Join us in our latest Tech Law Talks podcast series as we explore the regulatory topic du jour: eComms. What are eComms and why are they resulting in fines in the hundreds of millions of dollars for some of the world’s largest banks? The answer is simultaneously simple and complex: rapidly changing technology means keeping up with the variety of eComms, or electronic communications, used by businesses and applying decades-old regulations to new functionality is more challenging than ever before.
On October 6, 2021, the Department of Justice (DOJ) announced the launch of its new Civil Cyber-Fraud Initiative that emphasizes accountability for conduct that could increase cybersecurity threats to the government. This initiative supports the Biden administration’s goals and efforts to improve U.S. cybersecurity generally. Those who do business with the government or receive federal…
In a recent Q&A conducted by Divonne Smoyer and Karen Lee Lust with Connecticut Attorney General (AG) William Tong published in the IAPP Privacy Advisor, the AG discusses how he has continued Connecticut’s role as a privacy leader among the states, partnering with the U.S. Federal Trade Commission on data privacy-related matters and other compliance…
The French data protection authority (CNIL) rendered three major decisions impacting worldwide online service providers following online controls and investigations performed on the companies’ websites. These decisions highlight the obligations of data controllers when using cookies and other trackers, notably regarding the way the user’s consent shall be collected, and the level of information that…
The UK’s Information Commissioner’s Office (“ICO”) published earlier this month its Accountability Framework, available here. The Accountability Framework is designed to assist companies in demonstrating compliance with their accountability obligation under the General Data Protection Regulation (“GDPR”) and in assessing whether their current measures meet the ICO’s expectations.
The Accountability Framework consists of ten categories where the ICO expects companies to be able to demonstrate compliance:
- Leadership and oversight;
- Training and awareness;
- Contracts and data sharing;
- Records management and security;
- Policies and procedures;
- Individuals’ rights;
- Records of processing and lawful basis;
- Risks and data protection impact assessments; and
- Breach response and monitoring.
Companies have been challenged with respect to their cookie policies and their implementation, because the GDPR entered into force before the proposed ePrivacy Regulation.
Given the delay in the adoption of an EU-wide regulation on e-privacy, national data protection authorities have taken the initiative in publishing guidelines on cookie requirements. The…
On October 10, 2019, California Attorney General Xavier Becerra issued proposed regulations implementing and interpreting the California Consumer Privacy Act (CCPA). The draft regulations address privacy policies, consumer notices, practices for handling consumer requests, ways to verify consumer requests, requirements regarding minors, and rules governing nondiscrimination practices. The regulations are currently in draft form, with…
In a continued pursuit for cybersecurity compliance, New York Attorney General (AG) Letitia James has sued Dunkin’ Brands, Inc. (franchisor of Dunkin’ Donuts) over two data breaches in 2015 and 2018, accusing the company of mishandling a series of cyberattacks that together compromised more than 320,000 customer accounts.
In the complaint filed last week, AG James alleges that Dunkin’, by failing to notify consumers of the breaches or to take sufficient steps to investigate and safeguard consumer data, violated not only its internal data security procedures but also New York data breach notification and consumer protection laws.
In 2015, Dunkin’ was the target of a series of brute force attacks, in which automated software was used to gain access to accounts by guessing various combinations of usernames and passwords. The lawsuit alleges that despite being notified of these attacks by one of its mobile app developers, Dunkin’ did not notify its customers – in violation of the New York data breach notification law – nor did it carry out any security measures to prevent future attacks, such as resetting passwords or freezing accounts…
Another potentially groundbreaking California ballot initiative has been announced, just as companies began to digest and incorporate the amendments to the California Consumer Privacy Act (CCPA) into their compliance plans and learned the draft CCPA regulations will be issued by the California Attorney General in October. Last week, the primary advocate for and co-architect of the CCPA announced a new privacy initiative for California’s November 2020 ballot – the California Privacy Rights and Enforcement Act of 2020 (CPREA), which would revise and expand upon the CCPA.
The new law would:
- Create new rights around the use of sensitive personal information including race, ethnicity, geolocation, health and financial information.
- Provide enhanced protection for children’s privacy by requiring opt-in consent to collect data from individuals under 16 and tripling CCPA fines on children’s privacy violations.
- Require transparency around automated decision-making and profiling regarding employment, housing, credit, and politics.
- Establish a new authority, the California Privacy Protection Agency, to enhance enforcement of the law and provide guidance to consumers.
- Require corporations to disclose whether and how they use personal information to influence elections.
- Require that future amendments are limited to furthering the law.
Late last week, the California legislature approved five bills intended to clarify the scope and required compliance obligations of the California Consumer Privacy Act (CCPA or the Act). Organizations now have just over three months to determine whether they need to comply with the newly amended CCPA, assess what their obligations are, and implement the policies, procedures, and operational changes necessary to comply with the law.
- The amendments clarify that, at least for 2020, this consumer privacy law will apply to personal information of employees, job applicants, and contractors and personal information collected through certain business-to-business interactions but only in certain respects.
- The amendments add flexibility to the processes that businesses may use for receiving and verifying consumer access and deletion requests.
- The amendments exclude from CCPA applicability certain processing of consumer report data that is already governed by the federal Fair Credit Reporting Act.
- The amendments clarify how encryption and redaction may play into the private right of action for data breaches.
- The amendments confirm that properly deidentified or aggregate data is not personal information under the Act.