FTC Seeks Comment on Proposed Amendments to Safeguards and Privacy Rules

The FTC is seeking comment on proposed changes to the Safeguards Rule and the Privacy Rule under the Gramm-Leach-Bliley Act. The Safeguards Rule requires a financial institution to maintain a comprehensive information security program. The Privacy Rule requires a financial institution to inform customers about its information-sharing practices. Andrew Smith, Director of the FTC’s Bureau of Consumer Protection, says the amendments are meant to, “better protect consumers and provide more certainty for business.”

NIST Privacy Framework

The National Institute of Standards and Technology (NIST) released working draft of a standard Privacy Framework meant to, “help organizations: better identify, assess, manage, and communicate privacy risks; foster the development of innovative approaches to protecting individuals’ privacy; and increase trust in products and services.”

AG Racine Proposes Changes to Data Breach Law

District of Columbia AG Racine introduced legislation to amend the District’s current data breach law in an effort to provide greater protection over personal data.  Specifically, the AG proposes:

  • Holding companies accountable for safeguarding a broader range of private information;
  • Creating security requirements for companies that handle personal information;
  • Requiring companies to provide identity theft protection if they expose Social Security numbers; and
  • Requiring companies to inform consumers of their rights when a data breach occurs.

Internet of Things (IoT) Cybersecurity Improvement Act of 2019

Bipartisan legislation meant to improve the cybersecurity of Internet-connected devices was introduced in the Senate and the House of Representatives. The legislation would require that devices purchased by the U.S. government meet certain minimum security requirements.

 

On January 25, 2019, the Illinois Supreme Court issued a highly anticipated ruling in the Rosenbach v. Six Flags case regarding enforcement of the Illinois Biometric Information Privacy Act, 740 ILCS 14/1, et seq. (BIPA or the Act).  In its unanimous ruling, the Court held that a procedural violation of the Act, even absent a showing of actual injury, is sufficient to confer standing to sue for a BIPA violation.

This means that an employer who, for example, uses employee fingerprint data for timekeeping purposes could be on the hook for a BIPA violation for failure to follow the comprehensive notice-and-consent rules set forth in the Act.

Whether the Rosenbach ruling will trigger a spike in biometric privacy litigation against private employers remains to be seen.  For now, understanding BIPA and key compliance principles can help employers mitigate against some of the risks inherent in collecting employee biometric data. Continue Reading Rethinking Biometric Data Collection Practices After Rosenbach: Takeaways and Compliance Strategies for Employers

On 7 February 2019, the German competition law regulator, the Federal Cartel Office (FCO), concluded a lengthy investigation into Facebook.  It found that the company abused its dominant market position by making the use of its social network conditional on the collection of user data from multiple sources.

The FCO’s probe into Facebook is one of the first cases in the EU concerning the intersection between the EU’s new data privacy laws (contained in the General Data Protection Regulation or GDPR) and competition law. The abuse finding under German competition law (which is broadly the same as the pan-EU competition law in this regard) relied on what was, according to the FCO, a breach of EU data protection law. Continue Reading Federal Cartel Office vs. Facebook: When Data Privacy and Competition Law Collide

At Password Protected we strive to inform readers of recent developments in data privacy law.  While California Consumer Privacy Act (CCPA) is forcing new changes to data privacy policies, procedures and practices, we want to remind you of an older California data privacy statute, called Shine the Light Law (STL), which still remains in effect following passage of the CCPA.  The STL may have fallen to the wayside in your compliance program with all the fervor surrounding the CCPA, and before that, the European Union’s General Data Protection Regulation.  However, with a significant uptick in STL class action lawsuits in California, we felt it was noteworthy to bring this to your attention. Continue Reading Consider California’s Shine The Light Statute When Updating Your Privacy Policy

Welcome back to our two-part series examining CNIL vs. Google: 10 lessons from the largest data protection fine ever issued.  In this post we continue our analysis of CNIL vs. Google by taking a closer look at the additional lessons we can learn from this important decision. 

6. …tell data subjects exactly what you’re doing with their data

CNIL found that it was hard for users to understand what Google was doing with their data. They commented: “Users are not able to fullly understand the extent of the processing operations… the purposes of processing are described in too generic and vague a manner and so are the categories of data processed for these various purposes.”

The lesson here is: tell data subjects clearly what data you are collecting and what you are using it for. Do not try to obfuscate it. Continue Reading CNIL vs. Google: 10 lessons from the largest data protection fine ever issued Part Two

In January 2019, the French data protection authority, CNIL (Commission Nationale de l’informatique et des libertés), announced that it had fined Google 57 million euros (approximately £44 million or USD$65 million) for breaching the EU’s General Data Protection Regulation (GDPR) through its use of targeted advertising.

The fine arose out of complaints made against Google to CNIL by privacy activists immediately after the GDPR came into force in May 2018. At the time of writing, it is the largest data protection fine ever issued – but what can we learn from CNIL’s decision? Continue Reading CNIL vs. Google: 10 lessons from the largest data protection fine ever issued

The California Attorney General is currently on a California tour soliciting public comment on the CCPA.[i] To date, the Attorney General has held public forums in San Francisco (January 8th), San Diego (January 14th) and Riverside (January 24th) and will continue on to Los Angeles (January 25th), Sacramento (February 5th), and Fresno (February 13th). These hearings are being held pursuant to a CCPA requirement that the Attorney General “solicit broad public participation and adopt regulations to further the purposes” of the CCPA. Specifically, the Attorney General is directed to seek public feedback on the following areas: expanding the definition of “personal information,” establishing additional exceptions to compliance, establishing rules and procedures for facilitating consumer opt-out requests, just to name a few. Continue Reading Recent Developments on the California Consumer Privacy Act (CCPA)

 

As 2019 begins, we are one year away from the highly anticipated California Consumer Privacy Act of 2018 (CCPA or the Act) going into effect.  As companies update their privacy policies to comply with the CCPA, it is essential to determine whose personal information the Act protects.  Two issues businesses should consider when updating their data privacy policies are:  (i) the geographic residence of the individuals whose information is collected; and (ii) whether the Act applies to their employees. Continue Reading Defining “Consumer” Under The California Consumer Privacy Act

Recent developments in privacy law and a rise in class action lawsuits related to data collection offer a cautionary tale about understanding legal and ethical boundaries of monitoring “on-the-clock” employee conduct. With a hodgepodge of federal, state, and local legislation governing employee privacy rights, employers are often left to navigate a complicated legal landscape while balancing the practical need to understand how employees are using company information and equipment.  Employers, for example, have a legitimate interest in protecting company trade secrets, detecting unlawful transmission of unlicensed material, and improving work productivity.  Employees, on the other hand, may have a reasonable expectation of privacy in certain contexts while at work.

This quandary begs the question, where do employers draw the line? Continue Reading Workplace Monitoring: Where Do Employers Draw The Line?