.svg){kind=small}
.svg){kind=small}
.svg){kind=small}
.svg){kind=small}
.svg){kind=small}
.svg){kind=small}
.svg){kind=small}
.svg){kind=small}
.svg){kind=small}
.svg){kind=small}
.svg){kind=small}
.png?width=148&height=200&name=Privacy%20Insider%20Book%20(mock%20w%20shadow).png)
.svg){kind=small}
.svg){kind=small}
.svg){kind=small}
.svg){kind=small}
.svg){kind=small}
Hello all, and happy Thursday!
There are lots of interesting stories in this week’s newsletter that I’d love to dig into, but in the interest of your time, I’ll limit myself to just one. Given the recent update to the CPRA enforcement timeline, it seems best to turn our attention to the Golden State.
Lawyers and privacy experts met at the California Lawyers Association Privacy Summit a few weeks ago. Notably, the summit included several panels hosted by privacy regulators (including California Privacy Protection Agency [CPPA] Deputy Director Macko)—and anytime a regulator speaks, it’s worth listening. Here are some of the takeaways that stood out to the Osano team in the event coverage:
- 2024 may very well be the year of privacy enforcement in California. As we covered last week, CPRA enforcement is live, and regulators are eager to show their bite matches their bark.
- The top priorities regulators identified for enforcement centered on privacy notices, opt-out-of-sale/sharing rights, and children’s privacy.
- Potential fines expected to be "significant," and other remedies (such as providing annual reports, being prohibited from business-critical activities, being subject to ongoing monitoring) are being considered too. Notably, CPPA Deputy Director Macko said that the Agency’s typical investigation uncovers “hundreds or even thousands of violations.” Regulators can seek fines of up to $7,500 per violation under the CPRA.
- Regulators’ current sweeps are focused on streaming services and employers’ compliance.
- Although the CPRA cure period has expired, regulators signaled that they would consider factors such as (1) cooperation during investigation, (2) good faith effort to comply, and (3) whether other remedies are available.
- The CPPA and Attorney General are looking at how companies are operationalizing privacy beyond just paying lip service to their privacy policies.
All in all, CPRA regulators seemed intent on showing that they are serious about enforcement. This can all seem pretty intimidating, but it’s important to remember: CPRA enforcement isn’t about generating revenue for the state of California; it’s about protecting Californian consumers. Regulators can and will look favorably at businesses that are doing their best effort to get compliant.
Best,
Arlo
Top Privacy Stories of the Week
Oman Data Protection Regulation Now in Force
A new privacy regulation is to come into force in Oman, adding to the growing wave of privacy laws in the Middle East (including Saudi Arabia and Jordan). Among other characteristics, the new law appears to align with GDPR in regard to RoPAs, policies, SRRs, breach notifications, and other requirements.
Potential CPRA Fines “Significant,” According to California Lawyers Association Privacy Summit
Lawyers and privacy regulators gathered in Los Angeles last week for the second annual California Lawyers Association Privacy Summit. Notable takeaways included that 2024 is anticipated to be a major year for privacy enforcement; fines will be “significant” and accompanied by other, non-financial remedies; major enforcement focus will be paid to privacy notices, Do Not Sell/Share rights, children's privacy; and much more.
Ireland's High Court to Allow Schrems into Meta Data Transfer Case
Privacy rights campaigner Max Schrems secured the High Court’s permission to participate in Meta’s challenge to a decision requiring the suspension of the transfer and storage of user data from Europe to the US. Schrems sought to be joined as a notice party in both cases, which both Meta and Ireland’s Data Protection Commission (DPC) opposed. However, Schrems argued he has a “clear vital and direct interest” in the proceedings, as the entire inquiry into data transfers came into existence because of an original complaint he made to the DPC in 2013.
Mozilla Research Finds AI Companian Apps Fail Privacy Checks
A new category of AI chatbots serving as fantasy girlfriends fails many privacy and security standards, according to Mozilla research. Mozilla looked at AI chatbots such as iGirl: AI Girlfriend, Romantic AI, Genesia, Replika, and others, finding that many are intentionally vague about the AI training behind the bot, where their data comes from, how they protect information, and their responsibilities in case of a data breach.
Two New Irish Data Protection Commissioners Appointed
Dr. Des Hogan and Mr. Dale Sunderland have been appointed to Ireland’s Data Protection Commission (DPC), taking effect February 20, 2024, for a five-year term. The appointment is significant, as 85% of the fines issued across Europe last year, including the EU, EEA, and UK, were issued by the DPC on foot of detailed and comprehensive investigations. Ireland’s DPC as a whole carries significant weight in terms of GDPR enforcement across the EU.
Osano Blog: CPRA Enforcement: Frequently Asked Questions
With the early arrival of CPRA enforcement, we’re fielding a lot of questions about what this means for businesses, how to interpret CPRA requirements, and more. Check out our blog post to review answers to some of the most frequently asked questions on CPRA enforcement.
If you’re interested in working at Osano, check out our Careers page! Right now, we’re looking for a Lead Privacy Architect—check out the job description here to see if you’d be a good fit.
