These rights are statute-specific. Every state has adopted data breach notification legislation that applies to certain types of personal information about its residents. The National Labor Relations Act prohibits employers from monitoring their employees while they are engaged in protected union activities. 5.1 What are the key rights that individuals have in relation to the processing of their personal data? The form of the contract typically is not specified. These settlements are indicative of the changes that the FTC has made to improve its data security related orders. Describe any relevant case law or recent enforcement actions. Its Privacy Rule regulates the collection and disclosure of such information. 1.4 What authority(ies) are responsible for data protection? In October 2021, the DOJ announced a new Civil Cyber-Fraud initiative to pursue cybersecurity-related fraud by government contractors and grant recipients under the False Claims Act. 7.11 Is there a publicly available list of completed registrations/notifications? This is not applicable in our jurisdiction. In 2019, New York expanded its data breach notification law to include the express requirement that entities develop, implement and maintain reasonable safeguards to protect the security, confidentiality and integrity of private information. In 2021, the FTC announced its revisions to its Safeguards Rule under GLBA with major updates to take effect in December 2022. 16.3 Is there a legal requirement to report data breaches to affected data subjects? No such registration/notification is required. Children's information is protected at the federal level under the Children's Online Privacy Protection Act (COPPA) (15 U.S. Code 6501), which prohibits the collection of any information from a child under the age of 13 online and from digitally connected devices, and requires publication of privacy notices and collection of verifiable parental consent when information from children is being collected. 7.12 How long does a typical registration/notification process take? and what issues must it address (e.g., only processing personal data in accordance with relevant instructions, keeping personal data secure, etc.)? The data broker registration fee in Vermont is US$100 and in California it is US$400. Continuing this trend, in March 2022, Utah enacted the Utah Consumer Privacy Act (UCPA), and in May 2022, Connecticut enacted an Act Concerning Personal Data Privacy and Online Monitoring (Connecticut Privacy Act), bringing the number of US states with comprehensive data privacy legislation up to five.
Additionally, the Department of Commerce, Department of Justice, and the Office of the Director of National Intelligence issued a White Paper in September 2020 that provides guidance in light of the Schrems II decision. At the state level, the CCPA alters its right to opt out of sale of personal information for consumers under the age of 16. 11.3 To date, has/have the relevant data protection authority(ies) taken any enforcement action in relation to cookies? governs the privacy and disclosure of personal information gathered by state Departments of Motor Vehicles. While public authorities in the U.S. have not issued formal guidance in relation to the European Commission's revised SCCs, the U.S. did submit comments on the draft SCCs issued in November 2020.
Most states require notification as soon as is practical, and often within 30 to 60 days of discovery of the incident, depending on the statute. 15.2 Is consent or notice required?
This statute addresses Non-Public Personal Information (NPI), which includes any information that a financial service company collects from its customers in connection with the provision of its services. 13.1 What is the permitted scope of corporate whistle-blower hotlines (e.g., restrictions on the types of issues that may be reported, the persons who may submit a report, the persons whom a report may concern, etc.)? Upcoming laws in Virginia, Colorado, Utah, and Connecticut will incorporate this term; however, these will not be applicable until 2023. Employee privacy rights, like those of any individual, are based on the principle that an individual has an expectation of privacy unless that expectation has been diminished or eliminated by context, agreement, notice, or statute. In Vermont, the penalty is US$50 per day in addition to the registration fee of US$100. Whether the sanctions are civil and/or criminal depends on the relevant statute. Although we are yet to see the impact of these provisions on the advertising ecosystem, this will likely prove to be a space to watch over the coming years. Children's information is protected at the federal level under the Children's Online Privacy Protection Act (COPPA) (15 U.S. Code 6501). The CPRA will extend the written contract requirement to contractors. Similarly, the Cable Communications Policy Act of 1984 includes provisions dedicated to the protection of subscriber privacy (47 U.S. Code 551). 17.3 Describe the data protection authority's approach to exercising those powers, with examples of recent cases. If so, how is this enforced? Some states are more active than others when it comes to data protection. Triggering personal information varies by statute, with most including an individual's first name or first initial and last name, together with a data point, including the individual's Social Security Number, driver's licence or state identification card number, financial account number or payment card information.
