At the federal level, HIPAA, in addition to breach notification requirements for federal agencies themselves, requires covered entities to report inappropriate uses or disclosures that threaten the security or privacy of protected health information to the Department of Health and Human Services. If the breach affects more than 500 people, this notification must be made within 60 days of the discovery of the breach in accordance with the data protection rule. The information to be submitted includes information about the company that suffered the breach, the nature of the breach, the time (start and end) of the breach, when the breach was discovered, the type of information disclosed, the safeguards in place prior to the breach, and the actions taken after the breach, including notifications to affected individuals and corrective actions. Currently, three U.S. states have three different comprehensive consumer privacy laws: California (CCPA and its amendment, CPRA), Virginia (VCDPA) and Colorado (ColoPA). Regardless of the state in which a business is located, the rights provided by these laws apply only to persons who live in those states. In addition to financial industry laws and regulations, the major credit card companies require companies that process, store or transmit payment card data to comply with the Payment Card Industry Data Security Standard (PCI-DSS). Much of the data economy that underpins shared products and services is invisible to buyers. As your data is shared among countless third parties, not only are there more companies profiting from your data, but there are also more opportunities for your data to leak or be breached in a way that causes actual harm.
Last year, we saw a news organization use pseudonymous app data, allegedly leaked by an advertiser linked to the dating app Grindr, to expose a priest. We read that the U.S. government buys location data from a prayer app. Researchers have found opioid addiction treatment apps that share sensitive data. And T-Mobile recently suffered a data breach that affected at least 40 million people, some of whom never had a T-Mobile account. Have you ever wondered what types of personal data companies store about you and what they think they know? We tried to find out. It would create stricter rules on the confidentiality of electronic communications and apply not only to the content of communications, but also to "metadata", i.e. data describing other data. In the context of privacy and electronic communications, service providers and electronic communications networks must obtain the prior consent of the user before processing their electronic communications metadata. The definition of a data breach depends on the specific state law, but generally includes unauthorized access to or acquisition of computerized data that compromises the security, confidentiality, or integrity of personal information. In December 2020, the DOJ, with FTC approval, and the attorneys general of California, Illinois, North Carolina and Ohio reached a settlement with a satellite television company to resolve a dispute over a monetary judgment under the TCPA, FTC Act and other federal and state telemarketing laws.
The parties settled the dispute for more than $210 million in penalties, only $70 million less than the 2017 judgment of the U.S. District Court for the Central District of Illinois. HHS faced many challenges related to the COVID-19 pandemic in 2020. Due to the rapid growth of the telemedicine model, HHS necessarily provided flexibility in HIPAA enforcement to ensure continued access to healthcare. To this end, HHS issued Notifications of Enforcement Discretion (NTEs) to healthcare providers, as long as they used videoconferencing in good faith while providing telemedicine services to patients. Nevertheless, active enforcement by HHS returned in Q3 and Q4 2020, with the regulator imposing a $6.85 million penalty under HIPAA related to a malware attack that compromised the personal data of more than 10.4 million people. These rights are specific to each law. Examples of consumer rights to data portability exist under HIPAA, where individuals have the right to request that medical information held by one healthcare provider be transferred to another healthcare provider. In addition, the CCPA provides a right to data portability for California residents. Bills were considered in at least 30 states and Puerto Rico in 2020. As mentioned earlier, few consumer privacy laws were passed in 2020. Michigan's SB 172 changes the requirements for insurers that provide privacy policies to customers, and Virginia's SB 101 allows a dealer to scan the machine-readable area of a person's driver's license for verification purposes, but requires the dealer to destroy the stored information once the purpose for which it was provided and retained has been achieved.
In addition, three California bills have been enacted as follows: AZ HCR 2013 (Status: Failed – Deferred) refers to consumer data, to privacy and to a federal standard. While the FTC did not issue formal guidance following the Schrems II decision, it provided an update indicating that it continues to "expect companies to comply with their ongoing obligations with respect to Privacy Shield transfers" and encourages these companies to adhere to "robust privacy principles." The General Data Protection Regulation (GDPR) defines a data subject as a natural person in the European Union (EU). Personal data under the law is any information relating to an identified or identifiable natural person. "Pseudonymised" data is excluded, but not publicly available data. It is apparent from recital (162) that the GDPR applies to the processing of personal data for statistical purposes. While not specifically a requirement to report data breaches, the Securities Exchange Act and related regulations, including Regulation S-K, require publicly traded companies to disclose in filings with the Securities and Exchange Commission when significant events, including cyber incidents, occur. To the extent that cyber incidents pose a risk to a registrant's ability to record, process, summarize and report information that must be disclosed in filings with the SEC, management should also determine whether there are deficiencies in its disclosure controls and procedures that would render them ineffective. ID HB 492 (Status: Failed – Deferred) sets out certain obligations for users of facial recognition technology, certain rights for individuals whose facial recognition data has been collected, and certain liability obligations for public entities that collect or use facial recognition technology.
WI SB 851 (Status: Failed) concerns consumer data protection, grants regulatory powers and provides for sanctions. At the end of the year, it's safe to say that 2020 wasn't a good year for the passage of state consumer protection laws. Below, we provide updates on the initiatives and studies of the government's Privacy Task Force that have been active throughout the year, as well as a brief overview of the legislative proposals – and a handful of passed laws – that will change the landscape of consumer privacy laws in 2021.
The CPA applies to any business that carries on business in Colorado or that "intentionally directs, manufactures, or provides commercial goods or services to residents of Colorado." Businesses must meet one of two thresholds to be covered by the law, and both thresholds target a minimum number of affected consumers. Companies must control or process (i) the personal data of at least 100,000 consumers or (ii) the personal data of at least 25,000 consumers while generating revenue or receiving a discount from the sale of such data. Finally, in August 2020, the Justice Department indicted the head of security at a ride-sharing company for "obstruction of justice and misconduct of a crime related to an alleged cover-up of a 2016 data breach." While this case is still ongoing, its resolution will be an important signal informing companies' responses to data breaches. At least four other states, Massachusetts, New York, North Carolina and Pennsylvania, currently have serious and comprehensive proposals to protect consumer privacy in committee.