Over the past year, there has been a growing number of lawsuits, including class actions, filed against website operators in various states (including California, Florida, Illinois, and Pennsylvania) for violations of state wiretapping laws or the Video Privacy Protection Act of 1988 (“VPPA”).Continue Reading Heads Up! Increasing Litigation Related to Website Technology & Data Sharing
Nothing Neutral about the New Swiss Federal Act on Data Protection
Switzerland is implementing new legislation to better protect its citizens’ data (“revFADP”), replacing the longstanding Federal Act on Data Protection of 1992. The revFADP improves the processing of personal data and grants Swiss citizens new rights consistent with other comprehensive data protection laws, such as the General Data Protection Regulation (GPDR) and UK GDPR. This important legislative change also comes with a number of increased obligations for companies doing business in Switzerland. Companies must quickly get up to speed on the revFADP requirements because the Act takes effect on September 1, 2023. Companies should not assume that compliance with the GDPR and UK GDPR equals compliance under the revFADP. While this revised legislation has many similarities to the GDPR, there are a few stark differences companies should be aware of. Here is the breakdown of what companies should know.Continue Reading Nothing Neutral about the New Swiss Federal Act on Data Protection
Cookies and HIPAA Don’t Always Mix: OCR Issues Guidance on HIPAA and Tracking Technologies
The Office for Civil Rights (OCR) recently issued a bulletin (the “Bulletin”) addressing the use of online tracking technologies by HIPAA-covered entities and business associates (collectively “regulated entities”). The Bulletin highlights the regulated entities’ obligations under the HIPAA Privacy, Security, and Breach Notification Rules (collectively the “HIPAA Rules”) when using tracking technologies. This blog post provides the key information regulated entities should know about their obligations under HIPAA when they, or their business associates, use tracking technologies.Continue Reading Cookies and HIPAA Don’t Always Mix: OCR Issues Guidance on HIPAA and Tracking Technologies
A Primer on Artificial Intelligence and the Law in 2023
Artificial Intelligence (AI) is a broad term that generally refers to computer systems that can receive and process information to make decisions without human input. AI is widely considered an era-defining technology in the way electrical and computer technology came to define the 1800s and 1900s respectively. Just as regulation of computer security lagged behind the increasingly pervasive use of computers in the late 1980s, we are seeing today that regulation of AI has likewise lagged behind the expansion of the technology.
U.S. federal, state, and international authorities are increasingly monitoring and regulating AI. Regulating AI is no simple task, with the technology finding growing applications in a myriad of areas such as autonomous vehicles, the military, law enforcement, art, music, creative writing, social media, and even corporate recruitment.Continue Reading A Primer on Artificial Intelligence and the Law in 2023
Don’t Call It A Comeback: EU-U.S. Data Privacy Framework Inches Closer to Implementation Following the European Commission’s Draft Adequacy Decision
On December 13, 2022, the European Commission published a draft adequacy decision for the EU-U.S. Data Privacy Framework (“EU-U.S. DPF or DPF”) signaling the potential return of the framework allowing the flow of personal data between the EU and the United States. Although this is a draft decision, if approved, it will ease trans-Atlantic data flow and ease the restrictions that were placed after the 2020 Schrems II decision invalidated the EU-U.S. Privacy Shield framework for cross-border transfers. This draft adequacy decision ultimately concluded that the DPF provides an adequate level of protection of personal data.Continue Reading Don’t Call It A Comeback: EU-U.S. Data Privacy Framework Inches Closer to Implementation Following the European Commission’s Draft Adequacy Decision
2023 Privacy and Data Security Resolutions
As you consider the end of the year and beginning of a new year, we in Taft’s Privacy and Data Security Practice thought to provide you with a simple list of data protection resolutions you might consider, both professionally and personally.
1. Get strong! Now is a good time to make a change in passwords for your accounts, and specifically make them strong passwords (i.e. ten characters or more, including an upper and lower case letter, number, and special character).
