One of the provisions in the ISO 29100 privacy framework is that the top management of an organization should “establish a privacy policy” that, among other things:

  • Provides an internal organizational framework for setting objectives,
  • Includes a commitment to satisfy applicable privacy safeguarding requirements,
  • Includes a commitment to continual improvement.

The privacy policy envisioned under

On Wednesday, May 12, 12:00 – 1:00 p.m. ET, join GT for a webinar on the current state of the law in the United States and Europe when it comes to the use of cookies, pixels, scripts, and other tracking technologies online.

New laws, including the California Consumer Privacy Act (CCPA), the California Privacy

The terminology used by the ISO 29100 privacy framework arguably most closely aligns with the terminology used under the GDPR. The following chart provides a side-by-side comparison of commonly used terms and concepts as they appear in the European GDPR, the California CCPA, and the newly passed Virginia Consumer Data Protection Act.

ISO 29100 Europe

In a unanimous decision released on April 22, 2021, the U.S. Supreme Court upended decades of lower court precedent by finding that Section 13(b) of the Federal Trade Commission Act (FTC Act) does not authorize the FTC to seek, or a court to award, equitable monetary relief such as restitution or disgorgement. Instead, in AMG

The ISO 29100 privacy framework does not include formal requirements that a company must follow, but it does provide bullet points under each of its proposed principles that discuss what it means to adhere to the principle, and many organizations refer to those bullet points as proposed controls. In total, the original version of the

The ISO 29100 privacy framework sets forth the following eleven core principles:

1. Consent and choice

2. Purpose legitimacy and specification

3. Collection limitation

4. Data minimization

5. Use, retention and disclosure limitation

6. Accuracy and quality

7. Openness, transparency and notice

8. Individual participation and access

9. Accountability

10. Information security

11. Privacy compliance

Jena M. Valdetero, co-chair of global law firm Greenberg Traurig, LLP’s U.S. Data, Privacy & Cybersecurity Practice, has been named to Cybersecurity Docket’s 2021 Incident Response 40 list, which “recognizes the 40 best data breach response attorneys in the business.” This year’s honorees were announced at the annual Incident Response Forum Masterclass,

New regulations to the California Consumer Privacy Act (CCPA) took effect in March that prohibit businesses from using on their websites “dark patterns” that make it difficult for California consumers to opt out of the sale of their personal information.

A dark pattern is a potentially manipulative user interface design that can have the effect,