Last week a new privacy law limiting what businesses can do with biometric data (for example, facial recognition information and fingerprints) took effect in New York City. The new ordinance requires commercial establishments that collect biometric information to post notices to customers explaining how their data will be used. The law applies to a wide range of businesses, including stores, restaurants, and theaters. The ordinance defines “biometric identifier information” as any “physiological or biological characteristic that is used by or on behalf of a commercial establishment, singly or in combination, to identify, or assist in identifying, an individual, including, but not limited to: (i) a retina or iris scan, (ii) a fingerprint or voiceprint, (iii) a scan of hand or face geometry, or any other identifying characteristic.” The law does, however, permit the collection, use, and retention of biometric identifying data if a notice to customers in “plain, simple language” is clearly displayed. The NYC Commissioner of Consumer and Worker Protection is expected to issue further guidance detailing the exact requirements that businesses must follow to comply with the law.
Continue Reading Biometrics Privacy Law Takes Effect in NYC

On June 24, 2021, Google announced that it would extend the phase-out timeline for Chrome’s support of third-party cookies by nearly two years. Although Google originally planned to remove third-party cookie support by early 2022, the revised deadline for late 2023 represents Google’s intent to “move at a responsible pace” that will allow further discussion and engagement with the public and regulators, and to give publishers and the advertising industry at large more time to adjust their services.
Continue Reading Google Extends Phase-Out Timeline for Third-Party Cookies

With the release of iOS 14.5, Apple introduced new App Tracking Transparency (ATT) standards requiring iOS app developers to either cease engaging in user and device data tracking or request permission to continue doing so. According to Apple, “tracking” occurs when user or device data is either (1) linked with information that identifies such user or device collected on apps, websites and other locations owned by third parties for the purposes of targeted advertising or advertising measurement, or (2) shared with data brokers.
Continue Reading iOS Tracking Analysis

On April 26, 2021, the Cyberspace Administration of China, the Ministry of Industry and Information Technology, the Ministry of Public Security, and the State Administration for Market Regulation, jointly released the draft Interim Regulations on the Administration of Personal Information Protection for Mobile Internet Applications. The Draft Interim Regulations apply specifically to data collection via mobile applications and are intended to function alongside China’s currently proposed omnibus data protection legislation, the Personal Information Protection Law. The Draft Interim Regulations were open for public comment until May 26, 2021, and the US-China Business Council submitted comments from its members, including Perkins Coie.
Continue Reading China Proposes Draft Regulations for the Protection of Personal Information Collected Via Mobile Applications

On May 18, 2021, a consumer filed a putative class action lawsuit against a tech company in California federal court. The consumer alleges that the company violates users’ privacy by selling their personally identifiable information (PII) to third parties in connection with a real-time bidding system it uses for digital ad sales. In his complaint, the plaintiff alleges that the company represented in its privacy policy, terms of service, and elsewhere that a user’s PII would not be shared with third parties without the user’s consent. However, the complaint avers that the company purportedly sold users’ PII—including user location data, browsing history, and demographic and health information—to third parties that participate in the company’s ad bidding auction process, and that it did so without ever informing users that their data was being shared. The complaint alleges that this conduct violates the Electronic Communications Privacy Act (ECPA) as well as a range of consumer privacy and contract rights under California constitutional, statutory, and common law.
Continue Reading Class Action Lawsuit Alleges Improper Sale of PII for Ad Bidding Purposes

California Deputy Attorney General Lisa Kim shared insights on the California Consumer Privacy Act (CCPA) enforcement and rulemaking at a live webinar hosted by the IAPP and California Lawyers Association Privacy Law Section on April 22, 2021. She pointed out key areas of focus for businesses as they develop and improve their CCPA compliance efforts. Here are some key takeaways from her remarks:

Continue Reading California Deputy Attorney General Addresses CCPA Enforcement and Rulemaking, Anticipating CPRA

On March 19, 2021, Colorado State Senators Richard Rodriguez (D) and Paul Lundeen (R) introduced Senate Bill 21-190 as part of a bipartisan effort to make Colorado the latest state to implement comprehensive legislation establishing certain consumer data privacy rights. Dubbed “A Bill for an Act Concerning Additional Protection of Data Relating to Personal Privacy,” SB 21-190 largely follows in the footsteps of California’s CCPA, Virginia’s CDPA and the European Union’s GDPR with a stated intent to “empower consumers to protect their privacy and require companies to be responsible custodians of data as they continue to innovate.”
Continue Reading Colorado Joins Ranks of States Introducing Consumer Data Privacy Legislation

Guest Author Bird & Bird, Anna Shashina, Partner

On March 1, 2021, substantial amendments to the Russian Federal Law on Personal Data (No. 152-FZ), implemented on July 27, 2006, came into effect (“Amendments”). The Amendments change the rules on processing of publicly disseminated personal data and affect businesses that publish or use personal data on the internet. In particular, employers who publish employee personal data on a website need to examine the Amendments and implement new consent requirements. Data subjects now have wider powers to control and authorize the processing of their data in the public domain. Data subjects also have a right to request that data operators that are disseminating their data (and any company down the data processing chain) cease transferring such data.

What Are the Key Amendments?
Continue Reading Russia: Overhaul of Publicly Disseminated Data Processing

As the California legislature reconvened in Sacramento in January with hopes for a more regular legislative session in 2021, it again returned its focus to address the potential for bias and discrimination from the use of automated decision systems (ADS) by businesses. Assemblymember Ed Chau, chair of the Assembly Privacy and Consumer Protection Committee, is spearheading a bill—AB 13, or the Automated Decision Systems Accountability Act of 2021. AB 13 would require any business in California that provides a person with a program or device that uses an ADS to “to take affirmative steps to ensure that there are processes in place to continually test for biases during the development and usage of the ADS.”
Continue Reading California Legislature Returns Its Focus to Automated Decision Systems