General Data Protection Regulation (GDPR)

A survey shows that most companies are not yet ready for the California Consumer Privacy Act (CCPA), and this includes companies that have undergone compliance processes for the EU General Data Protection Regulation (GDPR).

CCPA is not GDPR or a subset of GDPR. It’s a different law with different requirements, for which preparation will require time and attention.

More from Forbes.

Privacy law experts warn companies not to assume they can comply with the California Consumer Privacy Act (CCPA) because they are in compliance with the EU’s General Data Protection Regulation (GDPR).

“The fact is, CCPA is not GDPR, and it is different. There certainly are things that you probably built for GDPR that will be helpful, but CCPA deserves its own attention,” said J. Trevor Hughes, president and CEO of the International Association of Privacy Professionals (IAPP) at a privacy panel at RSA 2019.

Details from SC Magazine.

GDPR does NOT:

  • prohibit a hairdresser from telling a customer what hair color they used on their hair
  • prevent the fire department from telling a property management company whether there had been a fire in one of its properties
  • ban or impede the sharing of medical or health data when needing to attend to an unconscious patient

It does require that organizations consider – in advance, at a policy level – how to carry on such data sharing practices while still ensuring personal data are adequately protected. In an effort to address misconceptions about the regulation, the Irish Data Protection Commissioner has issued the first installment in a series busting GDPR myths.

Details from the Irish DPC.

If a use of someone’s information makes that individual go “huh, why did that happen?”, then you, the company providing a service that utilizes the data, may have a data protection problem on your hands.

This was a key takeaway from the U.S. Senate Committee on the Judiciary hearing on “GDPR & CCPA: Opt-ins, Consumer Control, and the Impact on Competition and Innovation”.

“Here is my basic concern”, said Sen. Josh Hawley, R-Mo, “Americans have not signed up for this, they think the products [they are being offered] are free; they’re not free. They think they can opt out; they can’t opt out. It’s kind of like that old Eagles’ song, ‘You can check out any time you like, but you can never leave.’ And that’s a problem for the American consumer; it’s a real problem.”

Details from the International Association of Privacy Professionals.

The European Data Protection Board (EDPB) has weighed in on the ePrivacy Regulation:

  • EU legislators should intensify efforts towards the adoption of an ePrivacy Regulation, which is necessary to complete the EU’s framework for data protection and confidentiality of communications.
  • The ePrivacy Regulation must under no circumstances lower the level of protection offered by the current ePrivacy Directive 2002/58/EC and must complement the GDPR by providing additional strong guarantees for all types of electronic communications.
  • The ePrivacy Regulation is necessary to ensure a level playing field and legal certainty for market operators.

Details from the EDPB.

Data protection and political campaigns – European Data Protection Board (EDPB) issues a statement.

Key points:

  • Personal data revealing political opinions are a special category of data under the GDPR, and, in most cases, processing them will require explicit, specific, fully informed, and freely given consent.
  • Using personal data made public, for example on social media, or otherwise shared by individuals, is still subject to obligations concerning transparency, purpose specification and lawfulness.
  • Companies must provide sufficient information to the individuals who are being analyzed and whose personal data are being processed, even if they are data brokers and not consumer-facing.
  • Automated profiling connected to targeted campaign messaging may, in certain circumstances, cause a “similarly significant effect”, requiring the explicit consent of the individual.
  • In the case of targeting, companies should provide adequate information explaining why the person is receiving a particular message, who is responsible for it and how the person can exercise his/her rights as a data subject.

Cookies and trackers sat on a wall, cookies and trackers had a great fall…

The Dutch data protection authority, Autoriteit Persoonsgegevens (AP), holds that a cookie banner that does not let you enter a website unless you accept tracking cookies (known as a “cookie wall”) is not permissible under the EU General Data Protection Regulation (GDPR).

If companies want to track people using tracking cookies, tracking software or other digital methods, they must obtain the users’ consent. In the case of so-called ‘cookie walls’ on websites (no permission means no access), consent is not duly given, because under GDPR consent must be “freely given”. If you have no real or free choice, or cannot refuse consent without adverse consequences, the consent is not deemed freely given. AP has stated that it will intensify its monitoring of compliance in this area.

Details from the AP.

Much like your credit report, where you can check who has been accessing and using your credit information and make corrections, so it should be with the rest of your personal information, says Sen. Reuven Carlyle, D-Seattle, the sponsor of Senate Bill 5376, passed by the Senate of Washington state.

The privacy bill, taking pages from the European Union’s General Data Protection Regulation (GDPR), would require companies to disclose what information they are collecting and to give individuals the ability to access, correct and sometimes delete it.

It also would require an individual’s consent for the use of facial recognition in order to profile people in places open to the public — such as retail stores.

The bill, which passed the Senate by a vote of 46-1, now goes to the state’s House of Representatives for consideration.

Details from The Seattle Times.

The French Data Protection Authority, CNIL, issues guidance on credit card data in remote transactions:

  • Merchants who collect credit card details to facilitate a transaction need their customers’ consent to keep those details beyond that transaction in order to facilitate subsequent purchases.
  • This consent is not presumed and must take the form of an unambiguous act of will, for example by means of a checkbox (not pre-checked by default).
  • Accepting the general conditions of use or sale is not considered a sufficient mechanism for collecting the consent of the persons concerned.
  • The e-merchant should integrate directly into the merchant site a simple way to withdraw, without charge, the consent given.
  • The credit card data can also be used in the fight against payment card fraud.
  • Merchants can rely on their legitimate interest to keep the credit card data of customers who take out a subscription in order to benefit, paid or free, from additional services that facilitate their purchases.
  • When doing so, merchants must (1) disclose that they retain this data, (2) allow an opt-out, (3) allow deletion and (4) implement appropriate security measures.

Details from CNIL.
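The AP item above describes the cookie-wall pattern, and the CNIL item describes how card-retention consent must be collected. The following is an added illustration, not code from the AP, CNIL or any site: a minimal request handler that contrasts a cookie wall (no consent, no access) with a flow that serves the page regardless and loads trackers only after an explicit choice, plus a form parser that treats a dedicated, unchecked-by-default checkbox as the only valid signal for keeping card details. The cookie names (`consent_tracking`, `_tracker`), form field names (`save_card`, `accept_terms`) and the request/response shapes are assumptions constructed for the example; no real server or framework is used.

```javascript
// Parse a Cookie header ("a=1; b=2") into an object. Constructed helper for the example.
function parseCookies(header = '') {
  const out = {};
  for (const part of header.split(';')) {
    const idx = part.indexOf('=');
    if (idx === -1) continue;
    const name = part.slice(0, idx).trim();
    if (name) out[name] = part.slice(idx + 1).trim();
  }
  return out;
}

// Consent state is derived only from an explicit, previously recorded choice.
// Absent or malformed cookie means "undecided", never "accepted".
function consentState(req) {
  const c = parseCookies(req.headers.cookie)['consent_tracking'];
  return c === 'accepted' || c === 'rejected' ? c : 'undecided';
}

// The pattern the AP rejects: no consent means no access. Refusing has an adverse
// consequence (being locked out), so an "accept" obtained this way is not freely given.
function cookieWallHandler(req) {
  if (consentState(req) !== 'accepted') {
    return { status: 403, body: 'Accept tracking cookies to enter this site.', trackersLoaded: false, setCookies: [] };
  }
  return { status: 200, body: 'content', trackersLoaded: true, setCookies: ['_tracker=abc123; Path=/'] };
}

// Freely-given pattern: the page is served in every state; trackers load only after an
// explicit "accepted"; "rejected" is remembered so the banner is not re-shown every visit.
function compliantHandler(req) {
  const state = consentState(req);
  return {
    status: 200,
    body: 'content',
    showBanner: state === 'undecided',
    trackersLoaded: state === 'accepted',
    setCookies: state === 'accepted' ? ['_tracker=abc123; Path=/'] : [],
  };
}

// Record the user's choice. Only the two explicit values are accepted, so "accept" and
// "reject" are offered on equal footing and nothing is inferred from silence.
function recordChoice(choice) {
  if (choice !== 'accepted' && choice !== 'rejected') {
    throw new Error('choice must be an explicit accept or reject');
  }
  return { status: 204, setCookies: [`consent_tracking=${choice}; Path=/; Max-Age=15552000; SameSite=Lax`] };
}

// CNIL-style card retention: keeping card details beyond the transaction is allowed only
// if the dedicated checkbox (rendered unchecked) was ticked. Accepting the general terms is
// a separate field and is deliberately not treated as consent to retain the card.
function cardRetentionConsent(formFields) {
  const explicit = formFields.save_card === 'on';
  return {
    retainCard: explicit,
    basis: explicit ? 'consent' : null,
    termsAccepted: formFields.accept_terms === 'on', // informational only, not a consent basis
  };
}

// Stand-alone demonstration.
console.log(cookieWallHandler({ headers: { cookie: '' } }).status);                    // 403
console.log(compliantHandler({ headers: { cookie: '' } }).trackersLoaded);            // false
console.log(compliantHandler({ headers: { cookie: 'consent_tracking=rejected' } }));  // served, no trackers
console.log(cardRetentionConsent({ accept_terms: 'on' }).retainCard);                 // false
```

The design point is that `consentState` defaults to "undecided" and `compliantHandler` never withholds content, so the only way trackers load is an affirmative act recorded through `recordChoice`; likewise `cardRetentionConsent` ignores `accept_terms` entirely, matching the CNIL position that accepting general conditions does not collect consent.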

“It is important that organizations have appropriate technical and organisational measures in place. This includes having clear data protection policies, taking a ‘data protection by design and default’ approach and continuing to review and monitor performance and adherence to data protection rules and regulations” – says Adam Stevens, Head of Intelligence at the UK Information Commissioner’s Office (ICO).

In a sweep conducted by the ICO, as part of the Global Privacy Enforcement Network’s (GPEN) annual intelligence gathering operation, 356 companies in 18 countries were contacted.

Findings include:

  • 25 percent of companies had no programs in place to conduct self-assessments and/or internal audits.
  • More than 50 percent of companies indicated that they have documented incident response procedures, and maintain up-to-date records of all data security incidents and breaches. However, some indicated that they have no processes in place to respond appropriately in the event of a data security incident.
  • Nearly 75 percent of companies appointed an individual or team to ensure compliance with relevant data protection rules and regulations.

Details from the ICO.