Virginia Finalizes CDPA Text With the Addition of Three Amendment Bills
Headlines that Matter for Privacy and Data Security
US News
Connecticut Passes the Fifth US State Consumer Privacy Law
The Connecticut governor has formally signed and passed An Act Concerning Personal Data Privacy and Online Monitoring (CPDA), making this law the fifth US state consumer privacy law. The CPDA goes into effect on July 1, 2023, and exempts nonprofits, qualifying covered entities, and business associates subject to the Health Insurance Portability and Accountability Act, and data in an employment or commercial B2B context. The CPDA shares similarities with other US state privacy laws, and broadly defines “sale” to include exchanges of personal data for monetary or “other valuable consideration.” In terms of enforcement, the CT law provides a temporary right to cure violations, with the right to cure grace ending December 31, 2024. Under this cure provision, the Attorney General shall issue a notice of violation to the controller if the Attorney General determines that a cure is possible. The controller then has sixty days to cure such violation. There is no private right of action.
DOJ (Finally) Releases Website ADA Accessibility Guidance- But Still No Clear Rules
The Department of Justice recently issued guidance on compliance with the Americans with Disabilities Act (ADA) for website accessibility. While the DOJ still has not issued an enforceable regulation with explicit standards for website accessibility, the DOJ’s new guidance reaffirms the role of compliance with “WCAG” standards and signals an increased focus on the importance of making the internet more accessible. See our full alert with a breakdown of the guidance here.
Virginia Finalizes CDPA Text With the Addition of Three Amendment Bills: HB 381, SB 534, and HB 714
Though not effective until January 1, 2023, Virginia recently finalized the Virginia Consumer Data Protection Act (CDPA) with the addition of three amendment bills. HB 381 adds a new exemption to the CDPA’s right to delete. Under this addition, controllers that have obtained personal data from a source other than the consumer remain in compliance with said consumer’s request to delete when (1) the controller retains a record of the deletion request and only the minimum data necessary to ensure the personal data remains deleted from the business’s records; or (2) the controller opts the consumer out of the processing of such personal data for any purpose except exempted purposes. HB 714 and SB 534 are identical bills. They authorize the Attorney General to pursue damages from violators of the CDPA and instruct that all funds collected should be “deposited into the Regulatory, Consumer Advocacy, Litigation, and Enforcement Revolving Trust Fund,” as opposed to the Consumer Privacy Fund, which is now abolished. Additionally, HB 714 and SB 534 characterize political organizations and certain 501(c)(4) tax exempt organizations as nonprofits.
Ninth Circuit Permits Public Data Scraping If Information is Publicly Accessible
According to a recent Ninth Circuit decision, which was remanded from the US Supreme Court, public data scraping is legal as long as the information is publicly accessible. Public data scraping describes the “process of extracting data out of a third-party website and into a spreadsheet.” In the case, HiQ collected and used “information that LinkedIn users shared on their public profiles.” The information in question was available for viewing by anyone with a web browser. The Ninth Circuit was tasked with determining if this public data scraping violated the Computer Fraud and Abuse Act (CFAA). The Court ultimately decided in favor of HiQ, ruling that their practice of copying data from LinkedIn’s server did not violate the CFAA. The Court reasoned that copying information from public websites does not infringe on the CFAA’s “without authorization” clause. Thus, according to the Ninth Circuit, if information is publicly accessible on the internet, this information can be scraped without violating the CFAA.
NIST Releases Blockchain Report Focused on Traceability Issues
The National Institute of Standards and Technology (NIST) recently published its Interagency Report 8419. Entitled ‘Blockchain and Related Technologies to Support Manufacturing Supply Chain Traceability: Needs and Industry Perspectives,’ the report addresses the growing complexity of supply chains. As a solution, the report explores the issues surrounding traceability; the role that blockchain plays in improving traceability, with a particular focus on blockchain featured supply chain traceability initiatives; and even features case studies. Find the full report here and the press release here.
Kentucky Passes The Genetic Information Privacy Act
Effective July 7, 2022, Kentucky passed HB 502, the Genetic Information Privacy Act (the Act), was recently signed into law. The Act sets specific requirements for direct-to-consumer genetic testing companies. Direct-to-consumer genetic companies are “entit[ies] that offer genetic testing products or services” or “collect, use, or analyze genetic testing data from a direct-to-consumer testing product or service.” These companies are required to obtain consent before collecting, using, or disclosing the consumer’s genetic data. The Act also requires these companies to provide an accessible privacy notice and upkeep a comprehensive security program. The Act also grants consumers the ability to recover damages.
Failure to Meet Risk Mitigation Standards Costs Colonial Pipeline $1 Million
The US Department of Transportation fined Colonial Pipeline close to $1 million after the Pipeline and Hazardous Materials Safety Administration (PHMSA) found several federal pipeline safety regulation violations during its inspections. The inspections exposed subpar control room operations, such as repeated failure to prepare and plan for shutdowns and restarts. According to PHMSA, these practices likely contributed to the large impact of Colonial Pipeline’s cyberattack last year, one that impacted several states and resulted in the company paying a $4.4 million ransom.
