Prep for CCPA now, enjoy compliance later.

The Future of Privacy Forum’s Stacey Gray and Polly Sanderson’s comparison of two federal privacy bills shows that steps businesses are taking to comply with the CCPA will serve them well if a federal law is passed:

  • Revise your privacy notice; draft by category: Both bills require detailed public privacy policies, including: categories of data collected/transferred, processing purposes, retention practices, and how to exercise rights.
  • Address access requests: Both bills require companies to provide individuals with a copy “or accurate representation” of their data upon “verified request” and the names of third parties to whom it has been transferred.
  • Address delete requests: Both bills require companies to correct or delete covered data of an individual and to inform service providers and third parties of the request.
  • Mind your opt-outs: Both bills establish a right to object to certain data transfers.

Closer than Apart: Comparing Senate Commerce Committee Bills

Beware the federal privacy bill.

“Although there are key differences, the two [federal privacy] bills also have important similarities:

  • a set of individual rights combined with boundaries on how businesses collect, use, and share information.
  • individual rights including access, correction, deletion and portability for personal information, along with rights to give “affirmative express consent” before the collection and processing of “sensitive” categories of information and to opt out of the sale or transfer of personal data.
  • business obligations including data minimization, use limitations, data security, and the responsibility to bind other companies that receive personal information to the same obligations.”
  • expanded FTC enforcement authority, with state attorney general enforcement authority as a force multiplier, giving the agency power to interpret specific provisions by adopting rules, along with expanded legal authority.
  • concepts from the California Consumer Privacy Act (CCPA) and the European Union GDPR, which provide benchmarks for federal enactment.

Read the full piece from the Brookings Institution below.

Game on: What to make of Senate privacy bills and hearing

If at first you GDPR, CCPA, CCPA again.

A new CCPA fact sheet published by the California Attorney General provides a concise summary of the law and sets forth some steps that entities subject to GDPR may need to take to comply with CCPA.

This includes:

  • Additional data mapping to reflect the different requirements under CCPA.
  • Review and reconcile the different definitions of personal information and applicable rules on verification for handling consumer requests.
  • Updating the privacy notice to address CCPA requirements.
  • Review and adapt contracts with service providers to reflect requirements under CCPA.

Join Peter Hense and me on December 11, 2019 at 10 am EST (1600 CET) for a webinar to discuss these and other things GDPR controllers and processors should do for CCPA compliance.

A new comprehensive federal privacy bill, the Consumer Online Privacy Rights Act (COPRA), has been introduced by Senate Commerce Committee Ranking Member Maria Cantwell (D-Wash.) and Senators Ed Markey (D-Mass.), Brian Schatz (D-Hawaii) and Amy Klobuchar (D-Minn.).

Key novel provisions per International Association of Privacy Professionals (IAPP) Research Director Caitlin Fennessy:

  • individual consent for data processing, including express affirmative consent for processing sensitive data
  • “duty of loyalty,” prohibiting covered entities from engaging in deceptive or harmful practices
  • right to correct and delete covered data
  • include retention timelines and the identity of each third party to which covered data is transferred in privacy notices
  • entities may only process covered data for specific purposes, subject to necessity and proportionality standards
  • annual impact assessment for accuracy, fairness, bias and discrimination for some algorithmic decision making
  • mandatory appointment of qualified privacy and security officers
  • enforcement authority for Federal Trade Commission and state attorneys general, as well as private citizens
  • preempt state laws that directly conflict with COPRA but not state laws that create separate and more onerous requirements

Details from the IAPP.

Read about competing federal privacy legislation in Bloomberg Law.

The Digital Advertising Alliance has published guidance on the use of a tool for opt-out requests under CCPA, issued under its (voluntary) self-regulatory principles.

  • Both the entity that owns and operates the digital property and collects Personal Information directly from a consumer (publisher) and a third party that indirectly collects Personal Information through the publisher’s digital property (third party) are required to honor California “Do Not Sell” requests.

Third Parties:

  • When a consumer exercises their California “Do Not Sell” rights through the CCPA Opt-Out Tool, third parties may use and transfer such Personal Information only for certain operations and system management purposes.
  • Must display a California “Do Not Sell My Personal Information” link leading to a notice that describes the third-party collection of personal information and links to the DAA CCPA Opt-Out Tool.
  • Must place a flag that can be read by third parties indicating that the link(s) have been placed; and
  • If a publisher collects Personal Information and transfers it to a third party, it must provide a “Do Not Sell” choice and inform the parties with whom it has shared information in the past 90 days of such consumer choice.

Details from the Digital Advertising Alliance.

The International Association of Privacy Professionals is holding its 2019 Europe Data Protection Conference in Brussels. Partner Odia Kagan, who is in attendance, shares some takeaways from day two of the event.

The Importance of Informed Consumers

When consumers feel they are more knowledgeable about the provisions of GDPR, they are more comfortable with online behavioral advertising and with sharing their data, said Caroline Wren (née Rushton).

Data Protection Takes a Village

“Just like it takes a village to raise a child, it takes a community to keep one’s data safe,” says Margarethe Vestager, European Commissioner for Competition.

