Privacy Update: Best Practices for the Virginia Consumer Data Protection Act

Headlines that Matter for Privacy and Data Security

US News

Best Practices for the Virginia Consumer Data Protection Act

The Virginia Consumer Data Protection Act (VCDA) Working Group of the Joint Commission on Technology and Science released its final report on best practices and recommendations prior to the VCDA’s January 2023 implementation. The report identifies 17 points of emphasis around the VCDA, including amending the budget to fund staff to lead enforcement, enabling the Office of the Attorney General to pursue damages based on consumer harm, enacting an “ability to cure” option for potential violations, studying specific data privacy protections for children, and posting and promoting sample data protection forms on an educational website to provide guidance to smaller businesses seeking to comply.

FTC to Ramp up Enforcement Against Illegal Dark Patterns that Trick or Trap Consumers into Subscriptions

The Federal Trade Commission issued a new enforcement policy statement warning companies against deploying illegal dark patterns that trick or trap consumers into subscription services. The agency is ramping up its enforcement in response to a rising number of complaints about the financial harms caused by deceptive sign-up tactics, including unauthorized charges or ongoing billing that is impossible to cancel. Under the enforcement policy statement, businesses must follow three key requirements or be subject to law enforcement action, including potential civil penalties. The three key requirements are the following: Disclose clearly and conspicuously all material terms of the product or service; Obtain the consumer’s express informed consent before charging them for a product or services; Provide easy and simple cancellation to the consumer.

CFPB Statement on False Identity Matching

Director Chopra of the Consumer Financial Protection Bureau (CFPB) released an advisory opinion to address false identity matching. The advisory opinion states that companies who assemble and use consumer data to determine the eligibility of applicants for employment, rental housing, credit, and insurance must take reasonable steps to fortify consumer reports against false and inaccurate information. The CFPB has affirmed that matching on name alone is a practice that falls well below the statutory mandate to follow reasonable procedures to assure maximum possible accuracy of consumer information before placing it into a consumer report, as required by the Fair Credit Reporting Act (FCRA). Finally, the CFPB will be supporting the FTC in its work to monitor business models that rely on harvesting and monetizing personal data.

FBI Calls For Firms to Report Hacks Directly to Law Enforcement

Legislators are considering a requirement for companies that operate critical infrastructure to report data breaches within 72 hours to the Cybersecurity and Infrastructure Security Agency (CISA). Bryan Vorndran, assistant director of the FBI’s cyber division, added input that data breach information should also be shared with the parent agency, the Justice Department. Cutting the FBI out of the direct line of reporting, he said, could add precious hours to attempts by U.S. officials to dissect hacking methods, track down attackers and trace funds extorted from businesses after ransomware strikes. The push for a federal data breach reporting law has gained steam in recent months after a series of cyberattacks that affected digital supply chains and critical infrastructure.

Washington 2021 Sets New Record for Number of Data Breaches and Ransomware Attacks

Attorney General Bob Ferguson released his sixth annual Data Breach Report. In the last year, breached businesses and agencies sent 6.3 million notices to Washingtonians — by far the largest number of notifications sent to Washingtonians since the Attorney General’s Office began tracking this number. 2018 set the previous record of 3.5 million breach notices sent to Washingtonians. Additionally, the report identifies a tremendous spike in cyberattacks and ransomware incidents. Ransomware — a type of cyberattack in which cybercriminals use malicious code to hold data hostage in hopes of receiving a ransom payment from the data holders — represents a growing and significant threat to consumers and businesses. The Attorney General’s Office recorded 150 ransomware incidents in 2021 — more than the previous five years combined.

Maryland Names First-Ever Data & Privacy Chiefs

Laura Gomez-Martin will be Maryland’s first chief privacy officer, and Patrick McLoughlin is being tapped as the state’s first chief data officer. These roles were created as part of five initiatives to secure Maryland’s data that Gov. Hogan detailed at a cybersecurity summit in Annapolis earlier this summer. Gomez-Martin is moving up from her position as deputy chief information security officer for Maryland. In the role, she served as the lead policy adviser for the development and implementation of the cybersecurity governance structure within the Maryland Department of Information Technology’s Enterprise Initiative. As the first chief privacy officer in the state, she’ll be responsible for the state’s privacy program and data protection initiatives. She will also be responsible for monitoring program compliance, investigation and tracking of incidents and potential breaches, in addition to ensuring citizen’s rights.

