Introduction to the Virginia Consumer Data Protection Act – Part II

This is the second installment of our summary of the Virginia Consumer Data Protection Act (“VCDPA”).  In our first post, we covered the goals of the law as well as its applicability and thresholds, what qualifies as personal data, the consumer rights created by the VCDPA, and introduced the concepts of controllers and processors.  In this post, we address some of the specific requirements for controllers and processors, as well as de-identification and pseudonymization of personal data, and enforcement of the VCDPA.

Read more ›
Tagged with: , , , , , , ,
Posted in Data Security, Legislation, Privacy, Regulations, VCDPA

Getting Tough with Zero Trust – Biden Bolsters Cybersecurity via Executive Order

On May 12, 2021, President Biden issued Executive Order No. 14028, entitled “Improving the Nation’s Cybersecurity”, setting out new and enhanced cybersecurity standards for federal government agencies and the commercial software products utilized by them.  The Biden administration’s order comes in the wake of increasingly damaging and sophisticated cyber-attacks on American companies and infrastructure, most notably the recent Colonial Pipeline ransomware attack, which temporarily shuttered the nation’s largest fuel pipeline, creating gasoline shortages and inducing panic-buying at gas stations throughout the southeastern United States.  Recognizing the gravity of the cybersecurity threat, President Biden’s order calls for “bold changes and significant investments in [cybersecurity in] order to defend the vital institutions that underpin the American way of life[,]” and identifies “the prevention, detection, assessment, and remediation of cyber incidents [a]s a top priority and essential to national and economic security[.]”  The executive order has two main areas of focus: bolstering and harmonizing cybersecurity standards across the federal government, and calling for the creation of new, stricter cybersecurity requirements for commercial software products utilized by federal government agencies. 

Read more ›
Tagged with: , , , , , , , , ,
Posted in Data Security, Regulations, Standards, Uncategorized

Introduction to the Virginia Consumer Data Protection Act – Part I

Virginia recently joined California in enacting a comprehensive data protection law intended to protect the privacy of its residents. The Virginia Consumer Data Protection Act (the “VCDPA”) is scheduled to take effect on January 1, 2023, so impacted businesses have significant lead time to prepare.  This is the first of two posts covering the VCDPA.

The VCDPA has two main goals: (1) providing Virginia residents with expanded rights in connection with their personal data, and (2) imposing obligations on businesses, such as securing personal data, limiting use of personal data to disclosed purposes, and flowing down requirements to processors receiving personal data.  While many of the details differ, the overall approach of the VCDPA is very reminiscent of the European Union’s General Data Protection Regulation (“GDPR”) but without some of the more prescriptive elements. Businesses with existing GDPR or California Consumer Privacy Act (“CCPA”) compliance programs will be well positioned for VCDPA compliance.

Read more ›
Tagged with: , , , , , , , ,
Posted in Data Security, Legislation, Privacy, Regulations, VCDPA

European Data Protection Board Releases Guidance on Cross-Border Data Flows in the Wake of Schrems II

On November 10, the European Data Protection Board (EDPB), the European Union’s top data privacy regulator, issued long-awaited guidance setting out a framework for navigating transfers of data out of the European Economic Area (EEA) in light of this July’s landmark ruling from the Court of Justice of the European Union (CJEU) inData Protection Commissioner v. Facebook Ireland and Maximilian Schrems (otherwise known as Schrems II). The EDPB also issued a document describing the “essential guarantees” that must be respected in order to ensure that interference with data subjects’ privacy and data protection rights through surveillance of transferred data does not “go beyond what is necessary and proportionate in a democratic society.”  These two documents outline the risk assessment that companies must make on a case-by-case basis (as required by Schrems II) in order to allow transfers of data out of the EEA, while the first also discusses examples of the supplementary measures that companies can employ, together with standard contractual clauses, binding corporate rules or other legal transfer tools recognized by the EU General Data Protection Regulation (GDPR), to ensure that European data subjects receive an essentially equivalent level of privacy and data protection when their data is transferred out of the EEA. 

Read more ›
Tagged with: , , , , , , , , ,
Posted in GDPR, Regulations, Standards

California Privacy Rights Act Will Revamp CCPA to Include GDPR-Type Requirements

On June 24, the eve of the July 1 enforcement date for the California Consumer Privacy Act (CCPA), the California Secretary of State certified the California Privacy Rights Act (CPRA), the latest brainchild of privacy activist (and CCPA spiritual father) Alastair Mactaggart, to appear on the November 2020 ballot after it gained the requisite number of signatures. Mactaggart’s organization Californians for Consumer Privacy, along with other prominent consumer privacy advocates, had repeatedly expressed frustration with the California legislature’s efforts to amend the CCPA in 2019 at the behest of the business community, and they responded with an even more robust comprehensive privacy law that will align California closely with the European Union’s General Data Protection Regulation (GDPR). Pre-pandemic polling has shown the CPRA to be overwhelmingly popular (with support ranging as high as 90 percent), and it is heavily favored to be approved by the voters this fall.

