During this week, research a recent law concerning privacy. Summarize this recent law for us:
- What information does it protect,
- What controls or limitations does the law specify,
- What organizations need to comply with the law, and
- In which regions would we need to be concerned with this law?
How does this law represent new risk(s) to the organization?
The CONSENT Act
Introduced in the Senate – 04/10/2018
Status: Not passed yet
The Customer Online Notification for Stopping Edge-Provider Network Transgressions (CONSENT) Act is a proposed federal law (S. 2639) that grants stronger privacy rights to users.
The term “edge provider” evolved to define large organizations (ISPs, Facebook, Google, Twitter, etc.) that offer services over the Internet, or provide devices (phones, tablets) for accessing the Internet. In 2014, the Federal Communications Commission expanded the definition of “edge provider” to include ANYONE that sends data packets across the Internet. If your company provides ANY online content (storefront, video, images, business blog) you are considered an “edge provider” by the FCC.
The CONSENT Act would require the Federal Trade Commission (FTC) to establish opt-in requirements for consent to the use of sensitive information by those “edge providers”. This bill affects anyone with a business website in the United States along with heavy hitters like Google and Amazon. If you collect and store any customer data, CONSENT also applies to your interactions with site visitors and customers.
If passed, comprehensive documentation regarding policies, procedures, standards and guidelines needs to be planned and implemented to remain compliant and mitigate legal issues.
If the CONSENT Act is passed this year, organizations must:
• Obtain explicit consent from entities before data can be used, shared, or sold
• Stop using data to tailor advertising to users
• Implement a clear “opt-in” process
• Not bury what information is collected in fine print
• Notify customers in the event of a security breach
https://www.congress.gov/bill/115th-congress/senate-bill/2639
Hi Vinny,
This act seems to be taking many ideas from Europe’s GDPR, much like California’s Privacy Rights Act. I’m glad efforts are being taken worldwide to make sure customers’ data is safe and as private as possible. Too often we sign up for websites not knowing what data, or how much data, is being mined from us. Having the option to opt out of a site would be very beneficial.
So true!
I hope someday soon we have our own GDPR. We are definitely not doing enough to keep information safe. An astronomical amount of money, which could be used for feeding impoverished people for example, is wasted on how this country operates.
My favorite part of GDPR is the fines. The consequences are REAL as opposed to the consequences of any US legislation. One breach can bring your whole company down. Traditionally, business people listen to dollars and the bottom line.
Another flaw in the US is that we are historically REACTIVE. It isn’t until after a serious breach takes place that the government coughs up money to make change happen. I mean, this is what JUST happened this week: a phishing attack by the Russian government. Although caught quickly and neutralized, it exposes the embarrassingly simple vulnerabilities that our government fails to protect against.
Read about it below:
https://www.nytimes.com/2021/05/28/us/politics/russia-hack-usaid.html
This Act is important and hopefully it will pass; a lot of companies are using client data for business gain without consent. However, my only concern here is that these laws seem to target large companies that they know can pay the fines, like Facebook, and then tend to ignore the small ones.
State: California
Law: California Privacy Rights Act (2020), Proposition 24
Effective date: Jan.1, 2023
Over time we have all become familiar with the CCPA (California Consumer Privacy Act of 2018). It is by far the strongest law in the United States and famous for its resemblance to Europe’s General Data Protection Regulation (GDPR). In November 2020, the CCPA was amended and expanded by the addition of Proposition 24.
Current Status: Proposition 24 imports more of the GDPR’s provisions, providing additional consumer privacy rights over sensitive information. It also expands the penalties established through the CCPA and creates a new agency in California to oversee and enforce consumer data privacy laws. Most of the provisions of the CPRA go into effect on January 1, 2023, although the creation of the new state agency and the requirements for developing new regulations go into effect immediately. Businesses must comply with the regulatory provisions of the CCPA until those new regulations are in place.
Most notable provisions: Proposition 24 changes which businesses will be subject to California’s consumer data privacy requirements. To be subject to the CPRA, a business must either:
• Derive at least 50% of its annual revenue from selling or sharing (as opposed to just selling under CCPA) the personal information of California consumers;
• Have gross revenue over $25 million (unchanged); or
• Buy, sell or share the personal information of more than 100,000 (increased from 50,000 under CCPA) California consumers/households. (Helpfully, the standard now counts only California consumers or households; the CCPA also counted “devices.”)
Other notable changes include:
• Delays the applicability of the CCPA to the personal information of a business’s own employees and to other business-to-business communications until 2023.
