October 2022 AFS Privacy Report: California Privacy Protection Agency Releases Updated Draft Regulations Ahead of October 28-29 Board Meeting
Headlines that Matter for Privacy and Data Security.
US News
California Privacy Protection Agency Releases Revised Regulations
With the effective date less than three months away, and ahead of a Board Meeting on October 28 and 29, the California Privacy Protection Agency released updated draft California Privacy Rights Act Regulations, along with a summary of the modifications, on October 17, 2022.
The updated draft Regulations extend the definition of “disproportionate effort” to service providers, contractors, and third parties. Under the revised definition, responding to a consumer’s data subject rights request would involve a “disproportionate effort” when the time and resources the business, service provider, contractor, or third party would have to expend significantly outweigh the reasonably foreseeable impact on the consumer of not responding.
In that case, the business, service provider, contractor, or third party would not be required to honor the request. The exception would not be available, however, to an entity that has failed to put in place adequate processes and procedures to receive and process consumer requests; on the same facts, such an entity would still be required to honor the request.
Additionally, under the updated draft Regulations, businesses would no longer be required to:
- Identify third party data collectors in their collection notices;
- Provide a “Notice of Right to Limit” or “Limit the Use of My Sensitive Personal Information” link if the business collects sensitive personal information without the purpose of inferring characteristics about a consumer, and provided the privacy policy states as such; and
- Display on their websites whether they have processed an opt-out preference signal as a valid request to opt out of sale and sharing.
Colorado Privacy Act Draft Regulations Now Available
The Colorado Attorney General’s Office released its version of draft Regulations under the Colorado Privacy Act on September 30, 2022. Among other things, the draft Regulations would:
- Require covered entities to describe each processing purpose in their privacy policies;
- Require at least 15 days’ notice of “substantive or material changes” to a privacy policy, including changes to: (1) the categories of personal information processed; (2) the processing purposes; and (3) the methods by which consumers can exercise their rights; and require consent for changes that introduce a “secondary purpose” for processing; and
- Provide more insight on what should be included in data protection assessments, which are required before engaging in processing activities that “present heightened risks of harm,” such as profiling, selling personal information, or using personal information for targeted advertising.
Individuals, businesses, and other interested parties may comment on the Regulations from October 10, 2022, to February 1, 2023. Comments must be submitted here.
President Biden Signs Executive Order to Implement New US/EU Data Transfer Pact
On October 7, 2022, President Biden signed an Executive Order on Enhancing Safeguards for United States Signals Intelligence Activities, which sets out the steps the United States will take to protect the personal information of European Union (EU) residents and to handle complaints about US government surveillance. The Order implements the agreement between President Biden and European Commission President Ursula von der Leyen to establish a new EU-US Data Privacy Framework to replace the Privacy Shield, and it addresses the concerns raised in the Schrems II decision that invalidated the Privacy Shield. Of note, the Executive Order creates an independent and binding redress mechanism under which individuals in qualifying states and regional economic integration organizations may seek redress if they believe their personal information was collected in a manner that violates applicable US law. It also adds safeguards for US signals intelligence activities and requires US intelligence community agencies to update their policies and procedures accordingly. The European Commission will now begin the process of adopting an adequacy decision for the framework, which could take up to six months. In the meantime, the European Commission has published a Q&A document outlining the Executive Order. The White House fact sheet is here.
New York Considers the New York Child Data Privacy and Protection Act
State Senator Andrew Gounardes has introduced Senate Bill 9563, the New York Child Data Privacy and Protection Act. The bill is similar to the recently passed California Age-Appropriate Design Code Act. It aims to “ensure safer digital spaces” for individuals under 17 by ending the “predatory collection and sale of their personal data.” If enacted, the bill would require each entity offering an online product targeted toward child users to complete a data protection impact assessment addressing:
- The ways child users primarily interact with or consume the online product;
- The average amount of time that a child user spends using the online product and whether the product includes any features that are designed to extend or increase an amount of time;
- The amount of any type of data of child users collected, retained, processed, and/or sold;
- The purpose of the collection, retention, processing, or sale of such data; and
- The data sharing relationships the entity has with data processors or other third parties with whom it shares the personal data of child users.
The bill would also require privacy-by-default settings: online services would have to be designed so that the strictest privacy settings apply without any action by the user.
