General Data Protection Regulation (GDPR)

The Ohio Personal Privacy Act, also known as House Bill 376, is being considered in the Buckeye State.

Here are a few takeaways:

  • Enforcement by Attorney General only
  • Affirmative defense for companies that maintain and comply with a written privacy program that reasonably conforms with the NIST Privacy Framework.
  • “Business” includes non-profits
  • Similar to Virginia

As always, it was great fun speaking with Future of Privacy Forum’s lovely and knowledgeable mobility guru Chelsey Colbert during Part 2 of OneTrust DataGuidance’s connected vehicles and data protection presentation.

Here are some takeaways from our chat:

  • In the Cold War spy series “The Americans,” characters kept changing their route to and from their

CNIL, the Commission Nationale de l’Informatique et des Libertés, which is France’s Data Protection Authority, publishes a framework to deal with post-Schrems II cross-border transfers following the European Data Protection Board’s final guidelines on supplemental transfer measures:

Step 1
  • Inventory your transfers (involve: DPO, information systems department, purchasing department, operational managers of services, digital service

Third country laws – more than meets the eye. In practice – problematic legislation in disguise.

The European Data Protection Board has issued a “Transformers” style plan for assessing whether or not you can transfer information to a third country.

  • Controllers and processors are to conduct a thorough risk assessment of the laws of the

Maybe someone is reading them after all? European Commission opens for consultation its report of the sector inquiry into consumer internet of things (IoT) devices.

The report shows that in addition to quality, brand reputation and privacy, the number of users plays a crucial role in competition. The privacy notice of the relevant device is

Several German Data Protection Authorities commence independent investigation of cross border transfers of personal data in violation of Schrems II.

The investigation has commenced by sending companies a questionnaire regarding, among other things, the use of service providers for:

  • sending e-mails
  • hosting of websites
  • web tracking
  • the administration of applicant data
  • the internal exchange of customer

C is for ‘cookie,’ and that’s not good enough for me.

NOYB, the privacy organization based in Vienna, Austria, is moving on hundreds of companies who use unlawful cookie banners. They have sent over 500 draft complaints so far, hoping to end “cookie banner terror.”

Per NOYB, “users must be given a clear yes/no option.

The UK Information Commissioner’s Office is calling for collaboration with UX and design firms for the implementation of the Age-Appropriate Design Code.

Per the ICO:

“We know that the aims of the design community align with this vision set out in the Children’s Code and can see design practices evolving. Designers are more conscious of

Hey voice assistant: you’ve got some complying to do.

The European Data Protection Board has issued draft guidelines on the data protection aspects of using the increasingly prevalent virtual voice assistants.

Some key points:
  • Transparency is key but is also not easy to do well: 30 pages of single-spaced privacy notice won’t cut it. Think