• Requires rulemaking for the protection of trade secrets from disclosure as a result of a consumer request.
• Expands consumer “right to know” requests beyond the prior 12 months, beginning with data collected after January 1, 2022.
References
N.A. (n.d.). TITLE 1.81.5. California Consumer Privacy Act of 2018 [1798.100 – 1798.199.100]. Retrieved from https://leginfo.legislature.ca.gov/faces/codes_displayText.xhtml?division=3.&part=4.&lawCode=CIV&title=1.81.5
N.A. (11/25/2020). How the Passing of Proposition 24 Will Change the CCPA. Retrieved from https://www.dpf-law.com/blogs/lex-vini/how-the-passing-of-proposition-24-will-change-the-ccpa/#:~:text=Proposition%2024%20changes%20which%20type,CPRA%2C%20a%20business%20must%20either%3A&text=Buy%2C%20sell%2C%20or%20share%20the,CCPA)%20California%20consumers%2Fhouseholds.
General Data Protection Regulation – Implemented on May 25th, 2018
GDPR protects EU citizens’ data on the Internet by giving them full control over what data an organization is and is not allowed to keep beyond the essential data required by the website.
Article 6 details the conditions under which customers’ data may lawfully be used:
(a) If the data subject has given consent to the processing of his or her personal data;
(b) To fulfill contractual obligations with a data subject, or for tasks at the request of a data subject who is in the process of entering into a contract;
(c) To comply with a data controller’s legal obligations;
(d) To protect the vital interests of a data subject or another individual;
(e) To perform a task in the public interest or in official authority;
(f) For the legitimate interests of a data controller or a third party, unless these interests are overridden by interests of the data subject or her or his rights according to the Charter of Fundamental Rights (especially in the case of children)
Any organization that has a presence in Europe, and any European citizen who accesses a site regardless of where they are located, are both covered under this regulation.
Source: https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=celex:32016R0679
Hi Krish, good job summarizing GDPR. The United States is definitely not as advanced in privacy regulations as the EU. I’m interested to see what corresponding laws the U.S. will pass to address the growing privacy concerns. As a “world power”, we have a lot of catching up to do.
Krish/Mei,
I agree! This country has so much catching up to do in so many areas. The amount of money wasted on placing Band-Aids on problems is offensive and unnecessary. Using the GDPR as a template would be a good start!
Information Transparency and Personal Data Control Act
Proposed: March 2021
The new federal data privacy legislation proposed, the Information Transparency and Personal Data Control Act, ensures that an individual’s personally identifiable information and all information pertaining to children under the age of 13 must be protected. The law also requires companies to produce their privacy policies within 90 days of the bill’s passing, users must opt in to disclose PII to companies, and companies must be transparent about how they share users’ information.
All organizations that collect this information must also undergo a “neutral” privacy audit to ensure that companies with information from 250,000+ people are handling PII in accordance with the act. Failure to adhere to the act may result in legal escalation from the attorney general and the Federal Trade Commission. The bill lacks references to artificial intelligence and facial recognition. Although in the past this wasn’t considered PII we had to protect, with technology becoming more integrated into our lives, information collected through technology like facial recognition cannot be ignored.
The law represents limitations and a tremendous increase in resources for organizations. Organizations may choose to limit the information they collect, resulting in loss of business from predictive marketing. Organizations would also need to increase spending on their security infrastructure to remain compliant with the law.
https://securityboulevard.com/2021/04/new-federal-data-privacy-legislation-proposed/#:~:text=In%20late%20March%202021%2C%20Representative,data%20in%20their%20own%20hands.
Virginia Consumer Data Protection Act
The Virginia Consumer Data Protection Act was recently passed in the state of Virginia. This law protects information collected on residents of the State of Virginia by any business entity that handles records of at least 100,000 Virginia consumers, or of 25,000 Virginia consumers where it attributes half of its gross revenue to the sale of consumer data.
The law states that consumers have full rights to any information collected on them, including access, correction and deletion, and they can opt out of targeted advertising and the sale of their personal information as well. However, the law is not stringent and leaves some wiggle room, as some business organizations can still use the consumer data for operational purposes due to the broadly defined exceptions for use of consumer data.
This law applies to all business entities that operate within the state of Virginia or handle any consumer data belonging to residents of Virginia. The VCDPA has similarities to both the California Privacy Rights Act of 2020 and the California Consumer Privacy Act of 2018.
https://lis.virginia.gov/cgi-bin/legp604.exe?211+sum+SB1392
https://iapp.org/news/a/virginia-passes-the-consumer-data-protection-act/
During this week, research a recent law concerning privacy. Summarize this recent law for us:
Keeping things local to myself here in Jersey, I will be discussing the 3 related bills that are in the process of being passed for New Jersey.
