This Week in Data Privacy

This Week in Data Privacy, we are covering a lot of subjects, including seven (!) new privacy laws being introduced in six states brought to our attention by David Stauss, a massive settlement from The Economist, Red Clover Advisors' own Annual Data Privacy Goals for 2023, and Phil Lee's analysis of the readability of privacy notices from the public and private sector!

Before we jump into the news, I want to take a moment to celebrate the fact that Red Clover Advisors has its first registered trademark!

Meet PrivacyOps. It is core to what we do here, and we are excited to share it with the world!

Read more here. Now, let's get into some news!

What's New with the US State Privacy Laws from David Stauss

Lawmakers continue to introduce consumer data privacy bills with seven bills introduced in six states:

  1. Illinois
  2. Kentucky
  3. Minnesota
  4. Montana
  5. New York
  6. West Virginia

We also continued to see action with children’s privacy bills. Lawmakers introduced new children’s privacy / social media bills in:

  1. California: The Let Parents Choose Protection Act of 2023 requires large social media platform providers to create, maintain, and make available to third-party safety software providers a set of real-time APIs, through which a child or a parent or legal guardian of a child may delegate permission to a third-party safety software provider to manage the child’s online interactions, content, and account settings.
  2. Illinois: The Children’s Privacy Protection and Parental Empowerment Act was introduced and is based on the California Age-Appropriate Design Code Act.
  3. Texas: Representative Slawson introduced HB 18, a bill that would create a duty for digital service providers to prevent harm to children.

For more on this week's Proposed State Privacy Law Update, read David Stauss' full update here: https://www.bytebacklaw.com/2023/02/proposed-state-privacy-law-update-february-20-2023/

The Economist Michigan information privacy $9.5M class action settlement

The Economist has agreed to pay $9.5 million to resolve claims it shared Michigan subscriber information with third parties without consent.

According to the privacy class action lawsuit, The Economist:

  1. shared subscription information with third parties without first getting the consent of Michigan subscribers.
  2. violated Michigan’s Preservation of Personal Privacy Act.

The Economist hasn’t admitted any wrongdoing but agreed to a $9.5 million class action settlement to resolve these allegations.

For more on this Class Action Lawsuit: https://topclassactions.com/lawsuit-settlements/privacy/the-economist-michigan-information-privacy-9-5m-class-action-settlement/

Annual Data Privacy Goals to Aim for in 2023

Keep your organization moving forward by setting some annual organizational data privacy goals that focus on maintaining brand value and customer trust, along with protecting consumer and employee data.

Here are some of the goals that may help your organization gain or maintain compliance:

Fully understand your requirements

Before you can take any meaningful action toward privacy, you need a firm understanding of the requirements you face.

Any legal requirements based on the jurisdiction(s) in which your organization operates must be taken into consideration. Some companies are well-accustomed to handling privacy requirements around long-standing regulations, but that just isn't enough these days. Businesses also need to consider current and upcoming state-level privacy laws.

Build or align your program to a privacy framework

Whether you’re currently building a program or you have an existing privacy program in place, aligning it to a privacy framework can add value.

To do this, you need to:

  1. Gain buy-in: No matter what your privacy goals are, you will need support from your leadership. A supportive culture is a key to success, no matter your strategy. The first step toward obtaining that buy-in from leadership is making sure they understand your goals and strategy—and the need for privacy.
  2. Assign ownership of privacy: If you are newly affected by a privacy regulation or your organization is still maturing its privacy program, an important goal is to appoint a privacy lead, such as a Data Privacy Officer or Data Protection Officer. Having a person in charge of your data privacy program will help ensure that the program is being appropriately executed, in turn helping you earn or maintain customer trust.

Improve visibility with a data inventory

You can’t protect what you don’t know about. A data inventory should include every piece of sensitive information stored or processed by your company, whether electronically or in hard copy. The idea is to understand what kind of data is collected so you can then build a data map. Not only is data mapping important to any privacy program, but it is also necessary for compliance with GDPR, CCPA, VCDPA, and CPRA.

A robust privacy program is a great goal, but there are many baby steps along the way. For more goals to work towards as you build your privacy program in 2023, read the full article here: https://redcloveradvisors.com/2023/02/07/annual-data-privacy-goals-to-aim-for-in-2023/

Privacy Statement Readability: Regulators v Big Tech by: Phil Lee

Phil Lee, Managing Director at Digiphile, recently analyzed the readability of privacy notices by various European regulators against those of big tech companies. From his research, he found that tech companies are neither the only nor the worst offenders when it comes to complex privacy notices.

"Coming in last place is the EDPB, with a reading ease score of 29.4 - putting the readability of their privacy policy (according to Wikipedia's explanation of the score here) at "College graduate" level, meaning "Very difficult to read. Best understood by university graduates." Remember that, under the GDPR, privacy notices are meant to be set out "in a concise, transparent, intelligible and easily accessible form, using clear and plain language". Oh dear.

In fact, *all* of the Big Tech companies tested scored better than the EDPB and Irish DPC. Microsoft lags slightly behind the Swiss FDPIC (not a GDPR regulator, obviously, but included here as a comparator), and the EDPS fares better than both Microsoft and Amazon - but still with a score of 40.3 ("College" level, meaning "Difficult to read.")."

https://www.dhirubhai.net/posts/phillee77_tech-companies-are-often-criticised-for-the-activity-7032265813566836736-I3Dv?utm_source=share&utm_medium=member_desktop

Alexandre BLANC Cyber Security

Advisor - ISO/IEC 27001 and 27701 Lead Implementer - Named security expert to follow on LinkedIn in 2024 - MCNA - MITRE ATT&CK - LinkedIn Top Voice 2020 in Technology - All my content is sponsored

2 years ago

Mitchell Cohen, good update on US privacy
