On November 6, 2018, California voters will consider a ballot initiative called the California Consumer Privacy Act (“the Act”). The Act is designed to give California residents (i.e., “consumers”) the right to request from businesses (see “Applicability” below) the categories of personal information the business has sold or disclosed to third parties, with some exceptions. The Act would also require businesses to disclose in their privacy notices consumers’ rights under the Act, as well as how consumers may opt out of the sale of their personal information if the business sells consumer personal information. Continue Reading California Ballot Initiative to Establish Disclosure and Opt-Out Requirements for Consumers’ Personal Information

Recently, the Personal Data Collection and Protection Ordinance (“the Ordinance”) was introduced to the Chicago City Council. The Ordinance would require businesses to (1) obtain prior opt-in consent from Chicago residents to use, disclose or sell their personal information, (2) notify affected Chicago residents and the City of Chicago in the event of a data breach, (3) register with the City of Chicago if they qualify as “data brokers,” (4) provide specific notification to mobile device users for location services and (5) obtain prior express consent to use geolocation data from mobile applications.  Continue Reading Chicago Introduces Data Protection Ordinance

Recently, Vermont enacted legislation (H.764) that regulates data brokers who buy and sell personal information. Vermont is the first state in the nation to enact this type of legislation.

  • Definition of Data Broker. The law defines a “data broker” broadly as “a business, or unit or units of a business, separately or together, that knowingly collects and sells or licenses to third parties the brokered personal information of a consumer with whom the business does not have a direct relationship.”
  • Definition of “Brokered Personal Information.” “Brokered personal information” is defined broadly to mean one or more of the following computerized data elements about a consumer, if categorized or organized for dissemination to third parties: (1) name, (2) address, (3) date of birth, (4) place of birth, (5) mother’s maiden name, (6) unique biometric data, including fingerprints, retina or iris images, or other unique physical or digital representations of biometric data, (7) name or address of a member of the consumer’s immediate family or household, (8) Social Security number or other government-issued identification number, or (9) other information that, alone or in combination with the other information sold or licensed, would allow a reasonable person to identify the consumer with reasonable security.
  • Registration Requirement. The law requires data brokers to register annually with the Vermont Attorney General and pay a $100 annual registration fee.
  • Disclosures to State Attorney General. Data brokers must disclose annually to the State Attorney General information regarding their practices related to the collection, storage or sale of consumers’ personal information. Data brokers also must disclose annually their practices, if any, for allowing consumers to opt out of the collection, storage or sale of their personal information. Further, the law requires data brokers to report annually the number of data breaches experienced during the prior year and, if known the total number of consumers affected by the breaches. There are additional disclosure requirements if the data broker knowingly possesses brokered personal information of minors, including a separate statement detailing the data broker’s practices for the collection, storage and sale of that information and applicable opt-out policies. Importantly, the law does not require data brokers to offer consumers the ability to opt out.
  • Information Security Program. The law requires data brokers to develop, implement and maintain a written, comprehensive information security program that contains appropriate physical, technical and administrative safeguards designed to protect consumers’ personal information.
  • Elimination of Fees for Security Freezes. The law eliminates fees associated with a consumer placing or lifting a security freeze. Previously, Vermont law allowed for fees of up to $10 to place, and up to $5 to lift temporarily or remove, a security freeze.
  • Enforcement. A violation of the law is considered an unfair and deceptive act in commerce in violation of Vermont’s consumer protection law.
  • Effective Date. The registration and data security obligations take effect January 1, 2019, while the other provisions of the law take effect immediately.

In a statement, Vermont Attorney General T.J. Donovan said, “This bill not only saves [Vermonters] money, but it gives them information and tools to help them keep their personal information secure.”

On June 12, 2018, Vietnam’s parliament approved a new cybersecurity law  that contains data localization requirements, among other obligations. Technology companies doing business in the country will be required to operate a local office and store information about Vietnam-based users within the country. The law also requires social media companies to remove offensive content from their online service within 24 hours at the request of the Ministry of Information and Communications and the Ministry of Public Security’s cybersecurity task force. Companies could face substantial penalties for failure to disclose information upon governmental request. In addition, the law bans internet users in Vietnam from organizing people for anti-state purposes and imposes broad restrictions on using speech to distort the country’s history or achievements. As reported in BNA Privacy Law Watch, the law will take effect on January 1, 2019.

On May 14, 2018, the Centre for Information Policy Leadership (“CIPL”) at Hunton Andrews Kurth LLP published a study on how the ePrivacy Regulation will affect the design and user experiences of digital services (the “Study”). The Study was prepared by Normally, a data product and service design studio, whom CIPL had asked for an independent expert opinion on user experience design. Continue Reading CIPL Publishes Study on How the ePrivacy Regulation will Affect the Design of Digital Services

On April 27, 2018, the Federal Trade Commission issued two warning letters to foreign marketers of geolocation tracking devices for violations of the U.S. Children’s Online Privacy Protection Act (“COPPA”). The first letter was directed to a Chinese company, Gator Group, Ltd., that sold the “Kids GPS Gator Watch” (marketed as a child’s first cellphone); the second was sent to a Swedish company, Tinitell, Inc., marketing a child-based app that works with a mobile phone worn like a watch. Both products collect a child’s precise geolocation data, and the Gator Watch includes geofencing “safe zones.”   Continue Reading FTC Issues Warning Letters for Potential COPPA Violations

On May 1, 2018, the Information Security Technology – Personal Information Security Specification (the “Specification”) went into effect in China. The Specification is not binding and cannot be used as a direct basis for enforcement. However, enforcement agencies in China can still use the Specification as a reference or guideline in their administration and enforcement activities. For this reason, the Specification should be taken seriously as a best practice in personal data protection in China, and should be complied with where feasible. Continue Reading National Standard on Personal Information Security Goes into Effect in China

On February 6, 2018, the Federal Trade Commission (“FTC”) released its agenda for PrivacyCon 2018, which will take place on February 28. Following recent FTC trends, PrivacyCon 2018 will focus on privacy and data security considerations associated with emerging technologies, including the Internet of Things, artificial intelligence and virtual reality. The event will feature four panel presentations by over 20 researchers, including (1) collection, exfiltration and leakage of private information; (2) consumer preferences, expectations and behaviors; (3) economics, markets and experiments and (4) tools and ratings for privacy management. The FTC’s press release emphasizes the event’s focus on the economics of privacy, including “how to quantify the harms that result when companies fail to secure consumer information, and how to balance the costs and benefits of privacy-protective technologies and practices.” Continue Reading FTC Releases PrivacyCon 2018 Agenda

On February 5, 2018, the Federal Trade Commission (“FTC”) announced its most recent Children’s Online Privacy Protection Act (“COPPA”) case against Explore Talent, an online service marketed to aspiring actors and models. According to the FTC’s complaint, Explore Talent provided a free platform for consumers to find information about upcoming auditions, casting calls and other opportunities. The company also offered a monthly fee-based “pro” service that promised to provide consumers with access to specific opportunities. Users who registered online were asked to input a host of personal information including full name, email, telephone number, mailing address and photo; they also were asked to provide their eye color, hair color, body type, measurements, gender, ethnicity, age range and birth date. Continue Reading FTC Brings Its Thirtieth COPPA Case, Against Online Talent Agency