Most of the time, when you read a new law, the most important detail is the effective date. After all, that's the date you must comply with the law, right?
While that's true for California's newest privacy law, there's a catch: the California Privacy Rights Act contains a provision requiring organizations to be able to provide consumers access to all the data collected about them starting a full year before the law becomes effective on Jan. 1, 2023. So, if your roadmap to comply with California stretched over the next two years, you'll want to pay attention to this.
It's a sneaky provision that could bite you if you don't.
In this week's lead story, journalist Sam Pfeifle explains in-depth what you must do to comply with the California law. But here are the highlights on key changes within the CPRA:
- Even companies that simply "share" data are now covered by the CPRA; it's not just those that sell it.
- You must tell consumers the service providers and third parties with whom you share data.
- If a consumer asks that you delete their data, you also have to extend that deletion to anyone with whom you've shared that data.
These provisions operationalize the CPRA's requirement that consumers have the "right to access" their data. Under the previous law, the California Consumer Privacy Act, this was called the "right to know," but its name was revised.
It's an important enough topic that we're going to have a Twitter Spaces chat about it this week. If you're interested in learning more about how to comply with the CPRA's look back, join us Thursday, Oct. 14, for a 20-minute briefing at this link. For details beforehand, or if you're just not into Twitter, check out Sam Pfeifle's piece for us below.
Enjoy reading, and I'll see you next week!
How to comply with that sneaky 'look-back' provision in California's new privacy law
We’re closing in on Jan. 1, 2023, when the California Privacy Rights Act (CPRA) will come into effect. It replaces the California Consumer Privacy Act, making it look a bit more like Europe’s privacy law. And while the effective date is technically 2023, there’s a sneaky provision embedded in the legislation that requires organizations to be able to show consumers all the data they’ve collected about them starting on Jan. 1, 2022. A whole year ahead of time. Here’s what you need to do to prepare.
Report: More breaches in 2021 to date than in all of 2020
The number of data breaches this year has already surpassed the total number in 2020, Fortune reports. According to an Identity Theft Research Center report, there have been 1,291 data breaches so far this year. In 2020, there were 1,108 in total. The most popular hacking tools related to cyberattacks have been phishing and ransomware.
European Parliament vote calls for a ban on facial recognition
Last week, the European Parliament called for a ban on police use of facial recognition technology in public places and in predictive policing, Politico reports. “This is a huge win for all European citizens,” said Peter Vitanov, who introduced the adopted resolution. While it doesn’t change anything legally, the resolution indicates how Parliament might vote in upcoming negotiations on an artificial intelligence bill drafted by the European Commission, which calls for restrictions on facial recognition technology.
Japanese tech giant hit by cyberattack on US systems
Japanese technology company Olympus has confirmed it was hit by a cyberattack that shut down its systems in the U.S., Canada and Latin America last weekend, TechCrunch reports. It’s the second time Olympus has reported an attack in two months, though the previous incident affected its European, Middle East and Africa networks. A ransomware note indicated BlackMatter, a ransomware-as-a-service group, was responsible. It’s unclear whether the same group conducted this hack. Olympus said its investigation is ongoing, and it will provide updates as information becomes available.
California governor signs genetic data privacy and security law
Last week, California Gov. Gavin Newsom signed legislation aiming to better protect individuals from identity theft. AB 825 expands the definition of personal data within state data breach requirements to include biometric data. SB 41 establishes the Genetic Information Privacy Act, which will require genetic data companies like 23andMe, among others, to tell consumers about their data practices and disclosures. It requires consumers’ express consent for a genetic testing company to share data with law enforcement. The rules take effect Jan. 1, 2022.
Google removes ‘stalkerware’ app ads
Google has removed several ads selling “stalkerware” to consumers for violating its policies, TechCrunch reports. The spyware apps target parents who want to monitor their children’s messages and locations. But they’re often used by abusers to spy on their spouses’ phones, the report states. The rise in such nefarious uses in recent years prompted the Federal Trade Commission to take action against spyware developers. In August, Google banned apps designed to spy on another person without their authorization. Google found ads from five stalkerware app makers as recently as last week.