Senators Introduce Bipartisan Bill to Update Children’s Online Privacy Rules
Senators Edward J. Markey (D-Mass.) and Bill Cassidy (R-La.) introduced the Children and Teens’ Online Privacy Protection Act, legislation that updates online data privacy rules so that both children and teenagers are protected online. The bill amends the Children’s Online Privacy Protection Act (COPPA) by prohibiting internet companies from collecting personal information from anyone 13 to 15 years old without the user’s consent; creating an online “Eraser Button” by requiring companies to let users delete personal information collected from a child or teen; and establishing a “Digital Marketing Bill of Rights for Minors” that limits the collection of personal information from teens. The bill also creates a first-of-its-kind Youth Privacy and Marketing Division at the Federal Trade Commission (FTC), which would be responsible for the privacy of children and minors and for marketing directed at them.
Executive Order on Improving the Nation’s Cybersecurity
President Biden has signed an executive order (EO) to improve U.S. cybersecurity. The EO removes barriers to sharing threat information between the Federal Government and the private sector, mandates stronger cybersecurity standards within the Federal Government, improves software supply chain security, establishes a cybersecurity safety review board, and more. Notably, the EO states that cybersecurity requires more than government action and directs the Federal Government to partner with the private sector. It also calls on the private sector to adapt to the continuously changing threat environment, to ensure that its products are built and operate securely, and to partner with the Federal Government to foster a more secure cyberspace.
New York City Establishes Biometric Privacy Law for Commercial Establishments
This bill addresses the increased collection and use of biometric identifier information, such as facial recognition technology, by commercial establishments to track consumer activity. Specifically, the bill amends the administrative code of the city of New York to require businesses to notify customers of the use of biometric identifier technology and to prohibit the sale of biometric identifier information. It requires certain commercial establishments, such as retailers, restaurants, and entertainment venues, to post signs notifying consumers that they collect biometric identifier information. The bill provides a private right of action, with damages of $500 for failing to post signage or for negligently selling or sharing biometric information, and $5,000 for the intentional or reckless sale of biometric information.
SEC Charges Broker-Dealer for Failures Related to Filing Suspicious Activity Reports
The Securities and Exchange Commission announced settled charges against GWFS Equities Inc. (GWFS), a Colorado-based registered broker-dealer and affiliate of Great-West Life & Annuity Insurance Company, for violating the federal securities laws governing the filing of Suspicious Activity Reports (SARs). According to the SEC’s order, from September 2015 through October 2018, GWFS was aware of increasing attempts by external bad actors to gain access to the retirement accounts of individual plan participants. The order further finds that GWFS was aware that the bad actors attempted or gained access by, among other things, using improperly obtained personal identifying information of the plan participants, and that the bad actors frequently were in possession of electronic login information such as user names, email addresses, and passwords. “Across the financial services industry, we have seen a large increase in attempts by outside bad actors to gain unauthorized access to client accounts,” said Kurt L. Gottschall, Director of the SEC’s Denver Regional Office. “By failing to file SARs and by omitting information it knew about the suspicious activity it did report, GWFS deprived law enforcement of critical information relating to the threat that outside bad actors pose to retirees’ accounts, particularly when the unauthorized account access has been cyber-enabled.”
CISA Releases Statement on Spearphishing Campaign
The Cybersecurity and Infrastructure Security Agency (CISA) has released the following statement regarding a spearphishing campaign targeting government organizations, intergovernmental organizations (IGOs), and non-governmental organizations (NGOs): “CISA and the FBI are engaged in addressing malicious activity by a cyber-threat actor that leveraged an account hosted by a third-party email service to send malicious emails to approximately 350 organizations, including federal agencies and NGOs. At this point, CISA has not identified a significant impact on federal government agencies resulting from these activities. CISA continues to work with the FBI to understand the scope of these activities and assist potentially impacted entities. While many organizations have controls in place to block malicious emails and prevent associated impacts, we encourage all organizations to review our Activity Alert and take steps to reduce their exposure to these types of threats.”