West Virginia Passes Cyber Incident Reporting Legislation
HB 2763 mandates government agencies, constitutional officers, government entities, boards of education, and the judiciary to report cybersecurity incidents to the Cybersecurity Office. The incidents must be reported within ten days and before any citizen notification. Reports must include the incident date, date of discovery, nature of data illegally obtained, and entities impacted.
Global News
The European Union Parliament Adopts Recommendation for the AI Act
The European Parliament recently adopted the final report of the Special Committee on Artificial Intelligence in a Digital Age. The report aims to establish an artificial intelligence roadmap, with more than 150 policy recommendations addressing governance, data sharing, digital infrastructure, investment, e-health, e-governance, industry, and security. There is particular attention to address risks to fundamental rights, particularly privacy rights.
ICO Publishes Self-Assessment for Online Services That Target Children
The Information Commissioner’s Office (ICO) published a self-assessment that assists online services that target children design and develop their platforms with children’s best interest in mind. Using the Children’s Code as a base, the self-assessment features tools, templates, and guidance. It encourages operators of these platforms to:
- fully understand the rights of the child and particularly understand how the rights come up in data processing scenarios. In this section, the ICO split children’s rights in data processing scenarios into three overarching categories, stating data processing should respect children’s rights to their physical and emotional wellbeing; should respect children’s rights to have access to resources that support them, and should respect the rights of groups of children.
- interrogate their operations to identify the potential impacts on children’s rights. This section features data privacy mapping tools that assist operators in describing their data processing systems. It also features a Data Protection Impact Assessment template with questions and activities for online service operators to consider.
- consider the scale of potential impacts on the rights of children. This section offers a matrix that invites operators to separate their practices into low, medium, and high-risk behaviors.
- create an action plan for high-risk areas. This section offers an action plan worksheet, which can be found here.
ICO Supports Google’s ‘Reject All’ Cookies Button
The Information Commissioner’s Office (ICO) showed its support for Google’s new European ‘reject all’ cookies button in a recent statement, claiming the new option will allow consumers more choices and offer them more control. Prior to the reject all button, users were forced to click through multiple menus to reject all cookies. The new feature grants users the ease of being able to either reject or accept all cookies, and provides a “more options” tab. According to the ICO’s Executive Director of Regulatory Futures, this is a change the ICO has been seeking for a while. Find the statement here.
Grecian Data Protection Authority Issues Major Fine
The Hellenic Data Protection Authority (HDPA) recently fined Cosmote and OTE 9.25 million Euros after investigating a major data breach. Affecting more than 10 million people, the breach was caused by an information system cyberattack. HDPA investigations revealed illegal data processing methods related to data minimization and storage limitation. The HDPA also found Cosmote’s data protection impact assessment unsatisfactory as not all risks were appropriately examined. Moreover, the investigation revealed pseudonymized data rather than anonymized data, improper security measures, the absence of a data processing agreement between the parties, violations of the principle of transparency, and failure to allocate the roles of the two companies as joint controllers. The article is available here in Greek only.
France’s CNIL Publishes Non-binding Standard for Social and Medico-Social Support Organizations
The French Data Protection Authority, the Commission Nationale de I’Informatique et des Libertes (CNIL), recently published a standard on processing children’s personal data under the GDPR. The standard applies to organizations that provide social, medical, educational, and legal support to minors and people under 25 who require special protection. It emphasizes GDPR cornerstones such as “data minimization, security, risk assessments, transparency, and legitimacy.” It requires these companies to conduct data protection impact assessments, use consent banners for cookies, and fully secure personal data. Further, the standard provides considerations/best practices on handling access requests, cross-border transfer mechanisms, outsourcing, and data retention, amongst other things. The standard is located here in French only.
Brazil’s ANPD Releases the First Annual Management Report of the Ombudsman
Brazil’s Data Protection Authority (ANPD) released the first annual management report of the Ombudsman, which covers data leaks and common questions from controllers. The report also covers data subject complaints and notes that there were 756 requests for inspections of certain controllers related to these complaints. This reinforces the importance of compliance with the General Personal Data Protection Law and sends a signal to Brazilian controllers that enforcement measures are active. The report is available here in Portuguese.
Danish Data Protection Authority Requires Consent for Facial Recognition Systems.
In a recent matter involving a Health Company, the Danish Data Protection Authority (DPA) ruled that facial recognition systems require consent under the GDPR. Because the Health Company obtained free, voluntary consent from the data subjects and allowed them to refuse to use the system if they chose, the DPA found that the facial recognition operations were consistent with the GDPR. The DPA emphasized that if the company processed this biometric data without consent, it would be out of compliance with Article 9 of the GDPR.
Please find the press release here. It is available in Danish only.