Free, SPOKES Privacy Virtual Conference June 22 and 23



  • Privacy Law Update

Privacy Law Update: December 20, 2021

Stay up to date with this weekly release covering key developments on data privacy laws, technology, and other hot privacy topics!

Newsworthy Updates

Digital Markets Act: Parliament ready to start negotiations with Council

Parliament gave its green light to begin negotiations with member states on rules setting out what big online platforms will be allowed to do and not do in the EU.  The Digital Markets Act (DMA) proposal blacklists certain practices used by large platforms acting as “gatekeepers” and enables the Commission to carry out market investigations and sanction non-compliant behaviours.  The text approved by Parliament with 642 votes in favour, 8 against and 46 abstentions sets new obligations and prohibitions directly applicable to such platforms, with a view to ensuring fair and open markets.

CCPA releases public comments for CPRA regulations

The California Privacy Protection Agency published the public comments from its stakeholder consultation on California Privacy Rights Act regulations. The comment periods were conducted Sep. 22 to Nov. 8 and broken up into four sections. The CPPA intends to have additional informational hearings to gather more feedback toward its rulemaking process. Formal rulemaking activities will begin at the conclusion of the agency’s fact gathering, which has no set timetable.

Mozilla rolls out GPC for all Firefox users, but enforcement limited to two states

Mozilla has expanded its implementation of Global Privacy Control (GPC) to all users after rolling it out on a limited basis in October.  The feature — which tells websites not to sell or share your personal data — was only available in Firefox Nightly, their pre-release channel. GPC will be available for all Firefox users to turn on if they wish to. Unfortunately for most US users, this feature may not have much effect. The GPC is required under the California Consumer Protection Act (CCPA) and Europe’s Global Data Protection Regulation (GDPR), as well as Colorado’s privacy law, but no other states have laws that will enforce it.

FTC takes steps toward privacy, AI rulemaking

As the debate rages on regarding whether the U.S. Federal Trade Commission should or could begin rulemaking on privacy, the commission has signaled it is not willing to wait for a consensus. On Dec. 10, the FTC filed an Advanced Notice of Proposed Rulemaking with the Office of Management and Budget that initiates consideration of a rulemaking process on privacy and artificial intelligence.

Why Ohio’s data privacy bill is on hold for now

State lawmakers are considering a bill that’s meant to protect data of Ohioans. The legislation spells out who can access data and how they can do it. But the bill has been put on hold right now.

The way the third-party cookie crumbles: Part 1 – EU and UK developments

Third-party cookies have long been “the glue that holds together the independent ad tech world.” Far surpassing their original purpose of giving “memory” to websites, these cookies are heavily relied upon by marketers to analyze and track online users. Indeed, cookie-based targeted advertisements are the reason why websites can sustain their “free” business models. But what’s good for industry has not been good for user privacy—and the tide is starting to turn.

Privacy Legislation

Future proof your privacy program with WireWheel’s Trust Access and Consent Center and WireWheel’s Privacy Operations Manager.

Request Demo
  • Privacy

Third-Party Risks for Data Privacy are Everywhere

Brainstorming Solutions to Supplier Management

Everybody has a process in place to demonstrate that you [the vendor] can be trusted to perform services for your client. This means a lot of paperwork and sometimes a lot of redundancy for suppliers.

All of this takes time and effort and energy to manage. What would be some potential solutions to resolve that friction for both the suppliers and for their potential clients? What are the pain points?

—Josh Harris, BBB National Programs

“One of the most obvious answers,” says Amazon’s Kelly Peterson Miranda, “is our legal obligations are growing and interoperability between those legal obligations is not always there for in-house privacy program managers who are trying to operationalize privacy programs.

“The privacy team for controllers is about oversight. How do you have adequate oversight? What are all the ingress points that are generated by third-party relationships?

“It’s not always procurement, right? Engineering is establishing third-party relationships: marketing teams are establishing third-party relationships. So, it’s about gaining the right handle on your third-party landscape and knowing who is responsible for ongoing oversight over those relationships.”

Kelly Peterson Miranda and CJ Utter met with Josh Harris for a wide-ranging Q&A during the fall session of the widely attended Spokes Privacy Technology Conference to brainstorm solutions to supplier management and risk mitigation.

Kelly is a Data Privacy Principal at Amazon and CJ Utter is Privacy Counsel for Vizio. The session’s MC, Josh Harris, is  BBB National Programs Director, Global Privacy Initiatives.

The lifecycle of third-party risk mitigation

Kelly notes that one of the challenges is “putting together an effective program to manage the relationship lifecycle.” While there is a concerted focus during onboarding, what happens afterward can be harder to pin down.

“That’s where some privacy programs start to struggle and start to deal with scalability issues”

For small to medium organizations, it typically comes down to resource management: there are not enough people and there may not be a budget for a technology-based resource to help.

For larger organizations, it comes down to creating something that provides a breadth of oversight that is scalableaccurate, [and] continuous – not something that’s a point-in-time compliance activity.

—Kelly Peterson Miranda, Amazon

CJ agrees. “It seems like there is so much effort upfront, so much due diligence, and then as the contract proceeds, or as the business relationship proceeds, the due diligence goes on the back burner.” Often there is little, if anything at all, in place that completes the data management and risk assessment lifecycle.

At the outset “You’re getting the questions answered. You understand their business relationship, you understand the use of the data, and what they’re doing to protect that data,” continues CJ. But clear to the end of the relationship cycle? Can you “confirm that they no longer have that data in their possession? That it’s been destroyed?” cautions Utter. Does the third party still have an “amount of data in their possession for legal regulations and what is required under whatever applicable law framework that they comply with?”

What’s your risk appetite?

What about an “annual or biannual risk assessments being done in house? Is this something that you would recommend undertaking? Any challenges, you see in that?” asks Josh:

CJ is quick to point out the likely bandwidth challenges.

You can think about a lot of different things that would trigger a risk assessment such as a security breach or if the relationship has changed. Typically, I see the risk assessment being reviewed whenever there’s a new statement of work added, when there’s a new engagement letter, or a new deal struck….

You may want to do a biannual one down the road, especially if there’s no change – there’s [no trigger] to review it – but typically, the times to review it are when the new contracts come in, or when there’s a change.

—CJ Utter, Vizio

“What’s the risk score that you’ve assessed during that initial assessment?” offers Kelly. “I think, higher risk relationships (it could be based on the data that’s being shared or the criticality of that vendor to your service overall) may necessitate a biannual risk assessment or audit of that particular vendor. Versus a vendor who’s receiving less data or providing not so critical of a service.

“What’s key, if we talk about relationship lifecycle, is to have a testing and monitoring program in your organization…whether that’s going to be something that that team takes on or they engage third parties to help bolster that.”

But it all depends on the question of the risk appetite of your company overall. Because that’s going to drive the resources, the timing, and the appetite. Both to take it on internally, as well as defining the relationship that you have with that third party.

—Kelly Peterson Miranda, Amazon

The controller controls

“What happens in a worst-case scenario where somebody fails, the assessment or for whatever reason is unable to maintain the standards that you would put out at the beginning?” queries Harris::

I’ve experienced this firsthand. What I’ve done is have a discussion with the business unit or the team that’s engaging the vendor to discuss the importance of the vendor and discuss the business use case. Are there any viable alternatives in the marketplace that can provide the same or close to what this vendor was going to provide?

—CJ Utter, Vizio

“This is an important topic,” says Peterson Miranda. Crucially, “before engaging in any kind of risk assessment, or audit, there has to be a meeting of the minds between legal and the business. What is the goal? What are the remediations that we can potentially control and put in place if we receive unsatisfactory answers from a vendor with which we are currently working?”

She notes that there are some tough questions to ask from the business perspective. In particular, “Are you willing to walk away? Can we walk away? And if the answer is no, and we get back an unsatisfactory answer: what is within our control, as a controller.”

From a technology perspective, are there gating things that we can put up? Pseudonymization techniques that can be put in place, or data minimization? What can we control to help ensure that our customers are not harmed by the fact that we must engage with this third party in order to provide the service to the end customer?

It all goes back to preserving that trust of the customer.

— Kelly Peterson Miranda, Amazon

Exceptions to the rule?

Josh asks, “As you encounter these cases, are they pushing you into ad hoc remediations that are outside the broader process? Some occasional special accommodation for an organization?

“Again,” offers Kelly, “it goes back to the criticality of that vendor. Are you willing to put in place an exception and, if so, how are you going to document that exception? How are you going to have oversight?

It increases your operational burden. And, in the long term, you’re potentially increasing risk because now you have an exception in an approach. Who’s going to have responsibility for that?

And as Kelly notes, it is most likely something that can’t be managed by the privacy group, but rather someone in the business: “whether that sits with product, engineering, account management, or whoever is the relationship owner.” Ultimately, what does reporting look like? How will the privacy and compliance teams “ensure that, in the end, this exception doesn’t result in compliance risk?”

As Josh rightly  and succinctly puts it, “the introduction of complications into a universe of things that are already complicated is probably suboptimal.”

The way I’ve handled it is by looking at the sensitivity of the data and having certain vendors do certain questionnaires based upon the level of data that they’re getting. If there are any exceptions, that’s noted within the contract, and there are a lot of guard rails in the contract concerning what they can do with the data or what is expected of the third party.

—CJ Utter, Vizio

“And then that’s managed within the contract lifecycle management, continues CJ, “where you can tag the contract for review at certain intervals.”

As organizations look to operationalize data privacy and manage personally identifiable data across their information ecosystems – intended to deliver value-added and frictionless experiences to their consumers – managing third-party relationships is one of the many challenges businesses both small and large grapple with.

The foregoing is just a small sample of this discussion which also covered topics like operational challenges concerning subsidiaries of third parties; the potential utility of a GDPR-like framework to assist in the lifecycle management of risk; and the needed coordination of process owners across the businesses; and the impact of the ever-changing regulatory landscape.

This discussion and others featuring some of the leading thinkers and practitioners that came together for the Fall Spokes Privacy Technology Conference can be accessed here.

Watch the entire SPOKES session here.

  • Privacy
  • Privacy Shield

Cross-Border Data Transfers: A Conversation

On November 11, 2021, in response to the uncertainty following Schrems II invalidation of the EU-US Privacy Shield, the European Data Protection Board (EDPB) issued long-awaited guidance on complying with GDPR requirements for the transfer of personal data from the EU to other jurisdictions, particularly the U.S. Fundamentally, the guidance was intended, among other things, to clarify what constitutes an international data transfer. is it a jurisdictional issue? A physical jurisdictional issue? A legal issue?

Does the EDPB guidance provide the needed definitional clarity of what constitutes a transfer? Does it solve for Schrems? Does the current trend toward data localization solve for cross-border transfer issues are create further ambiguity and even security risk?

As part of an ongoing series, WireWheel CEO Justin Antonipillai and co-host Daniel Solove met with Peter Swire, professor at Georgia Tech’s new school of cybersecurity and privacy and a witness in the Schrems case, the Atlantic Council’s Kenneth Propp (who worked with Justin in the Obama Administration, and Orrick partner Shannon Yavorsky who advises clients on these matters, to discuss these issues. The webinar Cross-Border Transfers: A Conversation can be accessed here.

