Keypoint: Lawmakers in New York and Minnesota have proposed CCPA-like privacy legislation.

As state legislatures have started to convene for the 2021 session, state lawmakers have once again proposed CCPA-like privacy legislation. As discussed in our prior post, in early January Washington lawmakers again proposed the Washington Privacy Act. In addition, over the last few days, CCPA-like legislation has been proposed in New York and Minnesota.

It is expected that CCPA-like legislation will be filed in more states over the coming days. Whether this legislation moves forward remains to be seen. With the exception of the Washington Privacy Act, over the last two years privacy legislation proposed in other states has failed to gain any traction.
Continue Reading Privacy Legislation Proposed in New York and Minnesota

Following the GDPR, the California Consumer Privacy Act (CCPA) and other newly introduced state privacy legislation, the Washington Senate has proposed its own GDPR-like consumer privacy act. Washington Senate Bill 5376, the Washington Privacy Act, as first proposed on January 22, 2019 and substituted February 24, 2019, applies “not only to technologies and products of today but to technologies and products of tomorrow.” If approved, it will go into effect July 31, 2021.

The Act will apply to legal entities that conduct business in Washington or produce products or services that intentionally target Washington residents. These entities must also either (1) control or process data of at least 100,000 consumers or (2) derive 50 percent of gross revenue from the sale of personal information and process or control personal information of at least 25,000 consumers. Under the Act, personal data is any information that is linked or reasonably linkable to an identified or identifiable natural person.
Continue Reading Proposed Washington Privacy Act Seeks to Protect Consumer Data Privacy from Current and Future Technology Advancements

You can add Nevada to the growing list of the states that are considering privacy-related legislation in the wake of last year’s enactment of the California Consumer Privacy Act (CCPA). Nevada is one of three states that already require certain entities to provide online privacy notices to disclose the types of personal information that they collect from consumers. Senate Bill 220 would supplement that existing law by allowing consumers to submit notices to businesses directing them not to sell any personal information the business has collected or will collect about the consumer (i.e., an opt-out). An entity that receives such a notice would be forbidden from selling the consumer’s personal information.
Continue Reading Proposed Nevada Privacy Legislation Would Create Private Right of Action

Generally, one hears the term “big data” and, in the next breath, about the host of privacy issues implicated by that big data. Indeed, a quick Google search confirms that many of the top links appearing in a search for “big data” include the word “privacy.”

There is a reason for this, of course: big data often contains a lot of information aggregated from different sources about individuals. Many times, consumers do not know in the first place that different pieces of information about them have been collected (or, if they know it has been collected, they do not know the information has been retained); they do not know that such information has been aggregated; and they do not know the aggregated information has been (and is being) further disseminated. Single pieces of information on their own pose a privacy risk. The aggregation of the information, which is then disseminated, poses a greater and different privacy risk.
Continue Reading Alternate (Data) Universe

In the digital era, EU data protection law may apply to U.S.-based companies with significant consequences. The EU law generally prohibits the transfer of personal data from the EU to the U.S., unless the transfer is made in accordance with one of a very few authorized data transfer mechanisms or otherwise falls within one of its even fewer exceptions. This transfer restriction significantly impacts U.S. multinational companies’ everyday business activities, such as processing employees’ payroll data, as well as their ability to implement enterprise-wide initiatives, such as compiling internet marketing information.
Continue Reading Five key steps to Privacy Shield certification

The European Union and United States differ greatly on the law regulating the collection and transfer of personal data. For many years companies could rely upon the U.S.–EU Safe Harbor to lawfully make transatlantic data transfers and bridge the gap between the differing privacy frameworks. But in October 2015, the EU Court of Justice invalidated the U.S.–EU Safe Harbor on the grounds that it did not adequately protect personal data. This ruling jeopardized the continued flow of data from the EU to the United States and left many companies wondering how they could continue collecting and using data from the EU without violating the law.
Continue Reading Should my company self-certify under the EU–US privacy shield?