially similar to the requirements under the Privacy Act of 1974. Among other things, the FTC would be required to establish criteria for exempting small or newly formed providers, to restrict disclosure of records, and to provide consumers with rights to access and correct their personal data. The ADD Act, if enacted, would preempt the California Consumer Privacy Act (see our CCPA page here) and other state privacy laws, including the recently introduced New York privacy bill, which would establish a privacy bill of rights for New York residents.
Continue Reading Federal Privacy Bills Introduced
Is Your Business Prepared for Holiday Hacking?
There is often an upsurge in hacking and online scams during the holidays, and businesses are not always prepared to respond. Here are five key steps you can take immediately to protect and defend against breaches:
Continue Reading Is Your Business Prepared for Holiday Hacking?
CCPA’s Independent Business Obligations
The CCPA creates eight consumer rights, eight corresponding business obligations and three independent business obligations.
Under the CCPA, businesses have the following independent obligations:
Continue Reading CCPA’s Independent Business Obligations