The United Kingdom’s Information Commissioner’s Office has issued guidance for public consultation on cross-border transfers of personal data from the UK to third countries without an adequacy decision, replacing the old Standard Contractual Clauses (SCCs) which are currently in use for such transfers.

According to the ICO press release, “the new guidance has been designed to be accessible and to ensure they support all organizations, from (small and medium-sized enterprises) without the benefit of large legal budgets to multi-national companies”

The guidance has three documents:
– Guidance on conducting Schrems TIAs
– Guidance on International Data Transfer Agreements
– Addendum to new SCCs

My thoughts on the first two are forthcoming.

But regarding the SCCs: The ICO endorses use of the new SCCs issued by the European Commission subject to the use of an addendum which applies the clauses to UK-third country transfers, subjecting them to ICO/UK court jurisdiction.

Read the full draft here:

Move over sobriety checkpoints. Soon your vehicle may actually include technology that keeps people from driving impaired.

The U.S. Congress is working on a $78 billion surface transportation bill as part of the larger $1 trillion infrastructure package. The bipartisan bill includes a significant safety provision that will aim to reduce the number of impaired drivers behind the wheel if it becomes law.

The anti–drunk driving portion of the bill is being promoted by U.S. Sen. Gary Peters and Representative Debbie Dingell, both Democrats from Michigan.

The bill would establish a new “advanced drunk and impaired driving prevention technology safety standard.” This standard would go into effect at least three years after the bill is signed and will require new vehicles to have technology that prevents impaired drivers from being able to operate them.

The bill doesn’t specify what kind of anti-impaired driving technology would be part of this standard, just that NHTSA will verify that it’s effective. Currently, ignition-interlock devices with breathalyzers that prevent the driver from starting the car if alcohol is detected are commonly used in the U.S. for those who have been convicted of drunk driving.

What are practical lessons learned from the $85 million Zoom settlement?

  • You can have big ticket enforcement dollars even without GDPR or CCPA.
  • When you integrate a third party feature – including via a Software Development Kit (SDK) that shares information with a third party and especially when that third party can use the information for marketing, advertising or other purposes – you need to, at minimum, disclose  clearly it. (It is also important to disclose what the third party does with the data and the implications to the consumer. We saw this with  Commission Nationale de l’Informatique et des Libertés (CNIL) enforcements and now we see it in the US too.)
  • Be careful about unequivocal statements about your security measures (“We use end-to-end encryption”) or privacy (“We take your privacy seriously”). These types of statements have been enforced by the Federal Trade Commission as deceptive/misleading statements.
  • It is important to have strong information security measures in practice.
  • For large companies, it is also very important to have policies and procedures that allow the information security measures to happen. (Think of alignment with ISO 27001, NIST CSF, CIS Top 20.)

A copy of the complaint may be read here.

A copy of the settlement may be read here.

New York City has passed a bill limiting data sharing by food delivery apps and food service establishments.

What does that mean?

Here are some key takeaways:

  • A third-party food delivery service may not share customer data applicable to an online order if such customer requests that such data not be shared in relation to such online order.
  • The customer is presumed to have consented to the sharing of such customer data applicable to all online orders unless such customer has made such a request in relation to a specific online order.
  • The third-party food delivery service needs to provide in a conspicuous manner on its website a means for a customer to make such request and clearly and conspicuously disclose to the customer the customer data that may be shared with the food service establishment and identify the food service establishment fulfilling such customer’s online order as a recipient of such data.
  • Third-party food delivery services that share customer data must provide the data in a machine-readable format, disaggregated by customer, on an at least monthly basis.
  • Food service establishments that receive customer data must not sell, rent, or disclose such customer data to any other party in exchange for financial benefit, except with the express consent of the customer from whom the customer data was collected. They also must enable customers to withdraw their consent for the food service establishment to use the data and must enable customers to request and receive deletion of their customer data.
  • This does not apply to telephone orders.

We are back in the US federal privacy bill game!

Sen. Roger Wicker, a Mississippi Republican, has re-introduced the “Setting an American Framework to Ensure Data Access, Transparency, and Accountability Act,” also known as the “SAFE DATA Act.”

Here are some key takeaways:

  • Employee and publicly available data are excluded
  • The concept of “sensitive covered data” is broader than GDPR special category data, and includes precise geolocation data, content of personal communications and account log in credentials.
  • There is a prohibition on discrimination for the exercise of consumer rights.
  • There is mandatory privacy policy disclosing the identity of the covered entity, categories of data, processing purposes, data transfers, individual rights, data security practices and data retention practices.
  • Requires prior and direct notification to the individual of a material change in the policy.
  • Right of access (within 90 days), as well as right of correction, of deletion and of portability.
  • Exceptions to rights include: that it’s impossible or demonstrably impractical to comply, results in the release of a trade secret or requires disproportionate effort.
  • Allows the option under certain circumstances to delete instead of provide access.
  • Requires the enactment of regulations within 1 year.
  • Requires individual consent to process or transfer sensitive covered data and opt out re: processing or transfer (other than some exceptions).
  • Limits collection to what is reasonably necessary proportionate and limited to provide the product or service or reasonably anticipated.
  • Requires notice and opt out for data sharing as part of bankruptcy proceedings.
  • Requires due diligence before engaging a service provider or transferring data.
  • Requires a privacy impact assessment for any processing activity involving heightened risk.
  • Certain exceptions for small businesses.
  • Requires study of algorithmic transparency.
  • Requires registration of data brokers.
  • Requires reasonable administrative, technical and physical information security policies.
  • Requires designation of data privacy officer and data security officer.
  • Requires internal controls and reporting structures to ensure that appropriate senior management officials of the covered entity are involved in assessing risks and making decisions for compliance.
  • Enforcement would be by the FTC as an unfair or deceptive act or practice.
  • Civil actions by state Attorney Generals would be possible.
  • Contemplates voluntary certifications for compliance with provisions of the Act.
  • Preempts all state privacy laws other than re: data breach notification.
  • Carves out certain federal laws (like COPPA, GLBA etc), which would not be preempted.