So, what is a transfer?

It’s really interesting because there’s never been a definition for international data transfer and it’s been the subject of discussion and commentary over many, many years as to what actually constitutes an international data transfer.

—Shannon Yavorsky

As Yavorsky notes, the EDPB provided a sort of three-prong test to identify whether there is a data transfer.

  • That there is a controller or processor that is subject to the GDPR;
  • That there an exporter that makes data available to an importer. “This is important because there was always a question hanging over whether any direct collection of data from individuals located in Europe by, for example, a U.S.-based entity constituted, a data transfer; and
  • That the importer is in a third country, regardless of whether the importer is subject to the GDPR.

“It almost raises as many questions as it clarifies,” opines Shannon. “There was always a question concerning what mechanisms could be used for cross-border data transfer. As the derogations got narrowed by commentary coming out of the EDPB, it became less clear that you could rely on the derogations. But for some of my clients, it’s been tremendously helpful to have more clarity on direct collection.”

“One other piece I noticed, is corporate families versus the same corporation,” says Swire. “There was some language in the discussion that if it’s an affiliated company inside a holding company, at some point, it really is a different entity. And then you have to go into all these different entities as an importer. To me, it wasn’t clear.”

Peter poses the issue of a company with different branches, perhaps one in France and one in the U.S. “It seems as if that might not be a transfer…If it’s a different corporation, probably a transfer, but inside the same company it seemed like it wasn’t a transfer.”

“I put that into the bucket of things that was not clarified,” says Antonipillai:

You get into some metaphysical/technical questions about when is a transfer occurring. A really good example of what we see regularly when you get into real-time adtech when you collect data, for say a consent, and you store it just in Europe, and now you want to resolve that consent with the same person who might be accessing a U.S. site. Is that a cross-border data flow, because, technically, there’s an access for U.S. purposes in the same company?

—Justin Antonipillai

Propp observes that the guidance obviously “has a geographic focus to it with respect to clarifying what is a transfer, and that’s helpful, but it does end up in the somewhat paradoxical situation that the companies that are already subject to the GDPR by virtue of a local establishment nonetheless have to employ transfer with related safeguards.”

The elephant in the room

“I’ve always seen a bit of a tension between the Court of Justice of the European Union (CJEU) and other European institutions when it comes to cross-border data transfer,” says Solove. “I look at the logic of Schrems and I don’t see any of the guidance solving the fundamental issues in Schrems.”

Better contractual clauses don’t really solve the big problem. And that is, if the NSA wants the data, they can get the data.

If the Data finds its way to the United States, whether it’s the same company [or not], the concerns the CJEU had in Schrems still exist in that situation. So can it just be, ‘oh cool, we’ll just not define it as a cross-border data transfer and somehow we’ll escape from all these countries?’

—Daniel Solove

“Right now, my reading of it, is it doesn’t add up, says Solove. “This is still a mess and no one’s addressing the elephant in the room.” And that elephant has a pedigree tracing back to Snowden.

The effect of the Snowden papers “turned out to be even bigger than a lot of people realize,” notes Swire. At the time the Snowden papers came out in early 2013 in June. GDPR was dead. And it’s clear that when it [overwhelmingly] passed by that the concern about the NSA was enormous and really drove the political process toward a stricter version than it would have been without Snowden.

In my testimony in the Schrems case, I wrote 300 pages explaining the many constraints that exist under us law on the NSA. That they were the strictest sets of intelligence restrictions of any of the democracies. But under European law that’s not relevant. They’re not testing us compared to Germany or France, they’re testing us compared to the CJEU standard. So, we have concerns, based in part on Snowden, that are driving [the idea of] a surveillance problem that needs a massive solution from Europe.

—Peter Swire

Be that as it may, as Yavorsky notes pragmatically queries: “But have you seen anyone actually stop data transfers? Because I haven’t.”

The Data Localization Response

The growing response to the lack of clarity, and burdensome administrative overhead concerning justification of cross-border data transfers has been to localize data. Swire notes that a recent Ernst & Young report “found that 20% of the respondents said there’s been significant data localization since Schrems.” And that “20% to report there’ve been major changes in their business to localize in is nontrivial.”

But the definition of localize may be as hard to pin down as the definition of transfer. “I wonder what they mean by localized, really?” says Antonipillai. “What I’ve heard when is when they say “localizing,” it means storing locally and accessing and processing it in a lot of places.”

The focus has primarily been on local storage. What we’re starting to see now are criteria emerging in countries like France in the context of cyber security standards, that there be limits on foreign ownership of cloud companies that operate there and, and also somehow immunity from foreign jurisdiction.

Once you add those criteria into the conversation it becomes even more complex, I think for U.S. companies to deal with.

—Kenneth Propp

And, as Propp notes, there is a deleterious effect on cybersecurity that comes with localization as “it’s very hard to do centralized management of a company’s computer system.” Furthermore, “it’s unclear whether you can buy cyber security services from overseas, the way Cloudflare got kicked out of Portugal.”

So, what’s a company to do?

Given the still-existing ambiguities post-EDPB guidance, the Schrems elephant, Snowden’s shadow, and unlikely occurrence of globally agreed standards, Solove asks the ultimate question: “what does a company do? How does a company figure out what the right level of compliance is?”

“I don’t think there’s actually a way to fully comply the way things stand now. Is every company supposed to try and do an analysis of every country’s surveillance law?”

We’ve all recognized that there are a lot of legal fictions that go on in the world of cross-border data transfer…So it comes down to what do you do in these scenarios?

At the end of the day, you have to put together a defensible narrative…and lean a little bit on the risk-based approach to the GDPR: that you’ve done your transfer impact assessment. You’ve reviewed and made any appropriate adjustments, including potentially localizing data…made efforts to implement appropriate safeguards: You’re going to be in a reasonably good position vis-a-vis a regulator coming and taking a look under the hood.

—Shannon Yavorsky

“I think it’s worth pointing out that it’s not just – or even primarily – U.S. companies that are facing this situation,” says Propp. European companies too are dealing with an unprecedented sense of uncertainty about ultimate liability.”

Until we can reconcile government access to commercial data flows, the concerns, elephants, and ambiguities are likely to remain. The question is going to continue to be with us. As Ken optimistically offers, “we’re starting to see encouraging signs of that, but it’s going to take continued initiative.”

  • Privacy
  • Regulations

Finally Solving for Schrems II?

A conversation with the European Commission’s Bruno Gencarelli

The world of data flows is a diversified world that doesn’t stop at the transatlantic dimension, although that is, of course, a core component of that issue.

A successful arrangement to the privacy shield is clearly a priority on both sides of the Atlantic. We want a solid, durable, sustainable, framework. What’s the secret recipe to get there? A framework that fulfills the requirements of the Schrems II judgment.

—Bruno Gencarelli

European Commission Head of International Data Flows and Protection, Bruno Gencarelli joined WireWheel CEO Justin Antonipillai for the plenary session of the Fall Spokes Privacy Technology Conference. And while always top-of-mind, the recent guidance issued by the European Data Protection Board (EDPB) makes this conversation particularly timely.

WireWheel’s Antonipillai was a lead author of the Privacy Shield agreement that was subsequently invalidated by Schrems II, and Bruno Gencarelli is the lead negotiator for the EU-U.S. current attempts to design the “secret recipe” that will solve for Schrems II and allow cross-border commercial data flows to proceed without the burden of case-by-case justifications. The Q&A, which can be accessed here, is well worth a listen.

A complex balancing act

“The evolution between Schrems I and II is the level of detail regarding what is expected in terms of safeguards. And those are the aspects on which we’re working. Namely: government access to data for national security purposes,” says Gencarelli. “That’s not an easy issue. It’s a complex balancing act in the U.S. as it is in any modern system around the world.”

Bruno notes that while “we are not there yet,” good progress has been made on a number of issues. Beyond the exploratory phase, his team and their counterparts in Washington, D.C., are now “exchanging text, ideas, and possible solutions.

“We, and our counterparts in Washington, share a sense of urgency, but we also share [the view] that the ‘what’ is more important than the ‘when:’ That this is an arrangement that will pass all the necessary test, including potential litigation.”

Still, for businesses trying to do the right thing, it’s a long time coming:

The Schrems II decision was July 2020. And Privacy shield is used by a lot of small and medium-sized companies to comply. To do more than might be relied on under U.S. law in order to avail themselves of a special transfer benefit from Europe. That’s a long time for small and medium-sized companies [who are looking for resolution].

—Justin Antonipillai

Simplicity and Adequacy

  1. Do you have any sense of timing on when at least a framework agreement might be reached (understanding that even after there’s a framework agreement there’s a pretty long tail)?
  2. With a new “Privacy Shield” will there still be the need to do transfer impact assessments?
  3. Other discussions and negotiations still focus on redress for national security purposes. Is that the exclusive area of negotiation at this point, or is it broader than that?

On timing, Bruno answers, not unexpectedly, “We hope we can get there as soon as possible, but I am not in a position today to tell you, when.”

What is important is the nature of the instrument. It will be an adequacy decision. And if we succeed, this will have a major, major benefit. Particularly in the post-Schrems II environment. It means that – based on certification with the Department of Commerce – companies will be able to rely on the new arrangement to export data from the EU to the U.S without having to enter into a case-by-case assessment that the Schrems II judgment requires.

—Bruno Gencarelli

This, as Bruno notes, has a significant benefit in terms of stability, cost, and simplicity. The intention is to come to an arrangement that is straightforward in nature. “That’s why we are developing adequacy,” opines Bruno.

“So, the short answer to your question regarding transfer impact assessments is no. But yes, because in any case, as regardless of Schrems II, regardless of transfers, you need to know what you’re doing with that data. That’s key to the compliance and accountability aspect [of data handling] that will always remain.”

Justin reiterating: “That means the technical transfer impact assessment portion in which you have to evaluate the sort of regime that you’re transferring it to with respect to the U.S. companies would no longer have to conduct. They still would have to do an assessment of processing activities, just as normal.”

“Correct. Because an adequacy decision is a legal measure adopted by the EU, by which the EU says, “we have done that assessment and you have a green light for transfer.”

Redress and Resurrection

Redress is a central issue under discussion, says Gencarelli. “There are essentially two issues in Schrems II.

One is what are the conditions, limitations, and safeguards that are the basis by which data can be accessed by intelligence agencies when, for instance, it has been transferred for commercial purpose. “This is an issue for which we have made good progress around principles of necessity and proportionality: the nexus between the data which is being accessed and the national security threat is being addressed.

“And then there is the question – not an easy question, but a fundamental one – where the Court of  Justice has been the clearest and most detailed: the possibility for individuals to allege a violation of the safeguards in a court or Tribunal. These are the two questions with which we are dealing.

Companies are maintaining their compliance with the Privacy Shield principles without getting the benefit of a means of transfer. Is the expectation that if there’s a new privacy shield, that companies if they continue to do what they’ve already certified to, will get the benefit of the means of transfer? Or do you anticipate there’s going to be new requirements from a commercial perspective?