As of May 2018, all 50 states, the District of Columbia, Guam, Puerto Rico and the U.S. Virgin Islands have statutes that require data breaches to be reported, as defined in each statute, to impacted individuals. California's requirement went into effect in 2020, and similarly applies to the knowing collection and sale of personal information regarding consumers with which the business does not have a direct relationship (Cal. Requirements under state data privacy legislation vary by jurisdiction. 10.3 Please describe any legislative restrictions on the sending of marketing via other means (e.g., for marketing by telephone, a national opt-out register must be checked in advance; for marketing by post, there are no consent or opt-out requirements, etc.). Rather than opt out, businesses are prohibited from selling personal information of consumers under the age of 16, without affirmative authorisation from a consumer aged 13 to 15 or from the parent or legal guardian of a consumer under the age of 13. These rights are statute-specific. Law 899-bb) identifies a series of administrative, technical, and physical safeguards which, if implemented, are deemed to satisfy New York's reasonableness standard under the law. The comments do not provide any specific guidance for companies, but rather reflect a concern that the draft revised SCCs may interfere with government efforts to protect public safety and national security along with joint US-EU cooperation on these issues. The CPRA, Virginia CDPA, the Colorado Privacy Act, the Utah Consumer Privacy Act, and the Connecticut Privacy Act will provide a similar right.
These rights are statute-specific. Key sector-specific laws include those covering financial services, healthcare, telecommunications, and education. If it is prohibited or discouraged, how do businesses typically address this issue? The FTC has also indicated that it will initiate rulemaking proceedings in an attempt to expand its enforcement authority in the areas of artificial intelligence, privacy and cybersecurity.
To the extent cyber incidents pose a risk to a registrant's ability to record, process, summarise and report information that is required to be disclosed in filings with the SEC, management should also consider whether there are any deficiencies in its disclosure controls and procedures that would render them ineffective. Code 1798.99.82). Covered entities include those banks, mortgage companies, insurance companies, and cheque-cashers otherwise regulated by the NYDFS. It also requires the truncation of credit card numbers on printed receipts, requires the secure destruction of certain types of personal information, and regulates the use of certain types of information received from affiliated companies for marketing purposes. Overall, there was an increase in BIPA settlements in 2021 compared to 2020. If so, what are the relevant factors? The Utah Consumer Privacy Act will provide a slightly narrower right to restrict processing for the purposes of sale or targeted advertising. In January 2019, the Illinois Supreme Court offered an expansive reading of the protections of the BIPA, holding that the law does not require individuals to show they suffered harm other than a violation of their legal rights to sue. In early 2021, the FTC finalised a settlement with a videoconferencing company accused of participating in unfair and deceptive practices regarding user security. Additionally, many states apply deceptive practices statutes to impose penalties or injunctive relief in similar circumstances, or where violation of a federal statute is deemed a deceptive practice under state law. Fees vary by state. The firms settled the three actions with penalties totalling US$750,000. The FTC has taken the position that deceptive practices include a company's failure to comply with its published privacy promises and its failure to provide adequate security of personal information, in addition to its use of deceptive advertising or marketing methods.
Prior express written consent is required under the TCPA before certain marketing texts may be sent to a mobile telephone line. Businesses established in other jurisdictions may be subject to both federal and state data protection laws for activities impacting United States residents whose information the business collects, holds, transmits, processes or shares. F. Paul Pittman. The Illinois Biometric Information Privacy Act (BIPA) is notable as, at the time of writing, the only state law regulating biometric data usage that allows private individuals to sue and recover damages for violations. 7.3 On what basis are registrations/notifications made (e.g., per legal entity, per processing purpose, per data category, per system or database)?
Some laws only permit federal government enforcement, some allow for federal or state government enforcement, and some allow for enforcement through a private right of action by aggrieved consumers. Right to complain to the relevant data protection authority(ies). 2002-2022 Copyright: ICLG.com. Similarly, the Virginia CDPA, Colorado Privacy Act, the Utah Consumer Privacy Act, and the Connecticut Privacy Act will require controllers to enter into contracts with processors. It also prescribes limitations on the use of telephone marketing, including, for instance, limiting the time of day for marketing calls, requiring the caller to provide an opt-out of future calls, and limiting the use of pre-recorded messages. Extraterritorial enforcement of a U.S. law would depend on a number of factors, including whether the entity is subject to the jurisdiction of the U.S. courts, the impact on U.S. commerce and the impact on U.S. residents, among other factors. In March 2022, the DOJ entered into its first settlement for nearly US$1 million with a global medical services provider for misrepresenting to the State Department that it met contractual requirements to maintain a HIPAA-compliant electronic medical records system, while knowing that the system contained data security gaps. In the absence of a data privacy framework at the federal level, states continue to pursue legislation. 17.1 Describe the enforcement powers of the data protection authority(ies).