I had the pleasure of speaking recently with Jamal Ahmed on the PrivacyPros Podcast about privacy enforcement and privacy career trends.

Among the questions I tried to address:

  • What does the new Network Advertising Initiative (NAI) and its opt outs of hashed email targeted advertising mean?
  • Why should everyone read George Orwell’s “1984” and Carol Dweck’s “Mindset”?
  • What does the end of third-party cookies mean for data processing?
  • Why should women overcome the often natural tendency to open with an apology?
  • Why should we care about cookies even under U.S. data protection laws?
  • Why should privacy professionals (and everyone) listen to Brené Brown’s awesome “Dare to Lead” and “Unlocking Us” podcasts?
  • Where are U.S. data protection regulations going?
  • Why do you need to be passionate about what you do to be a successful privacy professional?
  • Why do I intersperse so many “likes” when I speak spontaneously? (Sorry, no good answer to that one. But I’ll accept commiseration.)


Federal Trade Commission authority boost?

H.R. 2668 – The Consumer Protection and Recovery Act – has passed in the U.S. House of Representatives.

The bill amends the Federal Trade Commission Act to provide the FTC with explicit authority to require bad actors to return money earned through illegal activity and to seek both injunctive and monetary relief for consumers in Federal courts (reversing a recent decision by the Supreme Court which limited its Section 13(b) authority).

The White House issued a press release saying: “The Administration supports House passage of H.R. 2668, the Consumer Protection and Recovery Act. … The Administration applauds this step to expressly authorize the FTC to seek permanent injunctions and pursue equitable relief for all violations of law enforced by the Commission and ensure that the cost of illegal practices falls on bad actors, not consumers targeted by illegal scams.”

Have you been leisurely following California Consumer Privacy Act (CCPA) litigation thinking, “That’s only for data breaches, not ‘soft’ violations.”

Think again.

California Attorney General Rob Bonta’s office has been busy enforcing CCPA for the past year.

Per a new enforcement report, you had better make sure that:

  • Your privacy policy is easily understood.
  • You have notices at collection, online and offline.
  • Your “Do Not Sell” link is there and works. (Links to DAI/NAA opt out pages are not enough!)
  • You disclose your financial incentives.
  • Your service provider agreements have the right limitations.

The AG also has added a new reporting tool for individuals to report faulty or missing “Do Not Sell” links.

You can take a deeper dive into the issue by reading this OneTrust DataGuidance article.

The Ohio Personal Privacy Act, also known as House Bill 376, is being considered in the Buckeye State.

Here are a few takeaways:

  • Enforcement by Attorney General only
  • Affirmative defense for companies that maintain and comply with a written privacy program that reasonably conforms with the NIST Privacy Framework.
  • “Business” include non-profits
  • Similar to Virginia and Colorado, “consent”  uses the GDPR formulation of “freely given, specific, informed and unambiguous”
  • Excludes data in the employment context
  • Narrow definition of “publicly available” (only government records)
  • “Sale” – monetary or other valuable consideration; transfer to affiliate is exempted
  • GLBA financial institutions and HIPAA CE and BAs, higher ed institutions and B2B transactions – exempted
  • Long list of data including health related – exempted
  • Exemption for fraud and identity theft detection

Consumer rights:

  • Right to know – via privacy notice which needs to include, in addition to what we saw in the other laws:
    1. details regarding the business and any affiliate to which personal data is transferred
    2. data retention practices
    3. information security practices
    4. notification of material changes to the policy (this requires affirmative consent or a notice + opt out 60 days in advance, as well as a need to provide direct notification where possible)
  • Right of access (by at least one method out of a provided list) covering the preceding 12 months
  • Right to delete (by at least one method), but exceptions include the written records retention schedule
  • Right to opt out of sale (with verification required); compliance with COPPA required for the sale of children’s information; required to notify third parties of the request and request that they comply.
  • No discrimination
  • Agreement between business and processor is required (but no prescriptive provisions)

Failure to maintain a privacy policy that reflects the data privacy practice to a reasonable degree of accuracy is an unfair and deceptive practice (but not privacy right of action).

The European Data Protection Board has issued final guidelines on virtual voice assistants.

The guidelines appear to be largely unchanged from the draft issued in February for public consultation.

The main change is noting that even if VVAs are themselves a software service, they always operate through a physical device such as a smart speaker or smart TV. VVAs use electronic communication networks to access these physical devices that constitute “terminal equipment” in the sense of the e-Privacy Directive.

Therefore, the provisions of Art 5(3) of the e-Privacy Directive apply whenever a VVA stores or accesses information in the physical device linked to it.