Privacy

My Friends Call Me Murphy … You Call Me RoboCall

Pesky telemarketing calls that plagued consumers in the 1990s were severely reined in through a combination of technology, such as caller ID, and legislation, such as the Telephone Consumer Protection Act of 1991 (“TCPA”). The TCPA regulates unsolicited marketing activities directed at residential telephones, including land lines and mobile phones by voice call or text. Among other things, the TCPA, as amended over the years:

  1. Established the national Do Not Call registry whereby consumers may register their numbers and organizations may be fined for directing unsolicited marketing activities to those registrants’ phones;
  2. Restricts the time periods during which unsolicited marketing calls and texts may be sent;
  3. Prohibits the use of pre-recorded phone contacts, such as robocalls and robotexts; and
  4. Prohibits the use of automated dialing technologies, such as autodialers.

Importantly, there are several phone and text activities that are exempt from TCPA regulation. Unsolicited marketing contact by phone from charities, political groups, debt collectors, surveys, and companies the recipient has either recently done business with or has given written permission may be exempted from certain TCPA regulations. In addition, if the nature of the unsolicited contact is not to market goods and services to consumers, it would not run …

State of US State Comprehensive Privacy Laws

Following the lead of California and then Virginia, Colorado recently became the third U.S. state to pass a comprehensive law providing its residents with personal data privacy rights. While there is significant overlap between how each of these state laws defines who it applies to and what consumer rights are granted, there are several key differences, including the scope of consumers’ opt-out rights:

These states make up a combined 16% of the U.S. population, making it increasingly difficult for even strictly U.S.-focused organizations to fall out of scope of comprehensive data security and privacy laws requiring, for example, the use of data protection assessments.

The U.S. regulatory landscape continues to evolve on a nearly weekly basis. Indeed, similar comprehensive bills have already been introduced in Massachusetts, New York, and Illinois. As more states pass legislation related to collecting personal information, it remains imperative for businesses to stay updated on how each state regulates this activity.…

EU’s New Standard Contractual Clauses Go into Effect This Week

A year ago, the Court of Justice of the European Union invalidated the U.S. Privacy Shield framework as an adequate safeguard under the General Data Protection Regulation (GDPR), which had previously been a popular safeguard mechanism to cover the export of personal data from the EU to the U.S. While the same decision also held that another GDPR-sanctioned cross-border transfer safeguard mechanism – Standard Contractual Clauses (SCCs) – remained valid, the Court took the opportunity to note in its decision that the then-current SCCs may not go far enough to safeguard the rights of European data subjects.

SCCs are pre-approved contractual terms between an EU controller or processor and a non-EU processor or sub-processor. By adopting them into a contractual arrangement where an EU party is transferring personal information to another country, the international transfer is said to have adopted “adequate safeguards” under Article 46 and should avoid running afoul of the GDPR’s restriction on such transfers. The SCCs the Court opined on pre-dated the GDPR, and there has been a push to update them since the GDPR went into effect on May 25, 2018. On June 4, 2021, the European Commission announced it had finally approved new versions …

Florida Gone Wild: Back-to-Back “Breaking News” on Privacy Law Leads to No News

Breaking news out of Florida: On April 21, 2021, the Florida House, in a near unanimous vote, passed the Florida Privacy Protection Act (FPPA). Largely modeled after the California Consumer Privacy Act (CCPA), the FPPA would have made Florida the third state to pass a comprehensive privacy and data security law, following Virginia’s passage of its Consumer Data Protection Act (CDPA).

Just as quickly as it passed the Florida House, though, it was killed by the Senate on April 30, 2021, after disagreement between the House and Senate as to whether the bill should give individuals a private right of action to sue companies that violate their privacy rights under the FPPA. The pro-private-right-of-action camp believes a privacy act without a private right of action is an impotent law, while the anti-private-right-of-action camp believes the right unduly burdens businesses with costly compliance obligations.

Washington’s version of the CCPA, the Washington Privacy Act, suffered a similar fate a month ago after a similar fallout over the same private right of action question.

The failure of both Washington and Florida to pass comprehensive privacy laws – along with California’s and Virginia’s passage of comprehensive privacy laws that include a private right …

Top Tips for Drafting Privacy Notices

If your website collects information about its visitors, whether by name or anonymously, you are almost certainly required to make specific public disclosures about your treatment of this data and offer visitors information on what rights may be available to them. This information is typically reflected in a privacy policy or privacy notice – for simplicity, we will use the term “privacy notice” – posted to your company’s website. The granularity and type of disclosures required, along with the scope of rights you must provide to visitors under applicable law, largely depends on the geographic areas where your visitors reside. It also depends on whether you are collecting “garden variety” information, like names and contact information, or highly regulated data, like children’s, health or financial data.

The United States remains one of the few developed countries without a central, comprehensive federal privacy and data security law. Accordingly, websites that only collect information from U.S. residents have some of the loosest requirements with respect to disclosures and rights. However, most U.S. states have some sort of data security and privacy law requiring websites to post a privacy notice. The Federal Trade Commission (FTC) has broad authority to regulate activities deemed …

GDPR Operational Compliance: Don’t Stop at Updating Your Website Privacy Notice

Europe’s General Data Protection Regulation (“GDPR”) is much more than a reminder to update your organization’s website privacy notice. While an updated privacy notice is one of the more public-facing steps an organization can take to comply with the GDPR, the majority of fines lodged by regulators under the GDPR relate to organizations’ operations unrelated to their privacy policy. Below are just a few steps you should be taking to become compliant.