Non-profit Group Issues 500 Complaints For Unlawful Cookie Banners, With Plans to Issue 10,000 Complaints
The consumer activist group noyb sent over 500 draft complaints to companies that use unlawful cookie banners, making this the largest wave of complaints since the GDPR came into force. Under the law, users must be given a clear yes/no option for consent. Because most banners do not comply with the requirements of the General Data Protection Regulation (GDPR), noyb developed software that recognizes various types of unlawful cookie banners and automatically generates complaints. However, noyb will give companies a one-month grace period to comply with EU law before filing the formal complaint. Over the course of a year, noyb intends to use this system to check the compliance of up to 10,000 of the most visited websites in Europe.
Fine for Not Having an EU Representative
Among the requirements of the GDPR, many companies overlook the obligation to appoint a representative in the EU. Research has found that more than 90% of the companies that participated in the EU-U.S. Privacy Shield and had no EU location failed to appoint an EU representative. For several years no fines were issued for failing to appoint a representative, which may have eased concerns. That regulatory inaction ended on May 12, when the Netherlands’ data protection authority, the Autoriteit Persoonsgegevens (DPA), issued the first fine for failure to appoint a representative. The DPA fined a Canadian website 525,000 euros, plus 20,000 euros for every two weeks the appointment is not made, up to a maximum of 120,000 euros in periodic penalties. In its decision, the DPA stated that the fine was in line with the Dutch Fining Policy Rules and well within the maximum fine of 10 million euros permitted for this noncompliance.
New Standard Contractual Clauses
The European Commission adopted two new sets of standard contractual clauses: one for use between controllers and processors, and one for the transfer of personal data to third countries. They reflect new requirements under the GDPR and take into account the Schrems II judgment of the Court of Justice, ensuring a high level of data protection for citizens. The new clauses are intended to offer more legal predictability to businesses and to help small and medium enterprises in particular comply with the requirements for safe data transfers, while allowing data to move freely across borders without legal barriers. They also take into account the joint opinion of the European Data Protection Board and the European Data Protection Supervisor, feedback from stakeholders during a broad public consultation, and the opinion of Member States’ representatives. Controllers and processors currently using the previous sets of standard contractual clauses are given a transition period of 18 months.
Ecuador Approves Data Protection Law
On May 10, 2021, Ecuador’s legislators approved the Organic Law on Personal Data (Data Protection Law). The Data Protection Law is modeled on the GDPR and requires data controllers to implement safeguards to protect personal data, appoint a data protection officer, and provide notice to individuals before processing certain personal data. The Data Protection Law also (1) establishes a national data protection authority; (2) regulates cross-border data transfers; and (3) grants Ecuadorians rights such as the right to request access to, amendment of, and deletion of their personal data. Penalties for violations range from 0.1% to 1% of a company’s annual revenue.
Draft Personal Information Protection Law of China
The Personal Information Protection Law is expected to become the first piece of legislation in China dedicated to the protection of personal information. The second version of the draft requires that the processing of personal information follow the principles of “minimum necessary” and “minimum impact on individuals’ rights and interests”. Other provisions address issues such as consent: personal information processors are generally required to obtain individuals’ consent before processing, and may not refuse to provide products or services on the ground that an individual has declined to consent. The draft also includes provisions on extraterritorial application, cross-border transfer of personal information, and financial penalties for infringement.
Reported Breaches in New Zealand Nearly Double After New Privacy Act
The New Zealand Office of the Privacy Commissioner (OPC) recorded a 97% increase in privacy breach notifications during the first four months under the new Privacy Act, compared with the six months before the Act took effect. Under the new Privacy Act, organizations and businesses that experience a privacy breach that has caused, or has the potential to cause, serious harm must report it to the OPC. They can do so using OPC’s online NotifyUs reporting tool. More than half of the privacy breaches reported to the OPC involved emotional harm, and about one-third resulted in a risk of identity theft or financial harm.