Most of the modern state data privacy laws have attempted to exclude from their jurisdictional reach organizations that process de minimis amounts of personal information. The state statutes create different thresholds for what constitute de minimis processing base those thresholds largely on whether the organization sells personal information. The net result is that most states
personal information
Under the CCPA, can a service provider use personal information for its own purposes if it deidentifies or aggregates it?
The CCPA states that a service provider must be contractually prohibited from “retaining, using, or disclosing the personal information [provided to it by a business] for any purpose other than for the business purposes specified in the contract for the business . . . .”[1] That prohibition, however, may not apply to information once…
Is a business required to include an ‘opt out of targeted advertising’ link on its homepage (i.e., a Do Not Share link) if it recognizes opt-out preference signals?
Three modern privacy statutes incorporate the concept that individuals should be able to broadcast a signal from their browser or device that directs an organization to cease providing their personal information to third parties for the purposes of targeted advertising.
The regulations implementing the CCPA, as amended by the CPRA, require organizations to process “opt-out…
Cookies and Other Tracking Technologies May Violate HIPAA
Given recent Health and Human Services’ Office for Civil Rights guidance, HIPAA-regulated entities should consider immediately taking the steps discussed in this GT blog post to reduce the risk associated with their use of tracking technologies.
Continue Reading Cookies and Other Tracking Technologies May Violate HIPAA
‘Do Not Sell’ Links – How common are they really?
A review of the Fortune 500 conducted approximately one year after the CCPA went into effect showed that 21 percent of websites included a “Do Not Sell My Personal Information” link; 78.6 percent of websites did not include a link to opt out of the sale of personal information.[1] Over the past year, that…
How many websites now have cookie banners?
A “cookie banner” refers to a pop-up notice on a website that discusses the site’s use of cookies. There is little standardization concerning how cookie banners are deployed. For example, websites can position them in different places on the screen (e.g., across the top of the screen, across the bottom of the screen, in a…
How many businesses put up a “Do Not Sell My Personal Information” link even when they don’t have to?
The CCPA requires businesses that sell personal information to explain that consumers have a right to opt-out of the sale[1] and provide a clear and conspicuous link on their homepage titled “Do Not Sell My Personal Information” that takes the consumer to a mechanism that permits them to exercise their opt-out right.[2] If…
Can a business require a consumer to submit a declaration under penalty of perjury in order to prove their identity?
The regulations implementing the CCPA require that a business verify the identity of a consumer that submits a specific-information access request to a “reasonably high degree of certainty.”[1] The regulations provide as an example matching three pieces of personal information provided by the consumer with three pieces of personal information maintained by the business…
What is the difference between a category-level access request and a specific-information access request?
The CCPA and its implementing regulations identify six types of information requests that a consumer can submit to a business. As the first five requests ask that a business respond with broad information about the type of information collected (as opposed to the actual information itself), they are often referred to as category-level access requests.
Is a Company Permitted to Transfer Personal Information From Europe to the US for a Discovery Request?
The Federal Rules of Civil Procedure, as well as state procedural rules, permit parties to a lawsuit to conduct discovery, in search of information and documents that may be relevant to the litigation. Parties can issue requests for documents, information (called interrogatories), and admissions of fact to other parties to the lawsuit; parties may use…