During this week, research a recent law concerning privacy. Summarize this recent law for us:
- What information does it protect,
- What controls or limitations does the law specify,
- What organizations need to comply with the law, and
- In which regions would we need to be concerned with this law?
How does this law represent new risk(s) to the organization?
Duy Nguyen says
The California Consumer Privacy Act is a new privacy law that will go into effect in January 2020, which puts more restrictions on the collection and distribution of user data. One critical aspect of this Act is requiring companies to have a clear and conspicuous place on their website where users can clearly select for their data not to be sold (a ‘Do Not Sell My Personal Information’ button).
In addition to forcing companies to reveal what data is collected, it also covers a broad definition of selling data. The law groups disclosing, disseminating, making available, and transferring personal data under the “selling of data” umbrella, making it harder for companies to misuse collected personal information. Companies are also required to explain their practices in PII data handling, use, collection, and transfer.
The law targets large businesses that have annual gross revenues in excess of $25 million or that receive the PII of 50,000+ consumers.
Sheena L. Thomas says
Privacy and GDPR have been the topic of conversation since May of 2018. Since then, GDPR law has been passed in the UK. It’s no surprise that California has developed a privacy law. California, Delaware, Massachusetts and New York are all copy-cat states. Most of the states are modeling their privacy acts on GDPR. In the years to follow, expect more states to develop new privacy laws.
Brock Donnelly says
I like the sound of this and I don’t care if it is recycled from the GDPR. The best stipulation here is the 50,000+ customer PII metric. Keeping that number low should deter data collectors. If only we could now stop weak systems from data theft.
Dima Dabbas says
This privacy act sounds really good in providing more protection to users’ data. The idea of permitting individuals to have the option to select that they don’t want their personal information to be sold is great. I like the fact that this act provides details to users on the type of information that may be sold to outside sources in the event that the user doesn’t care about selling their personal information. It is also good that this privacy act is targeting businesses that store the PII of more than 50,000 consumers.
Elizabeth V Calise says
Recently, legislators in Texas introduced two bills relating to consumer privacy and data protection (The Texas Consumer Privacy Act and the Texas Privacy Protection Act). These two bills bear a strong resemblance to the California Privacy Act.
The Texas Consumer Privacy Act, if adopted, would take effect September 1st, 2020. This would apply to companies that do business and collect consumer data and:
• Derive at least 50% of their annual revenue selling consumers’ personal information; or
• Exceed $25 million in gross annual revenue (with that amount subject to adjustment by the Texas Attorney General every two years); or
• Buy, sell, or receive the personal information of at least 50,000 consumers, households, or devices for commercial purposes
• The Texas CPA would also apply to entities owned by companies that would be subject to the law.
Similar to the California CPA, the Texas CPA contains express provisions governing rulemaking, implementation, and enforcement of the law. Notably, the legislation highlights various consumer rights, including (but not limited to):
• A consumer’s right to disclosure, from the business, of the personal information the business collected.
• A consumer’s right to deletion of the personal information that the business collected (with some limited, specific exceptions).
• A consumer’s right to opt out of the sale of his or her personal information.
The Texas Privacy Protection Act, if passed, would go into effect September 1st, 2019. This act proposes regulations on how a business processes and retains (or destroys) personal identifying information. It covers nearly identical businesses as the Texas Consumer Privacy Act, provides the Texas Attorney General with similar rulemaking and enforcement powers, and requires a similar disclosure of the type of personal information a business collects/processes, as well as how that information is used. Also:
• The Texas CPA would punish violations of the law with civil penalties of $2,500 per violation ($7,500 for intentional violations).
• The bill applies only to information collected electronically (including over the internet or another network) or through a computing device associated with or routinely used by a customer/user and linked (or reasonably linked) to a specific customer/user.
• The business must obtain the customer’s explicit consent for processing that customer’s personal identifying information.
• The bill requires a business to develop and implement a data security program and accountability program to ensure compliance with the TPPA.
• The bill also only allows a business to process a customer’s personal identifying information if it is required to do so by law.
Like the Texas Consumer Privacy Act, the Texas Privacy Protection Act would provide for civil penalties for violations. However, violations of the Texas Privacy Protection Act would be punishable by a fine of $10,000 per violation, up to a maximum amount of $1 million.
Potential risks that data privacy laws bring are operational impact, technology impact and organizational impact. From an operational perspective, organizations have to think about how they are going to do business differently to comply with the privacy laws. Then they must think about technology: what technology changes are required to enable compliance and minimize risk? From an organizational perspective, they need to identify what new roles and resources are needed to enable data privacy.
https://www.natlawreview.com/article/texas-legislature-weighing-proposed-new-privacy-laws
Scott Radaszkiewicz says
Very interesting. I’m curious to see how laws like this and the California Consumer Protection Act play out in the future. Obviously, these laws are in response to companies like Facebook or Google, two very large technology sites that have become pervasive in our lives. It seems the more we rely on technology to help make our lives easier, the more of our personal liberties and freedoms we must give up. I know what the laws say, but I’m curious to see what/if/how fines will actually be handed out to deter companies from violating this law. And more importantly, the impact on companies like Facebook. If Facebook is generating revenue from using your data to target market to you, and that revenue stream dips, it will have to be replaced. Facebook at a cost? Who knows.
Brock Donnelly says
I guess we need to add Texas to the copy-cat state list because you’re right, this is similar to the CA act, which is similar to the GDPR. I am sure that with legislation this logical, the remaining states will develop something extremely similar. I really like seeing the numbers within these laws. I feel like they are on point for success. The fines seem steep and the defining parameters for business compliance are just.
Dima Dabbas says
2019 Privacy Legislation Related to Internet Service Providers
http://www.ncsl.org/research/telecommunications-and-information-technology/2019-privacy-legislation-related-to-internet-service-providers.aspx
Currently, there are 14 states, including D.C., that are considering measures in 2019 to restrict and control how internet service providers share their consumers’ data. These states introduced this privacy legislation in response to the revocation of federal laws that would have put into place specific internet privacy protections. Two states, Nevada and Minnesota, currently require their internet service providers to keep their customers’ information private unless their customers give their consent to disclose their information to other parties. Both states prohibit the sharing of PII, but Minnesota also requires ISPs to get permission from their subscribers before sharing information regarding their internet surfing and the sites they visited.
Out of the states, it seems like New Jersey has the most pending privacy legislation regarding ISPs.
A.B. 1527
Status: Pending
Requires Internet service providers to keep confidential and prohibit any disclosure, sale, or unauthorized access to subscriber’s personally identifiable information unless subscriber authorizes Internet service provider in writing to disclose information.
A.B. 1927
Status: Pending
Requires Internet service providers to keep confidential subscriber’s personally identifiable information unless subscriber authorizes Internet service provider in writing or email to disclose information, prohibits subscriber penalty.
A.B. 3711
Status: Pending
Requires Internet service providers to keep confidential subscriber’s personally identifiable information unless subscriber authorizes Internet service provider in writing to disclose information.
S.B. 1754
Status: Pending
Requires Internet service providers to keep confidential subscriber’s personally identifiable information unless subscriber authorizes Internet service provider in writing to disclose information.
S.B. 2641
Status: Pending
Requires Internet service providers to keep confidential and prohibit any disclosure, sale, or unauthorized access to subscriber’s personally identifiable information unless subscriber authorizes Internet service provider in writing to disclose information.
These bills introduce changes to ISPs and how they currently handle data. ISPs would need to shift their efforts and focus more on protecting their customers’ and subscribers’ data. These bills bring change, which can introduce risk that ISPs would need to be aware of in order to take the necessary measures to guarantee their operations.
Frederic D Rohrer says
Dima, thanks for sharing. I was not aware that ISPs have a lack of privacy legislation and that they are generally sharing customer data left and right. I think it is important as an ISP to protect the information of your customers, especially since they are already trusted with their internet traffic. I can see why the VPN market is booming as there have been many cases of VPN companies not giving out data, even when ordered by a judge. The argument is that since they are not collecting any data, they do not have any to give. I wish ISPs worked similarly.
Sheena L. Thomas says
I am very pleased that most states are developing privacy laws. But my question is how do these laws affect companies in the US? How are companies preparing to align their business with privacy laws?
Brock Donnelly says
I thoroughly enjoy seeing multiple states secure legislation to prevent the disclosure of personal information. It is no secret to me that ISPs sell your personal information. I think you would be surprised to find out how quickly as well. A few years ago my household switched providers multiple times in a short period. My experience with these constant changes was that brand new email addresses were inundated with spam with far too personal acknowledgements. Prior to my discovery I never used the emails provided by any ISP, and they were also riddled with spam. I feel like we might be through the eye of the storm of net neutrality and the people can take their internet back.
Steve Pote says
OK, everyone gets one giggle or grumble at the start, but I was looking at the UK porn block or “porn ban” that is scheduled to be in place July 15, 2019.
http://www.legislation.gov.uk/ukdsi/2018/9780111173183
I have coded the mechanism that pops up a message for the user to confirm their age. You may have seen my work. [18]…[Not 18].
The UK law attempts to address the age-old flaws in this arrangement by enforcing multi-factor authentication for age verification. The logons I worked on initially used credit card and password, where the credit card was validated but not billed (this assumes minors do not have credit cards they will use for porn). Ultimately SMS & password was better validation for established customers. Sites adhering to the requirements of the law would show an icon similar in nature to the TLS lock, and filtering and firewall rules would be built around compliance.
The law would affect traffic from international sources with UK destinations and the messaging and credit card handles used for authentication. If successful (and demonstrably effective) the UK could serve as a template.
I see some SciFi foreshadowing in where the future of authentication and access control will go in a broad sense but really the horror movie shiver is the new risk the law creates. By establishing a porn identity (or any online equivalent) we give up our privacy. The details of the transaction are shadowed in its tracking.
Brock Donnelly says
You have to applaud the effort of trying to find a more habitable solution for morons accessing porn. However Steve, I completely agree with you that creating a type of porn profile through multi-factor authentication is next-level Big Brother. Perhaps from new politicians from the Bible Belt testing their pornish woes against the UK? How could someone authenticate age without forfeiting one’s privacy? It sounds like the internet needs a third party for age identification, similar to the way a Certificate Authority works. With it a user could assign an age association to an internet identity of their choice, verified by a trusted third party.
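The certificate-authority analogy in the post above describes a trusted third party that vouches for a visitor's age while the site never learns who the visitor is. The Python below is an added example written for this page; it is not code from the thread, from Steve's age-gate work, or from any UK verification scheme. It assumes a constructed attester and relying site that share a per-site HMAC key (a real deployment would use a public-key signature so the site only needs the attester's public key, exactly as with a TLS certificate), a constructed birth-year age rule, and constructed timestamps. The point it shows is data minimisation: the token carries a single boolean, an audience, an expiry and a fresh nonce, so the site cannot identify the visitor or link two visits, and a captured token cannot be replayed.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

# Added example (not from the thread): a CA-style age attester that vouches
# "over 18" to a relying site without revealing who the visitor is.

TOKEN_TTL_SECONDS = 300  # constructed: an attestation is valid for five minutes


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


class AgeAttester:
    """Trusted third party. Checks the person's age once, out of band, and
    issues a token carrying only the boolean result plus anti-replay data.
    Assumption for this example: one shared HMAC key per enrolled site."""

    def __init__(self):
        self._site_keys = {}  # site name -> per-site HMAC key

    def enrol_site(self, site: str) -> bytes:
        key = secrets.token_bytes(32)
        self._site_keys[site] = key
        return key

    def issue(self, site: str, birth_year: int, now: int) -> str:
        # Constructed age rule: 18 or older by calendar year. The identity and
        # birth date stay with the attester; only the verdict is encoded.
        over_18 = time.gmtime(now).tm_year - birth_year >= 18
        claims = {
            "aud": site,                                # bound to one site
            "age_over_18": over_18,                     # the only personal claim
            "iat": now,
            "exp": now + TOKEN_TTL_SECONDS,
            "nonce": _b64(secrets.token_bytes(16)),     # fresh: visits are unlinkable
        }
        body = json.dumps(claims, sort_keys=True, separators=(",", ":")).encode()
        tag = hmac.new(self._site_keys[site], body, hashlib.sha256).digest()
        return _b64(body) + "." + _b64(tag)


class RelyingSite:
    """A site gating adult content. It holds only the attester's per-site key
    and the set of nonces it has already accepted."""

    def __init__(self, name: str, key: bytes):
        self.name = name
        self._key = key
        self._seen_nonces = set()

    def verify(self, token: str, now: int) -> bool:
        """True only for an untampered, unexpired, never-before-seen token
        issued for this site that asserts age_over_18."""
        try:
            body_b64, tag_b64 = token.split(".")
            body, tag = _unb64(body_b64), _unb64(tag_b64)
        except ValueError:                  # malformed token or bad base64
            return False
        expected = hmac.new(self._key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):   # constant-time compare
            return False
        claims = json.loads(body)
        if claims.get("aud") != self.name:           # issued for another site
            return False
        if not claims["iat"] <= now < claims["exp"]:  # expired or not yet valid
            return False
        if claims["nonce"] in self._seen_nonces:     # replay of a captured token
            return False
        self._seen_nonces.add(claims["nonce"])
        return claims.get("age_over_18") is True


def token_claims(token: str) -> dict:
    """Decode the claim set without verifying it, to show what the site (or
    anyone who intercepts the token) can learn: no name, card or account."""
    return json.loads(_unb64(token.split(".")[0]))


if __name__ == "__main__":
    attester = AgeAttester()
    site = RelyingSite("example-site", attester.enrol_site("example-site"))
    now = 1560000000  # constructed timestamp (June 2019)
    token = attester.issue("example-site", 1990, now)
    print("claims visible to the site:", token_claims(token))
    print("first presentation accepted:", site.verify(token, now))
    print("replayed token accepted:", site.verify(token, now))
```

The attester is the only party that ever sees the birth date or payment card; the site decides on a signed boolean, which is what separates this design from the credit-card check described earlier in the thread, where the site itself handles the card.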
Oby Okereke says
The Hong Kong privacy law is currently under review and subsequent amendment due to recent data security breaches that significantly affected the personal data of individuals. The four areas in scope are as follows:
Data breach notifications
Non-Compliance Penalties
Data Processors
International Data Transfers
At the completion of the review, the law is expected to be more in line with the requirements of the GDPR.
• What information does it protect,
The Personal Data (Privacy) Ordinance (Cap. 486) (Ordinance) regulates the collection and handling of personal data. The Ordinance has been in force since 1996, but in 2012/2013 it was significantly amended (notably with regard to direct marketing).
• What controls or limitations does the law specify
One of the relevant controls cited in the law is the fact that, as defined within the law, data users and not data processors are held liable for any misuse of personal data leading to a data breach. Another interesting finding is the imposed sanctions with regard to the failure of a data user to implement adequate security measures to protect personal data. The sanctions apply gradients to the penalties accorded to offenders. For example, if a data user has breached more than one enforcement notice, then the maximum fine goes up to HK$ 500,000 and 3 years imprisonment. The situation is slightly different in relation to the direct marketing restrictions, the breach of which constitutes a direct offence and can incur a maximum fine of up to HK$ 1,000,000 and 5 years imprisonment.
• What organizations need to comply with the law, and
• The public sector
• Banking, insurance and telecommunications industries, and
• Organizations with a large database of members (e.g, customer loyalty schemes)
• In which regions would we need to be concerned with this law?
Hong Kong, Asia.
How does this law represent new risk(s) to the organization?
One of the cited risks this law could represent is failure by a data user to obtain consent from a user prior to using the user’s private data for direct marketing. The direct marketing provisions generally require data users who wish to share personal data with a group company or a third party for their direct marketing purposes (e.g., for joint marketing, or in connection with a sale of a marketing list) to obtain the data subject’s prior written consent and to notify the data subject. The risk thereof lies with the fact that a data subject can deny having provided any written consent, thereby putting a data user at risk of having neglected the requirements of the Personal Data (Privacy) Ordinance.
Frederic D Rohrer says
It is interesting that HK is trying to bring their privacy laws more up to par with GDPR, as GDPR is seen as extremely strict in the individual European countries. I can imagine that HK has traditionally acted as the Switzerland of Asia (in terms of customer protection) but that in recent years this has moved over to Singapore. Perhaps HK is trying to re-establish itself as a haven for electronic companies and is thus set to regulate more, in favor of the consumer.
Dima Dabbas says
Oby,
This is an interesting law and one that seems to protect users’ personal information. I think especially after HK had the recent security breaches that led to the disclosure of users’ personal information, it is important to set up privacy laws that prevent that from happening in the future or reduce the impact that it may have. The risk you cited though might be problematic, as many users do not want their information shared or used by third parties for marketing purposes.
Folake Stella Alabede says
New Zealand Privacy Act
A Privacy Amendment Bill was introduced to New Zealand’s parliament in 2018. The Bill will replace the Privacy Act 1993. If enacted it will include stronger powers for the Privacy Commissioner, mandatory reporting of privacy breaches, new offenses and increased fines.
The bill is expected to become law during 2019. The Privacy Commissioner has requested further amendments to the bill. Its key purpose is to promote people’s confidence that their personal information is secure and will be treated properly.
• What information does it protect,
• What controls or limitations does the law specify,
The Privacy Act 1993 (Act) governs how agencies collect, use, disclose, store, retain and give access to personal information.
As the Bill currently stands, the main incentive imposed for compliance is the reputational harm and public embarrassment faced by individuals and organizations that contravene the Bill. The Commissioner has advocated for civil penalties of up to NZD 100,000 for individuals and up to NZD 1 million for organizations in matters of serious breaches. However, even after the Select Committee’s recommendations, the most significant fines introduced by the Bill do not exceed NZD 10,000.
The Commissioner has historically advocated for a consumer right to data portability, being the ability to demand the transfer of personal information from one online provider to another, such as is in Article 20 of the EU General Data Protection Regulation. However, in its current form, the Bill does not create this right.
• What organizations need to comply with the law, and
• In which regions would we need to be concerned with this law?
The bill would apply to any actions by a New Zealand agency, whether inside or outside New Zealand. It would apply to all personal information collected or held by New Zealand agencies, regardless of where the information was collected or held and where the person to whom the information relates is located. A New Zealand agency is defined as a public sector agency, a private sector agency established under New Zealand law or having its central management and control in New Zealand, an individual who is ordinarily resident in New Zealand, or a court or tribunal (except in relation to its judicial functions).
The bill would apply to any actions taken by an overseas agency in the course of carrying on business in New Zealand. It would apply to all personal information collected or held by an overseas agency in the course of carrying on business in New Zealand. It would apply regardless of where the information was collected or held and where the person to whom the information relates is located. An agency would be treated as carrying on business in New Zealand whether or not it has a physical place of business here, charges any monetary payment for goods or services, or makes a profit from its business there. The bill would also apply to an individual who does not ordinarily reside in New Zealand, but who is present. It would apply in relation to any action taken by the individual and all personal information collected by them while they were in New Zealand, regardless of where the information was held and where the person to whom the information relates is located.
https://www.lexology.com/library/detail.aspx?g=441de325-bbe0-4812-8653-4663e8c5c843
Elizabeth V Calise says
Stella,
I found the information you provided quite interesting and I am in support of New Zealand’s Privacy Amendment Bill. The part that caught my eye was the “mandatory reporting of privacy breaches.” I am not sure how I feel about organizations having civil penalties up to NZD 100,000, but at the same time it should 100% encourage companies who may need to clean up their act when it comes to securing customer data. As I mentioned, the mandatory reporting is beneficial for customers. There have been too many times where companies do not report a breach if they can get away with it. Some companies don’t announce the breach till a few years later or don’t announce the breach until it’s like the third time. I always found that unfair to customers because they deserve to know and should be informed in order to take any necessary actions they see fit.
Scott Radaszkiewicz says
In June of 2018, California passed the California Consumer Privacy Act (CCPA). The law will take effect in January of 2020 and will have some pretty broad-reaching effects. The law is essentially drafted to help protect consumers online. In essence, any company doing business in the state of California will have to comply with this law. A clear disclosure must be available on the company’s website if they are collecting any type of personal information.
What information does it protect? The law protects the personal information of consumers and businesses. The law defines personal information as biometric data, household purchasing data, family information, geolocation, financial information and sleeping habits, just to name a few.
What controls or limitations does the law specify? The law states that if anyone is collecting any type of personal information, then there must be a clear disclosure available on the company’s website. Furthermore, if asked, the company must disclose exactly what type of information is being collected. Also, a person has the right to request that their data be deleted.
What organizations need to comply with the law? Any organization doing business in the state of California must comply with the law. This law is going to have far-reaching effects for many online companies, such as Google and Facebook.
In which regions would we need to be concerned with this law? While this is a California law, any company doing business on the Internet will be affected by this law.
Ahmed A. Alkaysi says
Although not a new law, the European GDPR has impacted organizations across the globe. It has created stricter requirements for protecting consumer data, notifying authorities of any data breaches, and giving consumers more control over their data. If organizations are found non-compliant, they face millions in fines.
Now in the US, lawmakers, lobbyists, and some CEOs are looking to bring some aspects of the law to the states. Per Denise Zheng, VP of Technology and Innovation Policy at Business Roundtable, requirements like displaying the “opt-in” banner for users when visiting websites would be useful, but the hefty penalties companies face in the EU might be too harsh for a small business in the US. According to Zheng, many companies support the ideals behind GDPR such as transparency, deletion, and correction of data.
California recently passed a data privacy law similar to GDPR, which will go into effect in 2020. Although there is a push to get something similar done at a federal level, California lawmakers are wary of a federal bill that looks to “weaken” California standards. Currently European officials are working to “decode the complexity of GDPR” especially for the smaller companies, since they end up being impacted more than a larger organization, from a cost perspective.
With CEO and lawmaker support, I believe we will see something similar to GDPR in the States at a federal level sometime in the future, although it will be interesting to see what will or will not be kept from a compliance perspective, and how fines will scale between the larger and smaller companies.
https://www.cnbc.com/2019/05/23/gdpr-one-year-on-ceos-politicians-push-for-us-federal-privacy-law.html
Frederic D Rohrer says
Cal. Civ. Code § 1798.100-§ 1798.198 (“The California Consumer Privacy Act of 2018”)
Link: http://leginfo.legislature.ca.gov/faces/billTextClient.xhtml?bill_id=201720180AB375
The California Consumer Privacy Act of 2018 is a law that allows consumers to request data that a company or business has collected about them.
What information does it protect,
No information is directly protected.
What controls or limitations does the law specify,
The law specifies that requests need to be made by an impacted party directly. Consumers (the directly impacted party) may request to view and delete all data that is stored.
What organizations need to comply with the law, and
In which regions would we need to be concerned with this law?
The law applies to all residents of California but it is unsure how the law will be enforced in other states or countries.
How does this law represent new risk(s) to the organization?
One new risk is that in order to hand out all data which was collected about one individual, this data needs to be collected and “packaged” first. This could mean that sensitive data is stored and transmitted in an insecure fashion. Also, the requester’s identity needs to be confirmed first, this means more PII needs to be handled.
Brock Donnelly says
Apple is back in the rifle sights. A recent law and a few old ones led to a new class action lawsuit against Apple Inc. Three plaintiffs, one from Rhode Island and two from Michigan, have fortified behind laws from their states. The defendants claim Apple allowed the disclosure of their customers’ listening habits to advertisers. “One of the allegations is that Apple directly sold data about consumers who purchased music from the company to data brokers, who in turn have been connecting this type of data to other publicly available information and then reselling it to marketers.” Apple’s Media Player documentation states that developers need to get permission from users before accessing music libraries, and they’re “not permitted to use this framework to gather information about the user’s audio content, or to use such information for any purpose other than audio playback within your app.” Another claim is that Apple makes it too easy for developers to gather data through iTunes.
Apple lawsuits are just another day at the office, yet this lawsuit seems to hold water. The defendants have proof of spam related to the listening habits from Apple’s marketplace. Michigan has held a strong privacy stance since 1988 with their Preservation of Personal Privacy Act of 1988 and their MIPPPA act of 1989, both acts to preserve personal privacy with respect to the purchase, rental, or borrowing of certain materials, and to provide penalties and remedies for violation of the act. Rhode Island’s new privacy law of 2017, the Rhode Island Video, Audio and Publication Rentals Privacy Act or RIVRPA, states:
“It shall be unlawful for any person to reveal, transmit, publish, or disseminate in any manner, any records which would identify the names and addresses of individuals, with the titles or nature of video films, records, cassettes, or the like, which they purchased, leased, rented, or borrowed, from libraries, book stores, video stores, or record and cassette shops or any retailer or distributor of those products, whether or not the identities and listings are kept in a remote computing service or electronic storage or the disclosure is made through or by a remote computing service…”
Apple as a company has also held a strong stance on personal privacy. Their recent ad campaign or image representation platform is that they can be the only tech company you can trust. It is with this message that Tim Cook took the stage at Apple’s most recent keynote. In 2019 Apple launched ads that state, “What happens on your iPhone, stays on your iPhone.” With these new and even old laws, it seems Apple Inc. will have problems with this class action lawsuit. This could result in damages of $250 per incident from Rhode Island and $5,000 per incident from Michigan. Good luck to the plaintiffs; all prior relatable lawsuits were unable to prove harm.
Jonathan Duani says
I found this pretty interesting article talking about how a federal law protecting data privacy could be a thing in 2019. As of right now we have things like GDPR and other laws that affect people in Europe, but as of right now there is no definite law in place for America. This however could all change come 2019. Even though no law is currently on the docket to talk about, there is a good possibility with all the changes moving forward that it could only be a matter of time. A federal law could affect all of the US and affect a lot of the tech companies around the country. As we see with GDPR, a new law in the US could affect the way a lot of people do business and handle data accordingly. As of the publish date of the article, multiple different people in the federal government have been meeting to discuss this notion for a new bill. This includes Senator Marco Rubio (R-FL) announcing a new privacy bill, the American Data Dissemination Act (ADDA). In addition, the Senate Commerce Committee held a hearing titled “Policy Principles for a Federal Data Privacy Framework.” So this is definitely on a lot of people’s radar now. It could only be a matter of time before it comes to fruition.
Source: https://www.natlawreview.com/article/could-federal-data-privacy-law-be-reality-2019
Source: https://www.law.com/corpcounsel/2019/05/20/microsoft-deputy-general-counsel-calls-for-us-privacy-law-as-gdpr-turns-1/
Elizabeth V Calise says
This is a good share. Many lawmakers are seeking to respond to the Equifax breach and others by reviewing data breach notification rules. Members of Congress are re-introducing data-breach protection proposals. There is a very high chance that there will be a single national data-breach notification standard. I think this is well-intentioned, but it may not result in meaningful improvement for data-security practices. Breach notification laws definitely shame companies that do not disclose; however, the burden on the individuals whose information was disclosed still remains.
Organizations need clearer rules. It would be beneficial if the US does implement what you described above.
Sheena L. Thomas says
The topic of conversation has been GDPR and the copy-cat states that are following suit.
According to Andrew Rossow of forbes.com “GDPR is a legal framework that requires businesses to protect the personal data and privacy of European Union (EU) citizens for transactions that occur within EU member states. It covers all companies that deal with the data of EU citizens, specifically banks, insurance companies, and other financial companies. With the enactment of GDPR today, two major protective rights should be highlighted. First, the right of erasure, or the right to be forgotten. If you don’t want your data out there, then you have the right to request for its removal or erasure. Second, the right of portability. When it comes to “opt-in/opt-out” clauses, the notices to users must be very clear and precise as to its terms.
GDPR requires clear consent and justification. Pursuant to the GDPR, the following types of data are addressed and covered:
(1) Personally identifiable information, including names, addresses, date of births, social security numbers
(2) Web-based data, including user location, IP address, cookies, and RFID tags
(3) Health (HIPAA) and genetic data
(4) Biometric data
(5) Racial and/or ethnic data
(6) Political opinions
(7) Sexual orientation”
What was once considered company data has now changed. If a customer/client or employee provides data, they have the right to have you remove their data.
According to Thomson Reuters “The lingering uncertainty around the GDPR is one of the biggest impediments to compliance, with parts of it deliberately left vague. Undefined terms such as “undue delay,” “likelihood of (high) risk to rights and freedoms” and “disproportionate effort” will require further clarity by the courts or regulators, or time for specific market practices to develop. Similarly, the regulation offers no definition of what constitutes a “reasonable” level of protection for personal data, offering regulators significant flexibility in assessing fines for data breaches and non-compliance.”
https://legal.thomsonreuters.com/en/insights/articles/top-five-concerns-gdpr-compliance
https://www.forbes.com/sites/andrewrossow/2018/05/25/the-birth-of-gdpr-what-is-it-and-what-you-need-to-know/#22103ad755e5