Some thoughts from the interactive ad industry on CCPA compliance from a new IAB CCPA Benchmark survey. Allowing the placement of third party trackers for the purpose of advertising is likely a sale. Participants down the advertising chain are sometimes “businesses,” sometimes “service providers” and sometimes “third parties.” Many give CCPA rights to individuals outside California. Deeper dive into these and other insights from the IAB CCPA Benchmark survey in this client alert.…

The European Commission has issued long-awaited draft Standard Contractual Clauses and they have something for everyone… Annexes and pick-and-choose modules (C2C, C2P, P2P, P2C). Lots of emphasis on the laws of the country of transfer and pushing back on government requests. Reiteration of some Article 26 (joint controller agreement) and Article 28 (data processor agreement) provisions. Requirements for transparency to the individuals. Individual redress, third party beneficiary and liability as among the entities Details in …

Brace yourselves, the post-Schrems II supplemental measures are coming! The European Data Protection Board adopted recommendations on measures that supplement transfer tools to ensure compliance with the European Union level of protection of personal data, as well as recommendations on the European Essential Guarantees for surveillance measures. “The implications of the Schrems II judgment extend to all transfers to third countries. Therefore, there are no quick fixes, nor a one-size-fits-all solution for all transfers, as…

“The LGPD replicates the GDPR’s extraterritorial scope and then takes it one giant step further. The LGPD, like the GDPR, applies to processing carried out in Brazil, as well as processing related to the offering or provision of goods or services to individuals in Brazil,” writes Caitlin Fennessy for IAPP, the International Association of Privacy Professionals. “Importantly…if your company is processing personal data related to individuals in Brazil, the LGPD ( Lei Geral de Proteção …

Denmark’s Data Protection Authority Datatilsynet  has published an article emphasizing the importance of providing encrypted means for communicating personal information: Authorities and companies must, as data controllers, ensure — on the basis of an assessment of the risk to citizens’ rights — that they establish appropriate security measures. This means, among other things, that authorities and companies are responsible for establishing secure transmission solutions that address the identified risks to citizens — not only when…

The Board of Governors of the Federal Reserve System, the Office of the Comptroller of the Currency  and the Federal Deposit Insurance Corporation are issuing an interagency paper on Sound Practices to Strengthen Operational Resilience. Key takeaways re: third party management Identify and analyze third-party risk of critical operations and core business lines. Prioritize third-party dependencies that are most significant. Establish relationships with third parties through formal agreements. Establish processes and benchmarks for monitoring third…

The Gibraltar Regulatory Authority has issued helpful guidance on data protection considerations for the use of video conferencing applications (VCAs). Key recommendations: Consider the implications of VCAs and their compliance with data protection laws to choose the one best suited to your organization’s needs. Establish appropriate technical and organizational security measures to protect personal data when using VCAs. Establish data protection policies where proportionate. Consider transparency and fairness when using VCAs, particularly if monitoring staff.…