USA

Overview of the Upcoming California Privacy Rights Act (CPRA)

California voters approved Proposition 24 on November 3, 2020, paving the way to the California Privacy Rights Act (CPRA), which, on January 1, 2023, will replace California’s current data protection law, the California Consumer Privacy Act (CCPA). CPRA slightly reshapes CCPA, creating additional rights for consumers and additional obligations and restrictions for businesses related to the use of consumer’s personal information, including limits to data collection and retention, among other. 

Most of CPRA will become operative on January 1, 2023. The law will apply to personal information collected after January 1, 2022. There will be a 6-month delay between the effective date of the act and its enforcement, with enforcement actions commencing on July 1, 2023. In the meantime, CCPA will remain in full force and effect.

(more…)
Read More

Privacy Shield after Schrems 2: What to Do Next?

Since the publication of the EU Court of Justice decision in the Schrems 2 case, many organizations that send or receive personal data of EU/EEA residents have been struggling to find reliable, viable means to ensure the continuity of the data flows emanating from the EU/EEA, and the privacy protections needed for this data. The guidance provided by regulatory authorities on both sides of the Atlantic has been limited. 

The Schrems 2 decision focuses primarily on two elements, the EU-US Privacy Shield and the Standard Contractual Clauses Controller-to-Processor.  Both the EU-US Privacy Shield program and the Standard Contractual Clause framework have come out with a black eye. And both aspects of the Schrems 2 decisions have significant consequences for businesses that operate on a global scale.

(more…)
Read More

United States–Mexico–Canada Agreement: Digital Trade Provisions NAFTA 2.0 meets the Internet

The United States–Mexico–Canada Agreement (USMCA) enters into effect on July 1, 2020. Nicknamed “NAFTA 2.0” because it replaces the North America Free Trade Agreement (NAFTA), the USMCA addresses a number issues that had not been tackled by its predecessor, conceived and negotiated almost 30 years ago, at the down of the commercial Internet. In its Chapter 19 – Digital Trade, the USMCA focuses on the trading of digital products, such as computer programs, image, text, video, sound recording or other products that are digitally encoded and can be transmitted electronically. Several Articles focus on cybersecurity, privacy, data localization, and cross-border data transfers, which should be of interest to cloud providers and cloud users.  Other areas of interest include, protection against unsolicited commercial communication, source code protection, prohibition against the application of customs duties, and internet platform liability for third party content.

(more…)
Read More

Proposed Principles for Artificial Intelligence Published by the White House

A draft memorandum outlining a proposed Guidance on Regulation of Artificial Intelligence Application(“Memorandum“) for agencies to follow when regulating and taking non-regulatory actions affecting artificial intelligence was published by the White House on January 7, 2020. The proposed document addresses the objective identified in an Executive Order 13859 on Maintaining American Leadership in Artificial Intelligence, (“Executive Order 13859”) published by the White House in February 2019.2 

The Memorandum sets out policy considerations that should guide oversight of artificial intelligence (AI) applications developed and deployed outside the Federal government. It is intended to inform the development of regulatory and non-regulatory approaches regarding technologies and industrial sectors that are empowered or enabled by artificial intelligence and consider ways to reduce barriers to the development and adoption of AI technologies.

(more…)
Read More

Yelp to pay $450,000 penalty for COPPA violation

Francoise Gilbert

Yelp to pay $450,000 penalty for COPPA violation

The Federal Trade Commission has announced a proposed settlement with Yelp, Inc. for COPPA violations. The FTC alleged that, for five years, Yelp illegally collected and used the personal information of children under 13 who registered on its mobile app service. According to the FTC complaint, Yelp collected personal information from children through the Yelp app without first notifying parents and obtaining their consent. The Yelp app registration process required individuals to provide their date of birth. Several thousand registrants provided a date of birth showing they were under 13 years old. Even though it had knowledge that these registrants were children, Yelp did not follow the requirements of the COPPA Rule and collected their personal information without proper notice to, and consent from, their parents. Information collected included name, e-mail address, geolocation, and any other any information that these children posted on Yelp. In addition, the complaint alleges that Yelp did not adequately test its app to ensure that users under 13 were prohibited from registering. Under the terms of the proposed settlement agreement, among other things, Yelp must:

  • pay a $450,000 civil penalty;
  • delete information it collected from individuals who stated they were 13 or younger at the time they registered for the service; and
  • submit a compliance report to the FTC in one year outlining its COPPA compliance program.

In a separate action, FTC alleged that TinyCo also improperly collected Children information in violation of COPPA. Under the settlement agreement between TinyCo and the FTC, TinyCo will pay a $300,000 civil penalty.

Read More

New FTC COPPA Rule Will Better Protect 21st Century Children

Francoise Gilbert

The Federal Trade Commission final updated COPPA Rule, published this morning (December 19, 2012),  brings child protection online to the 21st century. While most of the high level requirements, which stem directly from the Child Online Privacy Protection Act (COPPA) remain unchanged, the updated Rule contains references to modern technologies such as geolocation, plug-ins and mobile apps, and modern methods of financing websites, such as behavioral targeting.

(more…)

Read More

USA PATRIOT Act Effect on Cloud Computing Services

Francoise Gilbert

Recent reports and press articles, with attention grabbing headlines, have expressed concern, and at times asserted, that the U.S. government has the unfettered ability to obtain access to data stored outside the United States by U.S. cloud service providers or their foreign subsidiaries. They point to the USA PATRIOT Act (“Patriot Act”) as the magic wand that allows U.S. law enforcement and national security agencies unrestricted access to any data, anywhere, any time. In fact, the actual impact of the Patriot Act in this cloud context is negligible.

(more…)

Read More

FTC v. Google 2012 – Misrepresentation of Compliance with NAI Code a Key Element

Francoise Gilbert

Google was hit by a $22.5 million penalty as a result of an investigation by the Federal Trade Commission covering Google’s practices with users of the Safari browser. A very interesting aspect of this new case against Google (Google 2), is that it raises the issue of Google’s violation of the Self-Regulatory Code of Conduct of the Network Advertising Initiative (NAI Code). This is an interesting evolution in the history of the FTC rulings. At first, the FTC focused on violation of privacy promises made in Privacy Statements, then it went on to pursue violation of the Safe Harbor Principles. In this new iteration, the FTC attacks misrepresentation of compliance with industry standard.

(more…)

Read More