CISA Requests Feedback on New Cyber Incident Reporting Requirements
The Cybersecurity and Infrastructure Security Agency (CISA), the agency responsible for leading the national effort to understand, manage, and reduce cyber-related risk, released a Request for Information (RFI) to solicit public input on approaches to implementing the cyber incident reporting requirements, pursuant to the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA). As background, CIRCIA requires CISA to develop and publish a Notice of Proposed Rulemaking for public comment and review, containing proposed regulations for cyber incident and ransom payment reporting. Recognizing the growing number of cyber incidents as one of the “most serious economic and national security threats our nation faces,” CISA states that it is particularly interested in input on:
- Definitions for and interpretations of the terminology to be used in the proposed regulations;
- The form, manner, content, and procedures for submission of reports required under CIRCIA;
- Other incident reporting requirements, including the requirement to report a description of the vulnerabilities exploited; and
- Other policies and procedures, such as enforcement procedures and information protection policies that will be required for implementation of the regulations.
Written comments are requested on or before November 14, 2022. Comments may be submitted through the Federal eRulemaking Portal here.
NIST Publishes Profile of the IoT Core Baseline for Consumer Products
On September 20, 2022, the National Institute of Standards and Technology (NIST) published a Profile of the IoT Core Baseline for Consumer Internet of Things (IoT) Products. Described as a starting point that businesses can consider when purchasing IoT products, the publication identifies the cybersecurity capabilities commonly needed in consumer IoT products, including asset identification, product configuration, data protection, interface access control, and software updates. The Profile reflects a year-long collaborative effort between NIST and stakeholders.
IAB Releases Multi-State Privacy Agreement and Privacy Signals Specifications for Public Comment
On October 14, 2022, the Interactive Advertising Bureau (IAB) released for comment its draft Multi-State Privacy Agreement (MSPA), an updated contractual framework designed to help publishers, advertisers, and ad tech intermediaries comply with the state omnibus privacy laws that take effect in 2023. The MSPA covers sales of personal information, measurement and frequency capping, contextual advertising, and limitations on the use of sensitive personal information and information relating to children. It accompanies the IAB Tech Lab’s US State Signals Specifications, released for comment on the same day. The US State Signals Specifications will supersede the IAB’s US Privacy Framework, which is currently used to manage consent signals for California only. The new specifications are implemented within the IAB Tech Lab’s Global Privacy Platform and can be used independently of the MSPA, but they are designed to work in combination with it so that companies can manage consent signals for multiple states.
The MSPA and US State Signals Specifications are open for public comment until October 27, 2022, at infor@iabprivacy.com and support@iabtechlab.com, respectively.
First BIPA Trial Results in $228M Judgment for Plaintiffs
On October 19, 2022, an Illinois federal jury in a class action under the state’s Biometric Information Privacy Act (BIPA) found that the defendant violated BIPA, resulting in a $228 million award to a class of more than 45,000 members. In Rogers v. BNSF Railway Company, the plaintiff alleged on behalf of the class of truck drivers that BNSF Railway Company violated BIPA by failing to:
- Inform class members that their biometric identifiers or information were being collected or stored prior to collection;
- Inform class members of the specific purpose and length of term for which the biometric identifiers or information were being collected; and
- Obtain informed written consent from class members prior to collection.
The court rejected BNSF’s defense that the class claims were preempted by federal statutes and found that BNSF employees were sufficiently involved in the management and use of the company’s biometric information collection systems that a jury could find that BNSF, and not just its third-party contractor Remprex LLC, had violated BIPA. Following a five-day trial, the jury returned a verdict in favor of the class, finding that BNSF recklessly or intentionally violated BIPA 45,600 times. The jury did not calculate damages. Rather, because BIPA provides for $5,000 in liquidated damages for every intentional or reckless violation (and $1,000 for every negligent violation), Judge Kennelly applied BIPA’s damages provision, which resulted in a judgment of $228 million in damages. The judgment does not include attorneys’ fees, which the plaintiff is entitled to seek under BIPA and will almost certainly request. This case is an important reminder of the scope of potential exposure BIPA violations can pose to employers.
Global News
EDPB Publishes Guidelines on Personal Data Breach Notification and Welcomes Comments
The European Data Protection Board (EDPB) has published for comment an updated set of Guidelines on personal data breach notification under the General Data Protection Regulation (GDPR). The EDPB had previously endorsed the Article 29 Working Party’s Guidelines on personal data breach notification under Regulation 2016/679. The updated Guidelines confirm that a controller not established in the EU that is subject to Article 3(2) or Article 3(3) GDPR remains bound by the notification obligations in Articles 33 and 34 GDPR when it experiences a breach. The update clarifies, however, that the mere presence of a representative in a Member State does not trigger the one-stop-shop mechanism. As a result, such a controller would need to notify the breach to every supervisory authority in whose Member State affected data subjects reside. The notification would be made in accordance with the mandate the controller has given its representative and under the responsibility of the controller.
