WSJPro Cybersecurity Symposium

Metaverse Law to Speak at WSJ Cybersecurity Symposium

Metaverse Law will be one of the speakers at the Wall Street Journal’s Cybersecurity Symposium and will focus on the applicable laws and regulations per business type.

It is a two day event in San Diego, CA from Thursday, January 9 to Friday January 10, 2020. The agenda for both days includes breakfast and registration, several speakers, networking breaks, lunch, a cocktail reception on the ninth, and a cybersecurity strategy development bootcamp on the tenth.

A detailed itinerary as well as registration details can be found at https://cybersecurity.wsj.com/symposium/san-diego/#schedule

Featured Video Play Icon

California Privacy Rights Act Highlights With Lily Li and DPO Advisor

Permalink to video here: https://vimeo.com/484360790

Mike: Hi everyone, if you’ve been following data privacy at all, you’ve probably already heard of California’s new landmark privacy law, the California Consumer Privacy Act, or CCPA as it is widely known.

The CCPA was the biggest data privacy shakeup in United States history. However, on November 3rd, California passed the California Privacy Rights Act or the CPRA, which adds teeth to the CCPA and further strengthens the rights for California consumers.

Here to talk about the upcoming CPRA is Lily Li, who is a Data Privacy Attorney and the founder of Metaverse Law.

Lily, thanks so much for joining us today.

Lily: Hey, thanks for having me.

Mike: Well, let’s jump right in. Can you please explain to everyone what the CPRA is?

Lily: Well, the CPRA is a law that amends the existing law on the books. As you mentioned there is this law called the California Consumer Privacy Act. It was passed by the California Legislature in 2018 and went into affect January 1st of this year.

Now we have CPRA, which is a ballot initiative that passed in the latest election, and it amends CCPA even further to make it more protective of privacy rights. Both of how customers use sensitive data and also about how companies use children’s data. We can definitely go more into the different changes that CPRA made to CCPA but this is a little bit of background on how it started.

Mike: That’s great. What do you feel are some of the key changes that the CPRA brings?

Lily: Well, the CPRA brings in this idea of sensitive personal information or sensitive personal data. And this aligns with a lot of other global privacy laws like GDPR and the new Brazilian Data Protection law.

Previously CCPA treated all types of personal information the same with respect to data subject requests. So people could get copies of their data. People could delete their data and a lot of people still have those rights with respect to companies.

Now, in CPRA there’s a new category of data sensitive personal data, sensitive personal information and these categories of data include things like health care information, now precise geo location, information about people’s genetics or biometric data.

And what’s important about these categories of data is that not only does the law prevent you from sharing this data without providing certain notices. The law also allows consumers to limit how a company uses sensitive data for their own purposes.

So even if you’re collecting Geo location information, not giving it out to third parties, if you’re using it for purposes at the company that aren’t related to why you’re collecting it from the consumer, the consumer can have the right to ask you to limit your use of sensitive data.

A good example of this is precise Geo location data. Uber got in trouble a little awhile ago because it would collect Geo location data from people using its rideshare app—even after people had stopped using the app. And so Uber could track people’s location in their homes or while they were still waiting for the right transit service.

This is a big No-No—especially if you are not disclosing it. But now, customers and consumers have the right to say hey, only use these sensitive pieces of information to provide me the services that I’ve requested. Don’t use it for anything else.

Another big change that the CPRA makes. Some people call it “CIPRA” now like to use the term CIPRA is that it increases the penalties for children’s data.

So previously, you could suffer fines if you were using children’s data in violation of how you disclosed the uses of data and privacy policy or if you refuse to respond to consumer requests regarding children’s data and the finding regime was the same. It was $2500 to $7500 per violation.

The difference between CPRA and CCPA is that under CCPA you could be fined $2500 per violation or $7500 per intentional violation. So you had to intentionally violate the law, and not just accidentally violate it because you didn’t know about the rules.

What “CIPRA” does or CPRA does is that it removes the intentionality requirement when you’re dealing with children’s data. So if you are using children’s data in ways that you haven’t disclosed in your privacy policy or are you are not fulfilling consumer requests regarding children’s data, then you are subject to that higher fine of $7500 per violation without any showing that you did it on purpose.

And there are a lot of other changes in CPRA that affects businesses. One of them is concerning behavioral advertising.

Under CCPA there was a lot of debate about whether or not re marketing, re targeting other types of cookies that track users across websites counted as sales of consumer data. And if something counted as a sale of consumer data under California law, you need to put a lot of disclosures on your website, like I do not sell my personal information.

Some companies were arguing that targeting ads behavioral advertising wasn’t a sale. There was no real exchange of money for personal information.

But CPRA removes that ambiguity. Under CPRA it is very clear that cross contextual behavioral advertising, that is to say, cookies that you set on a device that tracks users across different platforms in order to create a profile for a user to target them, counts as sales of data under CCPA, and so triggers a lot of the same disclosure requirements as if you were selling data in more traditional formats. So that’s another big change due to CPRA.

