The California Privacy Protection Agency (CPPA), which is responsible for issuing regulations implementing the California Privacy Rights Act (CPRA), has posted its approved discussion draft for seeking public comments in preparation for its CPRA rulemaking activities.  The CPPA indicated that it is particularly interested in receiving comments on the following eight topics:
Full post: California Privacy Protection Agency Seeks Comments on Preliminary CPRA Issues

With the rollout of COVID-19 vaccination programs across the EU and the UK, employers are faced with questions about whether or not they are legally permitted to ask employees about their vaccination status and, if so, how that information may be used.

Employers may wish to inquire about the vaccination status of their employees in order to comply with their general obligation to ensure a safe workplace and minimize the risk of exposure to COVID-19.  This raises privacy issues under the General Data Protection Regulation (“GDPR”), because employees’ vaccination status falls within a special category of personal data that concerns the health of individuals (Art. 9(1)).  This category is subject to more stringent data protection measures due to the sensitive and personal nature of the data, and can only be processed in very limited circumstances (Art. 9(2)).

Full post: COVID-19: Processing of Vaccination Data by Employers in Europe

On October 1, 2020, the Hamburg Data Protection Authority (“Hamburg DPA”) fined H&M, the Swedish clothing company, over €35 million for illegally surveilling employees at its service center in Nuremberg.  This fine is the largest financial penalty issued by a German DPA to date for a violation of the European General Data Protection Regulation (“GDPR”), and the second highest in Europe issued by any DPA (although other DPAs have announced their intention to issue other larger fines).
Full post: H&M Receives Record-Breaking Fine for Employee Surveillance in Violation of the GDPR

By Alyson Sandler

On April 10, Senators Richard Blumenthal (D-CT) and Ed Markey (D-MA) introduced new privacy legislation titled the Customer Online Notification for Stopping Edge-provider Network Transgressions (CONSENT) Act.  In a statement published on his website, Senator Markey referred to the legislation as a “privacy bill of rights” and explained that “[t]he avalanche of privacy violations by Facebook and other online companies has reached a critical threshold, and we need legislation that makes consent the law of the land.”

The CONSENT Act directs the Federal Trade Commission (FTC) to “establish privacy protections for customers of online edge providers.”  These protections include requiring edge providers to notify customers about the collection and use of “sensitive customer proprietary information,” which the Act defines to include, among other things, financial and health information, the content of communications, and web browsing and application usage history.  Customers must also be notified about the types of sensitive customer proprietary information that the edge provider collects, how the information will be used and shared, and the types of entities the edge provider will share the information with.

The centerpiece of the CONSENT Act is its “opt-in” requirement for edge providers to obtain consent from customers for the use of “sensitive information.”  This differs from the model currently employed by most online companies, under which customers may opt out of data collection.  The Act also prohibits an edge provider from refusing to serve customers who do not consent to the use and sharing of their sensitive proprietary information for commercial purposes.
Full post: Senate Democrats Propose CONSENT Act

As readers of the InsidePrivacy blog know, we often save some fun reading on privacy issues for the weekend, given the crush of business during the week.  The past couple of weeks have been a challenging time for the Internet, though, and our thoughts have turned to the darker side of anonymity and privacy.  The scourge of the so-called #GamerGate movement has resulted in stunning threats of violence against women in the gaming community, causing Brianna Wu and Zoe Quinn to leave their homes after a barrage of threats, and forcing media critic Anita Sarkeesian to cancel a public presentation because of a death threat.  Civility online is under siege, and cyberthreats against women seem to be escalating.  Can anything be done?

Fortunately, Maryland law professor Danielle Citron’s new book, Hate Crimes in Cyberspace, has arrived at just the right moment.  Danielle’s work provides a thorough exposition of the problem and clear-minded thinking about potential solutions.  It’s the perfect weekend reading for those, like this writer, who feel a need to find solutions and restore hope in the potential of online discourse.  If you haven’t picked up Danielle’s book yet, there are excellent reviews of it here and here.  It is insightful and thoughtful, and a wonderful contribution to our thinking on these essential issues.
Full post: Privacy Weekend: Provocative Articles We’re Reading Now

The second annual study on data breach preparedness was released by the Ponemon Institute on September 24, and the study indicates that the number of companies that have had a data breach is on the rise.

Ponemon Institute conducts independent research on privacy, data protection, and information security policy.  For the September 2014 study, Is Your Company Ready for a Big Data Breach?, Ponemon Institute surveyed 567 U.S. executives from organizations ranging in size from less than 500 to more than 75,000 employees about how prepared they think their companies are to respond to a data breach.

It appears that for an overwhelming number of the study’s participants, the answer to “Is your company ready for a big data breach?” is, unfortunately, “No.”

Full post: Ponemon Institute Releases Second Annual Study on Data Breach Preparedness

The Federal Trade Commission (“FTC”) has approved final orders settling charges against Fandango and Credit Karma that the companies misrepresented the security of their mobile apps and failed to protect the transmission of consumers’ sensitive personal information.  The FTC specifically alleged that, although the companies made security promises to consumers that their information was adequately

By Dan Cooper and Helena Marttila

On 24 August 2011, the Government of India’s Ministry of Communications & Information Technology finally issued a clarification on the application of the 2011 Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules (the “Rules”). As we blogged here, much ambiguity has surrounded