This Week in Data Privacy

It has been a whirlwind of learning and opportunity at the IAPP - International Association of Privacy Professionals Global Privacy Summit, and I'm so excited to bring some of what I learned and got to experience this week to the newsletter, as well as a litany of other topics, so let's dive in!

This week, we will be covering...

  • The FTC bringing a children's privacy suit against Amazon
  • Iowa becomes the sixth state to enact comprehensive privacy laws
  • IAB Tech Lab and Legal Affairs Council announce a new task force to address industry challenges
  • Italy temporarily blocks ChatGPT over privacy concerns (Thank you, Natalie Farmer, for sharing the specific GDPR violations!)
  • CPRA regulations finalized with OAL approval

As well as an update from IAPP!

I want to take a moment to wish everyone this week a Happy Holiday. We are on the verge of Passover as well as Easter, and I hope you and your family can take a moment to celebrate and enjoy each other's company.


If this is your first time seeing This Week in Data Privacy in your LinkedIn feed, check it out, give it a read, and subscribe if you like what you see!


FTC anticipated to bring children's privacy suit against Amazon

The Federal Trade Commission is planning to move forward soon with a case against Amazon over alleged privacy violations stemming from the use of children’s data with the company’s Alexa voice assistant.

The antitrust and consumer protection agency has been investigating Amazon for several years, including for possible violations of the Children’s Online Privacy Protection Act, which could potentially allow the agency to collect large civil monetary penalties.

The details of the FTC’s COPPA case couldn’t be learned. However, in 2019, a group of consumer and digital rights organizations filed a complaint with the FTC over a version of the company’s Echo Dot smart speaker geared toward kids. Among the allegations, the groups claim Amazon doesn’t properly provide notice to parents on the exact information collected by children using the device, and makes it too difficult to delete data, including transcripts of kids’ interactions with the devices.

Read the full article: https://www-politico-com.cdn.ampproject.org/c/s/www.politico.com/amp/news/2023/03/30/children-privacy-case-ftc-amazon-00089792


Iowa becomes sixth US state to enact comprehensive consumer privacy legislation

On 29 March, Iowa became the sixth state to pass a comprehensive privacy law. The law will go into effect on 1 Jan. 2025, giving organizations 21 months to comply with the new requirements from this state with over 3 million residents. Though the new law includes many familiar elements from other state laws, organizations should note a handful of differences as they expand their U.S. compliance efforts. 

Here’s what you need to know: 


The Scope:

  1. The Iowa privacy law applies to entities that conduct business in Iowa or produce products or services that target consumers in the state.
  2. Iowa defines "consumer" as a natural person who is a resident of the state acting in a noncommercial and non-employment context.
  3. The law divides obligations between controllers and processors, embracing the common definitions of those terms. 
  4. A business falls within the scope of the Iowa law if it controls or processes personal data of at least 100,000 Iowa consumers, about 3% of the state’s population, during a calendar year.
  5. Businesses that derive more than 50% of gross revenue from the sale of personal data fall within scope of the law if they control or process personal data of at least 25,000 Iowa consumers.
  6. “Personal data” is defined as: any information linked or reasonably linkable to an identified or identifiable natural person, excluding de-identified data, aggregate data, and publicly available information.
  7. "Sensitive data" is defined as: racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexual orientation, citizenship or immigration status (except when such data is used to avoid discrimination), as well as genetic or biometric data, personal data of children, and precise geolocation data within a radius of 1,750 feet.


Exemptions include:

  1. Information exempted from the Iowa privacy law includes personal data covered by existing federal laws like the Health Insurance Portability and Accountability Act, the Children’s Online Privacy Protection Act, the Family Educational Rights and Privacy Act, the Driver’s Privacy Protection Act and the Farm Credit Act.
  2. Health records.
  3. Human subjects research data covered by federal law or other standards.
  4. Data processed or maintained for employment purposes.


The Iowa privacy law does not apply to: 

  1. Government entities.
  2. Financial institutions, their affiliates and entities subject to the Gramm-Leach-Bliley Act.
  3. Entities who are subject to and comply with the Health Information Technology for Economic and Clinical Health Act and/or HIPAA.
  4. Nonprofit organizations.
  5. Higher education institutions.


Consumer Rights:

Under the Iowa law, consumers are provided with four main rights:

  1. The right to access information on file.
  2. The right to delete information on file.
  3. The right to portability of information.
  4. The right to opt out of the sale of their personal data.


Obligations:

Under the Iowa law, covered entities have certain obligations, but the law notably does not require entities to perform data protection or privacy risk assessments.


Current obligations include:

  1. Purpose Limitation
  2. Data Security 
  3. Consent Requirement
  4. Nondiscrimination 
  5. Transparency 
  6. Data Processing Contracts 


For more information on the newly passed Iowa Privacy law read the full article here: https://iapp.org/news/a/iowa-becomes-sixth-us-state-to-enact-comprehensive-consumer-privacy-legislation/


IAB Tech Lab and IAB Legal Affairs Council Announce New Privacy Implementation & Accountability Task Force to Address Industry Challenges

IAB Tech Lab and IAB’s Legal Affairs Council announced on Monday April 3, 2023 the launch of the Privacy Implementation & Accountability Task Force (PIAT). 

PIAT aims to address privacy implementation and accountability challenges faced by the digital advertising industry by bringing together leading privacy technology vendors, media companies, advertisers, and the supporting ad tech ecosystem.

