California Remains a Privacy Bellwether
July 13, 2023
Hello all, and happy Thursday!
We took last week off to celebrate the Fourth of July, and boy, did we miss some headlines.
Let’s start with the CPRA. Businesses who were unable to become CPRA-compliant in time for its July 1st enforcement deadline can breathe a sigh of relief—the California Privacy Protection Agency (CPPA) has pushed enforcement back an entire year to March 29th, 2024. That doesn’t mean businesses subject to the CPRA shouldn’t give a fig about their data collection practices until next year, though.
For one, compliance is a complicated, ongoing process (many businesses who were unable to attain sufficient compliance by July 1 should be aware of that fact). But more importantly, statutory violations of the CPRA—that is, violations of the actual written text of the CPRA as passed by the legislature—are still enforceable. This recent decision applies only to the regulatory requirements established on March 29, 2023—that is, the specific rules set out by the CPPA. In practical terms, this means the enforcement delay shouldn’t affect your efforts at becoming compliant with the CPRA.
Another huge headline in the data privacy world: The EU Commission has ruled the EU-U.S. Data Privacy Framework adequate! Ever since Schrems II invalidated the Privacy Shield in 2020, EU-U.S. data transfers have been on shaky legal ground. This new framework adds a degree of legitimacy and stability that had been lacking in international data transfers—though privacy advocacy groups are already gearing up to challenge the decision.
Last but not least: Meta’s launched its Twitter competitor, Threads. Given the dissolution of Twitter’s data privacy practices and Meta’s already poor track record, we’re obviously watching the new social media platform closely. Things aren’t looking great for Threads from a data privacy perspective; the platform isn’t available in the EU due to the complexity of keeping Threads compliant with EU regulation, which reflects poorly on its likely data privacy practices.
And those are just the major headlines! A dozen more data privacy stories took place while much of the Osano team was at the beach—serves us right for taking a break.
P.S. We’re looking for a strategic, experienced, and empathetic individual to join our growing marketing team as Head of Product Marketing! Take a look at the job description if you or someone you know might be a good fit.
In a recent lawsuit, the California Chamber of Commerce argued that California voters intended for CPRA enforcement to begin one year after the issuance of regulations. Because the California Privacy Protection Agency (CPPA) issued these regulations late, the Superior Court of California ruled that enforcement would begin one year from the actual date the CPPA finalized its regulations—since regulations were issued on March 29, 2023, that means enforcement will begin March 29, 2024, instead of July 1 of this year, as originally planned.
Effective July 11, the EU-U.S. Data Privacy Framework has received an adequacy decision from the European Commission. In essence, this decision concludes that the European Commission believes the Data Privacy Framework ensures U.S. protection of personal data transferred between the countries is comparable to that offered in the EU.
EU member states are not included in the more than 100 countries in which Threads initially launched. Meta spokespeople indicated that the delay was due to the complexity of complying with laws coming into effect next year, which has been interpreted as referring to the EU’s Digital Markets Act.
Beyond Meta’s reluctance to submit to the Digital Markets Act, its new microblogging platform also collects data, including sensitive data, employment data, body and health data, and more, in a way that bumps up against existing EU regulations. What’s more, Threads cannot be deleted unless Instagram is also deleted.
Although the EU Commission has determined that the EU-U.S. Data Privacy Framework is adequate for the protection of EU data, non-profit group NOYB (None of Your Business), led by Austrian privacy activist Max Schrems, vowed to challenge the decision.
Privacy programs are important—but what actually is a privacy program? What sorts of activities will you carry out in your privacy program? This blog lists out the 16 essential elements of a data privacy program, pointing you toward the right privacy and compliance activities to undertake at your organization.
If you’re interested in working at Osano, check out our Careers page! Notably, we’re looking for a strategic, experienced, and empathetic individual to join our growing marketing team as Head of Product Marketing.
Arlo Gilbert is the CEO & co-founder of Osano. An Austin, Texas native, he has been building software companies for more than 25 years in categories including telecom, payments, procurement, and compliance. In 2005 Arlo invented voice commerce; he has testified before Congress on technology issues and is a frequent speaker on data privacy rights.