Major United States municipalities are lining up to limit the ability of the private sector to use technologies to collect biometric identifiers and information. While Portland, Oregon, was perhaps the most dramatic, banning the use of face recognition technologies earlier this year, New York City will see a significant change on this front later this week. Effective this Friday, July 9, 2021, any commercial establishment in New York City that collects, retains, converts, stores or shares biometric identifier information of customers must disclose such activity using clear and conspicuous signage near all customer entrances. Moreover, it will be unlawful to sell, lease, trade, share in exchange for anything of value or otherwise profit from the transaction of biometric identifier information under the new NYC law.

Continue Reading The Eyes are Watching: New York City Commercial Establishments Beware – NYC is the Latest Major US Municipality To Restrict the Use of Technology Collecting Biometric Identifiers, Effective July 9

On June 4, 2021, the European Commission adopted modernized standard contractual clauses (“SCCs”) for use in international data transfers (collectively the “Clauses”). These updated Clauses reflect new requirements under the EU’s General Data Protection Regulation (GDPR) and take into account the EU Court of Justice’s Schrems II decision, which invalidated the U.S.-E.U. Privacy Shield program in July 2020. The Clauses also address known shortcomings with the old SCCs.

The GDPR restricts transfers outside of the EU unless an exception applies. Generally, this means a controller (i.e., a person or entity that is in charge of how data is processed) or processor (i.e., a person or entity processing at the direction of a controller) may transfer personal data internationally only if it has provided appropriate safeguards, and on the condition that enforceable rights and effective legal remedies for EU citizens are available. For international transfers of data to countries such as the U.S., SCCs are therefore essential for compliance with the GDPR. Following is an overview of some of the more notable changes and what to plan for if you rely on SCCs as a data transfer mechanism.

Continue Reading A New Standard in Standard Contractual Clauses

Apple is days away from releasing the public version of iOS 14.5, which will bring a seismic shift in the way the operating system functions with respect to privacy. In particular, the operating system introduces two major changes.

The first change is a requirement that all apps must include a privacy nutrition label within the App Store that helps users better understand the app developer’s privacy practices prior to download (this feature is actually already live). The second change is a requirement that all apps that use information for tracking purposes must obtain opt-in consent from the user prior to engaging in such tracking.

As a privacy lawyer in the ad tech space, I’ve been closely watching the dialogue around iOS14 since these changes were unveiled at WWDC last June, and I thought it would be helpful to provide my thoughts on these changes. This post reflects my own opinion, and not those of the firm or anyone else.

Continue Reading iOS 14.5: An Imperfect Step Forward for Privacy

Today, Virginia Governor Ralph Northam signed the Consumer Data Protection Act (SB 1392) into law, making Virginia the second state after California to enact major privacy legislation.  Like the recently approved California Privacy Rights Act (“CPRA”), which amends the California Consumer Privacy Act, the Virginia Consumer Data Protection Act (“CDPA”) also becomes effective January 1, 2023.  But the similarities to California law don’t end there.  There is considerable overlap between the CDPA and the CCPA and CPRA, on the one hand, and between the CDPA and the European General Data Protection Regulation (“GDPR”), on the other hand.  However, there are also important distinctions between the CDPA and those laws that make it unique.  This blog post tracks some of the CDPA’s key features, and notes where they align with or depart from existing law.

Continue Reading Virginia is for Privacy, Apparently

On January 14, 2021, the European Data Protection Board (“EDPB”) adopted Guidelines 01/2021 on Examples Regarding Data Breach Notification (“Guidelines”).  The Guidelines complement prior guidelines issued by the Article 29 Working Party in October 2017; namely, the Guidelines on Personal Data Breach Notification under Regulation 2016/679, (“GDPR”), WP 250.  The Guidelines are not yet final, pending a public comment period that concludes on March 7, 2021. While the final version of these Guidelines informed by public comments may vary slightly, they are not likely to change drastically from the current version as they draw on the experiences of European national supervisory authorities in responding to data breach notifications since the GDPR became effective.