• What information does it protect,
A5448- Requires commercial Internet websites and online services to notify consumers of collection and disclosure of personally identifiable information and allows consumers to opt out.
A3283 – The “New Jersey Disclosure and Accountability Transparency Act” (NJ DaTA) establishes certain requirements for disclosure and processing of personally identifiable information; establishes the Office of Data Protection and Responsible Use in the Division of Consumer Affairs.
A3255 – Requires certain businesses to notify customers of certain information concerning the collection and sale of personally identifiable information and to allow customers to opt-in to collection and sale.
• What controls or limitations does the law specify,
Basically, these laws for New Jersey will make the business entities in place liable to notify the customers of the data they are collecting, and whether any of it is personally identifiable information.
• What organizations need to comply with the law, and
Businesses that are operating in the state of New Jersey.
• In which regions would we need to be concerned with this law?
In the region of New Jersey, or if there are end users doing business with them / users visiting their websites.
How does this law represent new risk(s) to the organization?
If the organization is not collecting any personally identifiable information, this does not change many things for the organization. But if they are, and even selling the information, they now have to alert the customer / end user to the data they are collecting / selling. This could lead to a potential loss of a sale if the end users feel this information is not needed, so they opt out of doing business with the company.
NJ AB 3255
Status: Pending
Requires certain businesses to notify customers of certain information concerning the collection and sale of personally identifiable information and to allow customers to opt-in to collection and sale.
NJ AB 3283
Status: Pending
Relates to state Disclosure and Accountability Transparency Act (DATA), establishes certain requirements for disclosure and processing of personally identifiable information, establishes Office of Data Protection and Responsible Use in Division of Consumer Affairs.
NJ AB 3525
Status: Pending
Requires consumer reporting agencies to increase protection of consumers’ personal information.
https://www.ncsl.org/research/telecommunications-and-information-technology/2020-consumer-data-privacy-legislation637290470.aspx#:~:text=New%20Jersey&text=Requires%20commercial%20Internet%20website%20and,conspicuously%20post%20their%20privacy%20policy.&text=Requires%20commercial%20Internet%20websites%20and,allow%20customers%20to%20opt%20out.
https://legiscan.com/NJ/bill/A5448/2020
https://legiscan.com/NJ/bill/A3283/2020
https://legiscan.com/NJ/bill/A3255/2020
Law: The Privacy Act – Canada
Date: Updated in August 2019
Protected Information
This Canadian law covers Canadian citizens’ personal information, defined as:
– race, national or ethnic origin, colour, religion, age or marital status
– education, medical, criminal or employment history of an individual or information about financial transactions
– any assigned identifying number or symbol
– address, fingerprints or blood type
– personal opinions or views except where they are about another individual or about a proposal for a grant, an award or a prize to be made to another individual by a government institution
– private or confidential correspondence sent to a government institution
– the views or opinions of another individual about the individual
– the views or opinions of another individual about a proposal for a grant, an award or a prize to be made to the individual by an institution
– the name of the individual where it appears with other related personal information and where the disclosure of the name itself would reveal information about the individual
The law does not consider the following protected information:
– certain professional information about an individual who is or was an officer or employee of the federal government
– certain professional information about an individual who is or was performing services under contract for a government institution that relates to the services performed
– certain information relating to any discretionary financial benefit, including the granting of licences or permits to an individual
– information about an individual who has been dead for more than 20 years
What controls or limitations does the law specify?
The Privacy Act specifies who can collect this type of information, from whom it may be collected, and why it is being collected. It also defines how it can be used, the accuracy that must be maintained by the collecting party and the retention time, and makes reference to the official retention policy. Disclosure of the collected data is also clearly defined: limitations to the original purpose, authorization in federal legislation, compliance with authorized entities that can compel information, public interest, etc. The right to access and the circumstances for denial of access are also defined. Processes are defined for how to request access, the allowed time frames associated with it, and the conditions under which access would be denied. Finally, the law provides the steps to file complaints as needed.
More specific controls are provided in the Policy on Privacy Protection (6/18/2020) which provides direction to government institutions to ensure compliance with the Privacy Act. These controls include:
– Defining delegates/representatives to be responsible and accountable to compliance with the Privacy Act
– Privacy awareness training
– Implementation of policies and procedures
– Implementation of processes and systems to respond to requests for access/correction of personal information, documents, etc.
