With the California Consumer Privacy Act (CCPA) coming into effect on January 1 and the announcement on 14 January from Google that it will be phasing out third party cookies within the next two years, it seems that 2020 will be a significant year for the adtech industry as industry players react with solutions and

Washington state’s lawmakers started the 2020 legislative session with a renewed focus on consumer privacy through the introduction of ten privacy-related bills across the state House and Senate on January 13. Chief among these proposals was the comprehensive Washington Privacy Act (WPA), a new version of which was re-introduced in the Senate after the previous bill died in the House in 2019. The WPA continues to draw comparisons to the now-effective California Consumer Privacy Act (CCPA), and the EU’s General Data Protection Regulation (GDPR). It borrows the concepts of data controllers and processors from the GDPR and the right to opt out of personal data sales from the CCPA, among other similarities between these forerunners of far-reaching privacy regulation. In addition to the new version of the WPA, Washington’s House introduced nine accompanying bills covering various aspects of consumer privacy, including: (i) granting more rights over biometrics (for which Washington has an existing law); (ii) artificial intelligence in employment decisions; (iii) requiring transparency over device connectivity; (iv) mandating notice and consent for voice data collection; and (v) strengthening oversight through the state’s chief privacy officer. Each of these bills highlights various isolated issues that would complement the foundational framework for data protection that the WPA proposal seeks to establish.
Continue Reading New year, new laws: Washington re-introduces comprehensive privacy act among flurry of 2020 consumer privacy bills

Despite intensive lobbying from industry groups, multiple amendments before its effective date, and extensive proposed regulations from the California attorney general, the California Consumer Privacy Act (CCPA) went into effect earlier this month with still many questions left unanswered:

Continue Reading Proposed CCPA amendment would provide significant clarity to health care and life sciences companies

Background

On October 23, 2019, the European Commission (EC) released its report on a third annual review of the EU-U.S. Privacy Shield. While the report confirms that the U.S. continues to provide an adequate level of protection for personal data transfers in the context of the Privacy Shield, there are some gaps between the expectations of the EC and U.S. authorities, particularly in relation to the lack of transparency concerning U.S. enforcement activities and a lack of co-operation between regulators. You can read our summary on the report via this link.

On Thursday, January 9, 2020, members of the Parliament’s Committee on Civil Liberties, Justice and Home Affairs (LIBE) met representatives of the EC and European Data Protection Board to discuss the EC’s 2019 report on the Privacy Shield (link accessible here). An interesting question was raised: Would it be possible for the EC to recognize a single state, e.g., a U.S. state such as California, as an adequate territory for transfers of personal data?Continue Reading The EU-U.S. Privacy Shield: feedback, and potential EU recognition of privacy laws of California and other U.S. states?

2019 signalled significant growth in both regulatory focus and litigation involving biometric privacy. The passage of the California Consumer Privacy Act (CCPA), the addition of biometrics to numerous state data breach notification laws (including New York), and continued class action lawsuits emanating from Illinois’ Biometric Information Privacy Act (BIPA) made biometrics a trend line in 2019 that shows no signs of slowing down in 2020. State legislatures will continue to take note of BIPA’s impact in Illinois and will watch closely as the CCPA is effective as of January 1, 2020, taking cues as to whether or how to implement statutory and regulatory frameworks for biometrics in their own states. Organizations that collect and use consumer or employee biometric data should be aware of their obligations and be on the lookout for more activity on both the regulatory compliance and litigation fronts in the new year.

BIPA provides an express private right of action for consumers who claim that their biometric privacy rights have been violated. In January of 2019, the Illinois Supreme Court affirmed this right when it ruled in Rosenbach v. Six Flags Entertainment Corp. that a plaintiff need only allege a violation of BIPA, not an allegation of actual harm, in order to plead a claim under the Act. Since this decision, BIPA has continued to spawn an onslaught of biometric privacy class actions.Continue Reading Biometric privacy: The year in review and looking toward 2020

Given the vast challenges California’s sweeping new privacy law, the California Consumer Privacy Act (CCPA), poses for digital marketing, the Interactive Advertising Bureau (IAB) released for public comment a draft of its proposed Compliance Framework for Publishers & Technology Companies (the Framework) on October 22.

“Selling” and CCPA challenges for digital. Those who have been actively preparing for CCPA’s implementation on January 1 know by now that pursuant to section 1798.115(d) of the CCPA, a company that has personal information about a consumer may not onward “sell” (as defined in the CCPA) such information to another party without the consumer (1) having received explicit notice of the sale of the personal information and (2) being given the right to opt out pursuant to section 1798.120. Under the CCPA, even if consumers opt out of having their personal information sold, the information may be shared with third parties acting as “service providers” for limited purposes, but the party disclosing the personal information (that is, the “business”) is very specifically limited in its ability to use any data it received that is deemed “personal information.”

Current information sharing practices. Currently, in the programmatic advertising ecosystem, publishers may pass personal information about visitors to their website to downstream participants (the Downstream Participants) who then may pass such information on to others in the supply chain. These Downstream Participants include providers such as:

  • supply-side platforms (SSPs)
  • demand-side platforms (DSPs)
  • ad exchanges
  • ad networks
  • ad tech platforms
  • data management platforms (DMPs)

Downstream Participants also include the advertiser who ultimately purchases the ad, funds the ecosystem, and, in many cases, expects to have ready and trusted access to information associated with its advertising activity and consumer behavior in response to such advertising.Continue Reading IAB issues CCPA compliance framework for public comment

On October 10th, the Attorney General of California, Xavier Becerra, delivered the highly anticipated text of the proposed California Consumer Privacy Act (CCPA) regulations. However, untouched and unexplained were the Health Insurance Portability and Accountability Act, California Medical Information Act, and clinical research exemptions. The industry has and will continue to grapple with

On October 10, 2019, California Attorney General Xavier Becerra issued proposed regulations implementing and interpreting the California Consumer Privacy Act (CCPA). The draft regulations address privacy policies, consumer notices, practices for handling consumer requests, ways to verify consumer requests, requirements regarding minors, and rules governing nondiscrimination practices. The regulations are currently in draft form, with

Another potentially groundbreaking California ballot initiative has been announced, just as companies began to digest and incorporate the amendments to the California Consumer Privacy Act (CCPA) into their compliance plans and learned the draft CCPA regulations will be issued by the California Attorney General in October. Last week, the primary advocate for and co-architect of the CCPA announced a new privacy initiative for California’s November 2020 ballot – the California Privacy Rights and Enforcement Act of 2020 (CPREA), which would revise and expand upon the CCPA.

The new law would:

  • Create new rights around the use of sensitive personal information including race, ethnicity, geolocation, health and financial information.
  • Provide enhanced protection for children’s privacy by requiring opt-in consent to collect data from individuals under 16 and tripling CCPA fines on children’s privacy violations.
  • Require transparency around automated decision-making and profiling regarding employment, housing, credit, and politics.
  • Establish a new authority, the California Privacy Protection Agency, to enhance enforcement of the law and provide guidance to consumers.
  • Require corporations to disclose whether and how they use personal information to influence elections.
  • Require that future amendments are limited to furthering the law.

Continue Reading A new California privacy initiative seeks to further bolster individual privacy rights