Continue Reading European Data Protection Board Issues Guidelines on Data Breaches

January 28 is data privacy day, and I thought it an appropriate time to take a step back.  One of my greatest regrets as a practitioner is that we are always under so much crisis pressure – deadlines, both real and imagined – to get to an answer or to a piece of advice or to a deal closing, that we fail to think big. I am jealous of my peers in academia who get to read, write, and think for extended periods of time. For myself, the pandemic has afforded me a little more ability to luxuriate in big thoughts (even losing that LA freeway commute time helps). So, this post is not about the CCPA, the CPRA, cross-border data transfers, the potential for federal legislation, or any of those other strictly legislative or regulatory matters, at least not on the surface. But it is about where we find ourselves today in terms of consumer privacy, where we are going, and what those of us in the private sector should be thinking about as we travel this path.

I found inspiration for this post in an unlikely place. Conceptions of privacy sometimes meet us in unexpected ways. Dilemmas that seem new, or unanticipated, are really very old. They are concerns that have preyed upon our idealized picture of humanity for many years, but are suddenly brought to life by new technologies or new social or political realities. This one came to light for me during story time, and the big thinker in this case was writing in 1961 (or before).

During life in lockdown, I am always home for bedtime. Every other night, my eight-year-old daughter and I read together from a chapter book. Right now we are completing The Phantom Tollbooth. Somehow I never read it, in school or otherwise. Last night we read Chapter 18, “Castle in the Air.” As I read those words out loud and in real time, I was astonished to imagine that, sixty (60) years ago, Norton Juster had such uncanny insight. Juster saw latent threats to personal privacy and dignity that we now see playing out in our daily lives, with potentially disastrous consequences. I want to talk about the character of the Senses Taker.

Continue Reading Thoughts on Data Privacy Day 2021 – Lessons Learned From a 1961 Children’s Novel

As anticipated, on September 29, 2020, Governor Newsom signed into law Assembly Bill 1281 incorporating an extension of time for the sunset of the employee and business to business exemptions of the California Consumer Privacy Act of 2018 (“CCPA”) to January 1, 2022.

Continue Reading Don’t Let the Sun Go Down – Governor Newsom Signs Off on the Extension of Key CCPA Exemptions for Employee and B2B Data

Last week, the LA City Attorney announced that it has agreed to settle its lawsuit against The Weather Channel over alleged improper location data practices. The settlement serves as a reminder about the increasing scrutiny over location data, and the need to revisit policies and practices in preparation for the launch of iOS 14.

Continue Reading Takeaways from The Weather Channel Settlement over Location Data Practices

The Office of Administrative Law’s (OAL) approval of the California Attorney General’s proposed regulations to the CCPA on August 14, 2020 was just the news we needed in 2020. Even better, because the OAL graciously approved the finalized regulations on a Friday afternoon, the weekend was spent thinking about best legal practices moving forward. One thing is for sure: the finalized regulations are effective immediately.

In case you forgot how we got here, let’s rewind and tell the story of how the finalized regulations came to be. A long time ago, back in October of 2019,

Continue Reading Finally, the CCPA Regulations Are Finalized…For Now

Privacy and data security continue to make headlines and this time the waves are coming from the European Court of Justice (i.e., the highest court of the European Union). Without comprehensive U.S. federal privacy legislation, it is of little to no surprise (albeit disappointing) that the European Court of Justice (the “Court”) invalidated the EU-U.S. Privacy Shield Framework because it failed to impose appropriate safeguards with respect to the transfer of personal data located in Europe to the United States.

What is Privacy Shield and What Happened to Change it?

The EU-U.S. Privacy Shield Framework (“Privacy Shield”), as stated on the official government website, “was designed by the U.S. Department of Commerce and the European Commission…to provide companies on both sides of the Atlantic with a mechanism to comply with data protection requirements when transferring personal data from the European Union…to the United States in support of transatlantic commerce.”

Continue Reading European Court of Justice Invalidates EU-U.S. Privacy Shield and Upholds Standard Contractual Clauses