—Justin Antonipillai

“I know that certifications continue and are renewed on the U.S. side,” offers Bruno, but he cautions: “it’s very important to say that in terms of compliance with the GDPR requirements that those certifications are of no value for the moment. From the European side, the privacy shield is dead.

“But we believe also in resurrection. And that’s what we’re working on.”

Gencarelli emphasizes that the EU team is focused on the government access part of the deal because that is the grounds on which the Court of Justice invalidated the Privacy Shield.

It is noteworthy that this is exactly what the recent EDPB guidance failed to address. As legal scholar Daniel Solove opined in a recent conversation with Justin: “Right now, my reading of it, is it doesn’t add up, says Solove. “This is still a mess and no one’s addressing the elephant in the room.” I.e., government access to data is the central thrust of Schrems II.

Of course, notes Bruno,” the commercial aspect – which is what matters in daily life or businesses – do have additional compliance requirements” but they are not the focus of the negotiations. “If there are any changes, they would be quite minimal.”

There have been widely reported discussions on the proposals that have been coming from the U.S., the Justice Department, and judicial panels on redress. And while I don’t mean to suggest the redress element of it is any more or less difficult than necessity and proportionality, redress has some very difficult aspects when you try to reconcile it with the elements of standing and judicial ability under U.S. law. So, there are some tricky elements to that.

—Justin Antonipillai

“What I can tell you” offers Bruno – understandably constrained by the sensitivities of ongoing negotiations – “is that we want a solution that works in both systems

“The question of standing, is of course, very important. And recently, the Supreme Court said to the legislature that there are things you cannot do in this area, there are limits. We are also seen that there are redress mechanisms that exist in the judiciary branch as well as the executive branch.

“Redress in an area such as national security is, of course, is subject to legitimate limitations to fully take into account the sensitivity and confidentiality of issues that might be involved. Those constraints exist on both sides of the Atlantic.”

Around the world in four minutes

There are many more opportunities as countries are converging on the idea that it’s not about identity. It’s about converging on common safeguards.

—Bruno Gencarelli

Given the immediacy (and complexity) of the issues, this is a conversation that could easily last well into the night. Unfortunately, though understandably, Bruno’s schedule is constrained. In the remaining minutes of the keynote Q&A, Bruno reminds us that while the EU-U.S. data transfers are at the forefront, there is much going on throughout the world in this regard, and he provides some insight.

As a scoop for your audience, we have completed negotiations with Korea, and if everything goes well, it will be adopted by the EU next week. By the end of the year, there will be a free flow of data between the EU and South Korea.

—Bruno Gencarelli

Bruno also notes that “the adequacy decisions we adopted with the UK (one for the GDPR, the other for law enforcement cooperation, are a very important part of the post-Brexit relationship.”

Other initiatives highlighted by Bruno include:

  • Work on a number of tools that can cover regions creating an amplifying network effect. Model clauses are now adopted and used as part of that convergence by a number of jurisdictions around the world. Switzerland has adopted the same model clauses as the EU, and the UK has a proposed version as well.
  • New Zealand, while not exactly the same model, has presented some important commentaries.
  • Regional organizations such as Southeast Asia countries –Singapore, Indonesia, Malaysia, and others – have adopted a set of model clauses to facilitate transfers within the region. This is seen as useful to facilitate transfers between that region and the rest of the world. Work is being done to build on this common practice and capture many jurisdictions.
  • The same is happening with Latin America.

Bruno closes the conversation with a missive regarding the recent trend in data localization:

There are obstacles to data flows, which have nothing to do with the protection of privacy, though they might sometimes use the protection of privacy as a pretext. I’m thinking about a number of data localization requirements we increasingly see.

We are negotiating a lot of trade agreements with countries such as New Zealand, Australia, Indonesia, Tunisia, Chili, and others. At the multilateral level, we are proposing an approach based on a straightforward prohibition of data localization requirements.

—Bruno Gencarelli

Watch the entire SPOKES session here

  • Privacy Law Update

Privacy Law Update: December 6, 2021

Stay up to date with this weekly release covering key developments on data privacy laws, technology, and other hot privacy topics!

Newsworthy Updates

EDPB Discusses Data Transfer Guidance Considerations, Key Points

With the recent adoption of guidelines on the interplay between Article 3 and Chapter V of the EU General Data Protection Regulation relating to international data transfers, the European Data Protection Board sought to answer a question that has been debated going back five years to the GDPR’s original drafting. But as is usually the case when addressing the complex topic of transfers, answering one question has spawned so many others.  EDPB Secretariat Head Isabelle Vereecken said during a LinkedIn Live conversation with IAPP Vice President and Chief Knowledge Officer Caitlin Fennessy, CIPP, the EDPB’s decision to act had less to do with answering or creating questions than it did with providing consistency, clarity and legal certainty.

Parsing Through Potential Impacts of EDPB Data Transfer Guidance

The European Data Protection Board’s new guidelines on the interplay between Article 3 and Chapter V of the EU General Data Protection Regulation answer the threshold question that underpins GDPR’s data transfer regime — what is a transfer? The answer comes across as straightforward, but the debate behind it and the implications of it are anything but. IAPP Vice President & Chief Knowledge Officer Caitlin Fennessy, CIPP/US, dives into the practical impacts and policy considerations stemming from the new guidance.

New Data Protection Standards for Adtech Companies Proposed by UK ICO, But Actual Changes Remain Questionable as Leadership Changes Hands

A new Commissioner’s Opinion issued by the UK’s Information Commissioner’s Office (ICO) reiterates the country’s data protection standards and lays out its vision of future regulation plans for ad tech companies, calling for solutions that are more privacy-focused and worthy of user trust.  The actual impact of this opinion on the country’s data protection standards is questionable given that it does not clearly indicate any new regulations for adtech; it simply implies that previously lax enforcement by ICO may be stepped up. This could depend greatly on the organization’s leadership, however, which is presently in flux. The opinion was issued by Elizabeth Denham, whose term as Information Commissioner comes to an end November 30 and whose replacement does not step in until January 2022.

India’s PDPB Set For Parliament’s Consideration

The Joint Parliamentary Committee (JPC) on November 22 adopted the draft report on the Personal Data Protection (PDP) Bill 2019, after almost two years of deliberations.  According to sources, the report will now be presented in the Winter Session of Parliament along with the PDP Bill 2019, for discussion.  The final meeting of the JPC included several MPs, including three Congress leaders, Jairam Ramesh, Gaurav Gogoi and Manish Tewari raising dissent.

5 Steps to Comprehensive Privacy Compliance

While universally desired by individuals and enterprises alike, true privacy is nearly unobtainable. On a conceptual level, adhering to privacy may appear straightforward, but the logistical and technological challenges getting there are daunting. To holistically incorporate privacy into an organization, one has to take stock of the challenges that have historically impeded compliance efforts and continuously re-evaluate privacy strategies.

WhatsApp Pushes Privacy Update To Comply With Irish Ruling

WhatsApp is adding more details to its privacy policy and flagging that information for European users, after Irish regulators slapped the chat service with a record fine for breaching strict EU data privacy rules.  Starting Monday, WhatsApp’s privacy policy will be reorganized to provide more information on the data it collects and how it’s used. The company said it’s also explaining in more detail how it protects data shared across borders for its global service and the legal foundations for processing the data.

Privacy Legislation

IAPP State Privacy Law Tracker

IAPP Federal Law Tracker

IAPP Chart Compares Us Privacy Legislation Proposals

Future proof your privacy program with WireWheel’s Trust Access and Consent Center and WireWheel’s Privacy Operations Manager.

Request Demo
  • Privacy

Rise of the Privacy Operations Leader

In the early years of privacy legislation, the focus was on legal interpretation and high-level understanding. What do the principles mean? How do you reconcile the European-style data protection regime, the US, and others? Naturally, the general counsel’s office and executive leadership – the C Suite – was the locus of corporate response.

Today, privacy has moved out from legal and into the broader organization. As data privacy and protection concerns all facets of the business –marketing, sales, product development, data governance, et al. – it requires programmatic design, implementation, and control. It requires more than legal expertise. It also requires operational expertise.

We look to a framework to understand how we can take all of these obligations and boil them down to something that we can pragmatically implement within our organization. A framework will really help to not only just boil a lot of this down into more usable concepts; it’s also going to be able to scale with your organization as well.

—Katie Pimentel

WireWheel CEO Justin Antonipillai moderated a panel to discuss the challenges of operational privacy, and the resultant rise of the privacy operations leaders. The panelists are Lisa Barksdale, Zillow Group Director of Privacy, Katie Pimentel, Yahoo Assistant General Counsel, Global Privacy, and Tara Jones, Yahoo Legal Services Manager, Global Privacy.

Privacy Operations Fundamentals

Of course, you need to need to understand what privacy laws mean, “but the business really wants to know how it’s going to impact them. And there are fundamental things you absolutely need to do right,” says Zillow’s Barksdale. First, you need to perform a gap analysis in each area of the business to understand what you are dealing with, know the key players and then develop a framework to help identify those things that require focus.

Privacy Notice Management: make sure they’re comprehensive and make sense. If you have “50 different notices, that’s really hard to operationalize and make sense of, so you want to drill down on that” suggests Lisa.

  • Regulatory Initiatives: As more regulations come into effect domestically and globally, this needs to be managed.
  • Reporting: “I love reporting,” enthuses Barksdale. “It shows what we’re doing, how we’re doing it, and how we’re performing against requirements.” It also provides insight to senior leadership.
  • Policy Management: Make sure that you have a solid internal privacy policy.
  • Risks and Controls: Comprehensive monitoring and testing program is paramount to ensure your businesses are adhering to your policies and procedures.
  • Meetings and Forums are vital to excavating and understanding any issues you may have.
  • Devise an overall governance routine to guide action.

You also need to define and document your organization’s privacy principles. Zillow identifies ten core privacy principles for their internal privacy policy which Lisa notes “is important for the businesses and our target audience to understand.” Zillow privacy principles:

  1. Transparency
  2. Purpose Limitation
  3. Proportionality
  4. Participation
  5. Accountability
  6. Accuracy
  7. Confidentiality
  8. Protection
  9. Retention
  10. Sharing

As Antonipillai notes, for those just starting out, the Fair Information Practice Principals (the core of the Privacy Act of 1974) provide a framework that is widely accepted and that is emulated in many states’ laws as well as internationally.

Okay, so how do you really operationalize that?

I do get questions like, “okay, it all makes sense, but how do we really operationalize this? Who are the people? How do we organize?” says Lisa. At Zillow, the core privacy operations leadership comprises:

  • The Program Manager
  • The Business Line Relationship Manager
  • Privacy Legal
  • The Data Manager
  • The Monitoring and Testing Manager
  • Privacy Champions

The Privacy Manager aligns with the CPO and acts as the lead program manager (PM) covering all elements across the program. “They may have some subject matter expertise in certain things, but they are responsible for getting things over the line.”

The Business Relationship Manager is responsible for developing and creating the privacy impact assessments (PIAs) and working with various committees.

