Eye On Privacy

Timely Updates and Analysis on Privacy and Cybersecurity Issues

Latest from Eye On Privacy

In this third post of our ongoing series, we examine key takeaways for companies in light of the recently released draft CPRA regulations. Today’s focus is on contractual requirements. (Visit here for information about collection and notice under the draft regulations, and here for information about choice.)
Continue Reading What Should We Do About the Draft CPRA Regulations?: Contracts

The California Privacy Protection Agency (CPPA) recently released the draft proposed CCPA Regulations and draft initial statement of reasons. Importantly, these are draft regulations that are likely to be subject to extensive public comment and modification before they become final. At the June 8 meeting, the board moved to approve the draft regulatory text to begin the formal rulemaking process and public comment period.

These draft regulations redline the existing CCPA regulations. Though some provisions were largely unedited, they could be modified in forthcoming updates. This includes notices regarding financial incentives, rules for consumers under the age of
Continue Reading What Should We Do About the Draft CPRA Regulations?: Collection and Notice

On June 13, US and UK governments announced that they are developing prize challenges focused on advancing the maturity of privacy-enhancing technologies (PETs) to combat financial crime. The announcements highlight that up to $2 trillion of cross-border money laundering takes place each year. The White House explained that PETs could address financial crime through maturing technologies, which allows machine learning models to be trained on high quality datasets, without the data leaving safe environments. PETs also facilitate privacy-preserving financial information sharing and collaborative analytics; allowing suspicious types of behavior to be identified without compromising the privacy of individuals, or requiring the transfer of
Continue Reading US, UK Collaborate on Prize Challenges for Privacy-Enhancing Technologies


The Department of Defense recently provided some clarity on the timeline for implementation of its Cybersecurity Maturity Model Certification (CMMC) program. The DoD now expects to complete documentation to submit to the Office of Management and Budget for its rulemaking process by July 2022. It also plans to issue interim final rules by March 2023. If DoD sticks to this new timeline, the CMMC requirements could begin appearing in solicitations for government contracts as early as May 2023 (60 days after the rules are published).
Continue Reading Updated Timeline for DoD’s Cybersecurity Certification Program

Maryland recently passed two companion bills amending the state’s Personal Information Protection Act. The bills modify the data breach notification requirements and scope of businesses subject to the data security requirements. The key changes are summarized below, and will go into effect October 1 of this year:
Continue Reading Maryland Amends Data Security and Breach Notice Obligations

On June 7, Sen. Sherrod Brown (D-OH), Chair of the Senate Committee on Banking, Housing, and Urban Affairs, sent a letter to Treasury Secretary Janet Yellen to request a review by the Financial Stability Oversight Council of financial institutions’ consumer data activities and their potential threat to U.S. financial stability and security. The letter raised concerns that this information may be sold to third-party purchasers or data brokers who compile it with personal data collected from other sources often associated with advertising and exploited for other uses. The Committee also raised concerns that such data could be used for nefarious purposes including
Continue Reading Senate Banking Committee Sends Letter to Yellen on Collection, Use of Consumer Data

The FTC recently reminded companies that principles of fairness and the likelihood of harm may in some cases prompt breach notification. This requirement might exist even if state breach notice laws have not been triggered. The FTC emphasized at the same time the need for breach disclosures to be accurate. These comments appeared in the FTC blog, and underscore the agency’s continuing trend to exercise its enforcement authority under the FTC Act in the data security and data breach context.

When discussing breach notification, the FTC focused on situations in which disclosing information to an individual might have “mitigate[d] reasonably
Continue Reading FTC Weighs In On Data Breach Notification

The FTC recently took two well-publicized steps in the children’s privacy space. First, it penalized WW International (formerly, Weight Watchers) and its subsidiary, Kurbo, for alleged COPPA violations. Second, it unanimously voted to adopt a new policy statement on education technology and COPPA. These actions follow its March COPPA settlement with TickTalk Tech.
Continue Reading FTC Continues Focus on Children’s Privacy

In April, Kentucky (HB 474) and Maryland (SB 207) adopted insurance data security legislation based on the National Association of Insurance Commissioners (NAIC) model law. A total of 15 states have adopted the NAIC Model Law. We previously discussed the requirements of the model law in our insurance certifications round-up, including its recent adoption by other states. Among other things, the model law calls for insurers to quickly report and investigate data breaches and to annually certify their compliance with its security provisions.

Maryland’s law takes effect on October 1, 2022 and Kentucky’s law goes
Continue Reading Kentucky and Maryland Enact Insurance Data Security Laws

The European Commission recently released a set of FAQs for the new EU standard contractual clauses (SCCs). The FAQs are based on feedback received from various stakeholders and currently address 44 different questions. Additional content is expected to be added as new questions come up. The long-awaited SCCs for transfers out of the EEA were adopted about one year ago. Among other changes, two of the biggest differences in the new cross-border SCCs are the modular approach and the provisions addressing Schrems II. The FAQs cover some general questions about the SCCs for companies that might be newer to
Continue Reading Working Through the New EU SCCs? European Commission Releases FAQs

Dark patterns have been a recent regulatory focus. The FTC issued an enforcement policy late last year, and the European Data Protection Board followed suit with guidelines this spring. The two have slightly different takes on what constitutes a dark pattern. The European focus is on misleading consumers into providing more information than they would have otherwise, or in providing unwitting consent for use of information. For the FTC, the focus is on programs that “trick” consumers into making purchases, including signing up for ongoing services. For both entities, the concern is on misleading consumers into providing unwilling consent or
Continue Reading What’s the Big Deal About Dark Patterns?

California federal Judge William Alsup dismissed various claims against Mint Mobile LLC based on a data breach that exposed personal information of Mint customers. Plaintiff Daniel Fraser alleged that Mint, a mobile virtual network operator using the T-Mobile network infrastructure, was hit with a data breach in June 2021. According to Fraser, the breach resulted in disclosure of his and others’ personal information, including names, addresses, email addresses, phone numbers, account numbers, and passwords.
Continue Reading Mint Gets Data Breach Claims Dismissed

Connecticut just joined California, Colorado, Utah, and Virginia in passing a comprehensive privacy law. The Connecticut Data Privacy Act (CTDPA) goes into effect July 1, 2023, the same time as Colorado’s very similar law. Companies preparing for these new laws (Virginia goes into effect January 1, 2023 and Utah December 31, 2023) will want to keep in mind the following five things about this fifth general US state privacy law.
Continue Reading Connecticut Fifth State to Pass a Comprehensive Privacy Law

As we have written in the past, APEC’s Cross-Border Privacy Rules (CBPR) program is intended to help companies more easily transfer personal data across borders. Participating companies complete self-assessments and work with their local countries’ “accountability agent.” There are currently seven participating economies, which include the US, Canada, and Japan. Those participating economies recently announced the development of a “Global CBPR Forum.” The Forum is tasked with, inter alia, creating an international certification system, reviewing members’ privacy standards, and ensuring that the program is “interoperable with other data protection and privacy frameworks.”
Continue Reading Formation of CBPR Forum Signals Continued Movement