New York Law on Notice for Employee Monitoring

New York Governor Hochul has formally signed Senate Bill S2628 for an Act which requires employers who engage in employee electronic monitoring to provide notice to employees. The Act provides that any employer who monitors or otherwise intercepts employee communications, internet access, or use of any electronic device or system, must give prior written notice to all employees who are subject to electronic monitoring. Moreover, this notice must be in writing, provided upon hiring, in an electronic record, or in another electronic form and acknowledged by the employee. Employers must post notice of electronic monitoring in a conspicuous place which is readily available for viewing by those employees who are subject to the electronic monitoring. The Attorney General will have power to enforce the provisions of this Act. Employers in violation of the Act will be subject to a maximum civil penalty of $500 for the first offense, $1,000 for the second offense, and $3,000 for the third and each subsequent offense.

Robinhood Data Security Incident

Robinhood experienced a data security incident in early November and posted the following on its blog: “The unauthorized party socially engineered a customer support employee by phone and obtained access to certain customer support systems. At this time, we understand that the unauthorized party obtained a list of email addresses for approximately five million people, and full names for a different group of approximately two million people. We also believe that for a more limited number of people—approximately 310 in total—additional personal information, including name, date of birth, and zip code, was exposed, with a subset of approximately 10 customers having more extensive account details revealed.”

Global News

What Is a Data Transfer?

The European Data Protection Board (EDPB), the body in charge of the application of the General Data Protection Regulation (GDPR), has just released guidelines to clarify the often asked question, “What is a data transfer?”  This question comes up frequently for businesses around the word as the GDPR has strict requirements where data is transferred out of the European Economic Area to third countries. Businesses outside the European Economic Area must use approved transfer mechanisms if data is transferred to a third country without an adequacy decision.  In light of the new guidelines, businesses should review potential transfer activities and ensure that the proper transfer mechanisms are in place.  

EDPB Adopts Letters to UN & ENISA

The EDPB adopted a letter in reply to the UN concerning transfers to international organizations. In the letter, the EDPB welcomes the UN’s continuous participation in the Task Force on transfers to international organizations but states that the work carried out by the Task Force will not in any way replace any formal procedure set out in the GDPR. The EDPB also renews its commitment to engage further with the UN on the shared mission of protecting human rights, including the right to privacy. The EDPB also adopted a letter to ENISA concerning the European Cybersecurity Certification Scheme for Cloud Services’ compatibility with Schrems II. In the letter, the EDPB reiterates its stance that the final certification scheme should be consistent with the obligations in the GDPR and should facilitate the compliance of cloud service providers and their clients with the GDPR, including the Schrems II judgment which is a “key” issue.  

CNIL Guide for DPOs

The CNIL published a guide for data protection officers (DPOs) bringing together the main useful knowledge and best practices to help organizations support DPOs. It includes obligations of organizations and a reference guide for questions about the data protection officer role. Furthermore, CNIL stressed that particular attention is given in the guide toward providing clear information on how to ensure that the DPO can carry out his or her missions in complete independence, without any conflict of interests.

Registration Requirement in Uganda

Registration Requirement in Uganda. The Personal Data Protection Office (PDPO) issued a press release highlighting that it had been operationalized following the passage of the Data Protection and Privacy Regulations and is now requiring data collectors, processors, and controllers to register on its website. In particular, the PDPO highlighted that it is providing a grace period up to the end of December 2021 to allow for the registration process by all relevant organizations and persons, adding that it will begin enforcement measures against organizations and persons who have not registered in January 2022.

UAE Enacts New Federal Law on Protection of Personal Data

The Personal Data Protection Law constitutes an integrated framework to ensure the confidentiality of information and to protect the privacy of community members by providing proper governance for optimal data management and protection, in addition to defining the rights and duties of all concerned parties. The provisions of the law apply to the processing of personal data, whether all or part of it through electronic systems, inside or outside the country. The law prohibits the processing of personal data without the consent of its owner, with the exception of some cases in which the processing is necessary to protect the public interest, or that the processing is related to the personal data that has become available and known to all by an act of the data owner, or that the processing is necessary to carry out any of the legal procedures and rights.

UNESCO Member Countries Endorse Plan for ‘Ethical AI’

There is growing worldwide pressure to introduce binding rules for artificial intelligence (AI) practices, particularly for high-risk activities such as social scoring and facial recognition in public places. These practices are increasingly seen to endanger human rights and civil liberties. UNESCO's 193 member countries have approved a recommendation for AI ethics. The recommendations warn governments to safeguard against dangerous use cases for AI because they threaten civil rights. 


Continue Reading