Privacy agent
"Privacy Agent" / Alex Krylov via MS Creator

Lucid folks,

Another federal judge has allowed a tracktech class action to proceed, this time against a mental health platform, Headway. The issue? Headway used Google Analytics, which plaintiffs allege caused sensitive information (e.g., appointment bookings) to be sent to GA without the user’s informed consent.

We’ve said it before and we’ll continue to beat this drum: putting up a cookie banner alone is not enough. If you are using third-party tags and other embedded technologies on your website, checking the configurations for leakage should become a standard part of your enablement process. Case in point, Google is clear it does not want any human-identifying data, let alone HIPAA or other specially regulated data.

In this issue:

  • Singapore is building out its DPO registry
  • Our new blog expands our past coverage of authorized agents
  • In a first, Maryland bans sensitive processing

…and more.

From our bullpen to your screens,

Colin O'Malley & Lucid Privacy Group Team


If this is your first time seeing our Privacy Bulletin in your feed, give it a read and let us know what you think. For more unvarnished insights, visit our Blog.

Your comments and subscriptions are welcome!


Were You Contacted? Singaporean Authorities Want to Know About Your DPO

Singaporean authorities, specifically the Personal Data Protection Commission (PDPC), are busy contacting organizations regarding Data Protection Officers (DPOs) in order to reinforce compliance with the Personal Data Protection Act (PDPA).

The background: The PDPA mandates that all organizations, regardless of size or industry, appoint a DPO to oversee data protection responsibilities.

  • Like with the GDPR, PDPA DPOs are appointed to ensure compliance accountability, provide guidance, liaise with the PDPC in the event of a breach or another issue, and promote trust between organizations and the public.
  • Unlike under the GDPR, where both controllers and processors can face civil penalties for non-compliance, the PDPA focuses responsibility primarily on the controller.
  • Under the PDPA, processors (“data intermediaries”) have fewer direct obligations and are mainly responsible for data security.

What’s expected: Under the PDPA, every controller operating in Singapore must appoint a DPO, either internally or through outsourcing.

  • Organizations don't need to be based in Singapore, but the DPO's contact details are publicly available to address inquiries, complaints, or data requests.
  • The PDPC is requiring that organizations file their DPO details by 30 September 2024.
  • Like with the GDPR, controllers must publish their DPO’s contact information in a Singapore-facing privacy notice (or section).
  • Controllers must register their DPOs with the PDPC through a guided process.

Zooming out: The PDPC’s alerts should not come as much of a surprise for UK/EU-facing organizations. Nor should the fact that anyone can look DPOs up through the government’s ACRA Register. What is surprising is the government asking organizations for permission to opt their DPOs into… marketing communications. (Nice of them to ask and not pretick the box.)

-RW

Source: PDPC

Blog: Let’s Talk About Authorized Agents

This blog continues the discussion we started in our recent issues and What’s What tables.

If your company receives consumer privacy requests (aka data subject requests), you’ve probably received requests from third parties who claim they are operating on behalf of a consumer. And lately, the number of authorized agents (“AAs”) seems to be growing.

Lucid’s McKenzie Thomsen and Alex Krylov talk about where all these third-party agents come from, their legal obligations and limitations, and the common challenges companies face when working through AA-powered requests.

Given that Optery is the newest AA on the scene, they also shed some light on Optery’s practices.

Continue reading

Blog: Why Am I Getting CIPA Legal Threats?

Lucid’s Ben Isaacson reflects on the steady rise of novel and persistent tracktech lawsuits like the one against Headway.

“While it is the opinion of this attorney that these claims are entirely without merit, select judges have been unwilling to automatically dismiss these claims which has led to a ‘litigation factory’ where every website with a third party pixel tag is now at risk of being sued or drawn into arbitration to defend their business practices.”

Continue reading


Read and Listens

Another week, another set of picks from our personal queues:

  • IAPP: Organizational Digital Governance Report: Struggling to keep up with digital governance? You’re not alone. According to a Thomson Reuters report, 45% of organizations don’t even monitor the cost of compliance with evolving regulations. As businesses face new regulations and risks, this recently released IAPP report offers practical insights into aligning governance structures. From C-suite responsibilities to functional governance models, it’s packed with tools to help organizations get on track. Whether you’re just starting to build your governance muscle or are a well-oiled machine, there is something here for everyone.
  • IAPP: When AI Meets PI. The burden of AI governance and compliance on organizations is fast moving and becoming increasingly complex. Last week’s IAPP/Osano webinar covers the intersection of AI and data protection governance frameworks. Worth a listen.

-RGE, RW


Other Happenings

  1. Maryland Boldly Goes Where No Priv Law Has Gone Before. Move over, California! Maryland just passed a consumer privacy law that’s about to shake things up. Their bold move? Banning the sale of sensitive data—no exceptions, not even with consent. Yep, you read that right. The law covers genetic, biometric, and even geolocation data, with a side of racial, health, and sexual orientation info thrown in. Sounds strict? Well, there's a catch: a few loopholes let companies squeak through under the guise of "consumer direction." So, is this the ultimate privacy win or just another warping of The Patchwork? Either way, adjust your sensors for MODPA come 2025.
  2. US DoC Explores Reporting by 'Frontier' AI and Compute Vendors. The US Department of Commerce’s Bureau of Industry and Security is proposing new rules to compel “the most powerful” AI developers and their cloud providers to report on their activities. The move is part of a patchwork of efforts to regulate AI in the void of Congressional action. Mandated reports would focus on cybersecurity measures and red-teaming dangerous scenarios out of a Terminator: Zero nightmare. The initiative follows President Biden’s 2023 Executive Order aimed at protecting the country from irresponsible AI development and harmful use. Have you thanked Siri lately?
  3. Will Governor 'Not Ahnold' Newsom Veto AI Terminator Bill? Governor Gavin Newsom faces a tough decision on SB 1047, a bill designed to prevent AI disasters. While the bill addresses extreme risks like AI causing deaths or massive cyberattacks, those scenarios are purely theoretical. The real concern? Stifling California’s booming AI industry. If Newsom signs, he’ll take on massive industry backlash and potentially chill the state's AI growth. Former Speaker Nancy Pelosi, Microsoft/OpenAI and the U.S. Chamber of Commerce, among others, are urging him to terminate the bill. Newsom could either make a bold move and sign, or veto to preserve California’s AI leadership and let Congress handle the sector's long-term regulation. He has until Sept 30 to decide.
  4. Underwhelming Down Under: AUS Priv Reforms a Missed Opportunity. After almost four years, Australia’s privacy reforms have arrived… with a fizzle. The new bill brings a statutory tort for serious privacy invasions and hints at a future children’s privacy code, but it’s mostly business as usual. The fundamental issues—like outdated definitions and small business loopholes—remain untouched. Aussies are still left vulnerable to data tracking and breaches, and the much-needed “fair and reasonable” standards are nowhere in sight. It’s like getting a new coat of paint on a crumbling house: a nice touch, but hardly a solution…

-RGE, RW


Lucid Resources