In addition to financial industry laws and regulation, the major credit card companies require businesses that process, store or transmit payment card data to comply with the Payment Card Industry Data Security Standard (PCI-DSS). Under the CCPA, the contract must restrict the service provider from retaining, using, or disclosing personal information for any purpose other than performance of the services specified in the contract. At the state level, California residents may report alleged violations of the CCPA to the California Attorney General. White & Case. The International Comparative Legal Guides and the International Business Reports are published by Global Legal Group. The FTC remained active in regulating data security and privacy issues in 2021. When made pursuant to Mutual Legal Assistance Treaties, information requests are typically processed through the USDOJ, which works with the local U.S. Attorney's Office and local law enforcement, prior to review by a federal judge and service on the U.S. company. 10.4 Do the restrictions noted above apply to marketing sent from other jurisdictions? Some state laws, such as the CCPA, provide a right of deletion for residents of the respective states, with certain exceptions. Additionally, the Virginia CDPA, Colorado Privacy Act, the Utah Consumer Privacy Act, and the Connecticut Privacy Act will each require that a contract set forth instructions for processing, including the type of data subject to processing and the nature and purpose of processing, and set specific requirements regarding engagement of subcontractors. 11.1 Please describe any legislative restrictions on the use of cookies (or similar technologies). Enforcement authority, including whether a regulator may ban a particular processing activity, is specified in the relevant statutes.
At the state level, the CCPA provides a right of access for California residents to personal information held by a business relating to that resident. Legislation in Virginia, Colorado, Utah, and Connecticut has taken a similar approach to their respective definitions of consumer. If so, which entities are responsible for ensuring that data are kept secure (e.g., controllers, processors, etc.)? Nevertheless, Q3 and Q4 of 2020 saw the return of HHS's active enforcement, which continued through 2021, with the regulator issuing a US$5.1 million penalty under HIPAA in relation to a malware attack that compromised the personal data of over 9.3 million people. To this end, in 2020, HHS issued NDEs (Notification of Enforcement Discretion) to healthcare providers so long as they exercised good-faith use of videoconferencing while providing telehealth services to patients. The Telephone Consumer Protection Act (TCPA) (47 U.S. Code 227) and associated regulations regulate calls and text messages to mobile phones, and regulate calls to residential phones that are made for marketing purposes or using automated dialling systems or pre-recorded messages. Some state Attorneys General have also offered resources on their websites for victims of identity theft and for companies suffering data security breaches. At the time of writing, additional federal legislation that would increase protections for children's privacy online has been introduced and is currently pending.
Massachusetts, for example, has strong data protection regulations (201 CMR 17.00), requiring any entity that receives, stores, maintains, processes, or otherwise has access to personal information of a Massachusetts resident in connection with the provision of goods or services, or in connection with employment, (a) to implement and maintain a comprehensive written information security plan (WISP) addressing 10 core standards, and (b) to establish and maintain a formal information security programme that satisfies eight core requirements, which range from encryption to information security training. 12.5 What guidance (if any) has/have the data protection authority(ies) issued in relation to the European Commission's revised Standard Contractual Clauses published on 4 June 2021? Vermont and California maintain publicly available lists of registered data brokers. Specifically, in 2020, California amended the CCPA with the California Privacy Rights Act (CPRA), which expanded the rights granted to consumers and increased compliance obligations on businesses. 12.1 Please describe any restrictions on the transfer of personal data to other jurisdictions. For breaches affecting more than 500 residents of a state or jurisdiction, covered entities must provide local media notice, in addition to individual notices. The required disclosure must include how the operator responds to so-called "do not track" signals or other similar mechanisms. 3.1 Do the data protection laws apply to businesses established in other jurisdictions? 8.6 What are the responsibilities of the Data Protection Officer as required by law or best practice? While not specifically a data breach notification obligation, the Securities and Exchange Act and associated regulations, including Regulation S-K, require public companies to disclose in filings with the Securities and Exchange Commission when material events, including cyber incidents, occur.
In addition, the FTC's Commissioners have continued to emphasise their commitment to pursuing enforcement actions against companies that engage in unfair or unreasonable privacy and data security practices. However, since the invalidation of the Privacy Shield Framework in Schrems II, the mechanisms to govern data transfers from the EU to the U.S. are limited largely to use of SCCs, BCRs, or derogations. This is not yet applicable in our jurisdiction. Anonymous reporting generally is permitted. By way of example, under the TCPA, individuals are permitted to withdraw consent given to receive certain types of calls or texts to residential or mobile telephone lines. More recently, we have seen a number of states push towards enacting comprehensive consumer data privacy laws. As described above, the FCC has become more aggressive in its enforcement of the Truth in Caller ID Act and issued its largest ever fine of US$225 million against health insurance telemarketers for making one billion illegally spoofed robocalls. With respect to receiving data from abroad, prior to Schrems II, the EU-US Privacy Shield Framework provided a mechanism to comply with data protection requirements when transferring personal data from the European Union to the United States. By way of example, individuals may report unwanted or deceptive commercial email (spam) directly to the FTC, and telemarketing violations directly to the FCC. Several laws permit consumers to restrict marketing activities involving their personal data. Some states provide individuals with the right not to have telephone calls recorded without either consent of all parties to the call or consent of one party to the call. Further, the CPRA will also increase administrative fines to US$7,500 for any violation involving personal information of minors under the age of 16. 9.2 If it is necessary to enter into an agreement, what are the formalities of that agreement (e.g., in writing, signed, etc.)?