Additional points:

  • Treating data as the new oil doesn’t do the status of data justice. It is more complex than just a commodity and is intrinsically tied with human dignity.
  • When using the internet we forget that data goes both ways. Whenever we search Google, Google also searches us. 
  • Not having control of our data makes us vulnerable. It allows businesses and politicians to understand us better, but also to take advantage of us.
  • Protecting data is an absolute necessity for creating a digital world that works well for humans.
  • Data should serve the consumers and not the other way around.
  • As long as there is competition, new services can emerge to help us take control and decide for ourselves.
  • Competition cannot be the only component. It needs to be complemented by data protection rules, like GDPR, which are effectively enforced.
  • We cannot expect people to read all terms and conditions and decide whether the use is appropriate. We need strong enforcement by authorities.

Privacy by Design

When implementing Privacy by Design, ensure that, by default, only personal data which are necessary for each purpose are processed.

This includes:

  • amount of personal data
  • extent of processing
  • period of storage; and
  • accessibility

This is according to Veronica Buer of Datatilsynet (Norway). Software developers, she says, play a key role in privacy by design.

Where California leads, others follow.

Washington state legislators will push for new regulations governing data privacy and facial recognition in 2020, reports GeekWire. The rules apply to companies located in Washington and companies that target services to Washington customers. Businesses that derive more than 50 percent of their revenue from the sale or processing of personal data are also subject to the regulations, even if they have fewer than 100,000 customers.

Key provisions:

  • Consumers’ right to access, delete, correct and move their data.
  • Consumers’ right to opt out of data collection.
  • Companies that collect personal information must be transparent.
  • Regular risk assessment for companies.
  • Limitation on use of facial recognition technology by state or local government.
  • Consent required for use of facial recognition in public spaces.
  • Enforcement by AG but no private right of action.

Details from GeekWire.

The International Association of Privacy Professionals is holding its 2019 Europe Data Protection Conference in Brussels. Partner Odia Kagan, who is in attendance, shares some takeaways from day one of the event.

Irish Data Commission Plans Cookie Banner Guidance

Irish Data Protection Commissioner Helen Dixon says the commission has completed a search and sweep of website cookie banners and will publish guidance on the subject using examples from the field as best practices and examples of what not to do.

Regulators Predict Next Frontiers in Privacy Regulation

  • Ulrich Kelber, German Federal Commissioner for Data Protection and Freedom of Information: Artificial Intelligence.
  • Helen Dixon, IDPC: genomics and personal health and connected cars.
  • Marie Laure Denis, president of French Data Protection Authority, CNIL: facial recognition and the associated technological, societal and ethical risks.

Regulators List Enforcement Priorities

Helen Dixon, IDPC

  • Majority of resources is dedicated to handling individual complaints.
  • Key sectors in complaints are social media, banking and telcos.
  • Majority of complaints are regarding access requests ignored completely or only partially responded to.
  • There has been a big increase in erasure requests.
  • The DPC has not been able to set its own enforcement priorities. NGOs like La Quadrature du Net and noyb are setting the tone.
  • Fines are only one aspect of enforcement, not the most important.

Wojciech Wiewiórowski, assistant supervisor, European Data Protection Supervisor

  • We try not to be only complaints driven.
  • Ban of operations is a more important tool than fines.

Mathias Moulin, director of the Protection of Rights and Sanctions Directorate at CNIL

  • 70% of the complaints are from the private sector.
  • The goal isn’t to sanction, it’s to obtain compliance. If infringement is substantial, then yes, but the first move is not to sanction.

Karolina Mojzesowicz, deputy head of data protection at the European Commission

  • Sanctions need to be proportionate but also dissuasive.
  • Fines are a helpful and useful tool.

EDPB Revising WP29 Guidance on Data Controller, Data Processor Concepts

CNIL’s Nana Botchorichvili provided an update that the EDPB is currently revising the WP29 guidance on the concepts of “data controller” and “data processor.” The guidelines will:

  • define the concepts and address the consequences of the status.
  • explain what the Article 28 Data Processing Agreement should contain and how it should be implemented
  • describe how a joint controllership relationship should be formalized: the form, the allocation of responsibilities, how to address the data subject right and how to communicate this to data subjects
  • focus on practical examples and illustrations.

Draft guidelines are expected Q1 2020.

CCPA is different from GDPR, but the two privacy laws have some similarities. CCPA imposes obligations that retailers and restaurants should pay attention to. It was a pleasure deciphering CCPA and what it means for retailers and restaurants for Reforming Retail. Read the full Q&A below.

CCPA Is Typical Legislative Overreach, But It Could Affect You Big Time

The Spanish AEPD has published guidelines on patient health data protection.

The guidelines track the requirements of GDPR as applicable to patient data including the obligation to provide adequate disclosure under Article 12 and data subject rights.

Key Takeaways

  • In the field of health care, the right to erasure (“suppression”) of clinical history data is very limited. This is because this data is meant to guarantee adequate patient care, and it is also necessary for judicial, epidemiological, public health, research or teaching purposes, as well as for the public interest or compliance with legal obligations.
  • Only the healthcare professional can determine whether the health data can be deleted.
  • Access controls must be strictly observed in a hospital setting.
  • A doctor is not authorized to know confidential information of a patient with whom they don’t have a professional relationship.
  • You may ask that your medical information be rectified. However, as it is medical data, it is the health administration professional who decides whether it is rectified.