Privacy policies are meant for a host of audiences, including consumers, regulators and advocates. One way to make your privacy policy more accessible to consumers is to include a short form privacy notice at the start of a policy. Short form notices deliver essential elements of how information is treated and protected, provide means to access the full policy, and often include essential privacy choices, such as opt-ins or opt-outs.
Continue Reading Should You Provide a Short Form Privacy Notice?

The second annual review of the EU-U.S. Privacy Shield framework is currently underway, with the European Commission planning to release a report detailing its findings regarding the effectiveness of the Privacy Shield by January 1, 2019. The Privacy Shield framework was created to act as a conduit between the respective privacy approaches of the European Union and the United States. In July, the European Parliament warned that it would suspend the EU-U.S. Privacy Shield agreement unless the United States took steps to demonstrate its obligations under the framework. Since then, the United States has been collaborating with the European Union to preserve the international data flows in place under the Privacy Shield, emphasizing its importance for both EU and U.S. consumers and businesses.
Continue Reading Is the Privacy Shield Here to Stay?

Are you collecting, using or disclosing personal information (PI) of Canadian residents in the course of commercial activities? If so, you may be subject to Canada’s Breach of Security Safeguards Regulations (Regulations), under Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA). Under the Regulations, which went into effect on November 1, 2018, organizations that are subject to PIPEDA are required to report security breaches involving PI that “pose a real risk of significant harm,” notify affected individuals of the breach, and maintain records of every breach, reported or not, for at least two years. Businesses that fail to comply with the Regulations may be subject to fines of up to CA$100,000 per offense.
Continue Reading Canada’s New Breach Regulations

You might have heard of data brokers—entities that collect personal information and analyze, append, and repackage it for sale to third parties—from reports such as the FTC’s 2014 study or a 2017 proposed congressional bill that would have imposed breach notification obligations on brokers following the Equifax breach. But you may have never thought that your company’s practices could land you in this category.

Beginning on January 1, 2019, Vermont will be the first state in the nation to regulate data brokers that process personal information regarding its residents. This new law incorporates a very broad definition of “data broker” and requires businesses defined as such to register annually and report on security breaches to the Secretary of State. 
Continue Reading Vermont Data Broker Law – Could You Be a Data Broker?

Does your company use mobile apps, Internet of Things, AI, health tech or other technologies to develop consumer profiles, create products or deliver targeted advertising? If so, you should be aware that the technologies used to perform these tasks are highly regulated and the subject of multiple privacy and data security laws. Specifically, it is worth asking your digital marketing department whether it is using persistent unique identifiers (or IDs) to track users. Persistent IDs are the tools that marketers use behind the scenes to connect consumers with their devices. The information gathered is used for marketing, product development and analytics.
Continue Reading Persistent Identifiers Used in Digital Marketing Are Personal Information and Governed by Multiple Privacy Laws

Privacy and data security are front page news. Companies know they need a privacy compliance strategy but are often daunted by the prospect of how and where to begin. There is a plethora of global and U.S. laws, e.g., the GDPR, 50 different state standards for data breach notification, sector-specific laws, and the first state attempt to put comprehensive privacy protections in place for its residents.
Continue Reading Best Practices for Creating a Comprehensive Privacy Program