Privacy Update: California Signs New CCPA and Privacy Related Bills into Law
California’s Governor recently signed into law three new bills impacting CCPA and privacy in California, including:
- AB 335, which exempts from the CCPA's and CPRA's right to opt out vessel information or ownership information that is retained or shared between a vessel dealer and the vessel's manufacturer, if the information is shared for the purpose of effectuating a vessel repair covered by a vessel warranty or a recall.
- AB 694, which amends the CPRA by making non-substantive updates to the definitions, exemptions, and functions sections, and clarifies the timing of the CPPA's rulemaking authority.
- AB 825, which amends the definition of “personal information” in the California Civil Code to include genetic data.
FTC Updates Safeguards Rule
The Federal Trade Commission (FTC) announced updates to its Safeguards Rule, including changes to data security requirements for financial institutions. The updated Safeguards Rule provides more specific criteria for what safeguards financial institutions must implement, and requires these institutions to explain their information-sharing practices. The Rule also requires financial institutions to designate a single qualified individual to oversee an information security program and report periodically to the institution’s Board or senior information security officer. The FTC is inviting public comment on the Rule. Notably, for all companies, this update from the FTC provides insight into security safeguards that the FTC considers “common-sense.”
CFPB Orders Large Technology Companies to Provide Payment System Information
The Consumer Financial Protection Bureau (CFPB) has ordered several large tech companies to provide information regarding their personal payment systems, such as their payment products, the data collected and retained as a result of a consumer's use of those products, how the companies monetize the products, and access restrictions. The order was issued pursuant to the CFPB's authority under the Dodd-Frank Act and is intended to help the CFPB understand how big tech companies are handling personal payments and related consumer data.
Massachusetts Introduces New Privacy Bill
Massachusetts is currently considering the proposed Massachusetts Information Privacy Act (MIPA). MIPA is modeled in some regards on existing privacy regulations such as the CCPA, in that consumers can request copies of their personal data, request its deletion, and opt out of some third-party disclosures. The MIPA also provides for civil penalties (up to $15,000 or 0.15% of annual global revenue, whichever is greater), with higher penalties for multiple violations affecting multiple individuals (up to $20,000,000 or 4% of annual global revenue, whichever is greater). In addition, the Act provides no 30-day cure period for enforcement actions. The MIPA, as proposed, would cover all for-profit businesses that (i) collect Massachusetts residents' data and have an annual gross revenue exceeding $10M or (ii) process the personal information of 10,000 or more individuals during a calendar year, and it excludes employee data. If enacted, the bill proposes to take effect in July 2022.
Dep’t of Justice Announces Civil Cyber Fraud Initiative
The Department of Justice announced the launch of the Civil Cyber Fraud Initiative, whereby federal authorities will use the False Claims Act to pursue federal contractors that fail to timely report data breaches, knowingly misrepresent their cybersecurity practices, or knowingly provide products with deficient cybersecurity. Notably, according to its announcement, the Initiative appears to provide support for whistleblowers who assist the government in identifying and pursuing fraudulent conduct, and may protect whistleblowers who bring these violations and failures to light from retaliation. This callout suggests that the Initiative may result in more actions instigated by whistleblowers.
Democratic Legislators Urge Federal Legislators to Address Crypto Ransomware Attacks
Sens. Markey and Whitehouse and Reps. Langevin and Lieu sent a letter urging the Departments of Justice, the Treasury, State, and Homeland Security to "address the role of cryptocurrency in facilitating ransomware attacks." The legislators argue that this is necessary to combat the recent swell in ransomware attacks, ushered in by the use of cryptocurrencies. The legislators requested that the Departments' leaders answer a series of questions, such as: "In what ways has the United States worked with partners within regional organizations and international organizations to attribute ransomware attacks and hold bad actors accountable?" and "Would DOJ need specific statutory authority to direct asset forfeiture funds back into endpoint security and other cybersecurity defenses, or to provide assistance to victims?" The legislators have requested a response by October 29, 2021.
The Netherlands Announces Digital Regulation Collaboration Platform
The Netherlands' Authority for Consumers and Markets, Authority for the Financial Markets, Dutch Media Authority, and Data Protection Authority (Autoriteit Persoonsgegevens) announced the launch of the Digital Regulation Collaboration Platform, through which the agencies will share knowledge and experience in areas such as artificial intelligence, data processing, algorithms, and online design. In creating the Platform, the regulators intend to strengthen one another's enforcement procedures, including by collaborating on enforcement efforts.
China’s Personal Information Protection Law Effective November 1
China's comprehensive privacy law goes into effect November 1 and imposes requirements for the handling of personal information, which is defined similarly to personal information under the General Data Protection Regulation. The law applies to processing of personal information outside of China if the purpose of the processing is (i) to provide products or services to individuals in China, (ii) to "analyze" or "assess" the behavior of individuals in China, or (iii) other purposes to be specified by laws and regulations.
China Issues “Guidance on Strengthening Comprehensive Governance of Internet Information Services Algorithms”
Nine Chinese regulatory departments jointly released the Guidance, which is intended to clarify comprehensive governance of internet information service algorithms. The overall aim is to establish sound governance, policies, and regulations, including algorithm security risk monitoring, assessments, and ethics reviews. The Guidance also sets out to establish an algorithm filing system and manage the use and development of algorithm applications.
China’s Tianjin Hedong District People’s Court Decides China’s First Mobile App Data Collection Case
The Court sentenced three individuals to three years in prison and fined them 100,000 yuan over their use of mobile application software to illegally collect Chinese citizens' personal data, including private messages between registered users. The Court found that this was a violation of China's cybersecurity laws on the protection of citizens' personal information.
Deadline for Registration with the Turkish Data Controllers' Registry is December 31, 2021
Under Turkey’s Personal Data Protection Law No. 6698 and the Regulation on Data Controllers’ Registry, the following data controllers are required to register with the Data Controllers’ Registry by December 31, 2021:
- Data controllers located outside of Turkey processing personal data of any Turkish resident;
- Turkish data controllers with more than 50 employees or an annual revenue exceeding 2.5M EUR;
- Data controllers whose main field of activity is processing sensitive personal data;
- Public authorities and professional organizations.