Webinar Recap – US Quarterly Privacy Update: Consumer Privacy Law

As part of the TrustArc Privacy Insight Series, TrustArc Associate General Counsel – Privacy Intelligence K Royal, and TrustArc Privacy Legal Specialist Christina Fratschko presented the webinar “US Quarterly Privacy Update: Consumer Privacy Law” last week. This blog post will give a brief summary of that webinar; you can listen to the entire webinar and download the slides here.

In this quarterly session, the panelists provided:

An overview of updates to consumer privacy law in each state, including which legislatures have killed their bills over substantive issues or slated them for further study. Also discussed were the commonalities among state bills with regard to the rights to access, correct and delete personal information, and the right to opt out of the sale of personal information.

A review of three federal bills proposing consumer rights: 1) the United States House of Representative Draft Law Discussion Bill, which would add new safeguards around how companies can collect and use identifiable consumer data; 2) the Consumer Online Privacy Rights Act (“COPRA”), under which entities subject to U.S. Federal Trade Commission jurisdiction must honor a set of individual rights; and 3) the Consumer Data and Security Act, which would establish a clear federal standard for data privacy protection, giving businesses a uniform standard rather than a confusing patchwork of state laws.

What employers and educational institutions need to know during the growing global pandemic of the novel coronavirus. The panelists recapped several guidance documents issued by regulatory authorities. The Office for Civil Rights, which enforces the Health Insurance Portability and Accountability Act (“HIPAA”), published an advisory on telehealth covering how healthcare providers may communicate with patients and deliver telehealth services through remote communication technologies. The U.S. Department of Education issued guidance on how and when educational institutions may share a student’s personal information if that student has COVID-19. In addition, the U.S. Equal Employment Opportunity Commission published guidance on how employers may handle information about a COVID-19 case among their employees and protect their workforce from COVID-19.

Watch this on-demand webinar to stay up to date on consumer privacy laws in the US. TrustArc also has a robust library of on-demand webinars available here.

Join us for the next webinar in the Privacy Insight Series: “COVID-19 – What are the Potential Impacts on Data Privacy?” with TrustArc SVP, Privacy Intelligence and General Counsel, Hilary Wandall on 4/8 at 9am PT. Register for the webinar here.

The TrustArc Privacy Insight Series is a set of live webinars featuring renowned speakers, presenting cutting edge research, tips, and tools. Events are free and feature informative discussions, case studies and practical solutions to today’s tough privacy challenges.

TrustArc Recognized as a Leader: Privacy Management Software, Q1 2020

We are excited to announce that TrustArc has been recognized as a Leader by Forrester Research in the Forrester Wave™: Privacy Management Software, Q1 2020! 

According to Forrester, TrustArc’s “Market-leading privacy expertise permeates the product offering and in turn, creates a strong business vision and direction.” Forrester also noted that “leading-edge technology powers the TrustArc Privacy Platform,” which “offers a customer onboarding experience that delivers highly relevant, customized, and actionable content.”

Forrester evaluated TrustArc’s Privacy Management Platform along with the offerings of 14 other vendors on over 25 different criteria in three groups: current offering, strategy, and market presence. TrustArc received the highest possible score in 12 criteria including the breadth of software, product strategy, vision, content, planned enhancements, market approach, innovation roadmap, and more. 

The TrustArc Privacy Platform helps enterprises design and build privacy programs, assess and remediate risks, and manage ongoing privacy compliance. Recent platform extensions include automated solutions and partner integrations to further help companies manage privacy, including a first-of-its-kind automated Risk Profile and Privacy Profile.

We believe our placement highlights our success in developing holistic solutions infused with privacy intelligence for building ongoing, scalable compliance and data protection programs. We thank our customers, who provide innovative feedback and use our products daily to drive success in their businesses.

Download a free copy of the Forrester Wave™: Privacy Management Software, Q1 2020 ($2,995 value), here.  

Serious Privacy Podcast – “Sharenting”

Sharenting – parents sharing kids’ information – should we care? Should they care? On this week’s episode of Serious Privacy, K Royal and Paul Breitbarth talk with Prof. Dr. Mariea Hoy, DeForrest Jackson Professor at University of Tennessee, and Dr. Alexa K Fox, Assistant Professor of Marketing at The University of Akron, on their recent publication, “Smart Devices, Smart Decisions? Implications of Parents’ Sharenting for Children’s Online Privacy,” in Journal of Public Policy & Marketing. This research explored how parents, specifically mothers, post about their children on social media and how they share their children’s personally identifiable information (PII) in a marketing context. 