This is not applicable to our jurisdiction. 18.2 What guidance has/have the data protection authority(ies) issued? We anticipate that the following topics will remain hot over the next year: state-level consumer data privacy law initiatives will continue to proliferate as more states move laws through their legislatures, possibly driving action at the federal level, including possible rulemaking proceedings by the FTC; issues surrounding the collection and protection of biometric information (especially in relation to student privacy); consumer access to financial relief and other remedies when their data protection rights are violated, even in the absence of a showing of harm; issues surrounding AdTech and targeted behavioural advertising; issues relating to automated decision making fuelled by artificial intelligence and machine learning; an increased focus by legislators and regulators alike on cybersecurity issues, particularly in the wake of data breaches and ransomware attacks involving significant technology vendor software and industrial operations; and targeting of cryptocurrency and digital assets such as non-fungible tokens by cybercriminals. The FTC recommends privacy-by-design practices that implement reasonable restrictions on the retention of data, including disposal once the data has outlived the legitimate purpose for which it was collected. The Family Educational Rights and Privacy Act (FERPA) (20 U.S.C. For example, the New York Department of Financial Services (NYDFS) adopted regulations in 2017 that obligate all regulated entities to adopt a cybersecurity programme and cybersecurity governance processes. Civ. 2446). As described more fully below, other federal statutes primarily address specific sectors, such as financial services or healthcare.
In contrast, business-to-business telephone communications, except those intended to induce the retail sale of non-durable office or cleaning supplies, are exempt from the Telemarketing Sales Rule described in question 9.3 below. Data broker registration for both Vermont and California may be completed online. If the appointment of a Data Protection Officer is only mandatory in some circumstances, please identify those circumstances. Even if a business does not have a physical presence in a particular state, it typically must comply with the state's laws when faced with the unauthorised access to, or acquisition of, personal information it collects, holds, transfers or processes about that state's residents. 10.2 Are these restrictions only applicable to business-to-consumer marketing, or do they also apply in a business-to-business context? covers common issues including relevant legislation and competent authorities, territorial scope, key principles, individual rights, registration formalities, appointment of a data protection officer and processors. Due to rapid growth of the telehealth model, HHS necessarily provided flexibility in its enforcement of HIPAA to ensure continued access to healthcare. White & Case, Shira Shamir. 8.4 Can a business appoint a single Data Protection Officer to cover multiple entities? Potential sanctions are statute/regulator-specific. For example, eighteen states have adopted the Insurance Data Security Model Law developed by the National Association of Insurance Commissioners. The Video Privacy Protection Act (VPPA) (18 U.S. Code 2710 et seq.) 16.4 What are the maximum penalties for data security breaches? By way of example, in 2020, the HHS and the attorneys general of 42 states entered into a US$39.5 million settlement with a health insurer in relation to a data breach affecting the health records of over 79 million individuals.
For instance, under CAN-SPAM, marketing emails or emails sent for the primary purpose of advertising or promoting a commercial product or service may be sent to those not opting out, provided the sender is accurately identified, the subject line and text of the email are not deceptive, the email contains the name and address of the sender, the email contains a free, simple mechanism to opt out of future emails, and the sender honours opt-outs within 10 days of receipt. This act established the national Do Not Call list of telephone numbers that cannot be used for marketing communications (calls and texts) and disclosure requirements for companies engaging in telephone marketing. While there is no "lawful basis for processing" requirement under U.S. law, the FTC recommends that businesses provide notice to consumers of their data collection, use and sharing practices and obtain consent in limited circumstances where the use of consumer data is materially different from what was claimed when the data was collected, or where sensitive data is collected for certain purposes. For example, under certain circumstances, employees are entitled to receive copies of data held by employers. Penalties are statute- and fact-specific. At the federal level, other than breach notification requirements pertaining to federal agencies themselves, HIPAA requires Covered Entities to report impermissible uses or disclosures that compromise the security or privacy of protected health information to the Department of Health and Human Services. The Computer Fraud and Abuse Act and the Electronic Communications Privacy Act, as well as state surveillance laws, may come into play where cookies collect information from the computer on which they are placed and report that information to the entity placing the cookies without proper consent.
