By almost 1.5 million votes, California voters approved Proposition 24, the California Privacy Rights Act of 2020 (“CPRA”).  The CPRA amends and expands the California Consumer Privacy Act of 2018 (“CCPA”) and is affectionately referred to as “CCPA 2.0.”  While the CPRA’s requirements do not take effect until January 1, 2023, the CPRA ushers in

We’re all guilty of it.  We keep things that we don’t need, like that pair of stone-washed jeans from 1992 that you hope will come back into style or your beanie baby collection that you blindly believe might be worth something someday.  While our inability to purge old stuff from our closets may cost us closet space, the repercussions for an organization that hoards data are far more significant.  From a cybersecurity perspective, the more personal information a company maintains, the more information it has to lose.  Consequently, the more information a company loses, the higher the financial and reputational costs.
Continue Reading Less is more: The Role of Data Retention Policies in Cybsesecurtity Preparedness

On September 23, 2018, California’s governor signed into law the first round of revisions to the California Consumer Privacy Act (CCPA), the most sweeping privacy legislation in this country.  California enacted the CCPA in June and it takes effect on January 1, 2020.  Inspired by the European Union’s General Data Protection Regulation, the California legislature initially drafted the CCPA in haste to avoid a ballot initiative containing more onerous provisions for businesses.  Not surprisingly, the hurried and voluminous legislation contained a number of issues that ranged from drafting errors to significant enforcement and compliance hurdles.  Accordingly, as expected, at the end of August, the legislature passed S.B. 1121, which contained several revisions to address some but not all of those issues, including a possible enforcement delay of up to six months.
Continue Reading California Governor Approves Revisions to Consumer Privacy Act

On July 23, 2018, Denmark’s data protection agency announced that companies must encrypt all emails transmitting sensitive personal data.  This new rule goes into effect January 1, 2019, giving companies that do business in or with Denmark approximately five months to implement encryption technologies for their email systems.  This is a strict interpretation of Article 9 of GDPR; however, one facet of GDPR is that each European Union country can interpret and determine how companies must comply with the overarching GDPR principles and requirements.
Continue Reading Denmark Implements Email Encryption Requirement, What Countries Will Follow?

On July 5, 2018, the EU Parliament passed a non-binding resolution encouraging the European Commission to suspend the EU-US Privacy Shield Program unless the US is fully compliant by September 1, 2018.  The EU Parliament believes that the current Privacy Shield program does not provide an adequate level of protection required by European law.  This comes roughly two years after the European Commission deemed the EU-US Privacy Shield Framework adequate to enable data transfers under EU law.  But a lot has changed in two years. 
Continue Reading EU Commission Recommends Suspension of Privacy Shield; Recent FTC Efforts May Be Too Little Too Late

You could almost hear the cheers of plaintiffs’ class action lawyers in California last night, as California’s governor signed the most sweeping privacy law this country has seen to date.  Notably, the law gives consumers the right to statutory damages in the event of a breach if the company holding the consumer’s information failed to implement reasonable security measures.  Those statutory damages are not less than $100 and not more than $750 “per consumer per incident or actual damages, whichever is greater.”
Continue Reading California Gets Its Very Own GDPR with Statutory Damages

Today, the European General Data Protection Regulation (“GDPR”) takes effect. The GDPR is the most comprehensive and complex privacy regulation currently enacted. The GDPR can apply to a business or organization (including a non-profit organization) anywhere in the world and its potential financial impact is huge; fines can reach up to € 20 million Euros (over $23 million USD) or 4% of an entity’s total revenue, whichever is greater. Not surprisingly, the potential for this type of penalty has caused concern and chaos leading up to the May 25, 2018 effective date. In light of this significant international development, all organizations should consider the following:
Continue Reading Three Important Considerations For All Businesses in Light of GDPR

In a recent post, we discussed the Canadian Cabinet’s announcement that Canada’s new data breach regulations go into effect on November 1, 2018. Despite announcing the effective date, Canada had not yet finalized these regulations.  However, on April 18, 2018, Canada unveiled the Breach of Security Safeguard Regulations: SOR/2018-64 (“Regulations”).

To highlight some of the finer points, in order to trigger notification requirements, the Regulations require organizations to determine if a data breach poses a “real risk of significant harm” to any individual had their information accessed in the breach.  If an organization meets this harm threshold, then the affected organization must notify the Privacy Commissioner of Canada, as well as the affected individuals.  
Continue Reading Canada Releases New Data Breach Regulations

In the wake of the Facebook and Cambridge Analytica scandal, another social media company, Grindr, a gay dating app, has come under scrutiny for its sharing of sensitive personal information with third parties.  In particular, Norwegian research outfit SINTEF, after analyzing Grindr’s traffic, alleges that Grindr shares its users’ disclosed HIV status and last tested date , GPS location and other demographic profile information with third parties.
Continue Reading Grindr Grinds Users Gears by Reportedly Sharing Users’ HIV Status