US and World Privacy News September 19th – The National Law Review

With August 31 marking the last day of the legislative session, the California legislature’s failure to extend business-to-business and employee data exemptions may result in new requirements for companies within the California Privacy Rights Act’s (CPRA) scope that previously benefitted from these carveouts. Specifically, the exemptions apply to personal information reflecting communications where a covered individual is acting in a business-to-business commercial transaction and to the personal information of job applicants, employees, and independent contractors. Currently, in these situations, businesses are not required to comply with certain sections of the California Consumer Privacy Act (CCPA) that govern retention, data subject rights, use, and selling. However, without action, this will come to an end on January 1, 2023. Instead, companies within the CPRA’s scope that handle business-to-business and employee information will now be subject to all requirements of the CPRA. As this is a major change, businesses should start preparing to comply with the CPRA not only for consumer data, but also for business and employee data as soon as possible.
California Attorney General Rob Bonta sent requests to 30 hospital CEOs to gather information about how algorithms are used in the healthcare context, with a particular focus on racial and ethnic disparities and discrimination. As algorithms are a growing focus for regulators in California and across the nation, hospitals and all businesses using them should be careful to conduct a privacy impact assessment and review the inputs and outputs of such decision-making tools. For the AG press release, please see here.
According to the Ninth Circuit’s recent ruling in Javier v. Assurance IQ LLC and Active Prospect Inc., obtaining consent prior to using recording technologies is required for purposes of the California Invasion of Privacy Act (CIPA). This ruling is notable for website operators as it signals that obtaining targeted consent before using commonly deployed website features – such as chat bots and lead verification recording programs – can nip burgeoning CIPA “wiretapping” lawsuits in the bud. Additionally, businesses should: 
Fully inform consumers of their privacy practices
Remain familiar with the privacy practices of affiliated third-party providers, including without limitation storage, recording, and use practices
Fully understand at which point in user engagement consumers are notified that their interactivity is monitored and stored
For more information, please see our alert here.
The California Legislature recently passed Assembly Bill 2273, The Age Appropriate Design Code Act. The Bill is California’s latest privacy protection for minors age 17 and under and applies to businesses that provide an online service, product, or feature likely to be accessed by children. It requires businesses to incorporate heightened privacy settings for children and feature clear and concise privacy language suited to the age of children likely to access that online service or product. Additionally, the Bill would require a business to complete a Data Protection Impact Assessment for any new online service, product, or feature likely to be accessed by children and maintain documentation of this assessment as long as it is likely to be accessed by children. If enacted, the Bill will take effect on January 1, 2024.
As the CPRA effective date of January 1, 2023 nears, business representatives are pushing for more time to consider how they’ll meet new requirements. Calling the proposed regulations (Regulations) confusing and citing delays in the rulemaking process, representatives were adamant in their stance at the California Privacy Protection Agency’s August 24 and 25 public hearings. Some commenters told regulators they’re underestimating how much it will cost businesses to comply. Others stated that the time needed to design complex policies should be taken into account. One commenter asked the agency to clarify the Regulations’ opt-out sections. Another stated that the Regulations are overbroad. Find more information on the Regulations here.
California AG Rob Bonta recently settled with a large retailer based on CCPA violations involving consumers’ right to opt out of the sale of their data. Specifically, the complaint alleged that the retailer failed to honor the CCPA requirement to provide consumers the ability to opt out of the sale of their personal data in two main ways, despite the use of analytics cookies on the site, which the AG determined to constitute a “sale” under the CCPA definition. The violations included: (1) language in their online privacy statement indicated that they “do not sell” personal information, (2) failure to provide a “Do Not Sell My Personal Information” link on the website, and (3) failure to honor user-enabled controls such as the Global Privacy Control (GPC). For reference, the AG has indicated that when it comes to cookie data, the GPC should be treated the same as users who have clicked the “Do Not Sell My Personal Information” link. Additionally, these issues were not cured within the 30-day period currently allowed by the CCPA. 
In addition to this action, the AG’s press release indicates there are continued enforcement actions against a “wide array” of businesses. New examples of notices to cure are available on the AG website and include:
1. An enforcement sweep of businesses operating loyalty programs that offered financial incentives such as discounts, free items, or other rewards, in exchange for personal information without providing consumers with a notice of financial incentive;
2. An online advertising business whose privacy disclosures were not understandable to the average consumer and did not include the required information; and
3. A data broker whose “Do Not Sell My Personal Information” link worked only on certain browsers and directed consumers to a confusing webpage that required several additional steps to submit CCPA requests.