The standard for when notification is required varies from unauthorised access to personal information, to unauthorised acquisition of personal information, to misuse of or risk of harm to personal information. The FTC also continued to increase its efforts to enforce obligations for the protection of children's privacy under the Children's Online Privacy Protection Act (COPPA). When required or voluntarily obtained, employers typically obtain consent for employee monitoring through acceptance of employee handbooks, and may provide notice by appropriately posting signs. Other federal statutes have opt-out rather than opt-in consent requirements. Some states include additional triggering data points, such as date of birth, mother's maiden name, passport number, biometric data, employee identification number or username and password. Under many state data protection statutes, a consumer is an individual who engages with a business for personal, family or household purposes. These rights are statute-specific. Most statutes define a breach of the security of the system as involving unencrypted computerised personal information, but some states include personal information in any format. This is not yet applicable in our jurisdiction. In addition, with the growing prevalence of telemarketers using spoofed caller IDs, the FCC is becoming more aggressive with its enforcement of the Truth in Caller ID Act. The information to be submitted varies by state but generally includes a description of the incident, the types of information exposed, the timing of the incident and its discovery, actions taken to prevent future occurrences, information about steps individuals should take to protect themselves, information resources, and any services offered to impacted individuals such as credit monitoring.
In addition, the FTC Act and state deceptive practices acts have underpinned regulatory enforcement and private class action lawsuits against companies that failed to disclose or misrepresented their use of tracking cookies. Significantly, New York's SHIELD Act (N.Y. Gen. Bus. If no legal requirement exists, describe under what circumstances the relevant data protection authority(ies) expect(s) voluntary breach reporting. There is no single principal data protection legislation in the United States (U.S.). The states that have mandated data broker registration generally do not require a specific description of relevant data processing activities. 17.4 Does the data protection authority ever exercise its powers against businesses established in other jurisdictions? It is noted that the FTC, which regulates deceptive practices, has brought enforcement actions relating to the transmission of marketing emails or telemarketing calls by companies who have made promises in their publicly posted privacy policies that personal information will not be used for marketing purposes.
Additionally, the Department of Commerce, Department of Justice, and the Office of the Director of National Intelligence issued a White Paper in September 2020 that provides guidance in light of the Schrems II decision. At the state level, the CCPA alters its right to opt out of sale of personal information for consumers under the age of 16. 11.3 To date, has/have the relevant data protection authority(ies) taken any enforcement action in relation to cookies? governs the privacy and disclosure of personal information gathered by state Departments of Motor Vehicles. While public authorities in the U.S. have not issued formal guidance in relation to the European Commissions revised SCCs, the U.S. did submit comments on the draft SCCs issued in November 2020.
Most states require notification as soon as is practical, and often within 30 to 60 days of discovery of the incident, depending on the statute. 15.2 Is consent or notice required?
These rights are statute-specific. Key sector-specific laws include those covering financial services, healthcare, telecommunications, and education. Data Protection > If it is prohibited or discouraged, how do businesses typically address this issue? The FTC has also indicated that it will initiate rulemaking proceedings in an attempt to expand its enforcement authority in the areas artificial intelligence, privacy and cybersecurity.
To the extent cyber incidents pose a risk to a registrants ability to record, process, summarise and report information that is required to be disclosed in SEC Commission filings, management should also consider whether there are any deficiencies in its disclosure controls and procedures that would render them ineffective. Code 1798.99.82). Covered entities include those banks, mortgage companies, insurance companies, and cheque-cashers otherwise regulated by the NYDFS. It also requires the truncation of credit card numbers on printed receipts, requires the secure destruction of certain types of personal information, and regulates the use of certain types of information received from affiliated companies for marketing purposes. Overall, there was an increase in BIPA settlements in 2021 compared to 2020. If so, what are the relevant factors? The Utah Consumer Privacy Act will provide a slightly narrower right to restrict processing for the purposes of sale or targeted advertising. In January 2019, the Illinois Supreme Court offered an expansive reading of the protections of the BIPA, holding that the law does not require individuals to show they suffered harm other than a violation of their legal rights to sue. In early 2021, the FTC finalized a settlement with a videoconferencing company accused of participating in unfair and deceptive practices regarding user security. Additionally, many states apply deceptive practices statutes to impose penalties or injunctive relief in similar circumstances, or where violation of a federal statute is deemed a deceptive practice under state law. Fees vary by state. The firms settled the three actions with penalties totalling US$750,000. The FTC has taken the position that deceptive practices include a companys failure to comply with its published privacy promises and its failure to provide adequate security of personal information, in addition to its use of deceptive advertising or marketing methods. 
