A survey shows that most companies are not yet ready for the California Consumer Privacy Act (CCPA), and this includes companies that have undergone compliance processes for the EU General Data Protection Regulation (GDPR).

CCPA is not GDPR or a subset of GDPR. It is a different law with different requirements, and preparing for it will require its own time and attention.

More from Forbes.

Privacy law experts warn companies not to assume they can comply with the California Consumer Privacy Act (CCPA) because they are in compliance with the EU’s General Data Protection Regulation (GDPR).

“The fact is, CCPA is not GDPR, and it is different. There certainly are things that you probably built for GDPR that will be helpful, but CCPA deserves its own attention,” said J. Trevor Hughes, president and CEO of the International Association of Privacy Professionals (IAPP) at a privacy panel at RSA 2019.

Details from SC Magazine.

GDPR does NOT:

  • prohibit a hairdresser from telling a customer what hair color they used on their hair
  • prevent the fire department from telling a property management company whether there had been a fire in one of its properties
  • ban or impede the sharing of medical or health data when needing to attend to an unconscious patient

It does require that organizations consider, in advance and at a policy level, how to carry on such data sharing practices while still ensuring personal data are adequately protected. In an effort to address misconceptions about the regulation, the Irish Data Protection Commissioner has issued the first in a series of posts busting GDPR myths.

Details from the Irish DPC.

If a use of their information makes the individual go “huh, why did that happen?”, then you, the company providing a service that utilizes that data, may have a data protection problem on your hands.

This was a key takeaway from the U.S. Senate Committee on the Judiciary hearing on “GDPR & CCPA: Opt-ins, Consumer Control, and the Impact on Competition and Innovation”.

“Here is my basic concern”, said Sen. Josh Hawley, R-Mo, “Americans have not signed up for this, they think the products [they are being offered] are free; they’re not free. They think they can opt out; they can’t opt out. It’s kind of like that old Eagles’ song, ‘You can check out any time you like, but you can never leave.’ And that’s a problem for the American consumer; it’s a real problem.”

Details from the International Association of Privacy Professionals.

The European Data Protection Board (EDPB) has weighed in on the ePrivacy Regulation:

  • EU legislators should intensify efforts towards the adoption of an ePrivacy Regulation, which is necessary to complete the EU’s framework for data protection and confidentiality of communications.
  • The ePrivacy Regulation must under no circumstances lower the level of protection offered by the current ePrivacy Directive 2002/58/EC and must complement the GDPR by providing additional strong guarantees for all types of electronic communications.
  • The ePrivacy Regulation is necessary to ensure a level playing field and legal certainty for market operators.

Details from the EDPB.

Data protection and political campaigns – European Data Protection Board (EDPB) issues a statement.

Key points:

  • Personal data revealing political opinions is a special category of data under the GDPR, and, in most cases, processing it will require explicit, specific, fully informed, and freely given consent.
  • Using personal data made public, like on social media, or otherwise shared by individuals, is still subject to obligations concerning transparency, purpose specification and lawfulness.
  • Companies must provide sufficient information to the individuals who are being analyzed and whose personal data are being processed, even if they are data brokers and not consumer-facing.
  • Automated profiling connected to targeted campaign messaging may, in certain circumstances, cause “similarly significant effect” requiring explicit consent of the individual.
  • In case of targeting, companies should provide adequate information explaining why the person is receiving a particular message, who is responsible for it and how the person can exercise his/her rights as a data subject.

Despite their distrust of tech giants and lack of confidence in their privacy practices, people aren’t likely to go out of their way to safeguard their information, shows a survey of nearly 4,000 people across generations.

Per the survey:

  • 33 percent of respondents claim to read end user license agreements
  • 66 percent either skim through or ignore EULAs entirely
  • 47 percent know which permissions their applications have
  • 53 percent use password managers
  • 29 percent reuse the same password across websites; among Millennials, that figure was 37 percent

Details from Dark Reading.

Cookies and trackers sat on a wall, cookies and trackers had a great fall…

The Dutch data protection authority, Autoriteit Persoonsgegevens (AP), holds that a cookie banner that does not let you enter a website unless you accept tracking cookies (a so-called “cookie wall”) is not permissible under the EU General Data Protection Regulation (GDPR).

If companies want to track people using tracking cookies, tracking software or other digital methods, they must get the users’ consent for this. In the case of cookie walls (no permission means no access), consent is not duly given, because under GDPR consent must be “freely given”: if you have no real or free choice, or cannot refuse consent without adverse consequences, the consent is not deemed freely given. The AP has stated that it will intensify its monitoring of compliance in this area.
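As an added example (not code from the page or from the Dutch AP), here is the cookie-wall pattern the AP ruled against, modelled beside a consent gate that keeps the page accessible and loads each tracker only on a valid, per-purpose opt-in. The consent record shape, the purpose names and the policy version are assumptions made for this example; it runs under Node with no DOM, so the “page” is just a decision object.

```javascript
// Added example (not code from the page or from the Dutch AP): the "cookie wall"
// gate the AP ruled against, beside a consent gate that keeps content accessible
// and loads each tracker only on a valid, per-purpose opt-in.
// Runs under Node with no DOM: the "page" is just a decision object.

const TRACKING_PURPOSES = ["analytics", "advertising"];

// Policy/banner version the user must have seen; assumed value for this example.
const CURRENT_POLICY_VERSION = 3;

// Consent record shape, as a banner might persist it (an assumption for this
// example, not a standard format):
//   version:   banner/policy version shown to the user
//   decidedAt: ISO timestamp of the user's action
//   action:    "accept" | "reject" | "dismiss" | "scroll"
//   choices:   explicit per-purpose decisions, e.g. { analytics: true }

// Cookie wall: no acceptance, no content. Dismissing, rejecting or simply
// arriving at the page all keep the wall up, which is why the choice is
// not "freely given".
function cookieWallDecide(record) {
  const accepted = Boolean(record) && record.action === "accept";
  return {
    renderContent: accepted,
    loadTrackers: accepted ? [...TRACKING_PURPOSES] : [],
  };
}

// A valid opt-in for one purpose: an affirmative action, under the current
// policy text, with that purpose explicitly ticked.
function hasValidOptIn(record, purpose) {
  if (!record) return false;
  // Only an affirmative click counts; scrolling past or closing the banner does not.
  if (record.action !== "accept") return false;
  // Consent collected under an earlier policy version is not informed consent for this one.
  if (record.version !== CURRENT_POLICY_VERSION) return false;
  // Per-purpose: a purpose the user never ticked is not consented to. A banner that
  // pre-ticks boxes would write `true` here by default and must be fixed at the banner.
  return Boolean(record.choices) && record.choices[purpose] === true;
}

// Consent gate: content always renders; trackers load individually on a valid opt-in.
function consentGateDecide(record) {
  return {
    renderContent: true,
    loadTrackers: TRACKING_PURPOSES.filter((p) => hasValidOptIn(record, p)),
  };
}

// Constructed sample records for the cases a banner has to handle.
const SAMPLE_RECORDS = {
  firstVisit: null,
  dismissed: { version: 3, decidedAt: "2019-03-08T10:00:00Z", action: "dismiss", choices: {} },
  analyticsOnly: {
    version: 3, decidedAt: "2019-03-08T10:01:00Z", action: "accept",
    choices: { analytics: true, advertising: false },
  },
  staleFullAccept: {
    version: 2, decidedAt: "2018-05-25T09:00:00Z", action: "accept",
    choices: { analytics: true, advertising: true },
  },
};

// Side-by-side comparison of both gates over a set of records.
function compareGates(records = SAMPLE_RECORDS) {
  const out = {};
  for (const [name, record] of Object.entries(records)) {
    out[name] = { wall: cookieWallDecide(record), gate: consentGateDecide(record) };
  }
  return out;
}

if (typeof require !== "undefined" && require.main === module) {
  console.table(
    Object.entries(compareGates()).map(([name, r]) => ({
      record: name,
      wallRenders: r.wall.renderContent,
      gateRenders: r.gate.renderContent,
      gateLoads: r.gate.loadTrackers.join(",") || "(none)",
    })),
  );
}
```

The point of the comparison is that the compliant gate never makes access depend on the decision: a first visit, a dismissed banner and a rejection all render the page with no trackers, while a stale or partial acceptance loads only what was explicitly and currently agreed to.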

Details from the AP.

Much like your credit report, where you can check who has been accessing and using your credit information and make corrections, so it should be with the rest of your personal information, says Sen. Reuven Carlyle, D-Seattle, sponsor of Senate Bill 5376, which has passed the Washington state Senate.

The privacy bill, taking pages from the European Union’s General Data Protection Regulation (GDPR), would require companies to disclose what information they are collecting and to give individuals the ability to access, correct and sometimes delete it.

It also would require an individual’s consent for the use of facial recognition in order to profile people in places open to the public — such as retail stores.

The bill, which passed the Senate by a vote of 46-1, now goes to the state’s House of Representatives for consideration.

Details from The Seattle Times.

FTC, the De Facto Privacy Regulator.

The Federal Trade Commission “has settled or litigated more than 60 law enforcement actions against businesses that allegedly failed to take reasonable precautions to protect consumers’ data,” said FTC Bureau of Consumer Protection Director Andrew Smith in testimony before a Senate Homeland Security and Government Affairs Subcommittee.

Cases have included actions against manufacturers of consumer products such as smartphones, computers, routers and connected toys, as well as against companies that collect consumers’ sensitive personal information.

Other points discussed:

  • The FTC brings cases under provisions of the Gramm-Leach-Bliley Act, the Fair Credit Reporting Act, and the Children’s Online Privacy Protection Act.
  • It has used its authority under Section 5 of the FTC Act to stop companies that allegedly engaged in unreasonable data security practices, or that made misleading statements or omissions about data security.
  • FTC supports new data protection legislation that would give it the ability to seek civil penalties for effective deterrence; and jurisdiction over nonprofits and common carriers.

Details from the FTC.