Privacy Legal, of course, creates the standards within the organization, tracking the evolving regulatory landscape, interpreting the regulations, and translating how that impacts the businesses.

The Data Manager, working closely with data governance, covers the creation and implantation of record of processing activities (ROPA) and tools and manages data mapping and inventory obligations.

The Monitoring and Testing Manager identifies and documents the controls and processes to ensure adherence to the privacy policies applicable to the individual businesses.

One of the things that is a challenge for a lot of privacy programs is headcount….We created privacy champions, that sit in the business and operate as liaisons between the business and the privacy office.

They are the subject matter experts of their business. And we have invested in educating them and training them on privacy and how it impacts their areas.

—Lisa Barksdale

How do you know it’s all working?

The answer to this question speaks to the importance of developing a comprehensive framework including testing and controls. As WireWheel works with both small businesses and large multinationals, Antonipillai is seeing more and more companies starting to audit (internally or with external help) much like audits and certifications have been used in finance (e.g., SOC with SOC Type 1 and Type 2 audits) and data security (using the NIST framework as Katie, Tara, and Lisa discussed with us here).

Getting a pulse on your program after you stood it up is probably as critical as standing up the program.

You put all these processes in place, set up all these resources, and you think all right, I’ve got everything covered. But nobody’s adopted the PIA – you have them trickling in. Groups are failing their monitoring and testing. The controls aren’t working.

—Lisa Barksdale

“You can either get an external company to come in and do a health diagnostic on your program or you work closely with internal audit,” offers Barksdale. “In either case, it’s important to get that health diagnostic.”

“When you start to dig into ROPAs and developing controls,” cautions Katie, “I would highly recommend doing these under privilege. When you start lifting up rocks within your organization you don’t always know what’s going to be underneath. [You may] uncover some things that you probably won’t want to be discoverable.

It’s why reporting is so critical. “You want to look at your metrics and ensure that they make sense. And if they don’t, dive in there and figure out why. You would hate for the regulators to come in and let you know it’s not working before you identify that yourself.

For privacy governance programs the big picture benefit is scalability repeatability and testability. Well, how do you make that work? Developing controls.

Controls drafting and implementation is critical to ensuring that you can understand what that program is doing, you can understand where the gaps are. That’s, the only way that your program is truly going to be testable and without testability, you can’t (with a straight face) go to a regulator and say, “Sure my program’s working…all the processes are being followed.”

—Katie Pimentel

In addition to controls, says Katie, critical to a privacy governance program is understanding your data. And “records of processing assessments (ROPAs) to really understand the who, what, why, where, and how, of your information processing is going to help you understand if there are areas of non-compliance or high risk.”

Launching the Program

This may seem overwhelming to smaller organizations without the infrastructure and resources of Yahoo or Zillow, but the same fundamental principles apply at any scale. As Yahoo’s Tara Jones notes, “even in a multibillion-dollar company, we still started at the grassroots with spreadsheets.”

Over the course of a year, Tara and her team were able to present a business case to the executive committee to justify acquiring privacy technology to support their efforts and chose WireWheel. “When we began working with WireWheel to tackle this project we ended up needing more than 1200 assessments for our business,” says Tara.

When that data begins to filter in, we then have to figure out…For what purpose are we analyzing it, how are we going to analyze it, what tools are we going to use for that analysis. You need a plan in place to determine what is going to happen with this data. How are you going to analyze it? What are you going to report on?

That is very easily overwhelming because there is so much data.

—Tara Jones

Of course, not everything fits in a neat box. As Tara points out, there will be exceptions and it is critical to developing an exception handling process as well: “Is there going to be an exception process? Who’s going to be in charge of the exceptions? Who’s going to have to approve or deny? If it’s denied, who’s going to work with the business to make sure that we’re able to still do business?”

As Katie opines, “this is another area where, again, the framework just really became critical for us.”

Ultimately, it is not a one-size-fits-all affair. The implementations, workflows, and how privacy operations are organized will be unique to each organization and its data profile. However, the underlying principles, such as those outlined in the Fair Information Practices Principles, are a common feature.

This is why employing a framework is so valuable. They provide the necessary overall structure that ensures you are adhering to best practices with regard to privacy while providing the flexibility within which to build the specific policies and procedures that best suit your business. The alternative is an ad hoc approach with is difficult (more likely impossible) to manage, control, or scale, effectively.

Key Takeaways

  • Complete a Risk and Gap analysis
  • Prioritize the privacy issues and risks of the business
  • Document your privacy principles
  • Establish an operational framework
  • Develop metrics and reporting
  • Know your business controls environment
  • Identify & leverage key stakeholders in the business
  • Be prepared to quickly manage risks identified through ROPA data
  • Privacy Law Update

Privacy Law Update: November 22, 2021

Stay up to date with this weekly release covering key developments on data privacy laws, technology, and other hot privacy topics!

Newsworthy Updates

Dispatch From Brussels: Some Clarification For EU Data Transfers On The Horizon

One of the major topics at the IAPP Data Protection Congress 2021 in Brussels, Belgium, involves questions around transfers of personal data from the European Union. Though many questions remain beyond this event, some clarifications are on the way. European Commission Head of International Data Flows and Protection Bruno Gencarelli offered a start during a conversation with Goodwin Partner Lore Leitner.

The Future Of Data Protection In the EU’s Digital Market Strategy

After years of preparing for and implementing the EU General Data Protection Regulation, policymakers in the region are far from finished with the broader regulation of the digital realm. Earlier this year, the European Commission announced its ambitious digital strategy and, over the course of 2021, it released a host of draft legislation to undergird what it calls the coming “digital decade.” The intent of the strategy is to cultivate a healthy digital marketplace in the EU for personal and non-personal data alike.

Are Profiling and Automated Decision Making the Same Thing?

No.  Modern state privacy statutes in the United States (set to go into effect in 2023) and European privacy regulations adopt a similar definition of “profiling,” which occurs when three elements are met:

  1. An activity must involve “an automated form of processing
  2. An activity must be “carried out on personal data;
  3. The objective of the activity must be “to evaluate personal aspects about a natural person.

Privacy Legislation

Lawmakers Reintroduce Online Privacy Act

U.S. Reps. Anna Eshoo, D-Calif., and Zoe Lofgren, D-Calif., proposed the Online Privacy Act, a bill previously raised by the two lawmakers in 2019. The bill includes prior provisions for data subject rights and the creation of the Digital Privacy Agency to handle privacy rights violations enforcement. Additionally, the bill adds provisions for an Office of Civil Rights within the new enforcement agency while allowing state privacy regulators to share enforcement powers alongside the agency and state attorneys general.

Future proof your privacy program with WireWheel’s Trust Access and Consent Center and WireWheel’s Privacy Operations Manager.

Request Demo
  • Privacy
  • Regulations

Six Tips for Complying with PIPL

The Personal Information Protection Law (PIPL) passed by the People’s Republic of China on 21 August and effective November 1, 2021, is not the GDPR.[1] While it shares some familiar grammar with the General Data Protection Regulation, its underlying precept is of a much different nature.

The foundational principle of the GDPR rests on a perceived human right to privacy. PIPL, on the other hand, is premised on China’s broader ‘informatization’ policy, which Chinese President Xi Jinping has described as the modern equivalent of industrialization” (Brumfield, 2021). And, given the “socialist” nature of China’s economy, information (including personal information and its monetization) defined as an industry, is controlled by the state.

The comparison to the GDPR works in a superficial way. The language is similar and at the end of the day, people will get privacy notices, the use of personal data is restricted to certain purposes, and there are onward transfer provisions.

But, on a not that much deeper level, this is a fundamentally different law. The EU is motivated fundamentally by protection of human rights. And I think China is fundamentally motivated by the assertion of sovereignty over the data. They want to control the information in the country…they don’t want American tech companies to control it. They don’t want Chinese tech company to control it.

—Ed McNicholas, Ropes & Gray LLP

As part of an ongoing series of conversations, WireWheel CEO, Justin Antonipillai and privacy legal scholar Daniel Solove were joined by Mingli Shi and Ed McNicholas. Their discussion is available here.

Mingli Shi is an attorney at Qualcomm responsible for compliance with global privacy laws, and a frequent contributor to a think tank Digital China affiliated with Stanford’s Cyber Policy Center. Ed McNicholas is a Partner, and the U.S. leader of the Data Privacy and Cybersecurity Practice at Ropes and Gray, and was a litigator in the Clinton Whitehouse.

No “Legitimate Purpose”

China has a national strategy for a Digital economy,” notes Mingli. “China’s digital industry is booming…and the government has clearly expressed its determination to take great efforts to promote and invest in industries around data, big data, and AI.” Interestingly,

The original word used in China privacy law literally translates as interests in rights, but the Chinese phrase is more focused on the interest aspect rather than the rights.  China’s privacy law, and its data governance…is focused on national interests in…cyber sovereignty and data sovereignty.

—Mingli Shi, Qualcomm

McNicholas notes that while it is PIPL that has “burst onto the scene, there are actually a whole series of laws” enacted by China including the 2017 cybersecurity law, the 2018 state secrets law, and biosecurity law “that altogether assert what I think chairman Xi has been very clear about: the notion of data sovereignty. That China wants to be in charge of the information in China.”

While extremely broad – perhaps purposefully so – in its language, the concept of sovereignty and control is both tacitly and implicitly expressed in PIPL. As Solove notes, there are provisions that notably diverge from the GDPR and are much more restrictive:

One is the requirement is there has to be a Personal Information handler in the company in China: a representative for foreign data handlers.

And there are no legitimate purposes or lawful basis to process data which is I think is the most common. Lawful basis used to process data under the GDPR. So, I’m wondering how this is going to play out without that lawful basis.

—Daniel Solove, John Marshal Harlan Research Professor of Law, George Washington University Law School

Mingli affirms that “the law is quite clear. Foreign organizations that would be subject to China, privacy law need to establish a local office or appoint a local data protection staff based in China.” She further notes that PIPL also includes an additional category of protected information called “Important Information.” However, it does not define it.

PIPL is about Localization, Control, and “National Security”

Antonipillai notes that while PIPL would receive a lot of attention under any circumstances, “everybody’s paying attention to the Chinese Government’s move to block the IPO of Diddy. It appears to have been based, in part, on the amount of data that Diddy holds on Chinese persons and what going public in the U.S. would do to what can be perceived as a strategic amount of data in the possession of Diddy.”

They see, I think everyone does, that data is the new oil…and they will have an industrial policy for tech companies the same way they have industrial policy for other segments of the economy…China is practicing socialism – not the kind of socialism we talk about in American politics – real socialism. With industrial policy that is using the sovereign interests to control corporate activity. I think that we will see more like the Diddy case coming forward.

— Ed McNicholas, Ropes & Gray LL

Ms. Shi notes that the “extraterritorial application of privacy law is not unique to China. GDPR has similar requirements for organizations that get the personal data of EU residents….China, privacy law also adopts this approach. If foreign organizations process personal data of people in China or they assess the behaviors of people in China, then they are subject to China’s privacy law.”

