Privacy law experts warn companies not to assume they can comply with the California Consumer Privacy Act (CCPA) because they are in compliance with the EU’s General Data Protection Regulation (GDPR).

“The fact is, CCPA is not GDPR, and it is different. There certainly are things that you probably built for GDPR that will be helpful, but CCPA deserves its own attention,” said J. Trevor Hughes, president and CEO of the International Association of Privacy Professionals (IAPP) at a privacy panel at RSA 2019.

Details from SC Magazine.

If it makes the individual go “huh, why did that (use of my information) happen?”, then you, the company that provides a service utilizing data, may have a data protection problem on your hands.

This was a key takeaway from the U.S. Senate Committee on the Judiciary hearing on “GDPR & CCPA: Opt-ins, Consumer Control, and the Impact on Competition and Innovation”.

“Here is my basic concern”, said Sen. Josh Hawley, R-Mo, “Americans have not signed up for this, they think the products [they are being offered] are free; they’re not free. They think they can opt out; they can’t opt out. It’s kind of like that old Eagles’ song, ‘You can check out any time you like, but you can never leave.’ And that’s a problem for the American consumer; it’s a real problem.”

Details from the International Association of Privacy Professionals.

Data protection and political campaigns – European Data Protection Board (EDPB) issues a statement.

Key points:

  • Personal data revealing political opinions is a special category of data under the GDPR, and, in most cases, processing it will require explicit, specific, fully informed, and freely given consent.
  • Using personal data made public, like on social media, or otherwise shared by individuals, is still subject to obligations concerning transparency, purpose specification and lawfulness.
  • Companies must provide sufficient information to the individuals who are being analyzed and whose personal data are being processed, even if they are data brokers and not consumer-facing.
  • Automated profiling connected to targeted campaign messaging may, in certain circumstances, cause a “similarly significant effect” requiring the explicit consent of the individual.
  • In case of targeting, companies should provide adequate information explaining why the person is receiving a particular message, who is responsible for it and how the person can exercise his/her rights as a data subject.

Cookies and trackers sat on a wall, cookies and trackers had a great fall…

The Dutch data protection authority, Autoriteit Persoonsgegevens (AP), holds that the practice of a cookie banner that does not allow you to enter a website unless you accept tracking cookies (known as a “cookie wall”) is not permissible under the EU General Data Protection Regulation (GDPR).

If companies want to track people using tracking cookies, tracking software or other digital methods, they must get the users’ consent for this. In the case of so-called ‘cookie walls’ on websites (no permission means no access), consent is not duly given. This is because under the GDPR, consent must be “freely given”. If you do not have a real or free choice, or cannot refuse to give consent without adverse consequences, the consent is not deemed freely given. The AP has stated that it will intensify its monitoring of compliance in this area.

Details from the AP.

Much like your credit report, where you can look and check who has been accessing and using your credit information and make corrections, so should be the case with the rest of your personal information, says Sen. Reuven Carlyle, D-Seattle, the sponsor of Senate Bill 5376, passed by the Senate of Washington state.

The privacy bill, taking pages from the European Union’s General Data Protection Regulation (GDPR), would require companies to disclose what information they are collecting and to give individuals the ability to access, correct and sometimes delete it.

It also would require an individual’s consent for the use of facial recognition in order to profile people in places open to the public — such as retail stores.

The bill, which passed the Senate by a vote of 46-1, now goes to the state’s House of Representatives for consideration.

Details from The Seattle Times.

The French Data Protection Authority, CNIL, issues guidance on credit card data in remote transactions:

  • Merchants who collect credit card details to facilitate a transaction need the consent of their customers to keep their bank details beyond that transaction in order to facilitate subsequent purchases.
  • This consent is not presumed and must take the form of an unambiguous act of will, for example by means of a checkbox (not pre-checked by default).
  • Acceptance of the general conditions of use or sale is not considered a sufficient mechanism for collecting the consent of the persons concerned.
  • The e-merchant should integrate directly into the merchant site a simple way to withdraw, without charge, the consent given.
  • The credit card data can also be used in the fight against payment card fraud.
  • Merchants can rely on their legitimate interest to keep the credit card data of those customers who subscribe, whether for a fee or free of charge, to additional services that facilitate their purchases.
  • When doing so, merchants must (1) disclose that they retain this data, (2) allow an opt-out, (3) allow deletion and (4) implement appropriate security measures.

Details from CNIL.

“It is important that organizations have appropriate technical and organisational measures in place. This includes having clear data protection policies, taking a ‘data protection by design and default’ approach and continuing to review and monitor performance and adherence to data protection rules and regulations” – says Adam Stevens, Head of Intelligence at the UK Information Commissioner’s Office (ICO).

In a sweep conducted by the ICO, as part of the Global Privacy Enforcement Network’s (GPEN) annual intelligence gathering operation, 356 companies in 18 countries were contacted.

Findings include:

  • 25 percent of companies had no programs in place to conduct self-assessments and/or internal audits.
  • More than 50 percent of companies indicated that they have documented incident response procedures, and maintain up-to-date records of all data security incidents and breaches. However, some indicated that they have no processes in place to respond appropriately in the event of a data security incident.
  • Nearly 75 percent of companies appointed an individual or team to ensure compliance with relevant data protection rules and regulations.

Details from the ICO.

Thailand’s Parliament passed the Personal Data Protection Act, a bill created to offer citizens protections similar to those of the EU General Data Protection Regulation.

The data protection law, effective after a one-year transition period, will apply not only to companies located in Thailand, but also to overseas companies that collect, use, or disclose the personal data of subjects in Thailand, specifically for advertisements and “behavior monitoring.”

The Thai Parliament also passed the National Cybersecurity law which allows the National Cybersecurity Committee (NCSC) to summon individuals for questioning and enter private property without court orders in case of actual or anticipated “serious cyber threats.”

Details from Reuters.

To U.S. Federal Privacy Law or To Not U.S. Federal Privacy Law, that is the question.

At a House Committee on Energy and Commerce hearing February 26, industry professionals and advocates made their pitches for what should be contained within a federal privacy bill. The discussion revolved around how prescriptive a federal law should be and its potential impact on small businesses and vulnerable populations.

Two points discussed:

  • A law as prescriptive as the European Union’s General Data Protection Regulation (GDPR) or the California Consumer Privacy Act (CCPA) is expensive to comply with and may lead to a barrage of litigation. This may adversely affect small and medium businesses, which may end up closing shop.
  • Individuals should be given rights to access and correct the data companies collect and store about them online. Often, those impacted by misinformation (inaccuracies on credit scores, debts owed, criminal records, etc.) are minorities or low-income individuals who may be unable to fight for their rights.

Details from the International Association of Privacy Professionals.