Prior express written consent is required under the TCPA before certain marketing texts may be sent to a mobile telephone line. Businesses established in other jurisdictions may be subject to both federal and state data protection laws for activities impacting United States residents whose information the business collects, holds, transmits, processes or shares. F. Paul Pittman The Illinois Biometric Information Privacy Act (BIPA) is notable as, at the time of writing, the only state law regulating biometric data usage that allows private individuals to sue and recover damages for violations. 7.3 On what basis are registrations/notifications made (e.g., per legal entity, per processing purpose, per data category, per system or database)?
Some laws only permit federal government enforcement, some allow for federal or state government enforcement, and some allow for enforcement through a private right of action by aggrieved consumers. Right to complain to the relevant data protection authority(ies). "Juan Rodriguez - Sullivan & Cromwell LLP, London, 2002-2022 Copyright: ICLG.com | Privacy policy | Cookie policy, Juan Rodriguez - Sullivan & Cromwell LLP, London, Economic Crime Prevention and Compliance London 2022. Similarly, the Virginia CDPA, Colorado Privacy Act, the Utah Consumer Privacy Act, and the Connecticut Privacy Act will require controllers to enter into contracts with processors. It also proscribes limitations on the use of telephone marketing, including, for instance, limiting the time of day for marketing calls, requiring the caller to provide an opt-out of future calls, and limiting the use of pre-recorded messages. Upcoming laws in Virginia, Colorado, Utah, and Connecticut will incorporate this term; however, these will not be applicable until 2023. Extraterritorial enforcement of a U.S. law would depend on a number of factors, including whether the entity is subject to the jurisdiction of the U.S. courts, the impact on U.S. commerce and the impact on U.S. residents, among other factors. In March 2022, the DOJ entered into its first settlement for nearly US$1 million with a global medical services provider for misrepresenting to the State Department that it met contractual requirements to maintain a HIPAA-compliant electronic medical records system, while knowing that the system contained data security gaps. In the absence of a data privacy framework at the federal level, states continue to pursue legislation. 17.1 Describe the enforcement powers of the data protection authority(ies). 
In addition to financial industry laws and regulation, the major credit card companies require businesses that process, store or transmit payment card data to comply with the Payment Card Industry Data Security Standard (PCI-DSS). Under the CCPA, the contract must restrict the service provider from retaining, using, or disclosing personal information for any purpose other than performance of the services specified in the contract. At the state level, California residents may report alleged violations of the CCPA to the California Attorney General. The FTC remained active in regulating data security and privacy issues in 2021. When made pursuant to Mutual Legal Assistance Treaties, information requests are typically processed through the USDOJ, which works with the local U.S. Attorney's Office and local law enforcement, prior to review by a federal judge and service on the U.S. company. 10.4 Do the restrictions noted above apply to marketing sent from other jurisdictions? Some state laws, such as the CCPA, provide a right of deletion for residents of the respective states, with certain exceptions. Additionally, the Virginia CDPA, Colorado Privacy Act, the Utah Consumer Privacy Act, and the Connecticut Privacy Act will each require that a contract set forth instructions for processing, including the type of data subject to processing and the nature and purpose of processing, and set specific requirements regarding engagement of subcontractors. 11.1 Please describe any legislative restrictions on the use of cookies (or similar technologies). Enforcement authority, including whether a regulator may ban a particular processing activity, is specified in the relevant statutes.
At the state level, the CCPA provides a right of access for California residents to personal information held by a business relating to that resident. Legislation in Virginia, Colorado, Utah, and Connecticut has taken a similar approach to the respective definitions of consumer. If so, which entities are responsible for ensuring that data are kept secure (e.g., controllers, processors, etc.)? Nevertheless, Q3 and Q4 of 2020 saw the return of HHS's active enforcement, which continued through 2021, with the regulator issuing a US$5.1 million penalty under HIPAA in relation to a malware attack that compromised the personal data of over 9.3 million people. To this end, in 2020, HHS issued Notifications of Enforcement Discretion (NDEs) to healthcare providers so long as they exercised good-faith use of videoconferencing while providing telehealth services to patients. The Telephone Consumer Protection Act (TCPA) (47 U.S. Code 227) and associated regulations regulate calls and text messages to mobile phones, and regulate calls to residential phones that are made for marketing purposes or using automated dialling systems or pre-recorded messages. Some state Attorneys General have also offered resources on their websites for victims of identity theft and for companies suffering data security breaches. At the time of writing, additional federal legislation that would increase protections for children's privacy online has been introduced and is currently pending.
