“We see your CCPA and we raise you some GDPR,”  says Washington state with a new privacy bill.

If passed, the Washington Privacy Act would go into effect on July 31, 2021 and would enact a comprehensive law that includes individual rights that go beyond CCPA.

Key provisions that go beyond CCPA:
  • Strong provisions that align with GDPR (e.g data minimization, purpose limitation, controller processor distinction)
  • Commercial facial recognition provisions
  • Obligations to perform data risk assessments
  • Opt-in consent for the processing of sensitive data (including information from a “known child”)
  • Opt out of profiling in furtherance of decisions that produce legal, or similarly significant effects
  • Consumer rights exceptions for processing “pseudonymous data”
  • Exceptions to the right of access
Key similarities with CCPA:
  • Broad definition of personal data
  • Similar requirement re: privacy notice (transparency)
  • Individuals’ core rights to access and delete data
  • Right to opt out of sale of information
  • Right not to be discriminated against
  • Exclusive enforcement by AG; no private right of action

Details from the Future of Privacy Forum.

A new study has found only 11.8% of the most popular Consent Management Platforms (CMPs) used on UK websites meet the minimal requirements under GDPR and Europe’s eDirective regulations regarding cookies and consent.

The researchers’ scraper was used to determine whether a consent form met GDPR and eDirective requirements.

The rules say consent must be explicit. So, for example, users must click a button rather than just hop straight through to the website; all aspects of consent must be equally easy to reject as to accept; and pre-ticked boxes are not allowed.

Of the 10,000 websites scraped that used a CMP form, the researchers found that implicit consent is present on a third of websites. The researchers also found that CMPs make rejecting all tracking “substantially more difficult than accepting it.”

Details from ZDNet.

“In California we are rebalancing the power dynamic by putting power back in the hands of consumers. I encourage all Californians to take a moment to understand their new rights and exercise these rights to take control of their personal data,” wrote California Attorney General Xavier Becerra.

“Becerra has issued an advisory for consumers highlighting their new rights as part of the California Consumer Privacy Act (CCPA), which went into in effect on January 1, 2020. The advisory describes consumers’ basic privacy rights under the CCPA and methods for consumers to exercise those rights, information about the data broker registry, and new guidelines related to data security.”

Read the full advisory.

“Adequacy” seems to be the hardest word.

On the brink of Brexit and the UK becoming a “third country” without a so called “adequacy” status for the cross border transfer of personal data from the European Union — Could California have its own Privacy Shield arrangement separate from the rest of the U.S.?

This question emerged during the third annual review of the data-transfer agreements at the European Parliament. If the Court of Justice of the EU invalidates Privacy Shield, and California applied for an adequacy decision, would the European Commission consider such an application?

“The response from the commission was, in principle: yes. ‘The GDPR provides expressly for the possibility to recognize as adequate a territory at sub-federal level…So the Californian process is ongoing…but in principle, the answer is yes.’”

The harder, and more substantive questions of “Whether the California law would be adequate, whether it would have comparable independent oversight, whether data could be retained within California or whether the state has the constitutional power to ask for such an agreement were not within the scope of the hearing.”

Details from the International Association of Privacy Professionals.

On the sixth day of CCPA the California Senate Health Committee gave to me … a HIPAA carve-out.

AB 713, reported favorably by the California Senate Health Committee, would expand the exemption related to HIPAA and medical research.

Specific carve-outs:
  • De-identified PHI or medical information, provided that the business does not attempt nor actually re-identify the information
  • “Business associates”
  • Personal information collected for, or used in, biomedical research subject to institutional review board standards and the Common Rule.
  • Personal information collected for or used in research, subject to all applicable ethics and privacy laws, if the information is either individually identifiable health information or medical information.
Additional change:

Required disclosure, in the privacy notice, of whether information de-identified under HIPAA has been disclosed/sold in the preceding 12 months and if so, whether it had been de-identified using the “expert method” or the “safe harbor method”

Details available on the California Legislative Information website.