BBB National Programs’ Children’s Advertising Review Unit (CARU) recently issued a compliance warning to advertisers, brands, influencers, endorsers, and developers, putting them on notice that CARU’s Advertising Guidelines (Guidelines) apply to advertising in the metaverse and that it plans to “strictly enforce” the Guidelines against metaverse advertising. The warning instructs that advertising should be neither deceptive nor unfair to the children to whom it is directed and that the Guidelines apply to all advertising, in any medium, directed to children under 13. Advertisers should be particularly cautious to avoid advertising that blurs the distinction between advertising and non-advertising content; uses manipulative tactics, including but not limited to social pressure or validation, deceptive door openers, or misleading design techniques; or fails to make clear and conspicuous disclosures to children where needed. Further, advertisers must be sure to disclose influencer and endorser advertising.
In considering online contracts such as Terms of Use agreements, companies should pay close attention to recent state and federal trends regarding the likelihood of enforceability of browsewrap, scrollwrap, clickwrap, and sign-in wrap agreements. Relying on an examination of whether the user has engaged in conduct that manifests acceptance of applicable terms and whether the terms are presented conspicuously, trends in recent cases indicate courts are finding browsewrap agreements unenforceable in comparison to other agreements. Because applicable terms are disclosed only through a hyperlink and users can assent simply by browsing the website or using the app, these agreements are less than ideal. By contrast, courts have upheld scrollwrap agreements because they require users to scroll through the terms and manifest their assent by taking action. Further, courts embrace clickwrap agreements because they require users to play an active role in assenting to the applicable terms, putting the user on notice that they are entering a contract. Finally, sign-in wrap agreements elicit different responses from courts. Companies using sign-in wrap agreements should ensure that their websites and/or apps provide reasonably conspicuous notice of terms and that users are required to take action that manifests their assent to those terms. Find the recent cases here: Berman v. Freedom Financial Network, LLC, 30 F.4th 849 (9th Cir. 2022); Sellers v. JustAnswer LLC, 73 Cal. App. 5th 444, 289 Cal. Rptr. 3d 1 (2021).
The Information Commissioner’s Office (ICO) has published draft guidance on privacy-enhancing technologies (PETs) to help organizations unlock the potential of data by putting a data protection by design approach into practice. Though data protection law does not define PETs, the guidance defines PETs as technologies that embody fundamental data protection principles by minimizing personal data use, maximizing data security, and/or empowering individuals. The different types of PETs include PETs that: (1) derive or generate data which reduces or removes the identifiability of individuals; (2) focus on hiding or shielding data; and (3) split datasets or control access to certain parts of the data. The draft PETs guidance explains the benefits of PETs, as well as how they can help organizations comply with data protection law. It is part of the ICO’s draft guidance on anonymization and pseudonymization, and the ICO is seeking feedback to improve the final guidance.  
The US Department of Treasury (DOT) and Ministry of Finance of the State of Israel recently announced the finalization of a bilateral Memorandum of Understanding (MoU) on Cybersecurity Cooperation. This follows a November 2021 bilateral partnership geared toward protecting critical infrastructure in the financial sector and a commitment to deepening cooperation on cybersecurity. The MoU formalizes and strengthens the close partnership between both agencies. It enhances cooperation in the following areas: 
Information sharing relating to the financial sector including cybersecurity information on incidents and threats; 
Staff training and study visits to promote cooperation in the area of cybersecurity; and
Competency-building activities such as the conduct of cross-border cybersecurity exercises.
Find the press release here
Rwanda’s National Cyber Security Authority (NCSA) published guidance to further explain how data subjects can exercise their right to object, as outlined in Rwanda’s law No 058/2021 of 13/10/2021 relating to the protection of personal data and privacy. Data subjects can exercise their right to object at any time in writing or electronically by contacting the data controller or data processor to request the ceasing of processing of personal data. Notably, the NCSA described that data subjects can object when processing of personal data is likely to cause loss, sadness, or anxiety to the data subject and/or when personal data is processed for direct marketing purposes, including profiling to the extent that it is related to such direct marketing. However, the right to object can be rejected if the data processor or controller which processes the personal data can demonstrate compelling legitimate grounds for the personal data processing. If a data subject is not happy with the response to their right to object, he/she may appeal to the NCSA within thirty days from the date of receipt of the response. Find the law here in Bantu only.
About this Author
Eva splits her time between Washington and San Francisco and concentrates her practice on brand protection: protecting data, brand image, and brand names. She advises clients across numerous industries on best practices in the areas of data privacy, advertising and marketing, and trademark. Household names, tech giants and startups, non-profits, and other innovative organizations call on Eva to guide them through product development and brand management. 
In the privacy space, Eva counsels clients around data collection, use, and transfer, as…
Prior to joining ArentFox Schiff, Destiny was awarded the Frances Phillips Fellowship. She used this opportunity to work with the African Network for the Prevention and Protection against Child Abuse and Neglect and volunteer in orphanages in Kenya and Ghana. She then joined the Carolina College Advising Corps at Ben L. Smith High School in Greensboro, North Carolina, where she worked to increase the rates of college enrollment and completion among low-income, first-generation college and underrepresented high school students.
While in law…