Massachusetts, for example, has strong data protection regulations (201 CMR 17.00), requiring any entity that receives, stores, maintains, processes, or otherwise has access to personal information of a Massachusetts resident in connection with the provision of goods or services, or in connection with employment, (a) to implement and maintain a comprehensive written information security plan (WISP) addressing 10 core standards, and (b) to establish and maintain a formal information security programme that satisfies eight core requirements, which range from encryption to information security training. 12.5 What guidance (if any) has/have the data protection authority(ies) issued in relation to the European Commission's revised Standard Contractual Clauses published on 4 June 2021? Vermont and California maintain publicly available lists of registered data brokers. Specifically, in 2020, California amended the CCPA with the California Privacy Rights Act (CPRA), which expanded the rights granted to consumers and increased compliance obligations on businesses. 12.1 Please describe any restrictions on the transfer of personal data to other jurisdictions. For breaches affecting more than 500 residents of a state or jurisdiction, covered entities must provide local media notice, in addition to individual notices. The required disclosure must include how the operator responds to so-called "do not track" signals or other similar mechanisms. 3.1 Do the data protection laws apply to businesses established in other jurisdictions? 8.6 What are the responsibilities of the Data Protection Officer as required by law or best practice? While not specifically a data breach notification obligation, the Securities and Exchange Act and associated regulations, including Regulation S-K, require public companies to disclose in filings with the Securities and Exchange Commission when material events, including cyber incidents, occur.
In addition, the FTC's Commissioners have continued to emphasise their commitment to pursuing enforcement actions against companies that engage in unfair or unreasonable privacy and data security practices. However, since the invalidation of the Privacy Shield Framework in Schrems II, the mechanisms to govern data transfers from the EU to the U.S. are limited largely to use of SCCs, BCRs, or derogations. This is not yet applicable in our jurisdiction. Anonymous reporting generally is permitted. By way of example, under the TCPA, individuals are permitted to withdraw consent given to receive certain types of calls or texts to residential or mobile telephone lines. More recently, we have seen a number of states push towards enacting comprehensive consumer data privacy laws. As described above, the FCC has become more aggressive in its enforcement of the Truth in Caller ID Act and issued its largest ever fine of US$225 million against health insurance telemarketers for making one billion illegally spoofed robocalls. With respect to receiving data from abroad, prior to Schrems II, the EU-US Privacy Shield Framework provided a mechanism to comply with data protection requirements when transferring personal data from the European Union to the United States. By way of example, individuals may report unwanted or deceptive commercial email (spam) directly to the FTC, and telemarketing violations directly to the FCC. Several laws permit consumers to restrict marketing activities involving their personal data. Some states provide individuals with the right not to have telephone calls recorded without either consent of all parties to the call or consent of one party to the call. Further, the CPRA will also increase administrative fines to US$7,500 for any violation involving personal information of minors under the age of 16. 9.2 If it is necessary to enter into an agreement, what are the formalities of that agreement (e.g., in writing, signed, etc.)
This is not applicable to our jurisdiction. 18.2 What guidance has/have the data protection authority(ies) issued? We anticipate that the following topics will remain hot over the next year: state-level consumer data privacy law initiatives will continue to proliferate as more states move laws through their legislatures, possibly driving action at the federal level, including possible rulemaking proceedings by the FTC; issues surrounding the collection and protection of biometric information (especially in relation to student privacy); consumer access to financial relief and other remedies when their data protection rights are violated, even in the absence of a showing of harm; issues surrounding AdTech and targeted behavioural advertising; issues relating to automated decision making fuelled by artificial intelligence and machine learning; an increased focus by legislators and regulators alike on cybersecurity issues, particularly in the wake of data breaches and ransomware attacks involving significant technology vendor software and industrial operations; and targeting of cryptocurrency and digital assets such as non-fungible tokens by cybercriminals. The FTC recommends privacy-by-design practices that implement reasonable restrictions on the retention of data, including disposal once the data has outlived the legitimate purpose for which it was collected. The Family Educational Rights and Privacy Act (FERPA) (20 U.S.C. For example, the New York Department of Financial Services (NYDFS) adopted regulations in 2017 that obligate all regulated entities to adopt a cybersecurity programme and cybersecurity governance processes. Civ. 2446). As described more fully below, other federal statutes primarily address specific sectors, such as financial services or healthcare.
