Tag Archives: compliance

California attorney general issues draft CCPA regulations

On October 10, 2019, California Attorney General Xavier Becerra issued proposed regulations implementing and interpreting the California Consumer Privacy Act (CCPA). The draft regulations address privacy policies, consumer notices, practices for handling consumer requests, ways to verify consumer requests, requirements regarding minors, and rules governing nondiscrimination practices. The regulations are currently in draft form, with …

With latest lawsuit, New York attorney general continues to demand cybersecurity compliance

In a continued pursuit for cybersecurity compliance, New York Attorney General (AG) Letitia James has sued Dunkin’ Brands, Inc. (franchisor of Dunkin’ Donuts) over two data breaches in 2015 and 2018, accusing the company of mishandling a series of cyberattacks that together compromised more than 320,000 customer accounts. In the complaint filed last week, AG …

A new California privacy initiative seeks to further bolster individual privacy rights

Another potentially groundbreaking California ballot initiative has been announced, just as companies began to digest and incorporate the amendments to the California Consumer Privacy Act (CCPA) into their compliance plans and learned the draft CCPA regulations will be issued by the California Attorney General in October. Last week, the primary advocate for and co-architect of …

Last minute amendments likely finalize CCPA language for January 1 deadline

Late last week, the California legislature approved five bills intended to clarify the scope and required compliance obligations of the California Consumer Privacy Act (CCPA or the Act). Organizations now have just over three months to determine whether they need to comply with the newly amended CCPA, assess what their obligations are, and implement the …

German DPA released audit checklist for GDPR readiness

The Lower Saxony Data Protection Authority (Lower Saxony DPA) has audited 50 large and medium-sized organizations over the last couple of months regarding their implementation of the requirements of the General Data Protection Regulation (GDPR), and is currently finalising the audits. On 7 August 2019, the Lower Saxony DPA released the checklist that it used …

$5 billion Federal Trade Commission settlement with Facebook represents largest privacy enforcement penalty ever

The Federal Trade Commission’s (FTC) recent $5 billion settlement with Facebook is unprecedented in multiple respects: The $5 billion penalty represents the largest privacy and data security settlement in history – it is almost 20 times larger than the recent Equifax Inc. settlement and dwarfs recent EU data protection enforcement actions. As part of the …

FTC settlement and warning letters over cross-border personal data transfers

The Federal Trade Commission’s (FTC) recently announced settlement with background check provider SecurTest, Inc. shows the agency remains vigilant regarding businesses’ claims that they comply with the EU-U.S. Privacy Shield Framework (Privacy Shield). Privacy Shield provides U.S. businesses with a legally recognized mechanism for receiving personal data in the United States from the EU. In …

What businesses should know about the upcoming CCPA rulemaking

With barely half a year until the California Consumer Privacy Act (CCPA) takes effect in January 2020, the landmark privacy law is in a state of flux. The already-amended landmark law is likely to face further rounds of revision, and the California Attorney General is required to hammer out many key compliance requirements through an …

September 4, 2018: NYDFS Cybersecurity Regulation Compliance date arrives

As of today, Covered Entities are expected to be compliant with additional provisions under the New York State Department of Financial Services (NYDFS) cybersecurity regulation. A “Covered Entity” is any individual or non-governmental entity “operating under or required to operate under a license, registration, charter, certificate, permit, accreditation or similar authorization under the Banking Law, …

Implementing the GDPR: Reed Smith Webinar on Planning your Path to Compliance in 2017

We are hosting a webinar on January 30, 2017, to discuss the new obligations global organisations with interests in Europe will need to meet to comply with the GDPR. With just over 16 months to go until the Regulation will be enforced, it is vital that you understand the requirements and that you are able to …

Information Commissioner’s Office issues updated code of practice on conducting Privacy Impact Assessments

In February, the UK Information Commissioner’s Office (ICO) issued an updated code of practice on conducting Privacy Impact Assessments (PIA), with a six-point process for organisations to follow (the Code). A PIA is intended to focus the attention of an organisation on the way that data is held and used in any project, and reduce …