Mingli further cautions that PIPL relies heavily on notice and consent as well as organizational obligations like regular auditing and data categorization (including “important information”).

If you do cross-border transfers, you need to pay attention to whether your data is subject to the localization requirement by default. And if you are a bigger platform and run a big social media service or you run an app store then you are subject to additional liabilities and you need to have an independent supervisory body composed of external experts to supervise your data activities…”

—Mingli Shi, Qualcomm

Ultimately, says McNicholas, “if you have an office in China, think, can we just localize that data? Do we really need to export it? There’s a lot of data export that happens because it’s easier for companies…Chinese contractual mechanisms, warns Ed, might be “more onerous and require a bit more consideration” than Standard Contractual Clauses. I think this regime will just become more focused on localization over the long run.

What do organizations need to do now?

With so little time to prepare, what should organizations consider to accommodate PIPL? Fortunately, says McNicholas, “I don’t know that a well-run Chinese program is going to be all that different than a well-run European program.”


Key considerations include:

  1. The increased importance of data inventory and data mapping.
  2. Pay particular attention to personal data of Chinese persons if your company has enough that it might be perceived as a strategic asset.
  3. Pay close attention to additional types of data including “important data” and data generated by “critical information infrastructure operators” doing business in China.
  4. Pay attention especially to the extraterritorial transfer nature of the law which carries with it any number of consequences (not yet completely defined).
  5. Ascertain whether you need to locally store certain data at your China-based operations.
  6. Make sure you know how the organization is using data for marketing purposes and integrating that data in analytics platforms.
  • Privacy Law Update

Privacy Law Update: November 15, 2021

Stay up to date with this weekly release covering key developments on data privacy laws, technology, and other hot privacy topics!

Newsworthy Updates

UK Supreme Court Overturns Court of Appeal to Disallow Google Data Privacy Class Action

On November 10, 2021, the UK Supreme Court issued a unanimous Judgment in Lloyd v Google LLC [2021] UKSC 50, overturning a ruling of the Court of Appeal and disallowing a data privacy class action.  The Judgment denied Mr. Lloyd the ability to pursue a collective claim for compensation on behalf of around four million iPhone users in England and Wales whose internet activity data were allegedly collected by Google in late 2011 and early 2012 for commercial purposes without the users’ knowledge or consent, and in alleged breach of section 4(4) of the Data Protection Act 1998 (“the 1998 Act”). The 1998 Act has since been replaced by the UK GDPR and the Data Protection Act 2018 (“the 2018 Act”). The claim was backed by substantial litigation funding.

IAPP ANZ Summit Online: A chat with NZ Privacy Commissioner John Edwards

On his third day as New Zealand’s Privacy Commissioner in 2014, John Edwards was asked during a committee hearing about his approach to the role. “I said I want to make privacy easy,” Edwards said. “I want to make privacy easy for agencies to implement, I want to make it easy for consumers to access privacy-friendly options, and I want to make it easy for people to have access to remedies when things are wrong. That became my mantra and I think it fits.”

Update On The Belgian Data Protection Authority’s Investigation Of IAB Europe

IAB Europe is informed by the Belgian data protection authority (the APD) that its Litigation Chamber is close to finalizing a draft ruling that will conclude its investigation of IAB Europe and its role in the Transparency & Consent Framework (TCF). The draft ruling is expected to be shared with other Data Protection Authorities (DPAs) in the coming 2-3 weeks under the Cooperation Procedure laid down in the GDPR.  Those DPAs will have 30 days to review it.  Depending on the outcome of that review, the APD may adopt a final ruling or the matter may be referred to the European Data Protection Board for a binding decision.

IAPP publishes updated ‘Privacy and Data Protection in Academia’ report

Today, demand for qualified privacy professionals is surging. Soon, societal, business and government needs for practitioners with expertise in the legal, technical and business underpinnings of data protection could far outstrip supply. To fill this gap, universities around the world are adding privacy curricula in their law, business and computer science schools. The IAPP’s Westin Research Center has catalogued these programs with the aim of promoting, catalyzing and supporting academia’s growing efforts to build an on-ramp to the privacy profession.

Facebook plans to remove thousands of sensitive ad-targeting options

Facebook Inc (FB.O) said on Tuesday it plans to remove detailed ad-targeting options that refer to “sensitive” topics, such as ads based on interactions with content around race, health, religious practices, political beliefs or sexual orientation. The company, which recently changed its name to Meta and which makes the vast majority of its revenue through digital advertising, has been under intense scrutiny over its ad-targeting abilities and rules in recent years

Privacy Legislation

Singapore: Data privacy update

This data privacy update addresses the amendments to the Personal Data Protection Act, the changes to the Spam Control Act, the publication of the Cyber Security Agency of Singapore (CSA)’s report on the Singapore Cyber Landscape in 2020, and the proposed new licensing framework for cybersecurity service providers.

Future proof your privacy program with WireWheel’s Trust Access and Consent Center and WireWheel’s Privacy Operations Manager.

Request Demo
  • Privacy Law Update

Privacy Law Update: November 8, 2021

Stay up to date with this weekly release covering key developments on data privacy laws, technology, and other hot privacy topics!

Newsworthy Updates

Why it is unlikely the announced supplemental SCCs will materialize

The European Commission has confirmed it will develop a supplemental set of standard contractual clauses to cover data transfers to data importers already subject to the EU General Data Protection Regulation. The confirmation appears in the minutes of the Sept. 14, 2021, European Data Protection Board meeting, where it discussed the upcoming EDPB guidelines on the interplay between Article 3 GDPR (on scope) and Chapter V (on data transfers).  This announcement is a change in course for the EC. When the EC launched the 2021 SCCs this summer, Recital 7 stated they are unnecessary when the data processing by the data importer is already directly governed by GDPR. According to the EDPB meeting minutes, the EC will develop a set of additional SCCs specifically for these transfers, it can be inferred that the EDPB viewed the issue differently and that the EDPB considers such transfers still subject to the transfer rules (otherwise, no supplemental SCCs would be required for this situation).

Enhancing protections for children’s data

From the disparities that online monitoring software can exacerbate among remote learners, to the harms teens are exposed to via dark patterns and algorithms, an increasingly complex batch of privacy problems revolve around the use of children’s data.  Many of these problems surfaced in public last month when The Wall Street Journal published an investigative series entitled “The Facebook Files” that sought to document the “ill effects” of these platforms. According to one internal study leaked in the reports, about one in three (32%) teen girls who felt bad about their bodies said that using Instagram made them feel even worse. Sizeable minorities of teens, especially girls, also said social media compounded their struggles with problems such as anorexia, self-harm and suicidal thoughts.

Mark Zuckerberg’s metaverse may be as privacy flawed as Facebook

Mark Zuckerberg’s pursuit of the metaverse, the reason behind Facebook’s rebranding as Meta, raises significant questions about data privacy in the next frontier of tech.  A bit of genetics, a world of potential.  Despite Facebook’s repeated data lapses over the years, Zuckerberg said during his company’s Connect event on Thursday that he’s taking a thoughtful approach to privacy as he attempts to build the immersive, virtual world for users known as the metaverse.

Facebook to delete users’ facial-recognition data after privacy complaints

Facebook said it will shut down its face-recognition system and delete the faceprints of more than 1 billion people.  “This change will represent one of the largest shifts in facial recognition usage in the technology’s history,” said a blog post Tuesday from Jerome Pesenti, vice president of artificial intelligence for Facebook’s new parent company, Meta. “Its removal will result in the deletion of more than a billion people’s individual facial recognition templates.”

Data Privacy: Your Greatest Competitive Advantage

Data privacy has become a top priority for businesses over the past few years. As penalties for improper data use and storage continue to escalate, the typical motivator for businesses has been to avoid the regulatory consequences of non-compliance. While this may be seen as a reasonable commercial approach, many businesses fail to realize that ensuring data privacy for consumers is not just a box to check off to mitigate the risk of financial consequences. The fact is, building trust with consumers by ensuring their privacy may just be your next greatest competitive advantage.

Developing a Defensible CPRA Disposition Process

Starting in January of 2023, businesses subject to California Privacy Rights Act (CPRA) may be required to publish the retention periods for all categories of personal and sensitive information they collect, manage, store, share, or sell. CPRA Section 1798.100.

Privacy Legislation

Democratic senator introduces data privacy legislation

Sen. Catherine Cortez Masto (D-Nev.) is introducing legislation aimed at strengthening data privacy protections for American consumers.  The Digital Accountability and Transparency to Advance Privacy Act would apply standards to all data collection, processing, storage and disclosure — including that it only be done for legitimate business or operational purposes.  The legislation would also bar companies from using consumer data in discriminatory ways and from engaging in deceptive data practices.

Five Immediate Steps to Take in Preparation for China’s New Comprehensive Privacy Law

China has recently joined the list of countries that have adopted the world’s strictest data-privacy laws. Given China’s desirability as both a market for and a source of data, companies worldwide have started making early efforts to mitigate the impact of these new requirements on their businesses. This client alert provides five concrete steps that an organization can take now that China’s new privacy law has become effective.

Updates to Saudi Arabia’s Data Protection Law

Whilst European and North American businesses are well accustomed to dealing with complex data protection legislation, businesses in the MENA region have by and large not had to consider the same in their local markets.  From a Saudi standpoint, the recently published Personal Data Protection Law (published on 24 September 2021 and effective as of 23 March 2022 (“Effective Date”)) (“PDPL”) changes this, imposing national regulation of data protection on companies across the Kingdom.

Future proof your privacy program with WireWheel’s Trust Access and Consent Center and WireWheel’s Privacy Operations Manager.

Request Demo
  • Privacy Law Update

Privacy Law Update: November 1, 2021

Stay up to date with this weekly release covering key developments on data privacy laws, technology, and other hot privacy topics!

Newsworthy Updates

G-7 Trade Ministers agree on digital trade principles

During a 22 Oct. meeting, the G-7 Trade Ministers agreed on digital trade principles, including the free flow of data across borders. “We should address unjustified obstacles to cross-border data flows, while continuing to address privacy, data protection, the protection of intellectual property rights, and security,” a press release said. “We recognize the importance of enhancing cooperation on data governance and data protection and identifying opportunities to overcome differences.” The Trade Ministers said they will work together to “explore commonalities in our regulatory approaches and promote interoperability.”

EDPB Adopts Guidelines on Restrictions on Data Subject Rights Under GDPR

On October 13, 2021, the European Data Protection Board (“EDPB”) adopted Guidelines 10/2020 on restrictions under Article 23 of the EU General Data Protection Regulation (“GDPR”) (the “Guidelines”) following public consultation. Article 23 of the GDPR permits EU Member States to impose restrictions on data subject rights as long as the restrictions respect the essence of the fundamental rights and freedoms of individuals, and are necessary and proportionate measures in a democratic society to safeguard, for example, national security, defense or public security. The data subject rights to which the restrictions may apply are those set out in Articles 12-22 (e.g., rights of access, erasure), Article 34 (communication of a data breach to individuals) and Article 5 (the data processing principles) to the extent that its provisions correspond to data subject rights.

