Headlines that Matter for Privacy and Data Security.
California Exemptions for B2B and Employee Data Set To Expire
With August 31 marking the last day of the legislative session, the California legislature’s failure to extend business-to-business and employee data exemptions may result in new requirements for companies within the California Privacy Rights Act’s (CPRA) scope that previously benefitted from these carveouts. Specifically, the exemptions apply to personal information reflecting communications where a covered individual is acting in a business-to-business commercial transaction and to the personal information of job applicants, employees, and independent contractors. Currently, in these situations, businesses are not required to comply with certain sections of the California Consumer Privacy Act (CCPA) that govern retention, data subject rights, use, and selling. However, without action, this will come to an end on January 1, 2023. Instead, companies within the CPRA’s scope that handle business-to-business and employee information will now be subject to all requirements of the CPRA. As this is a major change, businesses should start preparing to comply with the CPRA not only for consumer data, but also for business and employee data as soon as possible.
California AG Sends Letters to Hospitals To Inquire About Algorithms in Healthcare
California Attorney General Rob Bonta sent requests to 30 hospital CEOs to gather information about how algorithms are used in the healthcare context, with a particular focus on racial and ethnic disparities and discrimination. As algorithms are a growing focus for regulators in California and across the nation, hospitals and all businesses using them should be careful to conduct a privacy impact assessment and review the inputs and outputs of such decision-making tools. For the AG press release, please see here.
Timing Is Everything: Ninth Circuit Addresses Chatbot Consent Requirements
According to the Ninth Circuit’s recent ruling in Javier v. Assurance IQ LLC and Active Prospect Inc., obtaining consent prior to using recording technologies is required for purposes of the California Invasion of Privacy Act (CIPA). This ruling is notable for website operators as it signals that obtaining targeted consent before using commonly deployed website features – such as chat bots and lead verification recording programs – can nip burgeoning CIPA “wiretapping” lawsuits in the bud. Additionally, businesses should:
Fully inform consumers of their privacy practices
Remain familiar with the privacy practices of affiliated third-party providers, including without limitation storage, recording, and use practices
Fully understand at which point in user engagement consumers are notified that their interactivity is monitored and stored
For more information, please see our alert here.
California Legislature Passes Age Appropriate Design Code Act
The California Legislature recently passed Assembly Bill 2273, The Age Appropriate Design Code Act. The Bill is California’s latest privacy protection for minors age 17 and under and applies to businesses that provide an online service, product, or feature likely to be accessed by children. It requires businesses to incorporate heightened privacy settings for children and to feature clear and concise privacy language suited to the age of the children likely to access that online service or product. Additionally, the Bill would require a business to complete a Data Protection Impact Assessment for any new online service, product, or feature likely to be accessed by children and to maintain documentation of this assessment for as long as it is likely to be accessed by children. If enacted, the Bill will take effect on January 1, 2024.
California Business Representatives Ask Regulators To Delay Enforcement of the CPRA, Citing Delays in the Rulemaking Process as the Reason More Time Is Needed
As the CPRA effectuation date (January 1, 2023) nears, business representatives push for more time to consider how they’ll meet new requirements. Calling the proposed regulations (Regulations) confusing and citing delays in the rulemaking process, representatives were adamant in their stance at the California Privacy Protection Agency’s August 24 and 25 public hearings. Some commenters told regulators they’re underestimating how much it will cost businesses to comply. Others stated that the time needed to design complex policies should be taken into account. One commenter asked the agency to clarify the Regulations’ opt-out sections. Another stated that the Regulations are overbroad. Find more information on the Regulations here.
California AG Fines Retailer $1.2 Million for CCPA Violations
California AG Rob Bonta recently settled with a large retailer based on CCPA violations involving consumers’ right to opt out of the sale of their data. Specifically, the complaint alleged that the retailer failed to honor the CCPA requirement to provide consumers the ability to opt out of the sale of their personal data in two main ways, despite the use of analytics cookies on the site, which the AG determined to constitute a “sale” under the CCPA definition. The violations included: (1) language in its online privacy statement indicating that it “does not sell” personal information; (2) failure to provide a “Do Not Sell My Personal Information” link on the website; and (3) failure to honor user-enabled controls such as the Global Privacy Control (GPC). For reference, the AG has indicated that when it comes to cookie data, a GPC signal should be treated the same as a user who has clicked the “Do Not Sell My Personal Information” link. Additionally, these issues were not cured within the 30-day period currently allowed by the CCPA.
In addition to this action, the AG’s press release indicates there are continued enforcement actions against a “wide array” of businesses. New examples of notices to cure are available on the AG website and include:
1. An enforcement sweep of businesses operating loyalty programs that offered financial incentives such as discounts, free items, or other rewards, in exchange for personal information without providing consumers with a notice of financial incentive;
2. An online advertising business whose privacy disclosures were not understandable to the average consumer and did not include the required information; and
3. A data broker whose “Do Not Sell My Personal Information” link worked only on certain browsers and directed consumers to a confusing webpage that required several additional steps to submit CCPA requests.
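The retailer settlement above turns on a concrete engineering control: the GPC browser signal must be honored the same way as a click on the “Do Not Sell My Personal Information” link before any tag that shares personal data with a third party is loaded. The following is an added example, not code from the newsletter or from any party to the enforcement action; it assumes requests arrive as a plain dictionary of HTTP headers, uses the Sec-GPC request header and value “1” defined by the Global Privacy Control specification, and the tag names and the shares_data classification are constructed for illustration.

```python
# Added example (not from the newsletter): honor the Global Privacy Control
# (GPC) signal as equivalent to a "Do Not Sell My Personal Information" click
# before deciding which third-party tags a page may load.
# Assumptions: headers are a plain dict; "Sec-GPC" / "1" come from the GPC
# specification; tag names and shares_data values are constructed.
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Tag:
    name: str          # hypothetical tag identifier (constructed)
    shares_data: bool  # True if loading it sends personal data to a third party


def gpc_signal_present(headers: Dict[str, str]) -> bool:
    """True when the browser sent 'Sec-GPC: 1'. Header names are case-insensitive."""
    for name, value in headers.items():
        if name.lower() == "sec-gpc":
            return value.strip() == "1"
    return False


def opted_out(headers: Dict[str, str], clicked_do_not_sell: bool) -> bool:
    """Either channel counts: the site's own opt-out link or the GPC signal."""
    return clicked_do_not_sell or gpc_signal_present(headers)


def tags_to_load(headers: Dict[str, str], clicked_do_not_sell: bool,
                 catalog: List[Tag]) -> List[str]:
    """Suppress every data-sharing tag for an opted-out visitor; keep the rest."""
    if opted_out(headers, clicked_do_not_sell):
        return [t.name for t in catalog if not t.shares_data]
    return [t.name for t in catalog]


def audit_record(headers: Dict[str, str], clicked_do_not_sell: bool,
                 catalog: List[Tag]) -> Dict[str, object]:
    """Decision record for compliance review: which signal fired and what was suppressed."""
    out = opted_out(headers, clicked_do_not_sell)
    suppressed = sorted(t.name for t in catalog if t.shares_data) if out else []
    return {
        "gpc": gpc_signal_present(headers),
        "link_click": clicked_do_not_sell,
        "opted_out": out,
        "suppressed": suppressed,
    }


# Constructed tag catalog: one first-party tag, two tags that would be a "sale".
CATALOG: List[Tag] = [
    Tag("first-party-metrics", False),
    Tag("ad-network-pixel", True),
    Tag("analytics-vendor", True),
]

# Constructed sample requests: (label, headers, whether the opt-out link was clicked).
SAMPLE_REQUESTS: List[Tuple[str, Dict[str, str], bool]] = [
    ("gpc-browser", {"User-Agent": "ExampleBrowser/1.0", "Sec-GPC": "1"}, False),
    ("opt-out-link", {"User-Agent": "ExampleBrowser/1.0"}, True),
    ("no-signal", {"User-Agent": "ExampleBrowser/1.0"}, False),
    ("gpc-zero", {"user-agent": "ExampleBrowser/1.0", "sec-gpc": "0"}, False),
]


def run_samples() -> Dict[str, List[str]]:
    """Tags each constructed request would be allowed to load."""
    return {label: tags_to_load(h, clicked, CATALOG)
            for label, h, clicked in SAMPLE_REQUESTS}


if __name__ == "__main__":
    for label, loaded in run_samples().items():
        print(f"{label}: {loaded}")
```

The audit_record output is the part a reviewer wants during a cure period: it shows, per request, whether suppression was driven by the link or by GPC, so a browser-specific failure like the one in item 3 above shows up as requests with a GPC signal and an empty suppressed list.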
CARU Issues Compliance Warning for Child-Directed Advertising in the Metaverse
BBB National Programs’ Children’s Advertising Review Unit (CARU) recently issued a compliance warning to advertisers, brands, influencers, endorsers, and developers, putting them on notice that CARU’s Advertising Guidelines (Guidelines) apply to advertising in the metaverse and that it plans to “strictly enforce” the Guidelines against metaverse advertising. The warning instructs that advertising should be neither deceptive nor unfair to the children to whom it is directed and that the Guidelines apply to all advertising, in any medium, directed to children under 13. Advertisers should be particularly cautious to avoid advertising that blurs the distinction between advertising and non-advertising content; uses manipulative tactics, including but not limited to social pressure or validation, deceptive door openers, or misleading design techniques; or fails to make clear and conspicuous disclosures to children where needed. Further, advertisers must be sure to disclose influencer and endorser advertising.
Recent State and Federal Cases Provide Guidance on Browsewrap, Scrollwrap, Clickwrap, and Sign-in Wrap Agreements
UK ICO Publishes Guidance on Privacy Enhancing Technologies
The Information Commissioner’s Office (ICO) has published draft guidance on privacy-enhancing technologies (PETs) to help organizations unlock the potential of data by putting a data protection by design approach into practice. Though data protection law does not define PETs, the guidance defines PETs as technologies that embody fundamental data protection principles by minimizing personal data use, maximizing data security, and/or empowering individuals. The different types of PETs include PETs that: (1) derive or generate data which reduces or removes the identifiability of individuals; (2) focus on hiding or shielding data; and (3) split datasets or control access to certain parts of the data. The draft PETs guidance explains the benefits of PETs, as well as how they can help organizations comply with data protection law. It is part of the ICO’s draft guidance on anonymization and pseudonymization, and the ICO is seeking feedback to improve the final guidance.
Israeli MOF and US DOT Announce Finalization of a Memorandum of Understanding on Cybersecurity Cooperation
The US Department of Treasury (DOT) and Ministry of Finance of the State of Israel recently announced the finalization of a bilateral Memorandum of Understanding (MoU) on Cybersecurity Cooperation. This follows a November 2021 bilateral partnership geared toward protecting critical infrastructure in the financial sector and a commitment to deepening cooperation on cybersecurity. The MoU formalizes and strengthens the close partnership between both agencies. It enhances cooperation in the following areas:
Information sharing relating to the financial sector including cybersecurity information on incidents and threats;
Staff training and study visits to promote cooperation in the area of cybersecurity; and
Competency-building activities such as the conduct of cross-border cybersecurity exercises.
Find the press release here.
Rwanda’s National Cyber Security Authority Publishes Guidance on How Data Subjects Can Exercise Their Right to Object
Rwanda’s National Cyber Security Authority (NCSA) published guidance to further explain how data subjects can exercise their right to object, as outlined in Rwanda’s law No 058/2021 of 13/10/2021 relating to the protection of personal data and privacy. Data subjects can exercise their right to object at any time, in writing or electronically, by contacting the data controller or data processor to request that processing of their personal data cease. Notably, the NCSA described that data subjects can object when processing of personal data is likely to cause loss, sadness, or anxiety to the data subject and/or when personal data is processed for direct marketing purposes, including profiling to the extent that it is related to such direct marketing. However, the objection can be rejected if the data processor or controller which processes the personal data can demonstrate compelling legitimate grounds for the personal data processing. If a data subject is not happy with the response to their objection, he/she may appeal to the NCSA within thirty days from the date of receipt of the response. Find the law here in Bantu only.