Some basics about how the California Consumer Privacy Act applies to selling children’s personal information:

  • Businesses subject to CCPA cannot sell the personal information of consumers who are 16 years old or younger without prior authorization.
  • If the minor is less than 13 years old, the businesses must obtain authorization from a parent or guardian.
  • If the minor is between the ages of 13 and 16 years old, businesses can obtain authorization from the minor.
  • Businesses will be held liable as having actual knowledge if the business willfully disregards the consumer’s age. “Willfully disregard” is not defined in the law, but based on other California laws and judicial interpretation it could mean an affirmative decision not to inquire about the age of consumers.

Details from the International Association of Privacy Professionals.

Spotlight on adequate/reasonable protections to personal information – Part 1 – France.

CNIL fined a real estate company 400,000 EUR for failure to implement adequate protections to personal data in violation of GDPR.

In this case, the URLs on the company’s website were the problem: the URL identified each document, and by changing a single character in it, a user could retrieve documents belonging to other individuals.

CNIL accessed the accounts of 9,446 different people with information including copies of identity cards, vital cards, tax notices, death certificates and marriage certificates, certificates of affiliation to Social Security, certificates issued by the family allowance fund, invalid pension certificates, divorce decrees, account statements, bank identity or rent receipts.

In all, 290,870 files were exposed due to this vulnerability. The absence of proper access control to personal data has been identified as one of the most widespread vulnerabilities and has already resulted in the issuance of numerous public financial penalties for similar acts.

The high fine was due to the nature of the vulnerability, number of records, nature of the data and time it took to remediate.
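The CNIL case above is a textbook missing object-level access check. As an added illustration (not code from the page or from the company involved), the snippet below shows a document-download handler with that defect beside a hardened version that authenticates the caller, verifies ownership, answers non-owned ids exactly like missing ones, and counts denials so that enumeration attempts surface in monitoring. The document store, user names and file names are constructed sample data.

```python
import secrets
from collections import Counter
from dataclasses import dataclass
from typing import Optional


@dataclass
class Document:
    owner: str       # account that uploaded the file
    filename: str    # stored object name


# Constructed sample store: sequential ids like the ones that let the
# CNIL walk through other customers' files.
DOCS = {
    "1001": Document("alice", "alice_tax_notice.pdf"),
    "1002": Document("bob", "bob_identity_card.pdf"),
}

DENIED = Counter()   # per-user count of refused lookups, for alerting


class NotFound(Exception):
    pass


def vulnerable_fetch(session_user: Optional[str], doc_id: str) -> str:
    """Defect: trusts the id from the URL and never checks who owns it."""
    doc = DOCS.get(doc_id)
    if doc is None:
        raise NotFound(doc_id)
    return doc.filename


def hardened_fetch(session_user: Optional[str], doc_id: str) -> str:
    """Authenticate, then enforce ownership on every object lookup."""
    if session_user is None:
        raise PermissionError("login required")
    doc = DOCS.get(doc_id)
    if doc is None or doc.owner != session_user:
        DENIED[session_user] += 1   # many denials from one user = probing
        raise NotFound(doc_id)      # same answer for missing and foreign
    return doc.filename


def register_document(owner: str, filename: str) -> str:
    """Defence in depth: unguessable ids stop casual id-walking, but the
    ownership check in hardened_fetch remains the real control."""
    doc_id = secrets.token_urlsafe(24)
    DOCS[doc_id] = Document(owner, filename)
    return doc_id
```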

First we take Sacramento, then we take Albany…

The New York Privacy Act, a privacy bill proposed by State Sen. Kevin Thomas, D-N.Y., bears similarities to the California Consumer Privacy Act.

Like the CCPA, it would allow people to find out what data companies are collecting on them, see who they’re sharing that data with, request that it be corrected or deleted, and avoid having their data shared with or sold to third parties altogether. However, it includes a private right of action and would apply to companies of any size within the state of New York.

Notably, the New York bill would prohibit using, processing or transferring personal information to a third party, unless the consumer provides express and documented consent and would require businesses to act as so-called “data fiduciaries,” the most basic obligation of whom is a duty to look out for the interests of the people whose data businesses regularly harvest and profit from.

Thus the bill would prohibit companies from using data in a way that causes users some sort of financial or physical harm or in a manner that would be “unexpected and highly offensive to a reasonable consumer.”

Details from Wired.

What is sold in Vegas can be opted out of in Vegas.

Nevada’s new privacy law will go into effect October 1, providing consumers with a right to opt out of the sale of their personal information.

Key provisions:

  • Applies to an “operator of an Internet website or online service which collects certain items of personally identifiable information about consumers” in Nevada.
  • Contains carve-outs for financial institutions subject to GLBA, entities subject to HIPAA and certain persons who manufacture, service or repair motor vehicles.
  • “Consumer” is defined more narrowly than in CCPA to mean: “a person who seeks or acquires, by purchase or lease, any good, service, money or credit for personal, family or household purposes from the Internet website or online service of an operator.”
  • An operator that receives a verified request submitted by a consumer is required to refrain from selling any covered information.
  • “Sale” is defined more narrowly than in CCPA to mean: “the exchange of covered information for monetary consideration by the operator to a person for the person to license or sell the covered information to additional persons.”

Read the full text of the law.

Could the voluntary National Institute of Standards and Technology’s Privacy Framework help avoid missed connections in privacy, forestalling the next data breach or privacy scandal by baking data protection into new products from conception?

Is “true privacy engineering” possible? Caitlin Fennessey argues that it may well be able to do that. NIST modeled the Privacy Framework on its successful Cybersecurity Framework.

“Much like the CSF, the Privacy Framework is organized around the functions an organization must undertake to manage privacy risk, the profile of the organization using it, and a tiered implementation structure. Organizations are encouraged to move to a higher ‘tier’ or more sophisticated risk management program based on the privacy risk their data processing operations create.”

“The ‘core’ outlined in each framework is, as the name implies, the heart of the matter. The Privacy Framework core is divided into five functions: identify, protect, control, inform and respond.”

The framework draft is open to public comment and will evolve as NIST’s consultation process proceeds.

Details from Caitlin Fennessey.

CCPA is coming to a data broker near you?

If passed, AB 1202, one of the amendments making its way through the California legislature, will:

  • require data brokers to register with the California Attorney General and provide some information
  • impose penalties on the failure to register
  • specifically apply all CCPA obligations to data brokers, including the requirement to allow individuals to opt out of the sale of their personal information

Read the text of the amendment.

Risk &amp; Insurance quoted Fox Partner Odia Kagan in an article on preparing for year two of GDPR.

“GDPR compliance isn’t something that is a snapshot in time, it’s an ongoing process, a ‘chronic condition’ for the skeptics or a ‘healthy routine’ for the advocates… Companies need to complete setting up their key compliance mechanisms and then reassess and tweak and implement each time a new process, new product or new service provider starts up.”

“The toughest compliance issue is to accomplish the shift in thinking with respect to how one needs to handle the information, explaining that understanding the information beyond SSN and driver’s license or bank account information not only is important, but it’s also important where you get your information, what people think you will do with it, etc.”

“In any event, it is important to do something, be on the path, rather than be daunted into inaction…For example, do a risk assessment, then devise and plan and start executing on it. This will be taken into consideration by regulators if it ever comes up.”

Read the full article in Risk & Insurance.

The Irish Data Protection Commission has issued guidance on CCTV and GDPR.

Key takeaways:

  • Put in place clear signs to advise people that CCTV recording is taking place, and to outline the purposes for it.
  • The signs should also provide the contact details of the relevant data controller or their agent.
  • CCTV footage may be recorded based on a business’s legitimate interest to protect their premises and property from crime or damage, or to ensure the health and safety of staff members and the public.
  • If relying on legitimate interest the data controller must explain to you how they have justified this based on necessity and proportionality.
  • CCTV should not be employed in areas where employees spend their free time unless it can be justified, for example, based on a need to monitor safety and security. Use of CCTV in break rooms, changing rooms, and bathroom areas is difficult to justify.
  • If you are aware that your image or recorded footage has been published on a social media platform online, you can request that the social media platform used remove it.

Read the full guidance.

Standard Contractual Clauses: we’ll see you in (European) Court (of Justice).

“The European Court of Justice (ECJ) will hear a landmark privacy case regarding the transfer of EU citizens’ data to the United States in July, after Facebook’s bid to stop its referral was blocked by Ireland’s Supreme Court on Friday.”

“The Irish High Court, which heard Schrems’ case against Facebook last year, said there were well-founded concerns about an absence of an effective remedy in U.S. law compatible with EU legal requirements, which prohibit personal data being transferred to a country with inadequate privacy protections.”

“The High Court ordered the case be referred to the ECJ to assess whether the methods used for data transfers – including standard contractual clauses and the so called Privacy Shield agreement – were legal.”

“Facebook took the case to the Supreme Court when the High Court refused its request to appeal the referral, but in a unanimous decision on Friday, the Supreme Court said it would not overturn any aspect of the ruling.”

Full details from Reuters.

A new Illinois bill seeks to regulate the use of artificial intelligence in the recruitment process.

The bill, titled the “Artificial Intelligence Video Interview Act”, provides that an employer that asks applicants to record video interviews and uses an artificial intelligence analysis of applicant-submitted videos:

  • must notify each applicant in writing before the interview that artificial intelligence may be used to analyze the applicant’s facial expressions and consider the applicant’s fitness for the position;
  • must provide each applicant with an information sheet before the interview explaining how the artificial intelligence works and what characteristics it uses to evaluate applicants;
  • must obtain written consent from the applicant to be evaluated by the artificial intelligence program;
  • may not use artificial intelligence to evaluate applicants who have not consented to the use of artificial intelligence analysis; and
  • may not share applicant videos, except with persons whose expertise is necessary in order to evaluate an applicant’s fitness for a position.

Read the full text of the bill.