The EDPB is accepting comments on the Guidelines until November 29, 2022. Comments can be made here.
Canada’s Standing Committee on Access to Information, Privacy and Ethics Publishes a Report on Facial Recognition Technology and Artificial Intelligence
Canada’s Standing Committee on Access to Information, Privacy and Ethics published “Facial Recognition Technology and the Growing Power of Artificial Intelligence,” which analyzes current regulations on facial recognition technology and artificial intelligence, and makes recommendations on how the law should progress in these areas. The report begins with an explanation that “Facial Recognition Technologies need to be regulated with a scalpel, not an axe.” It continues by urging the Canadian government to:
- Define the acceptable uses of facial recognition technology;
- Implement an opt-in only requirement for the collection of biometric information by private sector entities;
- Prohibit private sector entities from making the availability of goods and services contingent on providing biometric information;
- Amend the Privacy Act and the Personal Information Protection and Electronic Documents Act (PIPEDA) to prohibit the practice of capturing images of Canadians to develop AI algorithms; and
- Ensure privacy protections focused on accuracy, retention, and transparency are implemented to mitigate risks to individuals.
European Commission Releases Proposal for a New Cyber Resilience Act
The European Commission has released its proposal for a Cyber Resilience Act, which would introduce cybersecurity requirements for connected devices. The Act would cover digitally connected products and their accompanying data processing solutions, with a carve-out for products already covered by sector-specific regulation. It addresses confidentiality, encryption, and purpose limitation, with the goal of reducing vulnerabilities in the IoT sector. It would also establish a framework of cybersecurity requirements governing the planning, design, development, and maintenance of such products, with obligations at every stage of the value chain, and it would impose a duty of care covering the entire lifecycle of the product.
Danish Data Protection Authority Concludes Google Analytics Must Be Supplemented With Other Measures To Be Lawful
Datatilsynet, the Danish Data Protection Authority, recently reviewed Google Analytics’ settings and terms and joined the Austrian, French, and Italian Data Protection Authorities in concluding that general use of the tool, without supplementary measures, violates the GDPR. Although each supervisory authority decided its case individually, the decisions reflect a common position. The press release states that Datatilsynet’s guidance is based on the other European supervisory authorities’ decisions and on Datatilsynet’s own research. According to the decision, businesses are expected to put supplementary measures in place before using Google Analytics, including pseudonymization of the data; simply changing the tool’s settings is not enough.
Pseudonymization guidance is available here. The press release is here. The questions and answers document is here.
ICO Issues Guidance on Direct Marketing Using Live Calls
The UK Information Commissioner’s Office (ICO) has published guidance for organizations that engage in direct marketing, advertising, selling, promoting, fundraising, or campaigning via live (non-automated) telephone calls. The guidance sets out how marketers can carry out these activities without violating the Privacy and Electronic Communications Regulations 2003 (PECR). Specifically, marketers must not call individuals who have previously objected to receiving calls, and must not call numbers that are registered with the Telephone Preference Service (TPS) unless the individual has consented to the call. Marketers must also display the phone number they are calling from, identify the caller (e.g., the name of the organization), and provide contact details for the calling organization if asked. The guidance explains that consent is generally not needed for most types of live marketing calls, but certain kinds of calls, such as those concerning pension schemes or claims management services (defined in part as providing advice with respect to claims for compensation, repayment, or any other remedy for loss), do require consent. Where consent is required, it must be specific and informed. The guidance is here.
Ontario Law Creates Requirements for Electronic Monitoring Policies
On April 11, 2022, Ontario, Canada, added new requirements for workplace electronic monitoring policies to Ontario’s Employment Standards Act (the ESA). The Requirements provide that provincially regulated employers in Ontario with 25 or more employees must have a written policy on electronic monitoring in the workplace. The Requirements do not prohibit electronic monitoring; they require employers to be transparent about their electronic monitoring practices.
A compliant electronic monitoring policy must include:
- A description of how and in what circumstances the employer may electronically monitor employees;
- The purposes for which the information obtained through electronic monitoring may be used by the employer;
- The date the policy was prepared; and
- The date any changes were made to the policy.
An employer must, within the specified timeframes, provide a copy of the written policy to all of its employees and to all assignment employees who are assigned to perform work for that employer. There is a special rule that applies in the first year of the requirement. Employers that employ 25 or more employees on January 1, 2022, had until October 11, 2022, to have a written policy on the electronic monitoring of employees in place. The Requirements state that beginning in 2023, and in the years that follow, employers that employ 25 or more employees on January 1 of any year must have a written policy on the electronic monitoring of employees in place before March 1 of that year.