General Privacy & Data Security News & Developments

If it makes the individual go “huh, why did that (use of my information) happen?”, then you, the company providing a service that utilizes their data, may have a data protection problem on your hands.

This was a key takeaway from the U.S. Senate Committee on the Judiciary hearing on “GDPR & CCPA: Opt-ins, Consumer Control, and the Impact on Competition and Innovation”.

“Here is my basic concern,” said Sen. Josh Hawley, R-Mo., “Americans have not signed up for this, they think the products [they are being offered] are free; they’re not free. They think they can opt out; they can’t opt out. It’s kind of like that old Eagles song, ‘You can check out any time you like, but you can never leave.’ And that’s a problem for the American consumer; it’s a real problem.”

Details from the International Association of Privacy Professionals.

Despite their distrust in tech giants and lack of confidence in their privacy practices, people aren’t likely to go out of their way to safeguard their information, shows a survey of nearly 4,000 people across generations.

Per the survey:

  • 33 percent of respondents claim to read end user license agreements
  • 66 percent either skim through or ignore EULAs entirely
  • 47 percent know which permissions their applications have
  • 53 percent use password managers
  • 29 percent reuse the same passwords across websites; for Millennials, that number was 37 percent

Details from Dark Reading.

Much like your credit report, where you can look and check who has been accessing and using your credit information and make corrections, so should be the case with the rest of your personal information – says Sen. Reuven Carlyle, D-Seattle, the sponsor of Senate Bill 5376, passed by the Senate of Washington state.

The privacy bill, taking pages from the European Union’s General Data Protection Regulation (GDPR), would require companies to disclose what information they are collecting and to give individuals the ability to access, correct and sometimes delete it.

It also would require an individual’s consent for the use of facial recognition in order to profile people in places open to the public — such as retail stores.

The bill, which passed the Senate by a vote of 46-1, now goes to the state’s House of Representatives for consideration.

Details from The Seattle Times.

FTC, the De Facto Privacy Regulator.

The Federal Trade Commission “has settled or litigated more than 60 law enforcement actions against businesses that allegedly failed to take reasonable precautions to protect consumers’ data,” said FTC Bureau of Consumer Protection Director Andrew Smith in testimony before a Senate Homeland Security and Government Affairs Subcommittee.

Cases included actions against manufacturers of consumer products like smartphones, computers, routers, and connected toys, as well as against companies that collect consumers’ sensitive personal information.

Other points discussed:

  • The FTC brings cases under provisions of the Gramm-Leach-Bliley Act, the Fair Credit Reporting Act, and the Children’s Online Privacy Protection Act.
  • It has used its authority under Section 5 of the FTC Act to stop companies that allegedly engage in unreasonable data security practices, or that make misleading statements or omissions about data security.
  • The FTC supports new data protection legislation that would give it the ability to seek civil penalties for effective deterrence, and jurisdiction over nonprofits and common carriers.

Details from the FTC.

“It is important that organizations have appropriate technical and organisational measures in place. This includes having clear data protection policies, taking a ‘data protection by design and default’ approach and continuing to review and monitor performance and adherence to data protection rules and regulations” – says Adam Stevens, Head of Intelligence at the UK Information Commissioner’s Office (ICO).

In a sweep conducted by the ICO, as part of the Global Privacy Enforcement Network’s (GPEN) annual intelligence gathering operation, 356 companies in 18 countries were contacted.

Findings include:

  • 25 percent of companies had no programs in place to conduct self-assessments and/or internal audits.
  • More than 50 percent of companies indicated that they have documented incident response procedures, and maintain up-to-date records of all data security incidents and breaches. However, some indicated that they have no processes in place to respond appropriately in the event of a data security incident.
  • Nearly 75 percent of companies appointed an individual or team to ensure compliance with relevant data protection rules and regulations.

Details from the ICO.

The Federal Trade Commission should be the primary enforcer of a federal privacy bill, and to do so it would need a larger budget. That is one point on which there seemed to be consensus at the Senate Committee on Commerce, Science, and Transportation hearing held on February 27, 2019 in connection with a U.S. federal privacy law.

Additional points discussed included:

  • The role of state AGs in enforcement
  • Whether the FTC should be able to fine for a first offense
  • Whether consumers should have the right to deletion and whether the collection of sensitive data should be an opt-in choice for consumers
  • Whether the U.S. should look to the EU and its passage of the General Data Protection Regulation as a model, or, perhaps, the California Consumer Privacy Act
  • How heavily consumer choice should factor into a federal law

Details from the International Association of Privacy Professionals.

Thailand’s Parliament passed the Personal Data Protection Act, a bill created to offer citizens similar protections to the EU General Data Protection Regulation.

The data protection law, effective after a one-year transition period, will apply not only to companies located in Thailand, but also overseas companies which collect, use, or disclose personal data of subjects in Thailand, specifically for advertisements and “behavior monitoring.”

The Thai Parliament also passed the National Cybersecurity law which allows the National Cybersecurity Committee (NCSC) to summon individuals for questioning and enter private property without court orders in case of actual or anticipated “serious cyber threats.”

Details from Reuters.

To U.S. Federal Privacy Law or To Not U.S. Federal Privacy Law, that is the question.

At a House Committee on Energy and Commerce hearing February 26, industry professionals and advocates made their pitches for what should be contained within a federal privacy bill. The discussion revolved around how prescriptive a federal law should be and its potential impact on small businesses and vulnerable populations.

Two points discussed:

  • A law as prescriptive as the European Union’s General Data Protection Regulation (GDPR) or the California Consumer Privacy Act (CCPA) is expensive to comply with and may lead to a barrage of litigation. This may adversely affect small and medium businesses, which may end up closing shop.
  • Individuals should be given rights to access and correct the data companies collect and store about them online. Often, those impacted by misinformation (inaccuracies on credit scores, debts owed, criminal records, etc.) are minorities or low-income individuals who may be unable to fight for their rights.

Details from the International Association of Privacy Professionals.

Under a proposed amendment to the California Consumer Privacy Act (CCPA) filed Feb. 22, companies that amass user data could be the target of class-action litigation from state consumers if they’re accused of violating the CCPA.

This expands the existing private right of action under CCPA which currently applies only to data breaches. Other proposals include:

  • requiring data brokers to register with the Attorney General’s office
  • requiring companies to inform users if their data may be sold to third parties
  • requiring companies to disclose the monetary value of users’ data
  • allowing consumers and businesses to continue engaging in loyalty programs that otherwise may have been viewed as discriminatory under the CCPA

Details from Bloomberg.

Read the full text of the private right of action amendment.

What’s in store for CCPA?

Narrower definitions? Broader private right of action? Increased funding?

All were discussed at a hearing regarding the California Consumer Privacy Act (CCPA) held at the California State Assembly in Sacramento, CA.

Supervising Deputy Attorney General on Consumer Protection Stacey Schesser indicated that her office would seek to expand the private right of action provision within the CCPA. Schesser also indicated to the lawmakers that the Attorney General will be asking for increased funding to help the office enforce the CCPA.

At the hearing, representatives from the California Chamber of Commerce, California Retailers Association, American Civil Liberties Union and independent academics and researchers, among others, voiced concerns about the CCPA, including the broad definitions of the terms “personal information”, and “consumer”.

Details from the International Association of Privacy Professionals.