It’s 2021 and people will (hopefully) soon be back to planning vacations and staying at hotels.

In this 30 minute video for HospitalityNet, Odia Kagan, a partner in Fox Rothschild’s Privacy & Data Security Practice, discussed the five top things hotels should think about relating to data privacy compliance.

  1. Privacy disclosures: Are they complete? Do they talk about offline collection of data too? Are they specific enough? Are they clear?
  2. Do Not Sell My Personal Information link: Do you need one? How do you put one in? Does the California Attorney General care about cookies? (Hint: yes).
  3. California Privacy Rights Act (CPRA): What to do to prepare? Look at data minimization, retention limitation, profiling and privacy risk assessments (DPIA).
  4. Federal Trade Commission: Do you have robust data governance? A person in charge of privacy? Internal policies? A data breach response plan?
  5. What can you, in light of the Schrems II decision, do (besides cry) if you are a multinational chain that shares data between EU and U.S. entities?

California Consumer Privacy Act-like regulations may be coming to a New York business near you. State lawmakers have reintroduced two key pieces of data privacy legislation for the new session.

New York state’s “do not sell my personal information” bill was reintroduced in the Senate and referred to the Senate Consumer Protection Committee.

The bill has many similarities to CCPA, including that it:

  • Requires businesses to disclose the collection of personal information.
  • Requires businesses to disclose the categories of personal information sold and the identity of the third parties to whom it was sold.
  • Gives individuals the right to opt out of such sale.
  • Requires businesses to provide two methods for submitting requests (a website and a toll-free phone number).
  • Requires a “do not sell my personal information” link on the homepage.

In addition, the bill:

  • Provides a private right of action to individuals.
  • Allows cities and counties to set additional (higher) requirements.
  • Requires the New York Attorney General to set forth regulations on a number of topics.

At the same time, the New York Privacy Act was reintroduced in the New York State Assembly and referred to the Assembly Committee on Consumer Affairs and Protection.

This bill also has some similarities to CCPA and contains General Data Protection Regulation concepts like objection to processing, rectification of inaccurate information and limitations on automated decisions based on profiling.

In addition, the bill:

  • Creates the concept of a “data fiduciary” and prohibits a business from using, processing or transferring to a third party the personal data of consumers without the consumer’s express and documented consent.
  • Requires businesses to exercise the duty of care, loyalty and confidentiality expected of a fiduciary with respect to securing the personal data.
  • Prohibits a business from using personal data, or data derived from it, in any way that will benefit the service provider to the detriment of the consumer.
  • Requires a business to take steps, including periodic auditing, to ensure that the parties with whom it shares personal data also fulfill the duties of care, loyalty and confidentiality.
  • Contains a detailed definition of “privacy risk.”
  • Addresses the situation of multiple controllers and the allocation of liability among them.

The Spanish Agencia Española de Protección de Datos (AEPD) has issued a press release on the data protection implications of ‘IoB’ (internet of body) devices. These are devices connected to the Internet that monitor and/or act on vital signs, biometric data, and health indicators (e.g. physical activity, sleep quality, and sports activity).

IoB devices include external, implanted and body-fused devices.

Key takeaways:
  • Reliability, robustness against cyberattacks and the resilience of all the processing in which the devices are framed must be as high as possible.
  • Apply the principles of data protection by design and by default, in addition to security measures.
  • Be mindful that connectivity through the internet entails the generation of metadata, including geolocation data, which could lead to the profiling of individuals and to inferences about emotional reactions, cognitive abilities, mental health, preferences, etc.
  • Assess the risks of the processing operations in which these devices are incorporated, not only of the devices themselves.
  • Assess third-party access to the data.

Read the full release.

The Australian Cyber Security Center has published a guide on identifying cyber supply chain risks in suppliers, manufacturers, distributors and retailers.

A key area flagged is foreign control, influence and interference; the guide suggests a questionnaire for suppliers that includes the following questions:

  • What access might a foreign government gain in controlling or interfering with the business?
  • What access do the business’ products or services have within their customers’ environments?
  • Where does the business operate?
  • Where is the business headquartered?
  • Who has controlling shares in the business?
  • What are the nationalities of board members and key employees?
  • What ties do board members and key employees have to the government of countries they operate in?
  • Is there any evidence of corrupt or criminal activities by board members or key employees?

Other areas flagged include:

  • Poor security practice
  • Lack of transparency
  • Access and privileges

Read the full text of the Australian Cyber Security Center guide.