Read more ›
Posted in Uncategorized

Bipartisan Bill Would Regulate Automated COVID-19 Contact Tracing Technology

A new federal COVID-19 data privacy bill with bipartisan support, the Exposure Notification Privacy Act, would have a substantially narrower scope of application than two previous partisan draft COVID-19 privacy laws.  The bipartisan bill specifically regulates “automated exposure notification services,” defined as any website or other online or mobile system “specifically to be used for . . . the purpose of digitally notifying, in an automated manner, an individual who may have become exposed to an infectious disease[.]”  This definition of an “automated exposure notification service” is clearly meant to encompass the rapidly proliferating universe of COVID-19 contact tracing and notification systems which are increasingly being used to send alerts to individuals who have come into close physical proximity with someone later confirmed as COVID-19 positive (although it bears noting that the bill would regulate any contact tracing system for any infectious disease, not just COVID-19).  Accordingly, this new bipartisan bill markedly diverges from the approaches of two previous “dueling” partisan COVID-19 data privacy bills, both of which would have protected individuals’ COVID-19-related health information in a variety of circumstances, not only in the context of automated contact tracing.  For our comparison of the previously introduced Democrat- and Republican-sponsored bills, please click here

Read more ›
Tagged with: , , , ,
Posted in Legislation, Privacy, Regulations

Democrats and Republicans Introduce Competing COVID-19 Data Privacy Bills

Responding to widespread calls for uniform rules and restrictions regarding the collection and use of individuals’ COVID-19-related health information, Congressional Republicans and Democrats have each recently introduced their own versions of federal COVID-19 data privacy bills.  Although both parties’ bills share the same big-picture goal of protecting individuals’ COVID-19 information, the Democrats and Republicans have each taken slightly different approaches, resulting in some crucial distinctions between the dueling bills.

Read more ›
Tagged with: , , , ,
Posted in Legislation, Privacy, Regulations

The European Data Protection Board Issues Updated Guidelines on Consent

On May 4, 2020, the European Data Protection Board adopted updated guidelines on what does and does not constitute consent under the General Data Protection Regulation (GDPR) in certain situations.  Consent is one of the lawful bases to process personal information under GDPR.  To be valid, consent must be freely given, specific, informed, and unambiguous.  Consent is freely given only where a data subject has a genuine choice.

First, the Board made is clear that consent cannot be freely given where the choice for the data subject is between using the services of one controller and using the services of a different controller.  Therefore, if a controller gives data subjects the choice of “consent or don’t use my services,” it cannot point to choice in the marketplace generally as a means to prove that data subjects using its service have provided valid consent.  Such an argument, according to the Board, would require that controllers monitor developments in the market to ensure such choice still existed among its competitors.  It would also constantly raise the question of whether the competitors’ services were genuinely equivalent to controller’s services. 

Read more ›
Posted in Privacy

The Children’s Online Privacy Protection Act and Online Learning

With schools across the nation closing their physical locations and moving to an online learning environment, it is important for school officials to understand their obligations under the Children’s Online Privacy Protection Act (COPPA).  COPPA regulates the collection of personal information from children, who are defined as individuals under the age of 13.  Generally speaking, the law prohibits operators of commercial websites or online services from collecting personal information from children without first obtaining verifiable parental consent.  A more detailed description of the law’s requirement is located here.       

When it comes to online learning, there are a few things to keep in mind.  First, COPPA applies to operators of commercial websites and online services.  It does not apply to non-profit organizations or educational institutions directly.  It, however, does apply to third-party technology companies through which many schools deliver on-line learning.  Importantly, when an operator provides a website or online service solely for the educational purpose of the school, and not for a commercial purpose, the school can provide the verifiable consent that is normally required from parents.  In this scenario, the school essentially stands in the shoes of parents for purposes of consent.

Read more ›
Tagged with: ,
Posted in Privacy, Uncategorized

Does the CCPA Apply to Financial Institutions?

Despite the global pandemic, the California Attorney General will begin enforcing the California Consumer Privacy Act on July 1 as planned, so even in this new work-from-home environment, businesses must continue to work towards compliance and resolve any open issues. One question we’ve been asked is whether the CCPA provides a complete exemption for financial institutions. We address that question below.

The CCPA imposes new requirements on businesses that collect and maintain the personal information of California consumers. It is meant to apply broadly to nearly every type of business that meets certain thresholds, even those, such as financial institutions, that are already regulated by federal privacy law. The Gramm-Leach-Bliley Act regulates the collection and disclosure of much of the same type of personal information that is regulated by the CCPA, and imposes strict requirements on financial institutions to protect customer data and provide notice to customers about the information they collect and maintain. Under the GLBA, financial institutions are required to assess and implement controls for risks to customer information, with a focus on areas that are particularly important to information security, including employee training and management, information systems, and preventing and responding to attacks and system failures.

Read more ›
Tagged with: , , , , , ,
Posted in CCPA, Legislation, Privacy, Regulations
About Cyber Law Monitor
In the new digital world, individuals and businesses are almost entirely dependent on computer technology and electronic communications to function on a daily basis. Although the power of modern technology is a source of opportunity and inspiration—it also poses huge challenges, from protecting privacy and securing proprietary data to adhering to fast-changing statutory and regulatory requirements. The Cyber Law Monitor blog covers privacy, data security, technology, and cyber space. It tracks major legal and policy developments and provides analysis of current events.
Subscribe For Updates

cyberlawmonitor

Cozen O’Connor Blogs