Connecting The Dots: Making Sense Of Recent FTC Developments

Coincidence is best defined as events or circumstances that casually occur in correspondence with one another. But what looks like coincidence can sometimes turn out to be more coordinated action than anything else. This potential blurred line is something being raised following a flurry of activity involving the U.S. Federal Trade Commission’s privacy work.  The FTC has been in the spotlight over recent months with news regarding a potential funding boost, a call to begin privacy rulemaking, personnel moves, and a number of activities pertaining to enforcement. Having all these developments crop up all at once could certainly stir arguments over coincidence versus coordination, but there’s no questioning these moves indicate the commission is in for an overhaul.

Draft Bill In Australia Proposes Higher Privacy Penalties, Parental Consent For Minors

The Australian government released a Privacy Act review discussion paper, along with a draft Privacy Legislation Amendment (Enhancing Online Privacy and Other Measures) Bill 2021. The bill would impose higher penalties for privacy violations, create a new Online Privacy Code and require social media companies to obtain parental consent for users under 16. Under the proposal, the maximum $2.1 million penalty for privacy breaches will increase to up to $10 million, or three times the value obtained through misuse of information, or 10% of an entity’s annual Australian turnover. The code would be developed by industry to regulate social media services, data brokers and large online platforms, including requirements for transparency on how they handle personal information. The government is accepting submissions on the draft through Dec. 6.

Privacy Legislation

Future proof your privacy program with WireWheel’s Trust Access and Consent Center and WireWheel’s Privacy Operations Manager.

Request Demo
  • Regulations

Data Privacy Laws in 2022: What You Need to Know

Introduction to Data Privacy in 2022

Over the past few years, the proliferation of data privacy laws has accelerated around the world.

And this trend is not about to stop. ​​According to Gartner, “by 2023, 65% of the world’s population will have its personal data covered under modern privacy regulations”. But it is important to note that not all privacy regulations are created equal and the levels of data privacy, data protection, scope, or business obligations can vary widely. The map below, by DLA Piper, provides a good visualization of not only the current coverage for data privacy law but also their strengths and robustness.

We have listed below summaries of the key privacy regulations you should be aware of and will keep updating this page as new regulations are introduced or as amendments are added.


Table of Contents

US Data Privacy Laws by State
International Data Privacy Laws
Key Risks of non-compliance

Understand key similarities and differences across global privacy regulations with our Privacy Law table

Download Now

US Data Privacy Laws by State

In this section

California Consumer Privacy Act (CCPA)
California Privacy Rights Act (CPRA)
Virginia Consumer Data Privacy Act (CDPA)
Colorado Privacy Act (CPA)
Federal Data Protection Laws

At this time, the United States does not have a comprehensive federal data privacy law. Although there have been many attempts over the past decades to coordinate data privacy and protection matters, there is still not one framework. You can check this useful tracker developed by IAPP to monitor federal privacy bill introductions and developments.

In the absence of a federal privacy framework, some states have taken the lead and passed new comprehensive data privacy laws, inspired by the European General Data Protection Regulation (GDPR). As new state regulations are adopted, we will keep updating this page.

The California Consumer Privacy Act (CCPA) was the first comprehensive data privacy law. The CCPA was signed into law on June 28, 2018 and went into effect on January 1, 2020.

This California data privacy law is currently applicable to for-profit entities that collect personal information from California residents and meet any of the following thresholds:

(i) At least $25 million in gross annual revenue,

(ii) Buys, sells or receives personal information about at least 50,000 California consumers, householders or devices for commercial purposes or,

(iii) Derives more than 50% of its annual revenue from the sale of personal information.

In addition, the CCPA also introduces new consumer rights for Californian residents such as the right to know, the right to delete, the right to opt-out of sale, and more.

For more details about the CCPA and what it may mean for your business, please visit our CCPA overview.


The California Privacy Rights Act (CPRA) is the 2nd version of CCPA, which is why many have nicknamed it CCPA 2.0. Alastair Mactaggart, the architect behind CCPA, introduced CPRA in Fall 2019 and gathered enough signatures to prepare a ballot initiative and bypass the legislature. On November 3, 2021, California voters approved Proposition 24 by a 13% margin, giving birth to the CPRA. The CPRA will go into effect on January 1, 2023.

Compared to the CCPA, the CPRA adds the following:

  • Threshold application for organizations collecting personal information from Californian residents,
  • New consumer rights such as the Right to rectification or the Right to Limit Use and Disclosure of Sensitive Data,
  • Definition of a “Contractor”,
  • Definitions of data sale and sharing,
  • Automatic $7,500 fine for a violation involving the personal information of minors,
  • Annual cybersecurity audit required for businesses whose processing presents a significant risk to consumer privacy or security,
  • Creation of a California Privacy Protection Agency (CPPA) to enforce CPRA compliance,
  • Businesses whose processing presents a significant risk to consumer privacy or security must submit a regular risk assessment to the CPPA.
  • And more!

The CPRA contains a 12-month lookback provision, meaning that businesses will have to make sure their data collection practices are compliant with the CPRA from January 1, 2022. While you may be tempted to delay to a later stage, just know that CCPA enforcement has been in effect and enforcement actions should increase as the California Privacy Protection Agency (CPPA) structures its team and operations.

For more details about the CPRA and understand how it differs compared to CCPA, please refer to our CCPA vs CPRA overview.

The Virginia Consumer Data Protection Act (CDPA) was signed into law by Governor Ralph Northam on March 2, 2021 and will go into effect on January 1, 2023.

The CDPA became the second comprehensive data privacy law to be adopted in the US and was greatly inspired by the CPRA. Although many similarities exist between the two laws, there are also key differences:

  • Consumers must opt-in to the collection and use of their sensitive data for processing
  • The CDPA requires Data Protection Impact Assessments for any processing involving targeted advertising, data sales, profiling, or sensitive data; or any data processing that presents a “risk of harm”
  • The CDPA does not require the addition of a “Do Not Sell My Personal Information” link on websites
  • The enforcement of the CDPA will be done by the Virginia Attorney General’s Office

For a deeper dive into the Virginia CDPA, please refer to our CDPA overview.


The Colorado Privacy Act (CPA) unanimously passed on May 26, 2021 and was signed into law on July 7, 2021 by Governor Jared Polis. The CPA will go into effect on July 1, 2023.

CPA became the third comprehensive data privacy regulation adopted in the US, after California with its CCPA and CPRA, and after Virginia with the CDPA.

While the CPA is similar to the CCPA and CDPA, certain elements distinguish the Colorado law from the two other regulations and will require additional compliance efforts from companies that fall within its jurisdiction. For example:

  • The CPA does not specify a monetary value in its applicability criteria so it will be up to each company to monitor the Colorado residents and households it acquires.
  • The CPA requires eligible businesses to implement a means for consumers to opt-out of the processing of their personal data for purposes of profiling
  • In addition, the CPA clearly prevents eligible businesses from using dark patterns for obtaining opt-in consent from consumers

Continue your reading about the Colorado Privacy Act with our CPA overview.

Quickly compare US State Privacy Laws with our Interactive Privacy table

Compare Now

Federal Data Protection Laws

Although the US does not have a comprehensive federal privacy law today, there are multiple federal regulations governing the collection of information online and specifying data protection requirements. Here are some of the main regulations you may encounter.


The Health Insurance Portability and Accountability Act, also known as HIPAA, is a federal law that came into effect on April 14, 2003 and that required the creation of national standards to protect sensitive patient health information from being disclosed without the patient’s prior consent or knowledge.

As per the HHS, HIPAA requires “appropriate safeguards to protect the privacy of personal health information, and sets limits and conditions on the uses and disclosures that may be made of such information without patient authorization.”

HIPAA also “gives patients rights over their health information, including rights to examine and obtain a copy of their health records, and to request corrections.”

This comprehensive regulation defines the covered entities, the permitted use of data, the exemptions as well as patient data protection protocols. You can learn more about HIPAA on the CDC website and on the HHS website.


The Children’s Online Privacy Protection Rule, also known as COPPA, is a US Federal Data Privacy law passed by Congress in 1998 and took effect in April 2000.

COPPA imposes certain requirements on operators of websites or online services directed to children under 13 years of age, and on operators of other websites or online services that have actual knowledge that they are collecting personal information online from a child under 13 years of age, as per the FTC’s website.

At a high level, the act specifies:

  • That sites must require parental consent for the collection or use of any personal information of young Web site users.
  • What must be included in a privacy policy, including the requirement that the policy itself be posted anywhere data is collected.
  • When and how to seek verifiable consent from a parent or guardian.
  • What responsibilities the operator of a Website legally holds with regards to children’s privacy and safety online, including restrictions on the types and methods of marketing targeting those under 13.

You can access the full official text of COPPA on the FTC website.


The Fair Credit Reporting Act, also known as FCRA, was enacted in 1970 and went into effect on April 25, 1971. According to the FTC, the primary purpose of the FCRA is to “promote fairness, accuracy, and privacy of the personal information contained in the files of the credit reporting agencies.”

This federal law regulates the “collection of consumers’ credit information and access to their credit reports.”

The FCRA created numerous new consumer rights and business obligations covering scope, credit report content, dispute, access to data, and much more.

You can review both a summary and the full text of the FCRA on the FTC’s website.


The Gramm-Leach-Bliley Act (GLBA) was enacted on November 12, 1999 and requires “financial institutions – companies that offer consumers financial products or services like loans, financial or investment advice, or insurance – to explain their information-sharing practices to their customers and to safeguard sensitive data.”

The scope of the data covered (10+ data points) as well as the regulated entities covering organizations that either process loans or assume credit risks have had far-reaching impacts. GLBA has provided consumer protection benefits like:

  • Private or sensitive information being secured against unauthorized access,
  • Customers being notified of private information sharing between financial institutions and third-parties, and having the ability to opt-out if desired,
  • User and employee activity being tracked including any attempts to access sensitive information or protected records.

You can access the full text of GLBA here.

US Privacy Act of 1974

In 1974, Congress passed the US Privacy Act of 1974, containing important data privacy and protection for US consumers. The primary purpose of the Act is to “balance the government’s need to maintain information about individuals with the rights of individuals to be protected against unwarranted invasions of their privacy stemming from federal agencies’ collection, maintenance, use, and disclosure of personal information about them”.

Some of the highlights and new developments of the Privacy Act are the following:

  • Right of US citizens to access and copy any data held by government agencies,
  • Right of citizens to correct any information errors contained in their data,
  • Agencies should follow data minimization principles when collecting data – least information “relevant and necessary” to accomplish its purposes,
  • Access to data is restricted on a need-to-know basis – for example, employees who need the records for their job role,
  • Sharing of information between other federal (and non-federal) agencies is restricted and only allowed under certain conditions.

You can review the full text of the US Privacy Act on the DOJ website.


Although not a truly comprehensive data privacy law, some refer to the Federal Trade Commission Act (FTC Act) in 1914 as the first federal privacy law.

