Page 13 - SMRH Eye on Privacy 2019 Year in Review Brochure

Indeed, the FTC has continued to bring enforcement actions against companies falsely claiming participation in Privacy Shield. In early December, the FTC settled with four companies on this issue, bringing the total number of Privacy Shield enforcement actions to 21 since 2016. In one case, the company’s privacy policy indicated that it participated in the program, even though its certification had lapsed. In another case, the company stated in its privacy policy that it “agreed to adhere to the Privacy Shield Principles,” and that it would “comply with the” framework. It had also started an application with the Department of Commerce. However, it didn’t finish that process. The FTC found the statements made in the privacy policy misleading, insofar as they represented that the company was a participant.
PUTTING IT INTO PRACTICE: As we enter into 2020, companies should keep in mind not just new laws like CCPA (and any others that might get issued next year). Existing privacy laws and principles also will continue to impact privacy statements. When updating and reviewing their privacy policies, businesses should take the opportunity to review their policies for accuracy, and should consider building into their privacy program methods for keeping their statements current.
California Follows Vermont, Requires Data Broker Registration
Posted on October 14, 2019
Joining Vermont, California will now require data brokers to register with the California Attorney General. The law was signed October 11, 2019. It applies to companies that “knowingly” collect and sell personal information about consumers with whom they do not have a “direct relationship.” They must register with the AG by January 31, 2020.
For purposes of the law, a sale is defined as it is under CCPA: namely, giving personal information to third parties either for money or for “other valuable consideration.” The authors of the law compare data brokers and more typical ecommerce businesses. With the former, the consumer does not know about the company’s use of her information or how to control that use.
To register, data brokers will need to provide information and pay a fee to the AG. The AG will collect brokers’ contact information and, according to the law, brokers can provide information about their data collection practices. The AG will keep a public list on its website of registered data brokers. There are some exceptions to the registration requirement. These include companies regulated by GLB and FCRA. Companies that do not register as required face potential civil penalties of $100 for each day they fail to register.
PUTTING IT INTO PRACTICE: Companies considered “data brokers” will need to address this new registration requirement, in addition to that which exists in Vermont, as we have written about before.
Brazil’s New Privacy Law One Year Away
Posted on August 20, 2019
Global corporations will soon have another privacy law acronym to address. In one year (August 2020), Brazil will join the fray with its own general privacy law, the Lei Geral de Proteção de Dados Pessoais (General Data Privacy Law or LGPD). The law was passed in 2018, and is set to go into effect a year from now. While the law was designed to be similar to the EU’s GDPR, it is not identical. Individuals will receive very similar access and deletion rights. Like GDPR, the law also contemplates data impact assessments, and provisions in contracts between controllers and processors of personal data. Also like GDPR, the law has extraterritorial impact, applying to those who process or collect information in Brazil, even if the entity is itself outside of the country. There are, though, differences between LGPD and GDPR. For example, the amount of time to respond to individuals’ rights requests will be shorter. The