– consultation with legal counsel in compliance with established procedures
– provide assurances at the request of the Privacy Commissioner
– notification to the Privacy Commissioner in the event of any planned initiatives that may impact the privacy of Canadians
– PIA – Privacy Impact Assessments are implemented, maintained and published
– establish privacy controls for non-administrative use of data
– protocols for monitoring and reporting (annual reporting to the House of Parliament and annual reporting to the Treasury Board)
What organizations need to comply with the law?
Canadian government institutions
In which regions would we need to be concerned with this law?
All Canadian Provinces
How does this law represent new risk(s) to the organization?
Organizations must comply or face litigation and fines from the Canadian government. Given that this is a law and not a “standard or guideline”, compliance is mandatory. Organizations must be prepared to evaluate their data and apply the required controls (technical and/or physical) in order to comply. It is possible that new policies or protocols might have to be developed, new technologies may have to be applied/purchased, and new methodology may have to be implemented. A deep analysis would have to be conducted on the entire infrastructure, if it has not been done already.
The Privacy Act: https://www.priv.gc.ca/en/privacy-topics/privacy-laws-in-canada/the-privacy-act/
Policy on Privacy Protection: https://www.tbs-sct.gc.ca/pol/doc-eng.aspx?id=12510
The SHIELD Act, signed into law on July 25, 2019 by Governor Andrew Cuomo, amends New York’s 2005 Information Security Breach and Notification Act.
What information does it protect? The SHIELD Act requires any person or business owning or licensing computerized data that includes the private information of a resident of New York (“covered business”) to implement and maintain reasonable safeguards to protect the security, confidentiality and integrity of the private information.
What controls or limitations does the law specify? The SHIELD Act requires any person or business that maintains private information to adopt administrative, technical and physical safeguards. Certain safeguards are listed but it is not meant to be an exhaustive list.
What organizations need to comply with the law, and
In which regions would we need to be concerned with this law?
The Shield Act significantly strengthens New York’s data security laws by expanding the types of private information that companies must provide consumer notice in the event of a breach, and requiring that companies develop, implement, and maintain reasonable safeguards to protect the security, confidentiality and integrity of the private information.
What controls or limitations does the law specify? (continued)
Reasonable administrative safeguards:
-> designates one or more employees to coordinate the security program;
-> identifies reasonably foreseeable internal and external risks;
-> assesses the sufficiency of safeguards in place to control the identified risks;
-> trains and manages employees in the security program practices and procedures;
-> selects service providers capable of maintaining appropriate safeguards, and requires those safeguards by contract;
-> adjusts the security program in light of business changes or new circumstances.
Costa Rica’s reform to Act 8968 – Law for the Protection of People Against the Processing of their Personal Data
What information does it protect?
The law protects personal, sensitive data including “racial or ethnic origin, political opinions, religious, spiritual, or philosophic convictions, as well as any data related to health, life and sexual orientation among others”.
What controls or limitations does the law specify,
It disallows most companies from “Collecting, keeping, transferring or in any other way using sensitive data, as defined by Article 3 of the law, by any individual or private corporate entity”.
What organizations need to comply with the law, and in which regions would we need to be concerned with this law?
The law applies to data stored, collected, transferred, or used within the territory of Costa Rica. Therefore, any organization doing business in Costa Rica should make sure they have a good understanding of this law.
How does this law represent new risk(s) to the organization?
This law slowed organizations in their pursuit of using personal data; administrative controls needed to be taken to train employees on what information could and could not be collected. However, many organizations found loopholes and were able to use this data without facing any consequences. In January 2021, a proposal for revision was made, and Costa Rica is moving toward stricter regulation, similar to that specified in the GDPR. This would build international confidence in Costa Rica’s handling of private information, allowing for more business opportunities for Costa Rican companies.
https://www.dataguidance.com/notes/costa-rica-data-protection-overview
https://www.langcr.com/content/collecting-keeping-and-using-sensitive-personal-data-in-costa-rica/
https://www.giromartinez.com/news/costa-rica-comprehensive-reform-on-data-privacy/
Hi Amelia,
Your article is a good read. It’s great to know that several countries across the world are adapting privacy laws to protect their citizens from companies that may mishandle their data or profit from it without their consent.
It’s so important for governments to take a strong stance on data privacy for its people. Unfortunately, people are often too trusting or simply are not in a position to stand up against large corporations that want to profit off of their data while saving costs on protecting the data.