Do you know that your car knows if you are 2fast2furious?

The California Senate Judiciary Committee approved with bipartisan support SB 346, a bill by Sen. Bob Wieckowski (D-Fremont) regarding consumer choice related to the installation and use of in-vehicle cameras.

Key points:
  • Require that consumers be prominently informed at the time of purchase if a camera is installed inside a car.
  • Prohibit video recordings from being used for advertising or sold to third parties.
  • Prohibit any recording obtained through operation of an in-vehicle camera by the manufacturer from being retained at any location other than the vehicle itself without the affirmative written or electronic consent of the user.
  • Prohibit a person or entity from compelling a manufacturer or other entity providing the operation of an in-vehicle camera to build specific features for the purpose of allowing an investigative or law enforcement officer to monitor images through that feature.

An in-vehicle camera is defined as any device included as part of a vehicle by the manufacturer that is designed to record, or is capable of recording, images or video inside the cabin of the vehicle.

Read the full text of the bill.

West Virginia has gotten into the data privacy bill game with House Bill (HB) 3159 on Consumer Data Privacy.

The legislation is similar to the California Consumer Privacy Act, with the following key points:

  • Right to opt out of the sale or sharing of information for the purpose of advertising. New definition of “share” which includes:
    1. Allowing a third party to use or advertise to a consumer based on a consumer’s personal information without disclosure of the personal information to the third party; or
    2. Monetary transactions, nonmonetary transactions and transactions for other valuable consideration between a business and a third party for advertising for the benefit of a business.
  • Retention limitation until the earlier of:
    1. one year after the consumer’s last interaction or
    2. after satisfaction of the initial purpose/duration of a contract.
  • Opt-in consent is between 13-15 (not 16) and opt-in parental consent is 12 (not 13).
  • Requirements for the contract between the business/service provider and business/third party.
  • Subcontractors must abide by data protection terms.
  • Private right of action for data breaches.
  • Enforcement by Division of Consumer Protection with a 30-day cure.

Read the full text of the legislation.

The European Data Protection Board has issued final guidelines on connected vehicles, making few changes from the draft it issued for public comment, and with a big to-do list for OEMs and other stakeholders.

  • Data collected by a connected car is personal data even if it is not directly linked to a name, but to technical aspects and features of the vehicle because it still concerns the driver or the passengers of the car.
  • A car is terminal equipment and you need consent for collecting data under the ePrivacy directive unless an exception applies.
  • You need a separate legal basis under GDPR for further processing, but in many cases that would be consent too.
  • You need to operationalize transparency but it won’t be easy.
  • You need to operationalize consent: that won’t be easy either.
  • You must implement data protection by design and by default.
  • A connected vehicle is a type of Internet of Things (IoT) device. As such, it is prone to the same information security concerns as IoT devices, but with potentially greater stakes.

Full details in this OneTrust Data Guidance article.

If at first (and second) you don’t succeed, try, try again. The European Union and United States are gearing up for “Privacy Shield 2.0” to address the difficulties faced by tens of thousands of companies in the wake of the Court of Justice of the European Union’s Schrems II decision.

“The U.S. Government and the European Commission have decided to intensify negotiations on an enhanced EU-U.S. Privacy Shield framework to comply with the July 16, 2020 judgment of the Court of Justice of the European Union in the Schrems II case.”

U.S. Secretary of Commerce Gina Raimondo and European Commissioner for Justice Didier Reynders issued a press release saying: “Our partnership on facilitating trusted data flows will support economic recovery after the global pandemic, to the benefit of citizens and businesses on both sides of the Atlantic.”

“These negotiations underscore our shared commitment to privacy, data protection and the rule of law and our mutual recognition of the importance of transatlantic data flows to our respective citizens, economies, and societies.”

Read the full statement from the U.S. Department of Commerce.

I’ll take it as a yes? You still need notice and consent even when using email-based identifiers.

The age of email-based identifiers is nigh. But are these cookie replacements actually as transparent about consent as promised? Digiday’s Kate Kaye says maybe not.

“Because many identity technologies, including Unified ID 2.0, use email addresses and other information gathered when people interact directly with a brand or publisher to build encrypted IDs, the companies that make and use them suggest they are created with people’s knowledge and consent.”

“Although these companies are modernizing their means of tracking people online, they have yet to update their methods of notifying them when these systems capture individuals’ email addresses to transform them into identifiers that can be passed throughout the ad tech ecosystem.”

