Privacy Update: California Signs New CCPA and Privacy Bills | Arent Renard


US News

California signs new CCPA and privacy bills

The Governor of California recently enacted three new bills impacting CCPA and privacy in California, including:

  • AB 335, which exempts CCPA and CPRA from the right to remove vessel information or ownership information held or shared between a vessel licensee and the vessel builder, if the information is shared for the purpose of performing a ship repair covered by a ship warranty or recall.
  • AB 694, which amends the CPRA by making non-substantial updates to the Definitions, Exemptions and Functions sections, and clarifies the timetable for the CAPP regulator.
  • AB 825, which changes the definition of “personal information” in the California Civil Code to include genetic data.

FTC updates safeguard rule

The Federal Trade Commission (FTC) has announced updates to its safeguard rule, including changes to data security requirements for financial institutions. The Updated Safeguard Rule provides more specific criteria for the safeguards that financial institutions must implement and requires these institutions to explain their information sharing practices. The Rule also requires that financial institutions designate a single qualified person to oversee an information security program and report periodically to the institution’s board of directors or the chief information security officer. The FTC invites the public to comment on the rule. Notably, for all businesses, this FTC update provides an overview of security measures that the FTC considers “common sense.”

CFPB orders major tech companies to provide information on payment system

The Consumer Financial Protection Bureau (CFPB) has ordered several large tech companies to provide information regarding their personal payment systems, such as payment products, data collected and retained as a result of the use of those products by a consumer, how companies monetize products, and access restrictions. The order was issued under CFPB’s authority under the Dodd-Frank Act and is intended to help CFPB understand how large tech companies handle personal payments and related consumer data.

Massachusetts Introduces New Privacy Bill

Massachusetts is currently studying the Massachusetts Personal Information Protection Act (MIPA). MIPA is modeled in certain respects on existing privacy regulations, such as the CCPA, in that consumers can request copies of their personal data, request their deletion, and refuse certain third-party disclosures. MIPA also provides for civil penalties (up to $15,000 or 0.15% of annual worldwide earnings, whichever is greater), including for multiple offenses involving multiple persons (up to $20,000,000 or 4% of annual worldwide income, whichever is greater). In addition, the Act does not provide for a 30-day recourse provision for enforcement actions. MIPA, as proposed, would cover all for-profit companies that (i) collect data on Massachusetts residents and have annual gross income greater than $10 million or (ii) process the personal information of 10,000 people or more in a calendar year, and excludes employee data. If enacted, the bill proposes to take effect in July 2022.

Justice Department announces Civil Cyber Fraud Initiative

The Justice Department has announced the launch of the Civil Cyber Fraud Initiative, whereby federal authorities will use the False Claims Act to prosecute federal contractors who fail to timely report data breaches, knowingly misrepresent their cybersecurity practices or knowingly provide products with deficient cybersecurity. Notably, according to its announcement, the Initiative appears to provide support to whistleblowers who help the government identify and prosecute fraudulent conduct, and can protect whistleblowers who bring such violations and failures from retaliation. This call indicates that this initiative may lead to more actions at the instigation of whistleblowers.

Democratic lawmakers urge federal lawmakers to tackle crypto ransomware attacks

Senators Markey and Whitehouse, and Representatives Langevin and Lieu sent a letter urging the departments of Justice, Treasury, State and Homeland Security to “address the role of cryptocurrency in facilitating attacks by ransomware”. Lawmakers argue this is necessary to tackle the recent wave of ransomware attacks ushered in by the use of cryptocurrencies. Lawmakers have asked heads of departments to answer a series of questions, such as, “How has the United States worked with partners in regional and international organizations to attribute ransomware attacks and hold back the bad actors responsible?” and “Would the Justice Department need specific legal authority to redirect funds from asset confiscation to endpoint security and other cybersecurity defenses, or to provide assistance to victims?” Lawmakers have requested a response by October 29, 2021.

Global News

Netherlands announces collaborative platform on digital regulation

The Netherlands Authority for Consumers and Markets, the Financial Markets Authority, the Netherlands Media Authority and the Data Protection Authority, Autoriteit Persoonsgegevens, have announced the launch of the platform, through which the agencies will share their knowledge and experience in areas such as artificial intelligence, data processing, algorithms and online design. By creating the platform, regulators intend to mutually strengthen their enforcement procedures, including collaborating on enforcement efforts.

China’s Personal Information Protection Law Comes Into Force Nov 1

China’s Comprehensive Privacy Law comes into effect on November 1 and has requirements for personal information, which is defined in the same way as personal information under the General Data Protection Regulation. The law applies to the processing of personal information outside of China if the purpose of the processing is to (i) provide products or services to individuals in China, (ii) “analyze” or “evaluate” the behavior of individuals in China, or (iii) for other purposes specified by laws and regulations.

China issues “Guidance on Strengthening Global Governance of Internet Information Service Algorithms”

Nine Chinese regulatory departments jointly published the Guide, which aims to clarify the overall governance of Internet information service algorithms. The overall goal is to establish sound governance, policies and regulations, including monitoring algorithm security risks, assessments and ethical reviews. The guide also aims to establish an algorithm ranking system and to manage the use and development of algorithm applications.

China’s Tianjin Hedong District People’s Court decides on China’s first mobile app data collection case

The court sentenced three people to three years in prison and a fine of 100,000 yuan for using mobile application software used by individuals to illegally collect personal data from Chinese citizens, including private messages between registered users. The court found that this was a violation of China’s cybersecurity laws on the protection of citizens’ personal information.

The deadline for registration in the Turkish Data Controller Register is December 31, 2021

Under Turkish Personal Data Protection Act 6698 and Data Controller Register Regulation, the following data controllers are required to register with the Data Controller Register before December 31, 2021:

  • Data controllers located outside of Turkey processing the personal data of any Turkish resident;
  • Turkish data controllers with more than 50 employees or annual turnover exceeding 2.5 million euros;
  • Data controllers whose main field of activity is the processing of sensitive personal data;
  • Public authorities and professional organizations.