2. Multiply! In addition to a strong password, you should make sure to add that second layer of authentication and make sure all your sensitive accounts have multifactor authentication turned on. This will further deter password thieves from gaining access to your accounts and systems.
3. Plan! Have a plan for how you will comply with the numerous privacy laws coming into effect in 2023 in California, Virginia, Colorado, Utah, and Connecticut. (Yes, they may still apply to your business even if it is not located in those states). And don’t forget to update your Standard Contractual Clauses should your business process personal data from Europe. Planning also means implementing or updating policies, procedures, and contracts to account for privacy and security requirements (both as a matter of law and best practice).
4. Lose Weight! Delete unneeded data from your systems and your hard copy storage in accordance with a record retention policy or best practice. The best defense against your data being stolen is not keeping it around unnecessarily.
5. Stay Informed! Keep up to date on both legal issues and best practices in the privacy and security space. Download our PDS mobile app and sign up for Taft’s Privacy and Data Security Insights! Happy New Year to all and best wishes for 2023!
Windows Pain? German Report Casts Doubt on Microsoft GDPR Compliance
Two weeks ago, the German Conference of the Independent Data Protection Authorities of Germany (Datenschutzkonferenz or “DSK”) released a report looking into Microsoft 365’s (Microsoft) compliance under the European Union’s General Data Protection Regulation (GDPR). DSK’s overarching conclusion of the report was that use of Microsoft 365 applications by businesses processing personal data runs afoul of GDPR requirements.
The DSK report alleged Microsoft’s policies and disclosures lack clarity with respect to how personal data is processed and which entity is processing that data. DSK was unable to conclusively determine the cases where Microsoft acts as a data controller rather than a data processor. The distinction between a data controller and a data processor is important because Article 5(2) of the GDPR imposes additional accountability requirements and responsibilities for data controllers. The DSK also expressed concerns regarding Microsoft’s lack of overall clarity and notification to users about subcontractors and sub-processors. The group determined that Microsoft’s lack of detail regarding subcontractors and sub-processors falls below the European Commission’s template on Standard Contractual Clauses. Continue Reading Windows Pain? German Report Casts Doubt on Microsoft GDPR Compliance
Cookie Banners under the CCPA/CPRA
We recently provided an update regarding the California Privacy Protection Agency’s modified regulations (the “Regulations”) for the California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act (the “CCPA”). In that update, we briefly discussed new requirements regarding website popups, including cookie banners.
The Regulations require Businesses to design and implement methods for consumers submitting CCPA requests and “obtaining consumer consent” that incorporate the following principles:
- Language that is easy to understand;
- Symmetry in choice, meaning the business shall not make it more difficult to exercise a more privacy-protective option than a less privacy-protective option;
- Avoids language that is confusing to the consumer;
- Avoids using choice architecture that impairs or interferes with the consumer’s ability to make a choice; and
- Designed in a way that it is easy to execute.
Rush to the Finish Line: The California Privacy Protection Agency Releases CPRA Modified Regulations
With less than three months until the California Privacy Rights Act goes into effect on January 1, 2023, the California Privacy Protection Agency (the “Agency”) released updated proposed regulations on October 17, 2022 (the “Regulations”). The Regulations govern compliance with the California Consumer Privacy Act of 2018, which will be amended by the California Privacy Rights Act (collectively, the “CCPA”). The Regulations modify the initial proposed regulations that were released on July 8, 2022. We discuss the key changes from both versions below.
Important: The written comment period will not end until November 21. Accordingly, it is possible these Regulations may change again. Continue Reading Rush to the Finish Line: The California Privacy Protection Agency Releases CPRA Modified Regulations
FTC: Drizly Executive Held to Be Individually Liable for 2018 Data Breach
On October 24, 2022, in a rare occurrence, the Federal Trade Commission (FTC) issued a proposed order against Drizly, an online alcohol ordering and delivery service provider, that specifically holds the company’s CEO as liable for the company’s failure to maintain appropriate security safeguards that led to a second data breach. Continue Reading FTC: Drizly Executive Held to Be Individually Liable for 2018 Data Breach