“So basically, the age-old problem continues its aged oldness: Consumers have no idea how their data is being used. For instance, some publishers aren’t specifically notifying people that their personal info will be used to power an identifier that will be shunted into an ad marketplace.”

Read the full Digiday article.

Colorado has introduced the “Colorado Privacy Act” bill (SB21-190).

Key things to note:
  • Recital notes that the “EU GDPR is emerging as a model for countries across the globe in data privacy.”
  • Consumer rights: access, correction, deletion, data portability and right to opt out of general collection and use of personal data not just use for sale.
  • Opt-in consent for processing sensitive data.
  • Affirmative obligation for information security.
  • Requirement for clear, transparent privacy disclosure.
  • Requirement for data protection assessments (for targeted advertising, sale, sensitive data).
  • Enforcement by AG.
  • Definition of “consent” modeled after Article 7 of GDPR.
  • Different definition of “de-identified data” which is similar to that under HIPAA.
  • Processing must be necessary, reasonable and proportionate to the specific purpose disclosed.
  • Controller is liable for a processor’s actions.
  • Requirement for controller/processor agreement but no specifics.

Read the full text of the legislation.

An Arizona bill relating to personal data (HB 2865) was reintroduced on February 11, 2021 in the Arizona House of Representatives and passed its second reading on February 15, 2021.

Key provisions:
  • Carve out for employee and B2B data.
  • Uses both “personal data” and “personal information” terms.
  • “Sale” requires monetary consideration. A sale is presumed if there is an exchange of personal data and if contract terms with the third party do not limit the use of personal information by the third party.
  • Definition of sensitive information includes precise geolocation.
  • Consumer rights including: right to know; disclosure of copies of personal information held; notice at collection; correction of inaccurate information; deletion (without undue delay); restriction of processing (if the consumer contests the accuracy of the data, the processing is unlawful, the controller no longer needs the personal data, or the consumer’s interests outweigh the controller’s legitimate grounds); data portability; objection to processing of personal data for purposes of targeted advertising.
  • Third party obligation to respect requests for objection to processing.
  • Enforcement by AG.

Read the full text of the bill.

“… Gathering consent on a connected TV requires striking a tricky balance between complying with the law, meeting consumer expectations, avoiding consent fatigue and not messing with the user experience.”

“Most consumers don’t read consent screens, privacy policies or T&Cs while they’re leaning back in their living room with a bowl of popcorn in their lap. People just want to watch TV. But if they click without reading, does that count as informed consent?”

“But it’s important to at least begin introducing the concept of consent collection for connected TV so that consumers are aware of the collection of their data,” says Romain Gauthier, CEO and co-founder of Didomi, a consent management platform.

“By the same token, advertisers, publishers and ad tech vendors need a systematic, standardized way to collect and share consent signals.”

“It’s crucial that people be given an opportunity to say no and that it works when they do – that is the main role of a CMP (Consent Management Platform),” Gauthier said. “Many users might not care right now, but they might care in the future, and so we need to start educating them now.”

Read the full article in AdExchanger.

“First, there needs to be a bigger emphasis on security for user data – as a good business practice and for regulation purposes,” says Zora Senat, VP of Partnerships at Infutor Data Solutions.

“When organizations focus more heavily on the collection of first-party data, the result is more data to protect. The latest consumer data privacy laws in Virginia, California, the EU and elsewhere make it essential that user data is well protected.”

  • Second – Brush up on consumer disclosures and privacy rights
  • Third – Understand the rules and requirements around first-party data linkage – especially since new privacy laws are creating restrictions about linking certain kinds of data without consent.
  • Fourth – Actively test new ID resolution solutions
  • Fifth – Understand the true value of consent – brands need to assess new incentives so users will voluntarily share more of their data but also ensure these “data for benefits” approaches are cleared with privacy law experts.

Details in AdExchanger.

“We are all trying to be pragmatic and open-minded and ambitious and quick about this because for us it’s been seven weeks in the new administration but the world has been waiting eight months since the ‘Schrems II’ ruling, so there is a real sense of urgency on our part. There is also an opportunity to restart the trans-Atlantic relationship, and there is so much great cooperation going on between our leadership right now,” says Department of Commerce Deputy Assistant Secretary for Services Christopher Hoff.

“We also do want it to be as future proof as possible, so it’s a tricky conversation and balance,” he said.

“There’s very little movement on the U.S., and there’s a very high bar to reach on the European side. There’s a feeling that we just have another agreement that is going to be killed rather soon,” says Max Schrems.

Details from the International Association of Privacy Professionals.