  1. Adopt Appropriate Security Measures: The GDPR requires organizations to implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk posed to individuals by the organization’s processing of their personal data. This is a flexible standard, and while no specific measure is strictly prescribed by the GDPR, hundreds of organizations have already been fined for failing to implement appropriate security measures. For instance, sanctions have been imposed for failing to encrypt personal data, failing to train employees on data security, failing to conduct risk assessments, and even inadvertent disclosures due to human error.
  2. Ensure There Is a ‘Lawful Basis’ for Processing Personal Data: there are six, and only six, justifications (each called a “lawful basis”) for processing personal data

Privacy Shield Struck Down by EU Court as Acceptable Mechanism to Transfer EU Personal Data to U.S.

One of the more operationally challenging components of the General Data Protection Regulation (GDPR) was the restriction on transferring European personal data to recipients outside of the European Economic Area (EEA). Essentially, unless an exception or some additional GDPR-approved mechanism applies, European personal data cannot be transferred to non-EEA countries unless the data is being transferred:

  • within a related multinational group of companies who have adopted an internal code of conduct (called “binding corporate rules”) that applies to restricted transfers of personal data from the group’s EEA entities to non-EEA group that has been approved by an EEA supervisory authority;
  • between an EEA-based data exporter and a non-EEA-based data importer who have entered into a contractual agreement that adopts a set of “standard contractual clauses” adopted by the European Commission; or
  • to a jurisdiction that the European Commission has issued an “adequacy decision,” finding that such jurisdiction has adopted “adequate” data protection safeguards. As of the writing of this article, this list of jurisdictions was limited to Andorra, Argentina, commercial organizations in Canada, Faroe Islands, Guernsey, Israel, Isle of Man, Japan, Jersey, New Zealand, Switzerland, and Uruguay. Importantly, up until last week, U.S.

How Many Website Privacy Policies to Maintain in Preparation for GDPR?

Under the GDPR, data controllers are tasked with communicating to data subjects how their data is processed in a way that is both concise and transparent. From a consumer-protection perspective, this is undoubtedly one of the regulation’s more commendable requirements; as many who have drafted website privacy policies understand, there is often tension between the twin goals of concision and transparency. Providing fully transparent disclosure about data-processing activities, while keeping such disclosures brief and easily readable, can be a tricky balance to strike.

One question the GDPR may prompt is whether it makes sense for an organization to maintain separate residency-dependent privacy policies, or a single, all-encompassing policy. There are pros and cons to each, and what works best for a particular organization will often depend on the operational impact of each, as well as the usability of each by the relevant data subjects.

The Multiple Privacy Policies Approach

Organizations that treat data-subject information differently depending on its origination point, or that opt not to extend the enhanced protections offered under the GDPR to non-European data subjects, may prefer to maintain separate residency-dependent privacy policies.

In this instance, the benefit is that each policy can be tailored, …

Data Mining and GDPR Compliance: Dealing with Obtaining EU Personal Information from Third Parties Under the GDPR (Including a Notification Checklist!)

As the effective date of the General Data Protection Regulation (GDPR) draws near, companies that collect, process, and use data relating to EU citizens need to be thinking proactively about issues they will face under the new directive. This post summarizes the discrete issue of how companies should start to manage data mining and data usage activities. Stay tuned as we continue to keep you updated in this space.

As most are probably by now aware, the GDPR seeks to regulate the use and disclosure of the personal data of all individuals within the 28 EU member states. Though passed into law in May 2016, it does not become enforceable until May 25, 2018. Unlike most privacy regulations in the U.S., the EU defines the term “personal data” broadly—it includes “any information relating to an identified or identifiable natural person (the ‘data subject’).” This means that even the most basic contact information, such as business card details or simply a name and email address, falls under the GDPR’s protections. Public sources of information, such as a residential phone listing, are not exempted from the GDPR’s restrictions.

To legally handle EU personal information harvested from third-party sources after May 25, …

Test Your GDPR Preparedness: 7 Questions to Ask Your Team

With only 100 days to go until the General Data Protection Regulation becomes enforceable on May 25, it is increasingly imperative for organizations that process information relating to an identified/identifiable European person to have a firm grasp on what the regulation entails, as well as any associated impacts on business that can be reasonably expected. Here are seven key questions to ask yourself, your team, or your project manager, to gauge how prepared your organization is to meet the requirements under the GDPR.

  1. Has our data been inventoried and mapped, such that we have a complete understanding of our data flow?

An essential prerequisite to developing a GDPR compliance plan is to have a detailed understanding of the lifecycle of the personal data processed by the organization. It is impractical to implement a reasonable GDPR compliance plan if the organization does not thoroughly understand the personal information it processes, how it was collected, where it is stored, and where and to whom it is transferred. The GDPR identifies specific categories of information that it expects organizations to keep records on, with respect to data processing.

  2. When personal information about people is collected indirectly from third-party sources (e.g., public databases,
