Unique and detailed data protection legislation is currently under consideration by the Chicago City Council. If passed in its current form, the Data Collection and Protection Ordinance (the “Ordinance”) would impose consent, notification, and registration obligations on regulated companies, as well as require a prescribed notice to users of location services on mobile devices and express consent for use of geolocation data by mobile applications.
Consent requirements
The consent provisions would apply to “operators,” defined to include any entity that (1) “owns a website on the [...] Read more
The FBI recently published its 2017 Internet Crime Report highlighting trends and statistics compiled by the FBI’s Internet Crime Complaint Center (“IC3”) during 2017. The report compiles data from a total of 301,580 complaints which reported losses of over $1.4 billion. In addition to an explanation of the IC3’s history and operations, the report includes five “hot topics” from 2017: business email compromise (“BEC”), ransomware, tech support fraud, extortion, and the Justice Department’s Elder Justice Initiative.
Business Email Compromise: This category of attack targets [...] Read more
Shortly after the GDPR’s entry into application on May 25, 2018, several EU Supervisory Authorities have activated online Data Protection Officer (“DPO”) notification tools, allowing organizations to communicate the contact details of their DPO to the Supervisory Authorities, which is a requirement under Article 37 GDPR.
While the DPO Guidelines of the Article 29 Working Party (“WP29”; replaced by the European Data Protection Board, “EDPB”) do not emphasize the requirement to notify DPOs, Supervisory Authorities (“SAs”) view these notifications as important, and have made available [...] Read more
Under a Vermont law that recently came into effect, data brokers that process information regarding Vermont residents are now subject to registration and security requirements. Included in the new law are three notable components: (1) a broad statutory definition of a “data broker,” (2) an annual registration requirement for data brokers, and (3) reporting on data broker security breaches.
Definition of a “Data Broker”
The law takes a technology-neutral approach to its definition of a “data broker,” instead defining the term based on the normal functions of the business. The statute [...] Read more
On June 12, 2018, the European Parliament’s Committee on Civil Liberties, Justice and Home Affairs (LIBE) passed a resolution calling on the European Commission to suspend the EU-U.S. Privacy Shield unless the U.S. fully complies with the framework’s requirements by September 1, 2018. With a vote of 29 votes in favor, 25 opposed, and 3 abstentions the LIBE passed the draft resolution calling on the European Commission to
(1) ensure that the Privacy Shield fully complies with the GDPR and the EU charter so as to not create loopholes or competitive advantage for US companies; and
(2) restart [...] Read more
Consistent with recent expansions to state data breach notification laws, Colorado recently enacted an expanded data privacy law that strengthens the state’s existing breach notification law and that requires policies and procedures concerning the protection and destruction of personal identifying information (“PII”). The law applies to any individual or commercial entity that maintains, owns, or licenses “personal information” or PII, as applicable, in the course of its business, vocation, or occupation, and also contains largely identical provisions that apply to state and local governments. [...] Read more
In early May, a group called Californians for Consumer Privacy gathered enough signatures for the Consumer Right to Privacy Act (CRPA) to qualify for the November 2018 ballot.
The ballot initiative builds on existing California laws directed at protecting the privacy of California consumers’ personal information, including the Shine the Light law (Civil Code §1798.83) and the California Online Privacy Protection Act (CalOPPA, Business & Professions Code §§22575-22579).
The CRPA sets forth a statutory framework that: 1) gives consumers the right to know what categories of personal [...] Read more
The GDPR entered into force on May 25, 2018. One of the GDPR’s core going-forward obligations is the duty to conduct Data Protection Impact Assessments (DPIAs) over processing activities that create a “high risk” to individuals’ privacy. DPIAs constitute an important aspect of GDPR compliance, as they arguably replace the notifications of processing systems and activities to European Data Protection Authorities (DPAs) which pre-GDPR privacy law often obligated companies to make. Instead of notifying DPAs, the GDPR now requires companies to internally conduct DPIAs that document “high [...] Read more
The GDPR entered into force on May 25, 2018. One of the GDPR’s core going-forward obligations is the duty to conduct Data Protection Impact Assessments (DPIAs) over processing activities that create a “high risk” to individuals’ privacy. DPIAs constitute an important aspect of GDPR compliance, as they arguably replace the notifications of processing systems and activities to European Data Protection Authorities (DPAs) which pre-GDPR privacy law often obligated companies to make. Instead of notifying DPAs, the GDPR now requires companies to internally conduct DPIAs that document “high [...] Read more
The Georgia Court of Appeals recently reaffirmed its prior conclusion that there is no duty to safeguard personal information under Georgia law. In McConnell v. Ga. Dep’t of Labor, --- S.E.2d ----, 2018 WL 2173252 (Ga. App. May 11, 2018), the Court of Appeals addressed whether a plaintiff whose social security number and other personal identifying information (“PII”) had allegedly been negligently disclosed by an employee of the Georgia Department of Labor stated a negligence claim in connection with the unauthorized disclosure.
In urging that the Court of Appeals should recognize such [...] Read more
