sensitive personal information

Some privacy statutes explicitly reference “sensitive” or “special” categories of personal information. While such terms, when used, often include similar data types that are generally considered as raising greater privacy risks to data subjects if disclosed, the exact categories that fall under those rubrics differ between and among statutes. Furthermore, other privacy statutes do not

A controller refers to the entity that determines the “purpose and means” of how personal data will be processed. Determining the “purpose” of processing refers to deciding why information will be processed. Determining the “means” of processing refers to deciding how information will be processed.[1] That does not necessarily mean, however, that a controller

A controller refers to the entity that determines the “purposes and means” of how personal data will be processed. [1] Determining the “means” of processing refers to deciding “how” information will be processed.[2] That does not mean, however, that a controller must make every decision with respect to the processing of information.

The European

On March 10, 2021, Rep. Suzan DelBene (D-Wash.) introduced the first comprehensive consumer privacy bill of the 117th Congress. The Information Transparency and Personal Data Control Act is designed to “establish a uniform set of rights for consumers and create one set of rules for businesses to operate in,” according to a press release from

Maybe not. The European Data Protection Board (EDPB) issued draft practical guidance on various types of data breaches to assist companies with identifying situations in which a data security incident may need to be reported to EU supervisory authorities (the government regulator for privacy in various EU member countries).

The EDPB addresses a very common

Maybe.

“Tokenization” refers to the process by which you replace one value (e.g., a credit card number) with another value that would have “reduced usefulness” for an unauthorized party (e.g., a random value used to replace the credit card number).[1] In some instances, tokens are created through the use of algorithms, such as hashing

The CCPA requires that a business include 15 specific disclosures in its privacy policy. These include, for example, disclosures relating to the enumerated categories of personal information that the business collects, the categories of personal information that are shared with service providers or other third parties, and consumers’ ability to request access to and deletion

Typically, no.

The CCPA excludes from the definition of “personal information” information that is “publicly available” and defines that term to mean “information that is lawfully made available from federal, state, or local government records.”[1]

Although the majority of information received from government records is, therefore, excluded from the definition of “personal information,” the

Yes.

The CPRA adds “sensitive personal information”[1] to the examples of data types that may constitute personal information. The term “sensitive personal information” is itself defined within the CPRA to include 20 data fields. Some, but not all, of these data fields already existed in the CCPA, and their inclusion with the personal information