On August 20, 2021, the Personal Information Protection Law (PIPL), regarded as China’s GDPR, was signed into law, and will become effective on November 1, 2021. The PIPL supplements China’s Cybersecurity Law and the Data Security Law, expanding China’s legal framework for the protection and regulation of data security and personal information. The PIPL has an extraterritorial scope, imposing broad disclosure, consent, and cross-border transfer obligations on organizations that provide products or services to or analyze activities of people within China.
Guest Author: Jodi Daniels, Founder and CEO of Red Clover Advisors
Data privacy is one of the most complicated and important issues facing modern businesses. With laws varying from state to state, even country to country, and best practices frequently changing, it may be more efficient for companies to outsource their privacy program to an expert who specializes in consumer data privacy.
Fractional privacy officers (FPOs) provide high-level privacy consulting and strategy on a part-time, contract basis. They deliver invaluable assistance in translating and applying the requirements of new and established data privacy legislation to existing business practices and are fully qualified to develop new processes if needed for compliance.
There are four main areas where an FPO’s privacy prowess can be highly beneficial: Continue Reading Outsource Your Privacy to an Expert
On August 24, 2021, the office of the California Attorney General (AG) Rob Bonta issued a press release notifying the public of healthcare data privacy guidance that AG Bonta sent to stakeholder organizations, including the California Hospital Association, the California Medical Association, and the California Dental Association, that day. According to the press release, the guidance was sent to stakeholders as a bulletin that, in part, reminded the entities of their obligation to notify the California Department of Justice (DOJ) when the health data of more than 500 California residents has been breached.
In July 2021, the Uniform Law Commission (ULC) voted to approve the Uniform Personal Data Protection Act (UPDPA), a model data privacy bill that, when finalized, will be promulgated to state legislatures across the United States for consideration and possible adoption as early as January 2022.
There have been several notable developments this month at the California Attorney General’s office relating to the CCPA. First, California Attorney General (AG) Rob Bonta held a press conference and issued a press release regarding CCPA enforcement in the past year. AG Bonta signaled that under his leadership, as under prior California Attorneys General, such as now Vice President Kamala Harris and United States Department of Health and Human Services Secretary Xavier Becerra, the AG’s office will continue its focus on privacy. AG Bonta emphasized the importance of the CCPA at a time when so much of our lives has moved online due to the COVID-19 pandemic and that “there’s more work to be done.” He reported “great progress” in CCPA enforcement, noting that 75% of businesses that received a notice of violation came into compliance within the CCPA’s 30-day cure period, while the remaining 25% are within the cure period or currently under active investigation. Continue Reading Recent Developments at the California Attorney General’s Office Concerning the CCPA and Enforcement
On June 25, 2021, the U.S. Supreme Court in TransUnion LLC v. Ramirez (No. 20-297, slip op.) clarified that for standing purposes in federal courts, an important difference exists between (i) a plaintiff’s statutory cause of action to sue over a violation of law, and (ii) a plaintiff suffering concrete harm because of the violation of law. The Court stated that “an injury in law is not an injury in fact” and held that only those plaintiffs who suffer a “concrete injury” apart from the violation of law alone have standing to sue. This case involved TransUnion’s alleged inaccurate reporting of class members as potential threats to America’s national security. Only a subset of the class, however, was the subject of these incorrect reports provided to third parties, and the Court acknowledged only these individuals as having standing to sue. Continue Reading Recent Federal Court Decisions Creating Uncertainty Around CCPA Standing
Last week a new privacy law limiting what businesses can do with biometric data (for example, facial recognition information and fingerprints) took effect in New York City. The new ordinance requires commercial establishments that collect biometric information to post notices to customers explaining how their data will be used. The law applies to a wide range of businesses, including stores, restaurants, and theaters. The ordinance defines “biometric identifier information” as any “physiological or biological characteristic that is used by or on behalf of a commercial establishment, singly or in combination, to identify, or assist in identifying, an individual, including, but not limited to: (i) a retina or iris scan, (ii) a fingerprint or voiceprint, (iii) a scan of hand or face geometry, or any other identifying characteristic.” The law does, however, permit the collection, use, and retention of biometric identifying data if a notice to customers in “plain, simple language” is clearly displayed. The NYC Commissioner of Consumer and Worker Protection is expected to issue further guidance detailing the exact requirements that businesses must follow to comply with the law. Continue Reading Biometrics Privacy Law Takes Effect in NYC
On June 24, 2021, Google announced that it would extend the phase-out timeline for Chrome’s support of third-party cookies by nearly two years. Although Google originally planned to remove third-party cookie support by early 2022, the revised deadline for late 2023 represents Google’s intent to “move at a responsible pace” that will allow further discussion and engagement with the public and regulators, and to give publishers and the advertising industry at large more time to adjust their services. Continue Reading Google Extends Phase-Out Timeline for Third-Party Cookies
With the release of iOS 14.5, Apple introduced new App Tracking Transparency (ATT) standards requiring iOS app developers to either cease engaging in user and device data tracking or request permission to continue doing so. According to Apple, “tracking” occurs when user or device data is either (1) linked with information that identifies such user or device collected on apps, websites and other locations owned by third parties for the purposes of targeted advertising or advertising measurement, or (2) shared with data brokers. Continue Reading iOS Tracking Analysis
On June 8, the Colorado General Assembly passed Senate Bill 190, the Colorado Privacy Act (“CPA”). The bill now awaits signature from Gov. Jared Polis, who has ten days to sign off on or veto the bill.