Data protection authorities worldwide, including France’s Commission Nationale de l’Informatique et des Libertés (CNIL), the California attorney general (CAG), and the U.S. Federal Trade Commission (FTC), recently have indicated their intention to increase privacy enforcement efforts against mobile apps. As the digital landscape continues to evolve, data protection and privacy concerns remain
privacy policy
How many businesses put up a “Do Not Sell My Personal Information” link even when they don’t have to?
The CCPA requires businesses that sell personal information to explain that consumers have a right to opt-out of the sale[1] and provide a clear and conspicuous link on their homepage titled “Do Not Sell My Personal Information” that takes the consumer to a mechanism that permits them to exercise their opt-out right.[2] If…
CPRA’s effective date is around the corner… but how many businesses actually updated their privacy policies the first time for the CCPA?
In order to help businesses understand and benchmark industry practice, Greenberg Traurig attorneys analyzed the publicly available privacy policies of companies within the Fortune 500.[1] As of October 2022 – nearly two years after the CCPA took effect – 71% of companies had updated their privacy policies to account for the CCPA.[2] It…
Do companies have to create an internal privacy policy (not a privacy notice) under the ISO 29100 privacy framework?
One of the provisions in the ISO 29100 privacy framework is that the top management of an organization should “establish a privacy policy” that, among other things:
- Provides an internal organizational framework for setting objectives,
- Includes a commitment to satisfy applicable privacy safeguarding requirements,
- Includes a commitment to continual improvement.
The privacy policy envisioned under…
Have companies in different industry sectors updated their privacy policies at different rates for the CCPA?
Yes.
In order to help businesses understand and benchmark industry practice, Greenberg Traurig LLP analyzed the privacy policies of companies within the Fortune 500. As of December 2020, there was significant divergence between the rates at which companies in different industry sectors had updated their privacy policies to account for the CCPA. While all of…
How many businesses updated their privacy policies for the CCPA?
In order to help businesses understand and benchmark industry practice, Greenberg Traurig, LLP analyzed the privacy policies of companies within the Fortune 500. As of December 2020 – 12 months after the CCPA had gone into effect and six months after the CCPA became enforceable – 71.8% of the companies within the Fortune 500 had…
If a business drafted a privacy policy to comply with the CCPA does the business need to revise its policy for the CPRA?
The CCPA requires that a business include 15 specific disclosures in its privacy policy. These include, for example, disclosures relating to the enumerated categories of personal information that the business collects, the categories of personal information that are shared with service providers or other third parties, and consumers’ ability to request access to and deletion…
Does a business have to provide a privacy policy directly to a consumer if it obtains the consumer’s data from a third party (i.e., purchases it)?
The regulations implementing the CCPA require that “[e]very business . . . shall provide a privacy policy in accordance with the CCPA and the [regulations].”[1] The regulations clarify that a business meets its obligation to “provide” a privacy policy by posting the policy online or, if it does not operate a website, “mak[ing] the…
Is a business required to provide its privacy policy ‘at or before’ the point at which information is collected?
No.
A privacy policy typically discloses the following information to the public:
- The categories of information collected from a data subject directly and from third parties about a data subject,
- The purpose for which information is collected and used,
- The ability (if applicable) of a data subject to opt out of their information being sold,
…