Under the FTC Act, the Commission is empowered to:

  • (a) prevent unfair methods of competition and unfair or deceptive acts or practices in or affecting commerce,
  • (b) seek monetary redress and other relief for conduct injurious to consumers,
  • (c) prescribe rules defining with specificity acts or practices that are unfair or deceptive, and establishing requirements designed to prevent such acts or practices,
  • (d) gather and compile information and conduct investigations relating to the organization, business, practices, and management of entities engaged in commerce, and
  • (e) make reports and legislative recommendations to Congress and the public.

To date, the Federal Trade Commission has broadly relied on Section 5 of the Federal Trade Commission Act (FTC Act) to investigate and enforce against consumer protection violations, including in the context of data privacy and security.

You can access the full text of the FTC Act on the FTC website.

International Data Privacy Laws

In this section

EU General Data Protection Regulation (GDPR)
Brazil’s General Data Protection Law (LGPD)
China Personal Information Protection Law (PIPL)
Canada Anti-Spam Law (CASL)

The General Data Protection Regulation (GDPR) changed the privacy landscape and inspired recent privacy laws in the US and around the world. The GDPR went into effect on May 25, 2018 but it was years in the making. The IAPP has a fairly extensive timeline of privacy developments leading to the adoption of GDPR.

The GDPR’s primary aim is to enhance individuals’ control and rights over their personal data and to simplify the regulatory environment for international business.

The GDPR introduced consumer rights to all EU residents, require data protection and privacy impact assessments, and added the opt-in consent which should be “freely given, specific, informed and unambiguous” given by a “clear affirmative action.”

The regulation also introduced 7 key principles:

  • Lawfulness, Fairness, and Transparency
  • Purpose Limitation
  • Data Minimization
  • Accuracy
  • Storage Limitation
  • Integrity and Confidentiality
  • Accountability

If you want to learn more about the GDPR, please check out our complete GDPR guide.

The Brazilian Lei Geral de Proteção de Dados (LGPD) went into effect on September 18. 2020 but the administrative sanction provisions of the LGPD went into effect on August 1, 2021.

The LGPD is the first comprehensive data privacy regulation in Brazil and drew inspiration from the GDPR. While many similarities exist between the LGPD and GDPR, there are notable differences mostly around the definition of the data in scope, the extraterritoriality, the data protection officer requirements, or the consumer privacy rights requests (DSARs).

Similar to the GDPR, the LGPD requires organizations to appoint Data Protection Officers, conduct Data Protection Impact Assessments, maintain records of processing activities and more.

For a full overview of the LGPD, please refer to our complete guide.

The recent Personal Information Protection Law (PIPL) passed on August 20, 2021 is the first comprehensive data privacy law in China based on China’s constitution. Going into effect on November 1, 2021, it is announced as a “game-changer for companies in China”.

The PIPL has extraterritorial effects: it applies not only to companies processing personal information within China but also to companies processing personal information outside China where processing activities are for the purposes of providing a product or service, analyzing the behavior of Chinese residents. The PIPL requires foreign companies to set up a special institution or to appoint a representative in China for handling personal information protection matters.

In addition, the PIPL introduced specific guidelines to collect consumer consent, data subject rights requests as well as processor’s obligations.

To learn more about PIPL, check out our complete PIPL guide.

The Personal Information Protection and Electronic Documents Act (PIPEDA) is a Canadian data privacy law that went into effect on April 13, 2000. It is Canada’s main federal privacy law governing data collection by the private sector.

The PIPEDA has broad applicability and “applies to private-sector organizations across Canada that collect, use or disclose personal information in the course of a commercial activity.”

Under PIPEDA, personal information refers to “any factual or subjective information, recorded or not, about an identifiable individual. This includes information in any form, such as:

  • age, name, ID numbers, income, ethnic origin, or blood type;
  • opinions, evaluations, comments, social status, or disciplinary actions; and
  • employee files, credit records, loan records, medical records, existence of a dispute between a consumer and a merchant, intentions (for example, to acquire goods or services, or change jobs).”

While there are no definitions about Sensitive Data or requirements for Privacy Assessments, Consent and Consumer rights are two essential aspects of the PIPEDA.

To learn more about exemptions, data breach requirements and key consent principles, simply check out our in-depth review of PIPEDA.

The Canada Anti-Spam Law (CASL) was introduced in 2010 and went into effect on July 1, 2014. The CASL’s primary purpose is to reduce “the harmful effects of spam and related threats” and “help create a safer and more secure online marketplace”, as per the enforcement agency website.

The CASL is a comprehensive data privacy law created to combat spam and prevents organizations, including foreign ones, from sending unsolicited or misleading commercial electronic messages (“CEM”) or programs to consumers without their consent.

You can click here to learn more about the CASL and its business obligations.

Key risks of non-compliance

If your organization operates in multiple jurisdictions, you will likely have to comply with multiple regulations. As you can see, while many of these regulations share a common approach, their differences can be hard to understand and operationalize within your business in order to achieve privacy compliance.

However, the risks associated with non-compliance can have negative business outcomes:

  • Lost revenues: Consumer complaints may impact your brand image, decrease trust among your customer base and impact your revenues. According to KPMG, privacy is a growing concern for 86% of consumers and 40% of US consumers do not trust companies to ethically use their personal information and a growing number are now willing to act by taking their business somewhere else.
  • Increasing costs: Penalties can add up very quickly under most privacy regulations so you want to make sure you minimize your compliance risk to a minimum. More than 200 lawsuits alleging a range of CCPA have already been filed in federal courts.
  • Resource allocation: Your team may use the 30-day grace period to fix or cure the alleged violation, potentially deprioritizing other important projects focused on improving your acquisition, retention, and product initiatives. Identifying your key gaps prior to a law going into effect is crucial.
  • Talent retention: Some of your top, privacy-centric employees may decide to leave for a privacy-first company, potentially limiting your innovation throughput and your growth.
  • Privacy performance: If you do not think through the strategic aspect of your privacy program to comply with privacy regulations, building a coalition internally around a common vision for your privacy approach will be difficult, hence limiting the impact of your privacy team.

Continue your reading


The current patchwork of international privacy regulations can be difficult to understand. It is an even more challenging task to incorporate and operationalize in your privacy program. While these laws may share a common approach and many similarities, you will see that many specificities need to be accounted for when it comes to the scope of the protected data, types of and responses to consumer rights, assessment requirements, and more.

Our team has standardized the main provisions across these key regulations in an interactive privacy table to make it easier for you to understand their similarities and differences.

Compare eligibility, consumer rights obligations, data breach requirements, penalties, and more now on our interactive privacy table!

  • Regulations

CCPA Enforcement: Key Insights from One Year


The California Consumer Privacy Act (CCPA) has been in effect since January 1, 2020 and enforcement started on July 1, 2020. Although a coalition of 60 organizations was calling to delay the enforcement of CCPA due to COVID, the Office of the Attorney General (OAG) began sending out notices of noncompliance on July 1, 2021.

On July 19, 2021, Attorney General Bonta released a CCPA enforcement update and provided a list of 27 examples of enforcement actions the OAG had taken.

The release reported that “upon receiving a notice of alleged violation, 75% of businesses acted to come into compliance within the 30-day statutory cure period. The remaining 25% of businesses that received a notice of alleged violation are either within the 30-day cure period or are under active investigation.”

Top Violations

Based on the sample provided by the OAG, we ranked the top violations in the following table.

#1 Violation: Non-Compliant Privacy Policy

More than half of the examples provided by the OAG focused on noncompliant privacy policies. It is important to note that these notices of noncompliance took many forms. 

In one example, a business did not provide notice of the required CCPA consumer right and did not explicitly state whether or not it had sold personal information or transferred personal information for a business purpose in the past 12 months. The business received a second violation because their updated privacy policy was “difficult to read” and contained “unnecessary legal jargon”. In response, the business significantly revised its privacy policy to address these concerns.

In several other examples, businesses posted privacy policies that did not provide notice of the required CCPA consumer rights. 

For more information on what’s needed in a CCPA privacy policy, view this blog.

#2 Violation: Lack of Request Methods

Six examples of enforcement actions out of the 27 were about processes surrounding Data Subject Access Requests (DSARs).

In one instance, a business that distributes children’s toys did not include the methods for consumers to exercise their CCPA rights to request to know and delete. The business also claimed in its privacy policy that it could charge a fee for processing a consumer’s request to know. After being notified of alleged noncompliance, the business updated its privacy policy to address these issues.

In another instance, an education technology company providing online learning platforms for schools, higher education, and businesses, had a non-compliant privacy policy because it did not provide notice of the required CCPA consumer rights and did not include the methods for consumers to exercise their CCPA rights to request to know and delete. The business also did not have the “Do Not Sell My Personal Information” link on its internet homepage. After being notified of alleged noncompliance, the business updated its privacy policy to address these areas and added the “Do Not Sell My Personal Information” link to its homepage.

#3 Violation: Sale of Personal Information

In one example, a business maintained third-party online trackers on its retail website that shared data with advertisers about consumers’ online shopping while neither imposing a service provider contractual relationship on these third parties nor processing consumers’ requests to opt-out that were submitted via a user-enabled global privacy control, e.g., a browser extension that signaled the GPC. After being notified of alleged noncompliance, the company worked with its privacy vendor to effectuate consumer opt-out requests and avoid sharing personal information with third parties under conditions that amounted to a sale in violation of the CCPA.

In a different case, a business’s disclosures regarding its sale of data were also confusing, and the business did not appear to provide a mechanism for consumers to opt out of the sale of their personal information. The business also made consumers take additional steps to opt-out by directing consumers to a third-party trade association’s tool designed to manage online advertising. After being notified of alleged noncompliance, the business added a “Do Not Sell My Personal Information” link and updated its opt-out webform that allowed consumers to fully opt-out of the sale of personal information, including personal information that was exchanged for targeted advertising.

To access the full list of examples, simply visit this page. 

Key insights

While many insights could be drawn from these examples, we listed our 3 key takeaways.

First, the CCPA enforcement is not targeting any specific industry. While a large number of enforcement actions were targeting online businesses and data-driven organizations, other industries such as Automotive, Grocery Retail, Consumer Electronics or Children’s Toys Distribution were also on the list. 

Second, updating your privacy policy to cover key CCPA requirements should be the first step to show the regulator your organization covers the basics which are:

  • Include the CCPA notice in your privacy policy 
  • Disclose information about the use, collection, and sale of data 
  • Present the CCPA DSAR methods 
  • Provide consumers adequate information regarding opt-outs in your privacy policy
  • Explicitly state whether your business has sold or transferred any PI in the past 12 months 
  • Provide instructions in your privacy policy for authorized agents to submit DSAR 
  • Clarify obligations as a service provider vs business (if applicable)
  • Make sure your privacy policy is easy to read and understandable to the average consumer 

Finally, you will want to think about managing your privacy request flow end-to-end. Out of the 27 examples, 13 enforcement actions covered either the failure to publish an adequate “Do Not Sell My Personal Information” link or to manage the DSAR process. Check our complete DSAR guide that can help you to understand the key challenges in the DSAR process and the solutions you could implement. 