How much is that privacy in the window? Researchers behind experiments on people’s willingness to pay for privacy, including Angela Winegar, Cass Sunstein and Alessandro Acquisti argue that consumers’ behavior and preferences aren’t a reliable indicator of how they value their own privacy, let alone how a society as a whole should value it.

“Study after study has found that people’s valuations of data privacy are driven less by rational assessments of the risks they face than by factors like the wording of the questions they’re asked, the information they’re given beforehand, and the range of choices they’re presented. They’re easily manipulated by small, immediate incentives, and easily deterred by something like requiring a single extra click.

As long as [privacy is] viewed in economic terms, as a good to be bought, sold, and traded off between consumers and corporations, tech companies will have the upper hand, because individuals’ choices are so easily manipulated. An alternative, suggests Acquisti, is to view privacy more like a human right: something everyone deserves, whether they fully grasp its value or not.

Will Oremus of One Zero, a Medium publication about technology and science, explores the debate over the true value of online privacy. 

Wherefore art thou GDPR?

Some EU supervisory authorities are voicing dissatisfaction with enforcement of GDPR to date.

“After nearly one and a half years we must concede that we have a huge problem with the enforcement of cross border processing especially by globally acting companies,” says a spokesperson for the Hamburg data protection authority authority, referring to cases that concern web users in more than one country. “It is absolutely unsatisfactory to see that the biggest alleged data protection violations of the last 15 months with millions of individuals [concerned] are far away from being sanctioned.”  

Politico provides an in depth overview of complaints against failure to enforce, specifically by the supervisory authorities of Ireland and Luxembourg, and what can be done about this.

Read the full piece in Politico.

French Data Protection Authority CNIL has weighed in on CCTV surveillance in schools.

CNIL received 25 complaints regarding systematic surveillance of students throughout their day, whether during their recess, during their lunch in the canteen or even during their class time. These cameras also made it possible to film almost constantly a part of the staff.

“It is possible to film access to buildings (entrances and exits) and circulation areas, in particular to ensure the safety of students, agents and property and to avoid, in particular, malicious intrusion,” the agency said. “But, except in exceptional circumstances, a video surveillance system placing pupils or employees under systematic and continuous surveillance in their places of life and work is excessive.”

Details from CNIL.

“Though it’s hard to predict what will happen with regard to a federal privacy bill in 2020, the reality is that the CCPA is here and other states will surely follow,” writes Jedidiah Bracy of the International Association of Privacy Professionals.

“In addition to driving policy talks in the nation’s capital, the CCPA may also become a blueprint for other U.S. states to issue their own laws. New York, Illinois and Washington state are all expected to issue draft laws in 2020…”

“States will also continue to pass more sectoral privacy laws. Last year, Maine and Nevada passed sector-specific privacy laws, and Illinois is expanding privacy protections for users of genetic testing kits. New York’s Stop Hacks and Improve Electronic Data Security Act goes into effect March 21, 2020, and “is bound to have far-reaching implications for (chief information security officers) from Wall Street to Upstate.”

Read the full article.

The Digital Advertising Alliance (DAA) announced that its web- and app-based tools are expected to go live on Jan. 1, 2020, as the California Consumer Privacy Act (CCPA) takes effect.

The web-based tool will enable consumers to express an opt out from sale of their personal information, including its use for interest-based advertising, by companies that collect data across sites and are offering a CCPA opt out to the sale of information through the tools. (An app version of the tool will provide the same breadth of control for companies in the in-app world).

The tool allows opt out from sales by third parties of data collected on publishers websites. The DAA has said that publishers should seek their own technical tools to help them meet their requirements under the DAA’s guidelines and the CCPA itself.

Consumers will be able to access the tools through standardized CCPA-specific links on publisher sites and apps that include a new green icon similar to the existing YourAdChoices and PoliticalAds icons.

The web tool also can be accessed directly at www.privacyrights.info, while the app will be available through the major app stores and the DAA’s YourAdChoices site.

More details here from the DAA.