Rep. Katie Porter (D-Calif.) is preparing to take on the largest credit reporting bureaus with a data security proposal that would give consumers the right to sue after data breaches.

Porter’s bill would amend the Fair Credit Reporting Act (FCRA) to include a reasonable data security standard for credit reporting agencies… as well as other entities subject to the law.

Establishing that requirement would give consumers the ability to sue using the FCRA’s existing private right of action. Porter’s bill, which could be introduced as early as September, would fall under the purview of the Financial Services Committee and avoid the jurisdictional hurdles that have been an impediment to broader privacy legislation.

The bill also wouldn’t prescribe specific cybersecurity standards; the obligation would be a flexible “reasonable” one. That would mean the hundreds of much smaller credit reporting agencies—many of which specialize in collecting specific types of consumer information like payday loans, bank accounts, or utilities—wouldn’t be held to the same data security standards as the three giant CRAs.

Details from Bloomberg Law.

“U.S. Senators Dick Durbin (D-IL), Ed Markey (D-MA), and Richard Blumenthal (D-CT) today sent letters to numerous education technology (EdTech) companies inquiring about data collection practices on American students.

The Senators raised concerns that the learning tools used by these companies could pose a serious risk to students, parents, and educational institutions as a result of the potential for massive amounts of personal information to be stolen, collected, or sold without their permission or knowledge. Durbin, Markey, and Blumenthal also sent letters to numerous data brokers expressing similar concerns.”

“We urge you to make a clear statement to students that you are committed to transparent and fair data collection practices. We encourage you to adopt a comprehensive data privacy policy that ensures your company is directly obtaining informed consent from parents and students, and allows parents and students to fully delete any data retained by your company.”

Details from the office of Sen. Richard Durbin.

“Companies need to be vigilant as they set up their consumer response processes. This ‘verified consumer’ part is no small thing. It requires a robust commitment to accurately sourcing your verification data, skill in identifying dubious requests, and some healthy skepticism wouldn’t hurt. The emphasis now is to bend over backward to help consumers to invoke their new rights, but if this is not done well, consumers will ultimately be hurt by fraudsters tampering with their data using the consumer request mechanism.

It’s ironic that this next-gen data breach could arise out of well-meaning efforts to comply with a new privacy law. But that’s the kind of big data world we live in. A gap in expertise of this breadth — fraudsters will find a way to take advantage of this gap. With awareness and commitment, organizations will be able to dedicate resources to address such requests properly. Concurrently, perhaps this will be a topic of guidance from the California attorney general’s office.”

Full details here from the International Association of Privacy Professionals.

Meant for small and medium enterprises, a draft GDPR code of conduct for Data Processors has been submitted for approval in the Netherlands.

It contains detailed requirements for data processor compliance including:

  • Documented data protection plan
  • Information security management system based on a recognized standard
  • At least annual evaluation of your privacy and information security framework
  • Store client data separately from other clients
  • Render data inaccessible within no more than three months after client agreement ends

Read a detailed analysis with useful takeaways.

The UK ICO published a Code of Practice for use of Data in Political Campaigning for public consultation which ends October 9, 2019.

Though it officially applies to UK-based political campaigns, the code contains deep analysis of GDPR issues and can serve as useful, actionable compliance guidance for companies and organizations subject to GDPR, on topics such as how to provide privacy notice information and how to determine whether your profiling might have a legal or similarly significant effect.

Read my detailed analysis.

A study by business process outsourcer Parseq shows an upsurge in data subject access requests under GDPR.

  • Almost two thirds of London firms (62 percent) saw an increase in data access requests from customers and their own employees in the 12 months following the GDPR’s introduction in May 2018.
  • More than one in ten (13 percent) businesses in the capital experienced an increase of more than 50 percent in the volume of requests.
  • Almost nine in ten (87 percent) firms that have seen an increase in requests reported that they’d found effectively responding to them challenging, citing cost (58 percent) and complexity (55 percent) as the biggest obstacles.
  • Two fifths (40 percent) of businesses in London that had experienced an increase in data access requests cited a reliance on paper documentation as a barrier.

Details from the online publication LondonLovesBusiness.

Tell me don’t sell me.

In a new settlement order with the Federal Trade Commission, Unrollme was ordered to notify all its active users of the fact that it accesses or collects email purchase receipts for use in market research products that are sold to third parties and to delete the information of anyone that hadn’t given express consent.

Unrollme marketed a service that unsubscribes users from mailing lists they no longer want, but it also scanned inboxes for receipts and invoices and shared analytics derived from them with third parties.

Prior to May 2017, Unrollme did not state anywhere on its homepage, in its “frequently asked questions” webpage, or on any screen, that it collects, maintains, or sells information from users’ e-receipts. In addition, in response to user queries Unrollme responded with statements such as “Don’t worry, this is just to watch for those pesky newsletters, we’ll never touch your personal stuff.”

Unrollme has been ordered to make this notification by an email, consisting solely of the very detailed information the FTC required (as an exhibit to the order) with the subject line “Update: How We Use and Share Your Information.”

Details from the FTC.

Much has been discussed about the recent cookie guidance by the UK ICO and the French CNIL, but what do other data protection authorities think? In a detailed position paper, the Association of German Data Protection Authorities (Datenschutzkonferenz, or DSK) sets out its worldview on cookies and provides a very helpful, detailed guide to conducting a legitimate interest analysis.

Read my full analysis.

CISO members of the Retail & Hospitality Information Sharing and Analysis Center (RH-ISAC) published a white paper to help cybersecurity leaders in retail and hospitality prepare for compliance with the California Consumer Privacy Act (CCPA).

Key recommendations from the white paper:

  • Consider contract language that prevents third parties from selling personal information sold to them unless the consumer has received explicit notice and has been provided the opportunity to exercise their right to opt out
  • Consider expanding cookie opt-out functionality to go beyond Interest Based Advertising/Online Behavioral Advertising
  • Geotracking of company vehicles may be considered tracking of consumers
  • Conduct process-centric data mapping identifying all internal and external business processes that process personal information and data flows
  • Establish a governance program
  • Appoint stakeholder(s) to be in charge of CCPA compliance (see photo below for potential candidates)
  • Appoint stakeholder(s) to be in charge of data access/deletion requests
  • Involve stakeholders from all relevant departments
  • Gain buy-in by emphasizing the additional benefits of performing a data mapping/inventory beyond privacy

Read the full white paper.

The UK’s Information Commissioner’s Office (ICO) has announced a completion deadline for its code that will translate General Data Protection Regulation (GDPR) requirements into design standards that protect children who access online services.

The code is being refined following a consultation period and will be made final on November 23, 2019.

The ICO stated that it will allow a transition period and will support companies processing children’s personal data in implementing their privacy obligations during that period.

“The GDPR already sets out rules on how data can be used and the importance of protecting children. Our code will make the requirements clearer and help designers and developers understand what is expected of them.”

“We understand that delivering the standards set out in the code will bring challenges for the tech, e-gaming and interactive entertainment industries. There may be shifts in the design processes for online services which make greatest use of children’s data.”

“We do not want to see an age-gated internet, where visiting any digital service requires people to prove how old they are… We want providers to set their privacy settings to ‘high’ as a default, and to have strategies in place for how children’s data is handled.”

Read the ICO announcement.