If you condition participation in a sweepstakes on receiving advertising on a particular topic from the provider of the sweepstakes or from other third parties — this is still valid consent under GDPR, says the Higher Regional Court of Frankfurt, Germany.

Key takeaways:
  • Requiring consent to marketing as a condition of participating in a sweepstakes does not constitute coercion. The individual is free to decide whether or not to participate (free choice) and whether participation is worth the disclosure of their data; deciding not to participate does not result in any disadvantage.
  • If you notify the individual of all the companies that will contact them, that is specific enough. An exception applies if the number of companies is so great that the person cannot realistically deal with all of these companies and their business areas.
  • The notice has to describe the subject / topic of the advertising with specificity.
    • Sufficient: “electricity and gas.”
    • Not sufficient: general explanations such as the fact that the consent extends to “financial services of all kinds.”

Read the full opinion.

Three proposed amendments to the California Consumer Privacy Act were themselves amended on September 6. Here is a summary of the major changes, with links to the current version of each proposed amendment:

  • Until 1/1/2021 personal information collected about employees in their role as such is carved out. New addition: emergency contact information and benefits information for employee’s dependents, also carved out. (AB25)
  • Consumer authentication should be reasonable in light of the nature of the personal information requested. If the consumer has a user account, the business can use it for authentication. A business is not required to collect or retain personal information it would not normally collect or retain. (AB25)
  • “Publicly available” is information lawfully made available from federal, state, or local government regardless of purpose of use.
  • Until 1/1/2021: personal information used in communication between a business and an employee of another business, in the course of conducting due diligence regarding, or providing or receiving a product or service to or from, that business is also carved out. (AB1355)
  • Fair Credit Reporting Act (FCRA) exemption revised (AB1355)
  • Sale of personal information to a third party in connection with a rewards or loyalty program is allowed, subject to notice, express consent, and the third party using the information for identifying consumer eligibility. (AB846)

If your social media profile is public … do you really have an expectation of privacy in the information it contains?

The United States’ Ninth Circuit Court of Appeals says … maybe not.

In an interim decision in the HiQ vs LinkedIn case, on the permissibility of web-scraping public profiles, the court analyzed the privacy of public social media profiles. It upheld a lower court ruling denying LinkedIn an injunction that sought to block HiQ’s access to publicly available LinkedIn profiles.

Some takeaways that apply to social media profiles generally:

  • If your profile is set to “public”, it is doubtful that you have an expectation of privacy in the contents of your profile.
  • This is especially the case if:
    • the privacy statement for the platform clearly discloses that information on the profile may be seen by others and
    • the social media platform has services that allow third parties to view public profiles, export information from them or get alerts on changes.
  • Choosing a profile setting that prohibits certain types of sharing from your public profile does not in itself create an expectation of privacy.
  • If you would like to prevent your employers or others from seeing information about your job / status updates, choose a private setting for your profile and don’t include your employer as your contact / social media friend.

Read the court ruling.

Some new guidance on obtaining consent under GDPR from Denmark:

  • silence or a pre-ticked box are not enough
  • a signature or an action can be enough
  • it must be as easy to revoke as it is to give it

That and other principles are included in the new detailed guidance on consent under GDPR from the Data Protection Authority of Denmark.

Read my detailed analysis.

To sell or to “disclose for a business purpose.” That is the CCPA question.

“When asked, most companies state honestly they do not ‘sell’ customer data, but the CCPA defines the term in a surprisingly broad way that sweeps in any arrangement involving an exchange of value (‘consideration’) between the business and a third party or another business for the personal information. The definition of sale may expansively apply to disclosures to vendors that process data for their own analytics or other secondary purposes.”

In view of the broad definition of the term “sale” under CCPA, “businesses should, therefore, conduct due diligence on a case-by-case basis as to whether to seek shelter from the definition of ‘sale’ under the CCPA for disclosures to a ‘service provider.’ The due diligence should involve a review under the existing contractual terms and may require modifications to the underlying agreement and obligations of the parties.”

Details from The International Association of Privacy Professionals.

Include de-identified personal information in your CCPA data mapping.

“De-identification as a process can be quite complicated to execute with precision to ensure the privacy risk is completely eradicated. The old complications present in this process expand under the CCPA, as the dimensions of what is protected have expanded. Most privacy programs will require modification to accommodate the imposed requirements pertaining to California residents, such as protecting data inferences.”

“Beyond the PI elements listed, companies need to also pay closer attention to employee data, and one of the chief challenges is that publicly available information is no longer a full-blown exemption. The only data exempted is government offered.”

“The combination of the increased capacity of artificial intelligence to repurpose and study data against the CCPA’s rigor will deeply complicate the de-identification process.”

Details from the International Association of Privacy Professionals.

The FTC is stepping up privacy enforcement – reports Bloomberg Law’s Sara Merken.

“The Federal Trade Commission is issuing specific data security requirements to companies as part of agency settlements, policing businesses more aggressively than before, attorneys and former staff said.”

“Mandates in related consent orders, such as directing senior officers to provide annual compliance certifications to the FTC, go farther than previous requirements and will likely reappear in future orders in settlements with other companies.”

“The moves, and a separate proposal to add specific provisions to a financial data security rule, come as Congress weighs whether to give the commission more authority over companies’ data security and privacy practices.”

“Some of the specific requirements in recent FTC consent orders include new mandates to implement data access controls for databases that store personal information, encrypt certain data like Social Security numbers, as well as new obligations for third parties that assess the companies’ data security practices.”

Details from Bloomberg Law.

Click to accept – not always good enough, says the New Zealand Privacy Commissioner.

Companies need to be fully transparent about their data processing practices and take steps to ensure that this is conveyed to the individuals.

In the case of a “clicked consent,” the Commissioner will also check:

  • Why the company believes that the click actually conveys an authority to undertake the action.
  • What research was done to establish the number of people who read the terms.
  • How many times customers click the link to the terms or privacy policy before clicking the consent box.
  • Whether those who do click spend long enough on the privacy policy page to actually read it.

“If you are telling customers in the ‘click to consent’ box that their information will be used to ‘enhance the services we can provide you,’ and page 35 of the legalese-dense privacy policy says that all your transaction information will be available to U.S. data brokers – this may be a violation of the NZ Privacy Act obligations for transparency and fairness (in particular for children and other vulnerable consumers).”

Details from the office of the New Zealand Privacy Commissioner.

Passports and biometric data would be included in the types of personal information covered by California’s data breach notification law, under a bill that passed the state Senate and is headed to Gov. Gavin Newsom.

A.B. 1130 by Assemblyman Marc Levine (D) would also add taxpayer and military identification numbers, and other unique government identification numbers, to the law, which has been in place since 2002.

“California would join twelve other states that already include biometric data in data breach notification laws, and another 13 that include passports, if it enacts the bill, Sen. Bob Wieckowski (D) said as he presented the bill on the Senate floor.”

“‘Unlike a credit card number, the consumer’s biometric information cannot be changed in the event of a breach, making its unauthorized disclosure all the more dangerous,’ a coalition of the groups told lawmakers in a letter of support.”

Details from Bloomberg Law.

Ireland’s privacy regulator is weighing potential probes into how some online companies handle children’s data.

The Irish privacy office is “scoping” children’s privacy enforcement actions.

“There will absolutely have to be changes and will be changes in terms of how” online companies handle children’s data… It’s a “big area of importance” for the commission – said Helen Dixon, the Data Protection Commissioner of Ireland.

Details from Bloomberg Law.