“PIAT is a joint effort of IAB Tech Lab and IAB Legal Affairs Council, bringing together cross-functional expertise to solve privacy challenges that are increasingly intertwined,” said Michael Hahn, EVP, General Counsel, IAB and IAB Tech Lab. “We believe that through PIAT, we can foster a new generation of privacy technology that can be leveraged to meet the new diligence and accountability requirements under state privacy laws.”

PIAT will provide a forum for the digital advertising industry to come together, create shared understandings and define best practices in privacy implementation, as well as encourage innovation in privacy tech development.


For more information on the newly formed PIAT read the full article here: https://www.iab.com/news/iab-tech-lab-and-iab-legal-affairs-council-announce-new-privacy-implementation-accountability-task-force/


Italy temporarily blocks ChatGPT over privacy concerns

Italy is temporarily blocking the artificial intelligence software ChatGPT in the wake of a data breach as it investigates a possible violation of stringent European Union data protection rules. 

The Italian Data Protection Authority said it was taking provisional action “until ChatGPT respects privacy,” including temporarily limiting the company from processing Italian users’ data.

U.S.-based OpenAI, which developed the chatbot, said late Friday night it has disabled ChatGPT for Italian users at the government’s request. The company said it believes its practices comply with European privacy laws and hopes to make ChatGPT available again soon.

Natalie Farmer, Director at Fieldfisher, shared the following notable GDPR violations that have led to this occurrence:

--> no legal basis for the mass collection and storage of personal data required for machine learning

--> lack of transparent information provided to users about data processing

--> failure to employ appropriate age verification features

--> AND "inaccurate processing of personal data" (because the information provided by ChatGPT does not always correspond to "real data"...)

OpenAI must report within 20 days what measures it has taken to ensure the privacy of users’ data or face a fine of up to either 20 million euros (nearly $22 million) or 4% of annual global revenue.


Read the full article here: https://apnews.com/article/chatgpt-ai-data-privacy-italy-66634e4d9ade3c0eb63edab62915066f



CPRA regulations finalized with OAL approval

The California Privacy Protection Agency announced its first California Privacy Rights Act rule-making package was approved by the California Office of Administrative Law following a review.

The finalized rules contain no substantive changes to the final draft submitted by the CPPA to the OAL in February.

The first rule-making package addresses regulations concerning...

  • data processing agreements
  • consumer opt-out mechanisms
  • mandatory recognition of opt-out preference signals
  • dark patterns, and
  • consumer request handling.

Industry stakeholders criticized the agency's drawn-out rule-making procedure despite its acknowledged short-staffing. Concerns stemmed from the lack of time for companies to sufficiently implement the final regulations ahead of CPRA enforcement becoming effective on 1 July.

Read the full IAPP article here: https://iapp.org/news/a/cpra-regulations-finalized-with-oal-approval/


Does My E-commerce Store Need a Privacy Policy? 

Of the top 10,000 e-commerce sites, approximately 87% use Google Analytics—and for good reason. Google Analytics offers access to robust analytics and usage data, plus advertising features. One of those advertising tools is re-marketing, which lets you use data and metrics to create lists of site visitors for any targeted ad campaigns you may want to run. 

However, deploying re-marketing features in Google Analytics does more than support your marketing efforts. It also triggers a legal requirement to inform your users about website performance via a privacy policy. 

A privacy policy covers more than just what information you collect—there are a number of other important privacy issues it should cover. Below are a few (though not all) critical pieces to include:


How Personal Data is Used

Your privacy policy should clearly spell out the intended purpose for gathering this data, such as marketing purposes, product development, or improving your site’s functionality.


Whether you share or disclose personal information

Does consumer data travel outside the ecosystem of your e-commerce business? (Hint: if you use plug-ins, widgets, or any other third-party software solution to run your business, it probably does.) 

In your privacy policy, you’ll need to cover whether you: 

  • Share personal information with third-party service providers
  • Sell or rent information about consumers (hint hint, ad-tech and digital analytics are likely considered a sale of data under the California Consumer Privacy Act)
  • Share with affiliates, subsidiaries, or acquirers 


Individual Rights

Use your privacy policy to spell out what rights your users have to their data, including how they can access, amend, or delete their data.


Security Measures

While privacy regulations don’t detail specific security measures, they do require that you take "appropriate" ones. Your privacy policy should affirm that you implement the necessary measures to ensure data security.


Cookies

In short: cookies can get complicated, quickly. If your website deploys cookies to extend functionality or gather data, stay on the safe side and make sure you're creating thorough disclosures. 


Read the full article here: https://redcloveradvisors.com/2023/04/04/does-my-online-store-need-a-privacy-policy/


Ongoing: IAPP Global Privacy Summit 2023

The IAPP Global Privacy Summit is happening right now! On Monday, April 3, Red Clover Advisors' very own Jodi Daniels hosted an active learning session on The State of US Privacy.

Here are the main takeaways from the session:

  • Not all cookies are created equal. It’s important to know your customer jurisdictions and obligations.
  • Create a cookie maintenance plan
  • Ensure your privacy notice matches what the organization is doing with the data.
  • Have a process in place that works for the types and volume of privacy right requests.
  • Performing a data inventory is a foundational step for any privacy program.


Farhan Abdi Hassan

Dominate Your Market With Our Gen-AI Powered Playbooks

1 year

This is great, Jodi Daniels. Hope we all benefit from your program. Cheers

Debbie Reynolds

The Data Diva | Data Privacy & Emerging Technologies Advisor | Technologist | Keynote Speaker | Helping Companies Make Data Privacy and Business Advantage | Advisor | Futurist | #1 Data Privacy Podcast Host | Polymath

1 year

Jodi Daniels, great newsletter, and it was a treat to meet you in person.