In the past, sharing photos of your children was familiar but controlled: you pull out the hard copy photo of your child from your wallet, hand it to your coworker who gushes over how adorable your child looks in their school picture. “I can’t believe how much they’ve grown!” the coworker says, as they naturally hand the hard copy photo back to you, and you safely tuck it back into your wallet. The internet changed the ways in which we share information about our children. But are we putting children at risk by oversharing?

This episode of Serious Privacy explores the ramifications of “sharenting” as privacy concerns continue to grow and the brand-to-consumer relationship blurs. Stream the new episode here. Serious Privacy can be found on all major podcast players (Apple Podcasts, Spotify, Stitcher, etc.). Subscribe and review today!

If you cannot access the article via the link provided, please contact the researchers directly. They indicated they would be happy to provide you with a copy.

Managing Employee Privacy in the Face of COVID-19

Suddenly, the world came to an almost complete standstill. What few expected to happen in these modern times of continuous global travel and interconnectedness did happen after all. COVID-19, the disease caused by the novel coronavirus, has led governments to close national borders, issue ‘shelter at home’ orders, and cancel public and private gatherings and events. Many companies have adopted policies and remote work practices requiring or allowing employees to work from home wherever their responsibilities can be managed off-premise.

At TrustArc, we receive a lot of questions about the privacy implications of the COVID-19 pandemic. What are employers allowed to do to control the spread and mitigate the effects of the virus, and what additional data can they process about their employees? How do employers ensure good data protection and governance practices for employees working from home? In this blog, we address the most common challenges organizations currently face.

Health Data on the Work Floor 

Even in times of crisis (perhaps particularly in times of crisis), the law still applies. This is the case for labour laws, for medical legislation, and also for privacy and data protection laws. Safeguards cannot just be thrown out of the window. That said, in many jurisdictions, the law permits organizations to process additional data to assist public health efforts by keeping employees safe and healthy, provided that certain safeguards and requirements are met. 

Guidance from the Regulators

One question frequently asked by both governments and employers concerns the collection and use of medical data, such as body temperature readings. Earlier this week, the Executive Committee of the Global Privacy Assembly (GPA), a worldwide consortium of privacy and data protection regulators, released a statement on this issue:

“We are confident that data protection requirements will not stop the critical sharing of information to support efforts to tackle this global pandemic. The universal data protection principles in all our laws will enable the use of data in the public interest and still provide the protections the public expects. Data protection authorities stand ready to help facilitate swift and safe data sharing to fight COVID-19.”

The GPA also published a special webpage where guidance from national regulators and other authorities on how to deal with COVID-19 related data issues is posted. This guidance is not limited to specific regions or regulators but rather covers GPA members worldwide. 

What Employers Should Know

Although we recommend reviewing the specific guidance available for each country where your organization operates, a few general rules can be drawn from the regulator guidance on COVID-19.

  • A distinction needs to be made between the data that governments can collect and use and the data that private entities can collect and use, and the permitted legal basis for each. Governments generally have more room to maneuver when processing personal data in the public interest (e.g. to safeguard public health) or even in the vital interest of an individual; under the GDPR and various other laws, these are identified explicitly as grounds for processing personal data. For private entities, collection and use of personal data in the public interest can also be possible, but there must be a clear, direct and demonstrable link to the public interest.
  • When processing medical and other health data, which includes recording whether employees have been diagnosed with or show symptoms of COVID-19, organizations should show restraint and process only the minimum personal data necessary to meet their obligations for the safety of the workforce, customers, and the public. In general, data protection and labour laws restrict the amount of detail about employee illnesses that employers may record. Where collection is necessary and proportionate (i.e. there is no other option but to collect data on confirmed or suspected COVID-19 infections in the workplace), data minimization and confidentiality must be respected as a best practice. This means collecting as little information as possible and making it accessible only to specific persons (not departments or groups) with a legitimate need to know it. For example, identifying infected employees by name generally should not be allowed. Companies should also show restraint when processing data about visitors to their premises: there may be a good reason to measure a visitor’s temperature before granting access, but that does not mean the temperature reading, or the record of whose temperature was taken, should be retained once the access decision has been made. In many jurisdictions, processing medical or other health data may require an organization to complete a privacy or data protection impact assessment and implement additional procedural safeguards and security controls.
  • Whatever data is collected and used in the fight against COVID-19, organizations should be upfront and transparent about what data they process and for which purposes. Transparency is a key principle under almost every data protection regulation around the world. The information provided should be accessible, easy to understand, and explain why the (additional) data needs to be processed.

