GDPR – Post Effective Date

Are you collecting, using or disclosing personal information (PI) of Canadian residents in the course of commercial activities? If so, you may be subject to Canada’s Breach of Security Safeguards Regulations (Regulations), under Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA). Under the Regulations, which went into effect on November 1, 2018, organizations that are subject to PIPEDA are required to report security breaches involving PI that “pose a real risk of significant harm,” notify affected individuals of the breach, and maintain records of every breach, reported or not, for at least two years. Businesses that fail to comply with the Regulations may be subject to fines of up to CA$100,000 per offense.
Continue Reading Canada’s New Breach Regulations

Under the GDPR, individuals have the following rights relating to their personal data:

  1. Right to access various information about their personal data;
  2. Right to rectify to ensure the accuracy of their personal data;
  3. Right to request erasure of their personal data;
  4. Right to restrict the processing of their personal data;
  5. Right to retrieve or transmit their personal data (i.e., portability request);
  6. Right to object to the processing of their personal data; and
  7. Right to not be subject to automated decision-making.

Continue Reading Responding to Individuals’ Rights Requests Under the GDPR

While the California Consumer Protection Act (CCPA) bears a resemblance to the General Data Protection Regulation (GDPR), there are several notable differences, and companies should not assume that GDPR compliance means CCPA compliance. Among the differences between the CCPA and the GDPR are the following:
Continue Reading CCPA vs. GDPR: Know The Differences

Does your company handle data analytics to target California consumers? If so, it is imperative that you pay close attention to the California Consumer Privacy Act (CCPA) that goes into effect on January 1, 2020. The CCPA goes well beyond the General Data Protection Regulation (GDPR); however, if you’ve achieved compliance with the GDPR, you are well on your way to achieving CCPA compliance.

Once in effect, the CCPA will require businesses processing the personal information (PI) of 50,000 or more California consumers (defined as California residents) to comply with new regulations governing the processing of their PI. Businesses will have to respond to eight (8) specific consumer rights, observe restrictions on data monetization business models, and update their privacy notices to provide detailed disclosures about their data collection, sales and business disclosures.
Continue Reading Update for Financial Institutions Regarding the California Consumer Privacy Act—This New Law May Apply to You

The California Consumer Privacy Act (CCPA) will require businesses processing personal information (PI) of 50,000 or more California consumers, earning more than $25 million in annual gross revenues, or deriving at least 50% of their annual revenue from PI sales to comply with new regulations governing the processing of consumers’ PI. The definition of PI is broader than the General Data Protection Regulation (GDPR) in that it includes any PI that identifies “households” and not just individuals. Further, the PI definition includes a business’s proprietary “inferences” drawn from other PI to develop consumer profiles or other analytics. Under the CCPA, companies will be obligated to respond to the following eight consumer rights:
Continue Reading The California Consumer Privacy Act – Consumer Rights

Privacy and data security are front page news. Companies know they need a privacy compliance strategy but are often daunted by the prospect of how and where to begin. There is a plethora of global and U.S. laws, e.g., the GDPR, 50 different state standards for data breach notification, sector-specific laws, and the first state attempt to put comprehensive privacy protections in place for its residents.
Continue Reading Best Practices for Creating a Comprehensive Privacy Program

Are you in compliance with the recent changes in privacy law? Over the past year, there have been game-changing developments in privacy and data security laws around the world. In May 2018, the General Data Protection Regulation (GDPR) went into effect in the European Union (EU), ushering in a new, sweeping privacy law framework that affects not only businesses located in the EU, but also companies that offer goods and services to EU residents or monitor their behavior. Then, in June, the California Consumer Privacy Act was passed—a landmark law that, like the GDPR, will impose far-reaching requirements on businesses to protect consumers’ personal information. Other notable developments include Vermont passing a data broker law in May, Chicago introducing a data protection ordinance in June, Japan and the EU agreeing on a reciprocal finding of adequacy in July, and China enacting its Cybersecurity Law last year. This is a fast-evolving field, and more changes are certain to come.
Continue Reading Topline Compliance