European Union Data Protection Authorities discussed enforcement priorities at the International Association of Privacy Professionals (IAPP) Data Protection Intensive.

Key takeaways:

  • CNIL: Online advertising and cookies are a focus right now.
  • Ireland DPC: currently handling 10,000 complaints with 23 investigations into so-called big tech companies, and two investigations at the decision-making stage. An area of focus is children’s privacy.

Details from the IAPP.

What do the proposed draft CCPA regulations mean for your….Responses to Consumer Requests under CCPA?
  • Provide initial response within 10 business days
  • May provide response in same manner as the request
  • Don’t need to respond to access request if you:
    • don’t maintain the personal information in a searchable or reasonably accessible format
    • maintain the personal information solely for legal or compliance purposes
    • do not sell the personal information and do not use it for any commercial purpose
      AND
    • describe to the consumer the categories of records that may contain personal information that were not searched because it meets the conditions stated above.
  • Don’t need to list source/purpose by category; but still need to do that for categories of third parties with whom you share/sell information.
  • If you sell personal information and you get a request to delete and the consumer has not already made a request to opt out then ask the consumer if they would like to opt out of the sale of their personal information and include either the contents of, or a link to, the notice of right to opt-out.
  • When responding to a delete request, don’t need to specify the method of deletion

For details, read my in-depth analysis.

Ireland’s Data Protection Commission has published guidance on data security.

Key Takeaways

  • The most effective means of mitigating the risk of lost or stolen personal data is not to hold the data in the first place.
  • A data controller should always know what personal data they hold, where it is held and how it flows through the organization.
  • Data processors are subject to the same security obligations as data controllers.

Access Controls

  • A data controller has a duty to limit access to personal data on a “need to know” basis and regularly review access controls.
  • Multiple independent levels of authentication may be appropriate where administrators have advanced or extra access to personal data or where they have access or control of other’s account or security data.
  • There should be strict controls on the ability to download personal data from an organization’s systems.

Continue Reading Irish DPC Issues New Guidance for Data Controllers on Data Security

What do the proposed draft CCPA regulations mean for your…privacy notices?

General

  • Still need four notices: notice at collection, notice of opt out (if you sell), privacy notice and notice of financial incentive (if you have it)
  • Notices must meet WCAG 2.1 accessibility requirements
  • May use for a purpose different than those listed unless materially different
  • Don’t need to list source or purpose of collection for each category of information
BUT
  • Need to describe category, source and third parties in a manner that would be meaningful for consumers

Notice at Collection

  • Should be readily available at point of collection (whether online, offline or on mobile)
  • If you collect information from a consumer’s mobile device for unexpected purpose, add just-in-time notice with the purposes and link to your notice
  • No “do not sell” button for employee notice at collection

Notice of Opt Out

  • Can use suggested opt-out button
  • If you don’t have an opt-out notice but collect personal information, you can’t sell it without affirmative opt in

Privacy Notice

  • Still need to describe the categories of third parties to whom information was sold or disclosed, by category of information collected

For an in-depth analysis of the revised regulations, read my detailed analysis.

  • Connected cars are “terminal equipment” and consent under the ePrivacy regime is required.
  • Connected cars are IoT devices.
  • Geolocation is very sensitive; don’t collect unless necessary.
  • Implement data protection by design and default at every stage.
  • Connected cars pose unique challenged for transparency and consent – you must find ways to overcome them.

These are some of the key takeaways from the European Data Protection Board’s draft guidelines on connected vehicles.

For details, read my in-depth analysis.

What do the proposed revisions of draft CCPA regs mean for your….methods of submitting consumer requests:

  •  If you operate exclusively online, an email address to receive requests is enough.
  • If you have brick and mortar locations, consider methods such as a paper form,  a tablet or portal that allows filling the form online or a phone that calls the business’ toll-free number.
  • Two-step confirmation method for requests to delete is optional not mandatory.

Read my detailed analysis of the updated regulations.

The California Attorney General has published extensive proposed amendments to the CCPA draft regulations.

In

  • The four types of required notices
  • Greater transparency requirement
  • WCAG2.1 accessibility requirements
  • Just in time notice for unexpected use
  • Opt out button design
  • Permitted internal uses for service providers
  • Examples on discrimination / not discrimination

Out

  • Requirement to get written attestation from sources of data
  • Listing some bits by specific category(?)
  • “Typical consumer” as method of calculating value
  • Hours of much needed sleep for CCPA practitioners

For details, read my detailed analysis.

“GDPR is not a snapshot in time; it’s an ongoing deal. You have to keep going and keep reassessing; it’s an ongoing compliance process. Even companies that have done a fair amount of work likely still have more to do and maintain.”

It was a pleasure speaking with Business News Daily about GDPR 20 months in and what compliance looks like for US-based companies subject to it.

Read the full article.

“State Rep. Shannon Zimmerman said he’ll begin circulating the proposed Wisconsin Data Privacy Act, which could fine companies up to $20 million — or assess a portion of their annual revenue — if they don’t abide rules established in three bills”.”

“The first bill would allow Wisconsin residents to learn what data businesses have collected. With some limitations, businesses would be required to release a record of what they’ve collected and what they intend to do with it, according to the legislation. The bill also calls on third parties that have received users’ data to disclose what personal data they received.”

“The second bill would give Wisconsinites the right to demand a company stop collecting the data and to delete it, while the third bill outlines strict rules companies must follow for collecting personal data and how consent would be applied.”

“The third bill prohibits — with some exceptions — companies from collecting or selling personal data.”

Details from Rivertowns.net.

Marketers will need to show that they are compliant with data privacy laws.

What’s clear from all this new regulation is that:
  • “Consumers are now more aware of their data and that it is valuable.”
  • “Personalization as we have come to know it, is dead. The Holy Grail of marketing – the ability to target the right consumer, at the right time, in the right location, on the right platform, with the right message – is now even harder, because consumer consent must be sought, across all touchpoints. This makes first-party data more valuable than ever.”
  • “As third-party, cross-website cookie tracking is being phased out…the capacity of marketers to ‘know’ or identify online consumers will get harder.”
  • “New regulations change the data landscape, but there are opportunities for brands to present themselves as ‘privacy first’ to consumers who are wary of how their data is being used .”
  • “It’s important for brands to be trustworthy and transparent around consumer data – not only is it the right thing to do, it’s also good for business.”

Details from WARC.