Hong Kong’s Office of the Privacy Commissioner for Personal Data releases Best Practice Guide on Privacy Management Programmes

This post was written by Cynthia O’Donoghue. Last month, Hong Kong’s Office of the Privacy Commissioner for Personal Data (OPCP) released a Best Practice Guide on Privacy Management Programmes (PMP) (the Guide). Striking a similar chord to the UK Information Commissioner’s Office in the recently released code of practice on conducting Privacy Impact Assessments, the …

Indian Centre for Internet and Society issues call for comments on draft Privacy (Protection) Bill

This post was written by Cynthia O’Donoghue. A nonprofit research organisation, the Indian Centre for Internet and Society (ICIS), has issued an open call for comments on its draft Privacy (Protection) Bill 2013 (the Bill). Consultations on the Bill started in April 2013, with a series of seven roundtable talks being held in partnership with …

Theft of Unencrypted Flash Drive Causes OCR to Issue Settlement and Corrective Action Plan for Physician Practice

This post was also written by John E. Wyand. The Department of Health and Human Services’ Office for Civil Rights (OCR) opened an investigation of Adult & Pediatric Dermatology, P.C. (APDerm) after a report was made regarding the theft of an unencrypted flash drive. To settle potential violations of the Health Insurance Portability and Accountability …

Department for Business, Innovation & Skills Publishes Impact Assessment for European Commission Proposed Cybersecurity Directive

At the end of September, the UK Government Department for Business, Innovation and Skills (BIS) issued an impact assessment (IA) on the draft Network and Information Security Directive (the Directive) proposed by the European Commission on 7 February 2013. The Directive aims to achieve a common high level of network and information security across …

UK Office of Fair Trading Consults on Consumer Protection Principles for Children’s Online Games and Apps

With more than six million apps currently in existence, the ‘appification’ of society is increasingly a topic of discussion, and certainly it was prominent at the 35th International Conference of Data Protection and Privacy Commissioners in Warsaw in September. Apps often collect large amounts of personal data and therefore have significant potential privacy implications. Young …

European data protection watchdog proposes stricter regulation of profiling

The EU data protection watchdog, Article 29 Working Party (Art. 29 WP), has issued the Advice paper on essential elements of a definition and a provision on profiling within the EU General Data Protection Regulation. The document underlines the significance of creating profiles based on interlinked personal data, especially given the latest developments in geo …

Colombia fills the gaps in its new data protection framework

This post was written by Cynthia O’Donoghue. After its first data protection law came into force in April this year, Colombia has now introduced implementing regulations (Decree No. 1377). The legislation, which was released in late June, provides greater clarity on a number of areas contained in the data protection law (Statute Law No. 1581). …

Spanish data protection watchdog publishes one new guidance on cookies and two on cloud computing

The Spanish data protection authority, Agencia Española de Protección de Datos (AEPD), has issued three new guidance documents dealing with (1) the use of cookies, (2) cloud computing from a customer perspective and (3) cloud computing from a service provider perspective. The guides provide useful information on how to use modern IT solutions in conjunction …

ICO Information Rights Strategy 2012 – UK regulator identifies information security as continuing priority while targeting Financial Services, Health and Telecoms/New Media for close attention

This post was written by Nick Tyler. The Information Commissioner’s Office (ICO), the UK’s data protection and freedom of information regulator, has launched a high-level “Information Rights Strategy”. In it, the ICO identifies the following priority areas: Internet and mobile services; health; credit and finance; criminal justice; and information security. The ICO will focus on …

Privacy Compliance: Not Just a Luxury Anymore

This post was also written by David Z. Smith. On August 29, 2011, a Google shareholder filed a derivative action against the company’s directors stemming from Google allegedly allowing and supporting Canadian and other foreign pharmacies to advertise and ship prescription drugs to American consumers through Google’s AdWords advertising program in violation of U.S. law. The …