Natasha Amlani has experience with privacy counseling, litigation and data breach response.

When creating a privacy program, it is important to look ahead and think strategically about who your audience might be. For businesses that might find themselves under the scrutiny of regulators and judges because of a lawsuit, unwanted publicity, or data breach, it is critical to be able to demonstrate substantial compliance for the program they’ve implemented. This can be accomplished by developing privacy programs that follow guidance promulgated by their audience—regulators and courts. This guidance includes the CNIL’s (the French Data Protection Authority’s) Six Steps for GDPR Compliance, along with Federal Trade Commission orders such as the Vizio 2017 order, which provide a roadmap for a comprehensive privacy program that can be distilled down to six main phases
Continue Reading Six Phases of Compliance for a Comprehensive Privacy Program

After conducting a data inventory (see Part 2 of our CCPA series), a business should assess its risks by benchmarking its policies and practices against applicable privacy laws and regulations. A gap analysis is a critical tool for identifying compliance gaps and developing a plan to bridge them. See, e.g., Stipulated Order for Permanent Injunction and Monetary Judgment, Federal Trade Commission & Others v. Vizio, Inc., No. 2:17-cv-00758 (D.N.J. Feb. 6, 2017), Document 1-3 at 5 (privacy program includes addressing privacy risks related to the development and management of new and existing products and services) and CNIL (the French Data Protection Authority) Guidance on Six Steps for GDPR Compliance (step three: identify the actions needed to comply with current and future obligations, and prioritize them based on risk).
Continue Reading CCPA 12-Month Compliance Series Part 3: Conduct a Gap Analysis

For any company handling personal information (PI), an incident involving unauthorized access to that PI may be a question of when, not if. The question then becomes: what does the company need to do? Having an incident response plan that outlines the roles and responsibilities of company stakeholders, the steps the company will take in response to an incident, and the issues it must consider is essential to re-securing the network, meeting the legal obligations arising out of the incident, and minimizing the monetary and reputational harm to the company. All 50 states have breach notification laws that require businesses to take certain actions in the event of a data breach. While notification laws vary from state to state, most states require notification without unreasonable delay, and some are starting to impose deadlines as short as 30 days. Meanwhile, the GDPR requires a controller to notify the supervisory authority of a personal data breach "without undue delay" and, where feasible, within 72 hours of becoming aware of it; if the breach is likely to result in a "high risk to the rights and freedoms" of individuals, the controller must also notify the affected individuals.
Continue Reading Incident Response: Have a Plan

The California Office of the Attorney General (OAG) will be promulgating regulations to implement, and provide guidance on, the California Consumer Privacy Act (CCPA). You can participate in the rulemaking process.

The OAG is holding public forums where all members of the public are invited to speak (RSVP) or simply attend. We reported on the first two forums in San Francisco and San Diego here.
Continue Reading CCPA 12-Month Compliance Series Part 1: Participate in Rulemaking

With the states taking the lead on privacy (see our tip here), the federal government is starting to get in on the action.

Last week, on January 16, 2019, Republican Sen. Marco Rubio introduced the American Data Dissemination (ADD) Act (S. 142). Recognizing the lack of a single comprehensive federal privacy law, the ADD Act seeks to “provide a national consumer data privacy law that protects both consumers and the innovative capabilities of the internet economy.” It instructs the Federal Trade Commission (FTC) to prepare privacy regulations applicable to “covered providers”—i.e., persons who provide a service that uses the internet to collect records containing personally identifiable information—for approval by Congress that are substantially similar to the requirements under the Privacy Act of 1974. Among other things, the FTC would be required to establish criteria for exempting small or newly formed providers, to restrict disclosure of records, and to provide consumers with rights to access and correct their personal data. The ADD Act, if enacted, would preempt the California Consumer Privacy Act (see our CCPA page here) and other state privacy laws, including the recently introduced New York privacy bill, which would establish a privacy bill of rights for New York residents.
Continue Reading Federal Privacy Bills Introduced

Does your company handle data analytics to target California consumers? If so, it is imperative that you pay close attention to the California Consumer Privacy Act (CCPA) that goes into effect on January 1, 2020. The CCPA goes well beyond the General Data Protection Regulation (GDPR); however, if you’ve achieved compliance with the GDPR, you are well on your way to achieving CCPA compliance.

Once in effect, the CCPA will require businesses processing the personal information (PI) of 50,000 or more California consumers (defined as California residents) to comply with new regulations governing the processing of their PI. Businesses will have to respond to eight (8) specific consumer rights, observe restrictions on data monetization business models, and update their privacy notices to provide detailed disclosures about their data collection, sales and business disclosures.
Continue Reading Update for Financial Institutions Regarding the California Consumer Privacy Act—This New Law May Apply to You