Mike: What do you think are the most important steps for businesses to take to comply with the CPRA?

Continue Reading California Privacy Rights Act Highlights With Lily Li and DPO Advisor
European Union flag.

EU-US Data Transfers After Schrems II: European Commission Publishes New Draft Standard Contractual Clauses

Image Credit: GregMontani from Pixabay.

On November 12, 2020, roughly four months after the European Court of Justice’s “Schrems II” decision which invalidated the EU-US Privacy Shield, the EU Commission released a draft set of new Standard Contractual Clauses (“SCCs” or “model clauses”).

These updated SCCs allow transfers of personal data from the EU to third countries, as well as a transfers by controllers when engaging processors located inside the EU. (For a further analysis of the Schrems II judgment, and the motivation for these new clauses, see our prior blog post).

Who can use the new SCCs?

The Commission’s draft, which includes the new SCCSs in its Annex, covers two new types of international transfers and contains important updates in order to bring the text of the model clauses in line with the General Data Protection Regulation (“GDPR”).

The current SCCs, approved by the Commission in 2001 and 2010, only addressed two data flow scenarios:

  • An EU-based controller exporting data outside of the EU to other controllers (controller-controller SCCs)
  • An EU-based controller exporting data outside of the EU to processors (processor- processor SCCs).

In this new draft, the Commission addressed a gap which frequently occurred in practice: EU processors exporting data to controllers and processors outside of the EU. This addition further reflects the expanded territorial scope of the GDPR.

Continue Reading EU-US Data Transfers After Schrems II: European Commission Publishes New Draft Standard Contractual Clauses
person entering emoticons in smartphone.

Facebook, Patents, and Privacy: Social Media Innovations to Mine Personal Data

[©2016. Published in GPSOLO, Vol. 37, No. 5, September/October 2020, by the American Bar Association. Reproduced with permission. All rights reserved. This information or any portion thereof may not be copied or disseminated in any form or by any means or stored in an electronic database or retrieval system without the express written consent of the American Bar Association or the copyright holder]

* Updated November 25 to include references to CPRA/ Prop24.

The episode “Nosedive” of the television series Black Mirror envisions a society built on social credit scores. In this dystopia, all social media networks have converged into one platform—think Facebook, TikTok, Yelp, and Equifax combined.

This umbrella social platform allows users to rate each other on a five-point scale after each social interaction. Those with a high score gain access to job opportunities, favorable zip codes, and even high-status relationships. Those with a low score have the social ladder kicked out from under them, leading to a downward cycle of estrangement—and in the case of Black Mirror’s protagonist, jail time.

While the society in “Nosedive” seems far-fetched, is the technology behind it plausible?

Facebook Patents That Impact Privacy

According to Facebook’s patents, the answer is a resounding “yes.”

In a series of filings spanning almost a decade, Facebook has obtained several patents that allow social media platforms to track, identify, and classify individuals in new and innovative ways. Below are just few.

Tracking individuals via dust. U.S. Patent No. 9485423B2, “associating cameras with users and objects in a social networking system” (filed September 16, 2010, patented June 25, 2013), allows social media networks to identify an individual’s friends and relationships by correlating users across the same camera. To do so, an algorithm analyzes the metadata of a photo to find a camera’s “signature.”

Continue Reading Facebook, Patents, and Privacy: Social Media Innovations to Mine Personal Data
PCI Expert Summer Virtual Event on November 5, 2020. Hosted by RSI.

Metaverse Law to Speak at PCI Expert Summit

Metaverse Law will be speaking at the PCI Expert Summit hosted by RSI Security.

This year, the annual PCI Expert Summit event is an online/virtual all-day conference on Thursday, November 5, 2020, from 9:00am to 5:00pm PST. The agenda includes panels with PCI experts in addition to breakout sessions on specialized topics, such as incident and data breach response. Continuing Professional Education (CPE) credits are available.

Register at https://www.rsisecurity.com/pciexpertsummit/.

Offset angled photo of Proposition 24 from the 2020 California Voter's Guide

What Businesses Need to Know if Voters Pass Proposition 24 (California Privacy Rights Act of 2020, “CPRA”)

Hot on the heels of the California Consumer Privacy Act (CCPA), California residents this November will vote on Proposition 24. A majority yes vote on Prop 24 would pass the California Privacy Rights Act (CPRA). The CPRA proposes several amendments to the CCPA, such as granting new rights to consumers, imposing greater penalties on businesses for certain violations, and creating a new state enforcement agency, the California Privacy Protection Agency (CPPA).

1. Right to Restrict Use of Sensitive Data

Under the newly added Section 1798.121, consumers now have the right to direct businesses to limit the use of “sensitive personal information.”

As defined in CPRA, sensitive personal information appears to combine the conventional definition of “personally identifiable information” from state breach notification laws with the definition of “special category data” under the GDPR. Accordingly, sensitive personal information is data that may include a Social Security Number, driver’s license number, account log-in/debit/credit card information in combination with password or PIN. It may also include a consumer’s precise geolocation, the contents of their e-mails or texts to others, and racial, religious, biometric, or health data.

