Eye On Privacy

Timely Updates and Analysis on Privacy and Cybersecurity Issues

Google Play’s “data safety form” is now live. Developers can now submit the form for early review and feedback. Starting in April 2022, Google will require this label and a privacy policy for all new and existing apps. This is similar to Apple. Before, only apps that collected personal and sensitive user data needed to share a privacy policy in Google’s store.
Continue Reading Google’s Privacy “Data Safety” Form Is Now Available

The Office of the Australian Information Commissioner issued a determination earlier this fall about 7-Eleven’s use of “faceprints.” The OAIC found the convenience store improperly collected faceprint information without getting individuals’ consent in violation of the Privacy Act.
Continue Reading Australia Objects to 7-Eleven’s In-Store Use of Facial Recognition Technology

The SEC’s enforcement action with a leading seller of market data (App Annie Inc.) signals its concern with misleading data use representations. While the data at issue was not “personally identifiable” information, but instead corporate confidential information, the SEC’s concerns mirrored those that we have previously seen from that agency, as well as others, regarding representations made about personal information.
Continue Reading Implications of SEC’s Scrutiny of Data Use Representations

The Chinese agency charged with implementing and enforcing the new Personal Information Protection Law has issued draft measures for cross-border data transfers. Comments are due by November 28. As we detailed previously, the law requires that the Cyberspace Administration of China (CAC) conduct security assessments prior to certain information transfers out of China. Those situations included if the information transferred reached “significant” thresholds. Those thresholds have now been clarified in the draft.
Continue Reading China Draft PIPL Measures Outlines Thresholds for CAC Security Assessments

The Department of Defense (DOD) recently announced several changes to its Cybersecurity Maturity Model Certification program. The program applies to those who serve as contractors and suppliers to the DOD. As described in our sister blog, the new version of the program – “CMMC 2.0” – has several important differences from the original program. CMMC 2.0 is anticipated to go into effect anywhere from nine to 24 months from now.
Continue Reading Updates Announced to Department of Defense Cybersecurity Certification Program

The Federal Trade Commission recently issued a new enforcement policy statement about “dark patterns:” programs that attempt to “trap” consumers into service contracts. These programs usually take the form of negative option marketing programs, according to the FTC, and are regulated under most states’ laws as well as the Restore Online Shoppers Confidence Act (ROSCA).
Continue Reading FTC To Focus Enforcement Efforts on Dark Patterns

The FTC recently announced a final rule updating its GLBA Safeguards Rule to “strengthen the data security safeguards” of consumer financial information. The FTC reported that it was making these changes in response to widespread data breaches and cyberattacks.  As we reported in our sister blog, the changes will mean that a broad range of non-banking financial institutions may need to make updates to their data security policies and procedures. The new requirements go into effect in November 2022.
Continue Reading Non-Banking Institutions Will Want to Review Security Measures in Light of Update to Safeguards Rule

Apple has issued new guidelines for apps that let people create accounts. The guidelines will require these apps to give people a way to delete their accounts. This requirement is broader than CCPA and GDPR deletion rights, as it applies to all users (not just those from specific territories). The requirements go into effect for submissions starting January 31, 2022.
Continue Reading Apple To Require Ability to Delete Accounts In-App

California recently updated both its data security and breach notice laws to include genetic data. With the passage of AB 825, the data security law now includes in the definition of “personal information” genetic data. The information needs to be “reasonably protected.” While many other states have similar “reasonable protection” requirements in their data security laws, California is one of a handful to specifically list genetic information.
Continue Reading California Broadens Security and Breach Laws, Includes Genetic Data

California’s governor recently signed SB 41 into law. The bill enacts the Genetic Information Privacy Act (GIPA). The governor rejected a similar bill last year over concerns about COVID-19 public health efforts. To address that concern, this bill exempts tests used to diagnose whether an individual has a specific disease.
Continue Reading California Enacts New Privacy Law for Genetic Data

In the wake of increased ransomware attacks over the course of the last several months, the US Department of Treasury’s Office of Foreign Assets Control (OFAC) has updated a guidance it released last year on potential sanction risks if facilitating ransomware payments. As indicated in the original guidance, OFAC has designated several threat actors as “malicious cyber attackers,” including the developers of Cryptolocker, SamSam, WannaCry, and Dridex. OFAC has indicated that it will impose sanctions on those who financially (or otherwise support) these actors, including by making ransomware payments to them. Sanctions can range from non-public (for example No Action
Continue Reading Do You Have a Risk-Based Sanctions Compliance Program?: In the Event of a Ransomware Attack, OFAC Wants to Know