Page 36 - SMRH Eye on Privacy 2019 Year in Review Brochure
P. 36

personal information and still avoid sending an annual notice include sharing with a third party to perform services for the covered entity, to perform a transaction that a consumer authorizes, or with the consumer’s consent.
PUTTING IT INTO PRACTICE: Entities regulated by the CFTC will now enjoy the same exception to the annual notice requirement as other financial services firms. Companies who are thinking about whether or not the exception applies should examine their sharing practices, as well as understand whether any practices have changed since the last-sent notice.
Will CCPA’s Definition of Consumer Be Narrowed?
Posted on April 11, 2019
In response to the concern of many that the definition of consumer is so broad as to cover employees, a bill has been introduced in California to exclude employees from the scope of CCPA. As those who have been following CCPA are aware, the definition of “consumer” is extremely broad. Under the proposal, amended on March 25 of this year, the definition would specifically exclude from the definition information collected by a business “in the course of a person acting as a job applicant,” employee, contractor, or agent of the business. The carve-out goes on to clarify that this would hold true only if the individual’s information is used “for purposes compatible with the context” in which they gave it to the company.
PUTTING IT INTO PRACTICE: We are continuing to monitor this and other developments of CCPA. No Federal Court Standing for BIPA Violation Without Injury
Posted on January 16, 2019
A lawsuit against US Cold Storage under the Biometric Information Privacy Act was recently dismissed because, the court held, the violations of the law were merely technical. As a result, the plaintiff did not have sufficient standing. This decision echoes the other cases we have reported on recently.
Here, the plaintiff alleges that his former employer collected and stored his fingerprints without his consent. (BIPA requires written notice and consent to collect and use biometric information.) The court concluded that the lack of consent alone did not amount to an injury. In reaching its decision, the court pointed out that the plaintiff knew his fingerprints had been collected. He also knew that his fingerprints were used to track his working hours.
In reaching its decision, the court mirrored other courts that have concluded there has been no injury. In particular, when the person knows their biometric information was collected. Also, when the information hasn’t been shared with any third parties.
PUTTING IT INTO PRACTICE: While BIPA cases are getting dismissed, companies should nevertheless check their fingerprint practices and ensure that they are comfortable with their notice and choice process.
     35 Eye on Privacy 2019 Year in Review























































































   34   35   36   37   38