A new New York state law prohibits the use of biometric technology in New York state schools until the later of (i) July 1, 2022 or (ii) the Commissioner of Education completes a study and issues a report to facilitate the creation of a comprehensive statewide regulatory system governing the use of such technology. The report is required to consider:

  • the privacy implications of collecting, storing, and/or sharing biometric information of individuals entering a school;
  • the potential impact of the use of biometric identifying technology on student rights; and
  • whether, and how, such technology may be used for school security.

The bill provides a detailed definition of the term biometric information: “any measurable physical, physiological or behavioral characteristics that are attributable to a person, including but not limited to facial characteristics, fingerprint characteristics, hand characteristics, eye characteristics, vocal characteristics, and any other characteristics that can be used to identify a person including, but not limited to: fingerprints; handprints; retina and iris patterns; DNA sequence; voice; gait; and facial geometry.”

Read the full text of the law.

In atypical 2020 fashion, Santa actually gave the UK the #1 present on its Christmas list: adequacy for cross-border data transfers from the EU as part of an overall trade deal.

Bloomberg reports the deal will include an interim solution for a maximum of 6 months while the European Commission considers a full adequacy decision for the UK.

The deal also requires the U.K. to suspend its own data protection rules until the adequacy decision has been finalized.

Details from Bloomberg.

Do any of these things pertain to your business?

  • Are you outsourcing your HR, IT or payroll function to a UK-based organization?
  • Are you using a UK-based marketing company to send marketing communications to your customer database?
  • Is your occupational health provider based in the UK?
  • Is your pension scheme based in the UK?
  • Are you using translation/transcribing services of a UK-based company where you might be sending personal data of employees, customers or suppliers?
  • Are you using a UK-based company to analyze data on visitors to your website?
  • Are you storing data in the UK on a server or in the cloud?

If yes to any, and you are an EU entity, then you are transferring data to the UK and need to make arrangements for the UK leaving the EU on December 31, says the Ireland Data Protection Commission in its guidance on post-Brexit data transfers.

In the absence of an adequacy decision you will need to incorporate standard contractual clauses into your agreement with UK entities and will need to conduct a Schrems II transfer impact assessment to determine what supplemental measures may be needed in addition to the clauses.

Read the full text of the guidance.

Winter is coming.

“I don’t expect a new solution instead of Privacy Shield in the space of weeks, and probably not even months, and so we have to be ready that the system without a Privacy Shield like solution will last for a while,” European Data Protection Supervisor (EDPS) Wojciech Wiewiorowski told Reuters.

“If you ask me what will be the attitude of the new administration towards the possible changes in American law on national security … that is first of all a question of our American friends and I don’t know if the Biden administration will take this topic as the most important,” Wiewiorowski said.

Details from Reuters.

Norway’s Datatilsynet does not mince words in its Brexit guidance:

“On 31 December 2020, the Brexit transition period will end. This means, among other things, that anyone who transfers personal data to the United Kingdom after this date must follow the rules on the transfer of personal data to third countries.”

“If the European Commission does not give the UK an adequacy decision before the New Year, companies that transfer personal data to the UK must ensure a transfer basis and comply with the additional terms of the Schrems II ruling if they are to continue transferring personal data after 31 December.”

Both data transmission and remote access are considered as the transfer of personal data.

Complete details from Datatilsynet.

On the first night of Hanukkah, the California Department of Justice gave to me … a fourth set of amendments to the California Consumer Privacy Act regulations … and a form opt-out button (!?)

Key changes:

Offline notice: A business that sells personal information that it collects in the course of interacting with consumers offline shall also inform consumers by an offline method of their right to opt out and provide instructions on how to submit a request to opt out.

  • If in a brick-and-mortar location, the notice can be on the paper forms that collect personal information, or by posting signage in the area where the personal information is collected directing consumers to where the opt-out information can be found online.
  • If over the phone, the notice can be provided orally during the call when the information is collected.

The regs propose a form “opt-out button.” The suggested button may be used in addition to, but not in place of, the opt-out notice and the “Do Not Sell” link.


  • If used, the button is to be placed to the left of the “Do Not Sell” link, link to the same webpage as the “Do Not Sell” link, and be the same size as other buttons on the website.

A business’s methods for submitting requests to opt-out shall be easy for consumers to execute and shall require minimal steps to allow the consumer to opt-out.