DoorDash Hit With CCPA Enforcement Action
Hello all, and happy Thursday!Read Now
March 30, 2021
Welcome to Privacy Insider newsletter, a round-up of the week's most important privacy news.
If you're following U.S. states' race to pass privacy laws, there's been movement on three bills that are worth your attention.
In Washington state, the House Committee on Civil Rights & Judiciary passed the Washington Privacy Act (WPA). The bill, which includes a private right of action as a consumer remedy, will be passed on to the appropriation committee. This is significant because it was a private right of action that killed the WPA in its last push for passage. But, as David Stauss writes for JDSupra, this private right of action is more narrow than the previous, increasing the bill's chances for survival.
Washington is keen to get a privacy law on the books (finally) after two failed attempts and a process that began in 2019. Many expected the state to be the next to pass a privacy law after California -- until Virginia swooped in and passed its own.
Second: Oklahoma's House of Representatives passed the Oklahoma Computer Data Privacy Act on March 4. The bill looks a lot like California's Consumer Privacy Act (CCPA), but unlike the CCPA, it would require consumers' opt-in consent before businesses could collect, use or sell their personal information. However, the bill does not allow consumers to pursue a private right of action in its current form. Obviously, industry hates the opt-in consent provisions and loves that the legislation doesn't allow for private lawsuits. And for privacy advocates, the reverse is true.
Lastly, pay attention to Colorado. On March 19, lawmakers introduced the Colorado Privacy Act. The bill would allow consumers to opt-out of businesses' processing of their personal data, unlike Oklahoma's opt-in model. It also includes rights on data access, correction and deletion.
Enjoy reading, and I'll see you next week!
EU Commission reaches draft agreement with South Korea on data flows
The European Commission says it has reached a draft agreement with South Korea on the free flow of data between the two countries, Reuters reports. The agreement, which must now be approved by European Parliament and the European Data Protection Board, follows four years of negotiations. "The European Commission will now proceed with launching the decision-making procedure with a view to having the adequacy decision adopted as soon as possible in the coming months," said a spokesperson for the commission.
Following criticism about the length of time it’s taking the Irish data protection commissioner to resolve investigations of big tech companies like Facebook and Apple, one EU commissioner said the “public squabbles” have to stop. European Commission Vice President Vera Jourova said if data protection authorities can’t “focus on the issues and improve their cooperation,” the EU would “have to consider an intervention probably in the direction of a more centralized model.”
While the tourism and entertainment industries push for a COVID-19 “vaccine passport” to allow those vaccinated to travel more freely, the sensitive health data it would involve is raising privacy concerns, CNBC reports. Singapore Airlines is piloting a “travel pass” the International Air Transport Association launched that incorporates blockchain as a safeguard. The data is stored on a person’s cell phone and not in a centralized database. The EU Commission says its own proposed plan would involve “essential information” only.
Need to data map? Here’s how to get started
Data mapping sounds kind of dreadful, doesn’t it? Overwhelming at least. When you imagine the trails of data stretching for virtual miles at even small companies, mapping where it all leads can feel like an arduous task. And to be honest, it is. This how-to guide aims to inform you of the process, who to involve and what to expect.
When Google announced it would phase-out third-party cookies, it looked like a win for the privacy advocates who’ve been calling the tracking technology a privacy invasion for years. But in response, advertisers and other organizations are finding ways to create what they say is technically “first-party data,” to fuel the ad tech supply chain, Digiday reports. In addition, because the end of third-party cookies is near, there’s been a big push to collect as much first-party data as possible to compensate for the impending loss.
The U.K. government has paused an agreement with data-mining company Palantir after first signing an emergency contract with the firm in December 2020 to help fight COVID-19. Civil liberties organization OpenDemocracy filed legal proceedings against the two-year contract, which would have given Palantir access to the NHS COVID-19 database. The NHS has now agreed to conduct a data protection impact assessment ahead of any new contract, ComputerWeekly reports.
The Osano staff is a diverse team of free thinkers who enjoy working as part of a distributed team with the common goal of working to make a more transparent internet. Occasionally, the team writes under the pen name of our mascot, “Penny, the Privacy Pro.”