If directed to do so, businesses must limit the use of sensitive personal information to only those purposes that are necessary to provide a consumer’s requested services or goods.

To facilitate consumer exercise of this right, businesses may be required to add another link, “Limit the Use of my Sensitive Personal Information,” to their websites, in addition to any existing “Do Not Sell My Personal Information” link.

2. Right to Opt-Out of Cross-Context Behavioral Advertising

The CPRA requires a right of opt-out for “cross-context behavioral advertising” regardless of whether it constitutes a “sale” of personal information or not.

Currently, the CCPA is ambiguous as to whether cross-context behavioral advertising—that is, the collection of a consumer’s activities across different websites or even different devices for the purposes of personalized and targeted advertising—constitutes a sale of personal information. Some affiliates, such as Google, have categorized themselves as a service provider providing marketing and advertising services to the business in order to fall out of the definition of sale. Some other affiliates have put forth the position that they never “sold” personal information, because they only allow advertisers to target broad categories of demographics without identifying a specific individual to the advertiser.

The CPRA is quite clear that such activity requires an opt-out regardless whether it is a sale of information or not. Should CPRA come into effect, businesses should expect to present consumers with three opt-out choices in total (subject to further clarification from the Attorney General):

  1. A global opt-out from sale and sharing of personal information
  2. A choice to “Limit the Use of My Sensitive Personal Information”
  3. A choice for “Do Not Sell/Do Not Share/Do Not Share my Personal Information for Cross-Context Behavioral Advertising”

3. Employee and Business-to-Business (B2B) Data

Both employee and B2B data are currently exempted from general CCPA coverage, although these exemptions are set to expire January 1, 2021. Under the CPRA, these exemptions would be extended until January 1, 2023.

However, this does not mean that businesses do not have any obligations with respect to employee data under CCPA (and under CPRA). For data belonging to job applicants, employees, and independent contractors, businesses must disclose the categories of personal information that were collected and what purposes the information was collected for, typically within a separate employee privacy notice. CPRA also extends anti-discrimination rights to employees who exercise their rights and then face retaliatory action from their employer.

4. Children’s Data

Children’s privacy and data collection is a particularly sensitive area of regulation. Tik Tok is commonly scrutinized due to its predominantly younger userbase, and settled with the FTC for $5.7 million in 2019 over allegations that it collected children’s data without parental consent.

Under CPRA, fines may be tripled for violations involving children’s information. Currently, businesses are fined $2,500 for each violation and $7,500 for intentional violations under CCPA. Per the amended Section 1798.155 in CPRA, businesses would be fined $2,500 for each violation and $7,500 for intentional and children’s data violations. Given that violations can potentially involve hundreds of thousands of records for medium sized enterprises and in the millions for large companies, the fines can be staggering when multiplied.

5. Removal of Notice-and-Cure

Previously, under CCPA, businesses were allowed a thirty (30) day period to cure violations following notice by the California Attorney General’s office. CPRA has quietly removed this notice-and-cure provision through its changes to Section 1798.155. The notice-and-cure is often criticized as a “get-out-of-jail-free” card that prevents any real enforcement of CCPA outside of a consumer’s private right of action. If CPRA passes, the removal of this provision means that businesses will need to be more vigilant about getting privacy compliance and privacy implementation correct on the first try.

6. CPPA: New State Enforcement Agency

CPRA will allocate $10 million per year to a new state agency, the CPPA, to investigate and enforce against violations of consumer privacy laws, similar to European data protection authorities. Some portion of this cost will be offset by the proceeds of enforcement actions.

Currently, the California Office of the Attorney General (OAG) enforces the CCPA as part of the office’s functions for protecting consumer rights and prosecuting consumer crimes, amid a host of other duties.

The CPPA being an agency dedicated solely to privacy regulation would relieve much of the strain of enforcement previously on the OAG. If CPRA passes, expect to see more enforcement actions.

Likelihood of Prop 24 Passing

Prop 24 is divided in its support among reputable consumer and civil rights organizations, which can make it harder to gauge how likely Prop 24 will pass. Democratic Presidential candidate Andrew Yang as well as the NAACP has come out in support of Prop 24. However, the ACLU has opposed Prop 24 in official election materials. Other organizations remain neutral, such as the Electronic Frontier Foundation, which has come out as neither endorsing nor opposing Prop 24.

According to recent polling conducted by Redfield & Wilton Strategies, 60% of respondents indicated that they would vote ‘Yes’ on Prop 24, with 17% opposing and 23% undecided. Even if Prop 24 fails to pass, businesses should not breathe a sigh of relief and assume that the trendlines are moving toward deregulation. In fact, the greatest opposition to CPRA is centered on the fact that the law is not protective enough of consumer privacy and has too many loopholes that cater to big tech companies collecting large amounts of data. The pattern is moving toward greater privacy regulation, and CPRA is an experiment in seeing how far the boundary can be pushed.

1 2 3 8