On August 24, 2022, California Attorney General Rob Bonta announced a settlement with Sephora for violations of the California Consumer Privacy Act (CCPA). The action places online consumer tracking, analytics and advertising squarely in the regulatory crosshairs. “Sephora, like many online retailers, installs third-party companies’ tracking software on its website and in its app so that these third parties can monitor consumers as they shop,” the AG alleged, “. . . [and] when a company like Sephora utilizes third-party tracking technology without alerting consumers and giving them the opportunity to control their data, they deprive consumers of the ability to limit the proliferation of their data on the web.”
Author: Reed Abrahamson
As a member of the firm’s Privacy and Cybersecurity Team, Reed Abrahamson assists clients with identifying and addressing data privacy and security risks in business operations. A Certified Information Privacy Professional - United States (CIPP-US), he helps companies design and implement privacy and data security policies and programs, and advises clients on compliance issues related to the GDPR, CCPA, HIPAA, CAN-SPAM Act, TCPA, and other privacy laws. View Reed's full bio on the Faegre Drinker website.
Zombie PHR Breach Rule Rises From the Dead
If an entity that offers a personal health record identifies a breach of information in that record, it is required to provide notice to each impacted individual and to the FTC within 60 calendar days of discovery.
Yesterday, the FTC issued a policy statement announcing a new interpretation of the FTC’s 10-year-old “Personal Health Record Breach Notification Rule.” As the FTC acknowledges, this rule has never been enforced by the FTC. The FTC’s announcement indicates its intention to begin enforcing this rule, which allows the FTC to assess penalties of $43,792 per day of violation.
Continue reading “Zombie PHR Breach Rule Rises From the Dead”
Faegre Drinker on Law and Technology Podcast: Privacy Issues and COVID-19
Privacy issues and COVID-19: what do they mean to you and your business? In this episode of the Faegre Drinker on Law and Technology Podcast, host Jason G. Weiss talks with Faegre Drinker’s Reed Abrahamson about the pandemic’s impact on privacy and data security. They examine how organizations are working to balance obligations to simultaneously protect data and their employees’ well-being — along with the risks employers should consider when collecting COVID-related employee information.
Continue reading “Faegre Drinker on Law and Technology Podcast: Privacy Issues and COVID-19”
New Tools for International Data Transfers: European Commission Adopts New Standard Contractual Clauses
The European Commission recently adopted a new set of Standard Contractual Clauses (SCCs) for organizations to use in compliance with the EU General Data Protection Regulation requirements for transfers of personal data from the European Economic Area. The previous SCCs were outdated and did not cover many common data processing scenarios. Organizations will have an 18-month transition period to adopt the new SCCs, but many parties will need this time to re-examine their dataflows and review their internal compliance procedures to meet the exacting new standards.
Draft Standard Contractual Clauses Released by European Commission: New Clause Cause for Applause?
Following on from last week’s big announcement by the European Data Protection Board (EDPB) on its expectations for international data transfers after the European Court of Justice’s July 16 Schrems II decision, the European Commission released a draft set of new Standard Contractual Clauses (SCCs) and a draft implementing decision. The Commission’s draft set of clauses allows for two new types of transfer and contains important updates to bring the text of the clauses in line with the General Data Protection Regulation. The draft documents are now available for public consultation, and both the EDPB and the European Data Protection Supervisor will be asked for their opinions on the documents. Following the Schrems II decision, many organizations have been waiting for guidance on additional safeguards and for the (long overdue) arrival of updated Standard Contractual Clauses. While the last few days have seen some welcome developments after a period of hiatus, organizations will likely need some time to assess the practical implications before making radical changes to international data transfer arrangements.
For the full alert, visit the Faegre Drinker website.
European Data Protection Board Issues New Recommendations for International Data Transfers: Essential Guarantees, Supplemental Measures, and False Warrant Canaries
A pair of highly anticipated guidance documents outline the European Data Protection Board’s (EDPB) expectations for organizations transferring data out of the EU. While the detailed process for evaluating data transfers brings welcomed guidance and clarity, some aspects of the EDPB’s framework present significant obstacles for those working with non-EU service providers or moving data for routine business purposes.
For the full alert, visit the Faegre Drinker website.