California’s Internet of Things (IoT) law, which goes into effect on January 1, will regulate organizations that manufacture (or contract with another company to manufacture) certain types of connected devices that are sold or offered for sale in California. The law will require IoT device manufacturers to equip each connected device “with a reasonable security feature or features” that are:  Appropriate to the nature and function of the device Appropriate to the information the device…

A “sale” by any other name? “We consider, and think the average consumer would consider, that when information is exchanged across devices and platforms, such that an ad follows the consumer from desktop to phone and from site to site, this constitutes a sale of their personal information from one business to another.” Californians for Consumer Privacy has provided this and other comments on the IAB CCPA framework. Click here for the full statement.…

Prep for CCPA now, enjoy compliance later. The Future of Privacy Forum’s Stacey Gray and Polly Sanderson’s comparison of two federal privacy bills shows that steps businesses are taking to comply with the CCPA will serve them well if a federal law is passed: Revise your privacy notice; draft by category: Both bills require detailed public privacy policies, including: categories of data collected/transferred, processing purposes, retention practices, and how to exercise rights. Address access requests:…

Beware the federal privacy bill. “Although there are key differences, the two [federal privacy] bills also have important similarities:  a set of individual rights combined with boundaries on how businesses collect, use, and share information. individual rights including access, correction, deletion and portability for personal information, along with rights to give “affirmative express consent” before the collection and processing of “sensitive” categories of information and to opt out of the sale or transfer of personal…

If at first you GDPR, CCPA, CCPA again. A new CCPA fact sheet published by the California Attorney General provides a concise summary of the law and sets forth some steps that entities subject to GDPR may need to take to comply with CCPA. This includes: Additional data mapping to reflect the different requirements under CCPA. Review and reconcile the different definitions of personal information and applicable rules on verification for handling consumer requests. Updating…

A new comprehensive federal privacy bill, the Consumer Online Privacy Rights Act (COPRA), has been introduced by Senate Commerce Committee Ranking Member Maria Cantwell (D-Wash.) and Senators Ed Markey (D-Mass.) Brian Schatz (D-Hawaii) and Amy Klobuchar (D-Minn.). Key novel provisions per International Association of Privacy Professionals (IAPP) Research Director Caitlin Fennessy: individual consent for data processing, including express affirmative consent for processing sensitive data “duty of loyalty,” prohibiting covered entities from engaging in deceptive or…

The Digital Advertising Alliance has published guidance on the use of a tool for opt out requests under CCPA under its (voluntary) self-regulatory principles. Takeaways: Both the entity that owns and operates the digital property and collects Personal Information directly from a consumer (publisher) and a third party that indirectly collects Personal Information through the publisher’s digital property (third party) are required to honor California “Do Not Sell” requests. Third Parties: When a consumer exercises…