In contrast, business-to-business telephone communications, except those intended to induce the retail sale of non-durable office or cleaning supplies, are exempt from the Telemarketing Sales Rule described in question 9.3 below. Data broker registration for both Vermont and California may be completed online. If the appointment of a Data Protection Officer is only mandatory in some circumstances, please identify those circumstances. Even if a business does not have a physical presence in a particular state, it typically must comply with that state's laws when faced with the unauthorised access to, or acquisition of, personal information it collects, holds, transfers or processes about that state's residents. 10.2 Are these restrictions only applicable to business-to-consumer marketing, or do they also apply in a business-to-business context? covers common issues including relevant legislation and competent authorities, territorial scope, key principles, individual rights, registration formalities, appointment of a data protection officer and processors. Due to rapid growth of the telehealth model, HHS necessarily provided flexibility in its enforcement of HIPAA to ensure continued access to healthcare. 8.4 Can a business appoint a single Data Protection Officer to cover multiple entities? Potential sanctions are statute/regulator-specific. For example, eighteen states have adopted the Insurance Data Security Model Law developed by the National Association of Insurance Commissioners. The Video Privacy Protection Act (VPPA) (18 U.S. Code 2710 et seq.) 16.4 What are the maximum penalties for data security breaches? By way of example, in 2020, the HHS and the attorneys general of 42 states entered into a US$39.5 million settlement with a health insurer in relation to a data breach affecting the health records of over 79 million individuals.
For instance, under CAN-SPAM, marketing emails or emails sent for the primary purpose of advertising or promoting a commercial product or service may be sent to those not opting out, provided the sender is accurately identified, the subject line and text of the email are not deceptive, the email contains the name and address of the sender, the email contains a free, simple mechanism to opt out of future emails, and the sender honours opt-outs within 10 days of receipt. This act established the national Do Not Call list of telephone numbers that cannot be used for marketing communications (calls and texts) and disclosure requirements for companies engaging in telephone marketing. While there is no "lawful basis for processing" requirement under U.S. law, the FTC recommends that businesses provide notice to consumers of their data collection, use and sharing practices and obtain consent in limited circumstances where the use of consumer data is materially different from what was claimed when the data was collected, or where sensitive data is collected for certain purposes. For example, under certain circumstances, employees are entitled to receive copies of data held by employers. Penalties are statute- and fact-specific. At the federal level, other than breach notification requirements pertaining to federal agencies themselves, HIPAA requires Covered Entities to report impermissible uses or disclosures that compromise the security or privacy of protected health information to the Department of Health and Human Services. The Computer Fraud and Abuse Act and the Electronic Communications Privacy Act, as well as state surveillance laws, may come into play where cookies collect information from the computer on which they are placed and report that information to the entity placing the cookies without proper consent.
The standard for when notification is required varies from unauthorised access to personal information, to unauthorised acquisition of personal information, to misuse of or risk of harm to personal information. The FTC also continued to increase its efforts to enforce obligations for the protection of children's privacy under the Children's Online Privacy Protection Act (COPPA). When required or voluntarily obtained, employers typically obtain consent for employee monitoring through acceptance of employee handbooks, and may provide notice by appropriately posting signs. Other federal statutes have opt-out rather than opt-in consent requirements. Some states include additional triggering data points, such as date of birth, mother's maiden name, passport number, biometric data, employee identification number or username and password. Code 1798.99.82). Under many state data protection statutes, a consumer is an individual who engages with a business for personal, family or household purposes. These rights are statute-specific. Most statutes define a breach of the security of the system as involving unencrypted computerised personal information, but some states include personal information in any format. This is not yet applicable in our jurisdiction. In addition, with the growing prevalence of telemarketers using spoofed caller IDs, the FCC is becoming more aggressive with its enforcement of the Truth in Caller ID Act. The information to be submitted varies by state but generally includes a description of the incident, the types of information exposed, the timing of the incident and its discovery, actions taken to prevent future occurrences, information about steps individuals should take to protect themselves, information resources, and any services offered to impacted individuals such as credit monitoring.
In addition, the FTC Act and state deceptive practices acts have underpinned regulatory enforcement and private class action lawsuits against companies that failed to disclose or misrepresented their use of tracking cookies. Significantly, New York's SHIELD Act (N.Y. Gen Bus. If no legal requirement exists, describe under what circumstances the relevant data protection authority(ies) expect(s) voluntary breach reporting. There is no single principal data protection legislation in the United States (U.S.). The states that have mandated data broker registration generally do not require a specific description of relevant data processing activities. 17.4 Does the data protection authority ever exercise its powers against businesses established in other jurisdictions? It is noted that the FTC, which regulates deceptive practices, has brought enforcement actions relating to the transmission of marketing emails or telemarketing calls by companies that have made promises in their publicly posted privacy policies that personal information will not be used for marketing purposes.