Working from Home 

For many organizations, the coronavirus crisis is the first time they have allowed large groups of employees to work from home. Beyond the impact on IT resources, this requires a renewed approach to data use and data protection practices. Even organizations whose employees are used to working from home should review and, where relevant, revise their policies and procedures to ensure that personal data remains secure at all times. This review should include an assessment of the organizational, physical and technical risks involved in working from home and in accessing systems and data remotely, along with the security measures that may be advisable, such as using secure Wi-Fi networks and company-authorized VPNs. Even though there may be no alternative to working from home, conducting a privacy or data protection impact assessment of the working-from-home processing activities can help identify the risks to the rights and freedoms of your employees, customers and business partners. It also allows you to identify mitigation steps that remote workers can implement, such as specific technical and organizational measures.

We have created two top-10 lists with recommendations for both employers and employees on what to take into consideration when employees are working from home. Download the following tips:

CCPA Update: March Regulation Proposed Revisions

The California Department of Justice published yet another round of draft CCPA (California Consumer Privacy Act) regulations on March 7, 2020, with comments due March 27, 2020.

As stated in the notice, there were “around 100 comments received in response” to the previous draft regulations.

In the most recent version, the “redlined” copy is color-coded to distinguish the original draft regulations, the first set of modifications, and this second set of modifications. Both the redlined and clean versions are published online.

Under the rulemaking process, any changes made to the proposed regulations are published for public comment. The comments are reviewed and, based on them, the published draft is either revised or accepted; responses to the comments are published together with the final regulations. The Office of the Attorney General previously indicated that if changes are “substantial and sufficiently related,” they are published with an abbreviated 15-day comment period (both this modification and the previous one met these requirements). If no changes are made, or the changes are “nonsubstantial and sufficiently related,” no further publication for comment occurs. Only “major changes” would require a full 45-day comment period.

Some of the key changes include:

  • Removal of § 999.302, which was added in the last version and provided that an IP address not otherwise associated with identifying information is not personal information. No sections were added or modified in the newest version to address IP addresses.
  • Addition of § 999.305(d), clarifying that “[a] business that does not collect personal information directly from a consumer does not need to provide a notice at collection to the consumer if it does not sell the consumer’s personal information.”
  • Addition of § 999.313(d)(7), providing that if a business denies a consumer’s request to delete, sells personal information, and the consumer has not already made a request to opt out, the business shall ask the consumer whether they would like to opt out of the sale of their personal information and shall include either the contents of, or a link to, the notice of right to opt-out in accordance with § 999.306.
  • Clarification that the notice provided at the collection of employment-related information does not need to contain a link to the business’s privacy policy.
  • Additional clarifications around the information provided in response to consumers’ requests to know (§ 999.305(f)(2)), what to publish about selling minors’ data (§ 999.308(c)(9)), the description of biometric data to be provided where the biometric data itself cannot be provided in response to a request to know (§ 999.314(c)(4)), and the descriptions of categories of sources and business purposes in the privacy policy (§ 999.308(c)(1)(e) and (f)).

Where are we now?

The comment period ends on March 27, 2020. Based on the guidance and on past practice, any changes made to this version will result in the publication of a new round of proposed regulations.

Once a version is reached to which no further changes are made, according to the “Information about the rulemaking process,” the Office of the Attorney General will prepare and submit the final rulemaking record to the Office of Administrative Law (“OAL”) for approval, including the summaries of and responses to each public comment received. The OAL then has 30 working days to determine whether all procedural requirements have been met; if so, the regulations will be filed with the Secretary of State.

Will enforcement start July 1, 2020?

At this time, enforcement remains slated to start on July 1, 2020. TrustArc will keep you posted on updates. To speak with a privacy expert about the California Consumer Privacy Act and how to comply, schedule a consultation today.