With the recent nomination of Ashkan Soltani to lead the California Privacy Protection Agency, enforcement is not only here to stay but is likely to increase as the agency starts building its team and resources. “I am eager to get to work to help build the agency’s team and begin doing the work required by the CCPA and the CPRA,” said Soltani.

The CPRA regulation has a one-year lookback period, meaning your business should be ready by January 1, 2022. Are you ready to comply with CPRA?

Future proof your privacy program with WireWheel’s Trust Access and Consent Center and WireWheel’s Privacy Operations Manager.

Request Demo

  • Marketing
  • Regulations

What do I need for my website to be compliant for data privacy?

After new privacy laws passed in Virginia, Colorado, and California, many clients ask us what they need to do to make sure that their website is compliant today and into the future for data privacy.

For a website to meet data privacy compliance requirements, depending on the geography, it must easily provide access information including:

  1. The right privacy policies
  2. The ability for customers to manage their cookies
  3. The ability for customers to exercise their privacy rights

1. Compliant websites have the right privacy policies for visitors

GDPR (Europe) Privacy Policy Requirements

If an organization is doing business with or is located in the EU, their privacy policy needs to comply with the GDPR. This includes providing people with a GDPR compliant privacy policy (i.e., privacy notice) that is:

  • Concise, transparent, intelligible, and easily accessible
  • Written in clear and plain language, particularly for any information addressed specifically to a child
  • Delivered in a timely manner (i.e. at point of collection of personal information or in the persistent banner at the bottom of the webpage)
  • Provided free of charge

If an organization is collecting information from an individual directly, it must include the following information in its privacy notice:

  • The identity and contact details of the organization, and its Data Protection Officer
  • The specific purpose(s) for the organization to process an individual’s personal data (the legal basis for processing)
  • The legitimate interests of the organization (or third party, where applicable)
  • Any 3rd party or categories of 3rd party of an individual’s data is shared with
  • The details regarding any transfer of personal data to a third country and the safeguards taken
  • The retention period or criteria used to determine the retention period of the data
  • The details about exercising data subject’s rights including:
    • The right to withdraw consent at any time (where relevant)
    • The right to lodge a complaint with a supervisory authority
  • The existence of an automated decision-making system, including profiling, and information about how this system has been set up, the significance, and the consequences.

CCPA/CPRA (California) Privacy Policy Requirements

To comply with California website privacy policy requirements, privacy notices and policies must be

  • Easy to read and understand
  • Available to languages in which the business operates
  • Reasonably accessible to people with disabilities
  • Presented with a conspicuous link if a website homepage or on the download or landing page of a mobile application
  • Inclusive of information on consumers’ privacy rights and how to exercise them:
    • Right to Know, the Right to Delete/Correct, the Right to Opt-Out of Sale, and the Right to Non-Discrimination.[1]
    • Categories of personal information collected
    • Categories of sources where personal information is collected
    • Categories of 3rd parties personal information is shared with
    • Purpose for which personal information is being used
  • Updated annually

For CPRA, your privacy policy must make consumers aware of their additional right to request that you limit your use and disclosure of their sensitive personal information.

CDPA (Virginia) Privacy Policy Requirements

For Virginia, the controller must provide consumers with a reasonably accessible, clear, and meaningful privacy notice that includes:

  • The categories of personal data collected or processed by the controller or a data processor;
  • The purposes for which the categories of personal data are processed;
  • An estimate of how long the controller may or will maintain the consumer’s personal data;
  • An explanation of how and where consumers may exercise their rights
  • The categories of personal data that the controller shares with third parties, if any; and
  • The categories of third parties, if any, with whom the controller shares personal data.

CDPA does not expressly require businesses to display a privacy notice at or before the point of the collection of personal data, nor does it require businesses to provide a “do not sell my information” link.

CPA (Colorado) Privacy Policy Requirements

The CPA’s privacy notice required disclosures are nearly identical to those required by the VCDPA, requiring that controllers provide a reasonably accessible, clear and meaningful privacy notice that includes:

  • the categories of personal data collected or processed
  • the purposes for processing of personal data
  • how and where consumers may exercise their rights and how to appeal a controller’s action in response to a request
  • categories of personal data shared with third parties
  • the categories of third parties with whom the controller shares personal data.

If a controller sells personal data to third parties or processes personal data for targeted advertising, the controller must clearly and conspicuously disclose the sale or processing, as well as the manner in which a consumer may exercise the right to opt-out of the sale or processing.

2. The ability for customers to manage cookies

Privacy regulations require the capability for consumers to manage cookie consent. Cookies are small files that websites send to your device that the sites use to monitor you and remember certain information about you — like what’s in your shopping cart on an e-commerce website, or your login information.[2]

For your website to be compliant with privacy regulations, your visitors must have control of the cookies marketing and digital advertisers place. In particular, they have to have control over third-party cookies. Third-party cookies are cookies that are stored in the user’s computer and that are created by a website with a domain name other than the one the user is currently visiting.[3]

Whether you fall under these regulations depends on your size and your business model.

GDPR Cookie Consent

To be compliant with GDPR, website visitors must be able to opt-in to cookies on their browser. Cookies cannot be placed on a browser without freely given, specific, informed and unambiguous consent given by a clear affirmative action.

CCPA and Cookie Consent

California’s CCPA requires that companies offer their customers the ability to opt out of the sale of their data. Specifically, there needs to be a ‘Do Not Sell My Personal Information’ link at the bottom of the homepage. It covers the sharing of personal data captured by cookies and other tracking technologies with third parties like Facebook, Google, and others. Therefore, to be compliant, you should enable consumers to opt out of these tracking cookies.

Cookie Consent and Future Privacy Legislation

When CPRA (California), CDPA (Virginia), and CPA (Colorado) go into effect, website visitors will have to be able to have control over the cookies placed on their browser and to be able to:

  • Opt-out of processing personal data
  • Opt-out of automated decision-making
  • Opt-out of target and re-targeting
  • Opt-in processing sensitive data

3. Exercising Privacy Rights (Data Subject Access Requests or DSARs)

GDPR Rights (DSAR) Requests

In order for a website to comply with GDPR, customers must have the ability to:

  • Access. Deliver all personal information you have on a consumer.
  • Correct. Correct the information you have on me.
  • Delete. Delete personal information from databases.
  • Restriction of Processing. Limits how companies can process personal data.
  • Data Portability. Provide consumers their data so that consumers can use it elsewhere.
  • Object. Object to the way their personal data is being used.
  • Avoid Automated Decision Making. Eliminate the ability for personal data to be used in an automated way without human involvement.

CCPA Rights (DSAR) Requests

In order for a website to comply with CCPA, customers have to be able to access and delete private information and tell companies not to sell their private information.

Privacy Rights Requests for Future Privacy Legislation

In the future, in Virginia (CDPA), Colorado (CPA) and California (CPRA) companies, in addition to access, delete and do not sell, you will have to allow consumers to:

  • Correct my data
    • Correct the information you have on me
  • Do not collect and use my sensitive data
    • Do not use ethnicity, financial, or identification information in analysis (e.g., segment performance)
    • Consent is required in CA, VA and CO.
  • Do not process my personal data for advertising
    • Use customer information (e.g., purchase history) to inform any advertising
    • Use browser information (e.g., cookies) to inform advertising on site and elsewhere

In summary, in the United States, for your website to be compliant today, you need to enable:

  • Do not “sell/share” my personal data
    • Stop your website from sharing data via cookies to marketing partners
    • Stop employees from sharing customer lists with marketing partners (e.g., Facebook for Lookalike targeting) or data brokers services
    • Have a ‘Do Not Sell My Personal Information’ link at the bottom of your homepage
  • Delete, access my personal information
    • Deliver all personal information you have on consumer
    • Delete personal information from databases

In the future, you will need to allow website visitors to:

  • Do not process my personal data for advertising
    • Use customer information (e.g., purchase history) to inform any advertising
    • Use browser information (e.g., cookies) to inform advertising on-site and elsewhere
  • Do not share personal info for cross-context behavioral advertising
    • Share cookie data with ad exchanges / platforms
  • Do not use for automated decision-making
    • Do not use to create unique customer experiences on the web-based on browsing behavior
  • Do not collect and use my sensitive data
    • Do not use ethnicity, financial, identification information in analysis (e.g., segment performance)
    • (opt-in is required in VA)
  • Allow consumers to make requests about their data
    • Access, Delete, Correction

Another note, while CA has stated the Global Privacy Control (GPC) is recognized as a valid means of opt-out it isn’t a requirement in any law. If you accept GPC signals you should state it in your privacy policy. If it is in your privacy policy (like anything else) you should be sure to actually do it.


Companies should make sure that they have in place:

  • The right privacy and cookie policies
  • A cookie management solution they choose, not only works today but well into the future
  • The ability to collect and fulfill rights requests required right now, as well as the ones required in the future

Additionally, companies must have the appropriate persistent links to privacy policies and subject rights on their website and download pages of mobile applications.

Here is a summary table of the rights and preferences required by each law:

Future proof your privacy program with WireWheel’s Trust Access and Consent Center and WireWheel’s Privacy Operations Manager.

Request Demo
  • Privacy Law Update

Privacy Law Update: October 25, 2021

Stay up to date with this weekly release covering key developments on data privacy laws, technology, and other hot privacy topics!

Newsworthy Updates

IAPP-EY release Annual Privacy Governance Report 2021

The COVID-19 pandemic and the evolution of remote/hybrid/office work, compliance issues related to the EU General Data Protection Regulation and California Consumer Privacy Act, emerging laws around the world and throughout the U.S., and more, have shaped the state of the privacy profession in 2021. The “Privacy Governance Report,” produced by the IAPP in collaboration with EY and EY Law, takes an in-depth look at the ongoing effects of privacy leadership, budgets, staff and reporting structures, and the workflow around data subjects and processing vendors over the past year.

The UK’s data protection reforms: Analyzing the proposed changes

In September, the U.K. The Department for Digital, Media, Culture and Sport released a consultation document proposing a raft of changes to the U.K.’s data protection law. Some are small changes and clarifications intended to resolve uncertainties in the EU General Data Protection Regulation’s drafting, while others are fundamental reforms to the operation of the U.K.’s data protection laws and the obligations and protections they bring. Bird & Bird’s Ruth Boardman and Clara Clark Nevola summarize and offer a color-coding scale for assessing the severity of the main changes proposed in the consultation document.

Amazon Challenges Record $865 Million EU Data-Protection Fine Inc. appealed a record 746 million-euro ($865 million) penalty for allegedly violating the European Union’s tough data-protection rules.  The challenge comes after CNPD, Luxembourg’s data protection regulator, where Amazon has its EU base, slapped the U.S. tech giant with the fine in July.   The regulator ruled that Amazon violated the bloc’s General Data Protection Regulation, or GDPR, through its processing of users’ personal data.  The decision was triggered by a 2018 complaint from French privacy rights group La Quadrature du Net.

Privacy Legislation

Future proof your privacy program with WireWheel’s Trust Access and Consent Center and WireWheel’s Privacy Operations Manager.

Request Demo