No. A privacy framework describes a set of standards or concepts around which a company bases its privacy program. Typically, a privacy framework does not attempt to include all privacy-related requirements imposed by law or account for the privacy requirements of any particular legal system or regime. As a result, a company can utilize a

Some privacy statutes explicitly reference “sensitive” or “special” categories of personal information. While such terms, when used, often include similar data types that are generally considered as raising greater privacy risks to data subjects if disclosed, the exact categories that fall under those rubrics differ between and among statutes. Furthermore, other privacy statutes do not

Many modern data privacy statutes rely heavily on regulatory enforcement. The amount of civil penalty that a regulator can see for violations differs between and among the states. It should also be noted, there may be ambiguity within certain states regarding how violations are “counted.” For example, a business might consider the inadvertent selling of

Many modern data privacy statutes are designed to encourage compliance by permitting organizations to cure an alleged violation of the statute prior to a regulatory enforcement action. The ability to cure may have been included in recognition of the fact that modern data privacy statutes impose obligations that may be foreign to many organizations (i.e.,

On April 29, 2022, China’s National Information Security Standardization Technical Committee (commonly referred to as “TC260”) released a draft Technical Guideline on Personal Information Cross-Border Transfer Certifications (Cert Guideline). While the Cert Guideline is still in draft form and thus subject to change, it provides some clarification regarding the certification process for cross-border transfers of

Most modern U.S. data privacy statutes require companies to allow data subjects to opt out of having their personal information used for targeted advertising. As the following chart indicates, the term “targeted advertising” is defined consistently between and among most state statutes with the noticeable exception of the California Consumer Privacy Act (CCPA) and its

Modern state privacy laws have attempted to carve out organizations that process de minimis amounts of personal information, or whose business activities do not monetize data. The specific thresholds used, however, differ between states. The following provides a comparison of the thresholds that each statute creates for organizations that are subject to regulatory compliance obligations:

The term “Transfer Impact Assessment” or “TIA” is relatively new to the world of data privacy. Indeed, according to one widely used legal database the term was not referenced within any academic journals or secondary sources until 2021.[1] The term has come to refer to a written analysis, conducted by a controller or a

Gretchen A. Ramos is quoted in a Cybersecurity Law Report article titled “Navigating Post-Schrems II International Data Transfer Waters: Challenges and TIAs.” The article discusses the challenges companies may face as they complete transfer impact assessments (TIAs) and update their standard contractual clauses (SCCs).

Click here to read the full article. (subscription required)

Greenberg Traurig is sponsoring the ACC’s 2022 Cybersecurity Summit, taking place March 8-10, 2022.

On March 9, Shareholder Gretchen A. Ramos, co-chair of the firm’s Global Data, Privacy & Cybersecurity Practice, will deliver the keynote session, “New Global Data Protection Laws.” The session will cover new privacy laws, structuring compliance efforts, obtaining