“New York Gov. Andrew Cuomo recently signed legislation that will effectively prohibit ambulance and first response service providers from disclosing or selling patient data to third parties for marketing purposes.

The bill was signed into law on October 7. The new law bans the sale of patient data or individually identifying information to third parties, outside of sales to health providers, the patient’s insurer, and other parties with appropriate legal authority.

Under the law, all information that can be used to identify a patient is protected from sales for marketing purposes, such as advertising, detailing, marketing, promotion, or any activity used to influence sales.”

Details from HealthIT Security.

“Companies doing business in California may face a heightened risk of litigation when the state’s new privacy law takes effect in January, litigation and privacy attorneys say,” reports Bloomberg’s Sara Merken.

“The California Consumer Privacy Act clears the way for state residents to sue companies for data breaches involving certain information, if a company fails to maintain reasonable security. Californians can seek damages of between $100 and $750 per consumer per incident under the law. That may mean millions of dollars for some companies, attorneys said.”

“Corporate and plaintiffs’ attorneys alike expect some questions to be fleshed out in litigation, including what constitutes sufficient reasonable security and an adequate cure, because neither is defined under the law, attorneys said.” “California’s preexisting data breach statute allows for a private right of action, but the reality is that proving damages in a data breach case can be a heavy lift,” Cruz said. “The CCPA eliminates that hurdle for some plaintiffs by dispensing with the need to prove actual damages.”

Details from Bloomberg Law.

A new study estimates the costs of California Consumer Privacy Act (CCPA) compliance:

“California’s new privacy law could cost companies a total of up to $55 billion in initial compliance costs, according to an economic impact assessment prepared for the state attorney general’s office by an independent research firm.”

“On the low end, the researchers estimated that firms with fewer than 20 employees might have to pay around $50,000 at the outset to become compliant. On the high end, firms with more than 500 employees would pay an average of $2 million in initial costs, the researchers estimated.”

Details from CNBC.

The California Attorney General has issued long-awaited draft regulations for the California Consumer Privacy Act (CCPA), which is scheduled to take effect in 2020.

High level takeaways:
  • Big emphasis on disclosure and transparency: both format and content of the privacy notices.
  • Separation between the privacy notice for “at or before collection of information” and the “website privacy policy.”
  • Emphasis on documenting the reasons for actions taken (e.g. declining to delete data in response to a request).
  • Specific instructions on how to respond to requests (Hint: can’t wait until day 44 to reply).
  • Guidance on timing for response (Hint: time needed to verify does not extend the 45 days).
  • Detailed guidance on how to verify the identity of a requesting consumer.
  • Expanded requirements for companies collecting information of 4 million or more consumers (Hint: disclose stats on consumer requests and median time it takes to respond).
  • Guidance on the methods for exercising the rights.
  • Detailed guidance on how to calculate the value of the consumer’s information in order to offer a lawful financial incentive.
  • Detailed guidance re: CCPA-specific training.
  • New records retention requirement for consumer request logs.
  • Possible to express an opt-out request through browser preferences/user-enabled privacy controls.

Read the full text of the draft regulations.

A local Munich court has interpreted the right of access under Article 15 of the GDPR and German law. Here are some key takeaways for GDPR and for consumer access requests under the CCPA:

  • The right of access under GDPR is a comprehensive right concerning the stored or processed personal data.
  • It includes all data, such as name or date of birth, as well as any characteristics that can make a person identifiable, e.g. health data, account number, etc.
  • It does not include the business’ internal actions, such as endorsements, any changes in correspondence, information the person concerned already knows, or legal reviews or analyses. (A view not necessarily supported by the GDPR.)
  • No specific form is required for the information. While there is an obligation to produce copies of the information, this may not be required if the relevant content is produced otherwise.
  • In certain cases, disproportionate effort for the business in producing the information may be an exception to the requirement to produce information.
  • Unfairness may also be an exception to the right of access.

Read the full text of the opinion.

New York City lawmakers have proposed three bills that would regulate the use of facial-recognition software by business owners and landlords, The Wall Street Journal reports.

If passed, landlords and business owners would be required to:

  • register the technology with a public database
  • post signage stating the tech is being used

Landlords would also have to provide manual keys if they have an electronic entry system.

Details from the International Association of Privacy Professionals.

The Singapore Personal Data Protection Commission has issued guidance on privacy disclosures:

  • Highlight information that may be of particular concern to individuals, such as purposes of use or situations where personal data will be disclosed.
  • Use headings, titles and sections especially when the notification is expected to convey a lot of information.
  • Use a layered notice that lists the most important or basic information more prominently.
  • Use just-in-time notices.
  • Use a font size that is comfortable to the eye.
  • For mobile — use a mobile-friendly format.
  • Manage the overall length of the notification by being clear and to the point.
  • Use visual illustrations, if necessary, to emphasize or direct readers to important information.

Details from Singapore’s Personal Data Protection Commission.

The Irish Data Protection Commission (DPC) does not have any power to order an organization to pay compensation to an affected data subject.

In the case of administrative fines, any funds collected from these fines go to the state exchequer. In addition to the powers the DPC has to enforce data subjects’ rights, individuals are also free to take private civil actions against organizations where their rights have been infringed, although the DPC does not have any formal role in this process.

A data protection action can be taken before the courts by an individual or by a not-for-profit body, organization or association on behalf of the individual. Individuals are entitled both to make a complaint to the DPC and to take a data protection action against an organization, as the right to take such an action is ‘without prejudice’ to the other rights or remedies available to individuals.

Read the Irish DPC’s full statement.

The DSK, the joint coordination body of the German data protection authorities, has recently set out a new model for calculating EU General Data Protection Regulation fines, which, if adopted and applied, is likely to lead to higher GDPR fines, more frequently at the top end of the maximum fine limits under Article 83.

Some German authorities have started applying this new model in practice; for example, the Berlin data protection commissioner has already announced her intention to impose multimillion-euro GDPR fines based on this model.

Some of the first cases defending clients against fines calculated under this new model are being heard.

Per the guidelines, parent companies and subsidiaries are regarded as an economic unit, so that the total turnover of the group of companies is taken as the basis for calculating the fine.

Details from the International Association of Privacy Professionals.

A U.S. online privacy bill is not likely to come before Congress this year, three sources told Reuters.

Lawmakers disagree over issues such as whether the bill should preempt state rules. The sources, who are involved in the negotiations, still think it is possible that at least one discussion draft of the bill could land before the year ends. But congressional negotiators must still agree on whether it is adequate simply to ask consumers to consent to the collection of personally identifiable information and give them the opportunity to opt out, and on how the new law would be enforced.

They are also negotiating how much information should be deemed private and where one should draw the line in terms of exchange of consumer information with third parties, the sources said.

Details from Reuters.