Best Practices for Maintaining Employee Privacy Regarding COVID-19

Written by Jeremy Mittman and Susan Kohn Ross

The situation surrounding COVID-19 is, to say the least, fluid and scary. The ultimate outcome of the disruption to the business community is also unclear. There are nonetheless a couple of topics we can talk about right now with some degree of certainty on which businesses may want to focus as we all struggle to deal with the very human toll of this pandemic. One is employee privacy, which is addressed in this edition. The cybersecurity topics worthy of immediate attention will be covered in a subsequent blog post.

We start here with the confidentiality obligation of employers regarding information about the health of their employees. If someone on your staff becomes infected, as a general proposition, as the employer, you may not share that information with other employees. The Centers for Disease Control published an Interim Guidance for Businesses and Employers, and stated: “If an employee is confirmed to have COVID-19, employers should inform fellow employees of their possible exposure to COVID-19 in the workplace but maintain confidentiality as required by the Americans with Disabilities Act.” Since COVID-19 has spread to many different countries, the privacy laws in those countries also need to be considered. For example, the European privacy law – the GDPR – addresses privacy around health data, plus local public health authorities in those countries will have their own protocols to follow.

New Revisions to the CCPA

By Susan Kohn Ross

The California Consumer Privacy Act (“CCPA”) took effect on January 1, 2020. In October 2019, the California Attorney General (“CA AG”) published proposed regulations. In the lead-up to January 1, 2020, the CA AG repeatedly made the point that those subject to the CCPA should plan for compliance with its broad principles by the first of the year, while admitting enforcement would not start until the regulations were final, meaning July 1, 2020. As part of this process, the CA AG advised he did not expect there to be significant changes to the regulations between October and July. However, upon receiving comments to those October proposed regulations, he changed his mind, and on February 7, 2020 revised regulations were issued. A subsequent notice on February 10, 2020 corrected the earlier publication, which omitted certain updates.

To be clear, some of the changes were long awaited (such as what the “Do Not Sell My Personal Data” button looks like), while others were unexpected (such as the change to the training requirement by raising the level of records from four million to ten million). This Alert will summarize the key proposed changes.

California Consumer Privacy Act: Are You Ready? (Part 2)

By Susan Kohn Ross

In Part 1, we summarized the recent legislative changes regarding the California Consumer Privacy Act (“CCPA”). Bearing in mind the CCPA takes effect on January 1, 2020 and the Attorney General is required to issue regulations by July 1, 2020, these regulations not only meet that time frame, but also seek to provide much-needed guidance to industry.

Most of the legislative changes narrowed the definition of personal information, clarified the time frame which applies when a consumer demands information the business possesses about him or her, and confirmed the CCPA applies to businesses, not non-profits or government entities. In this Alert, we summarize the regulations which were recently issued. However, even in the regulatory context, the starting point remains the same. Companies should begin by asking the following questions:

California Consumer Privacy Act: Are You Ready? (Part 1)

By Susan Kohn Ross

In the last few weeks we have seen both regulatory and legislative action that has helped to clarify the scope and impact of the California Consumer Privacy Act (“CCPA”). By way of a refresher, the CCPA seeks to protect the personal information of California consumers by giving them greater knowledge about the nature and extent of the data collected about them, how it is used (sold or shared) by those who possess it, and how the individual consumer can control the use of his/her personal data. The CCPA applies to companies, regardless of where they are located, which:

  • Have annual gross revenues in excess of $25 million;
  • Alone or in conjunction with others annually buy, sell, receive or share for commercial purposes, the personal information of 50,000 or more consumers, households, or devices; or
  • Derive 50% or more of their annual revenues from selling consumer personal information.

This framework leaves companies to ask some very basic questions before deciding next steps:

  • What is our annual gross revenue (not limited to California income)?
  • Do we have the personal information of at least 50,000 consumers, households or devices located in California?
  • Do we sell the personal data we have of those California consumers, households or devices? If so, do we derive 50% or more of our annual revenues from those sales?
  • Even if we do not sell that personal data, do we disclose any portion of it to any third parties?

If you answered more than $25 million to the first question or yes to any of the remaining questions, you could be subject to the CCPA, but there is more to the analysis. The next important question is: do you hold personal data belonging to any California consumers, households or devices? If you answered no, you can breathe a sigh of relief. Otherwise, get ready for the year-end push!

US Visa Applicants Now Required To Provide Social Media Identifiers

By Benjamin Lau and David Rugendorf.

On May 31, 2019, the US Department of State updated its Form DS-160 (online nonimmigrant visa application) and Form DS-260 (online immigrant visa application) to collect social media identifiers for those applying for nonimmigrant and immigrant visas. Applicants for US visas are now being asked to provide all social media identifiers they have used within the past five (5) years. This update was announced in a statement to the press by a US Department of State official on June 1, 2019.

A social media “handle” or “identifier” is any name used by the individual on social media platforms including, but not limited to, Facebook, Twitter, and Instagram. The updated visa application forms currently employ a drop-down menu which lists the specific social media platforms for which identifiers are being requested. An example of the drop-down menu from the online visa application form can be seen below:

CA Consumer Privacy Act Gets a Rewrite

By Susan Kohn Ross

When the law was signed by then Governor Brown (see our prior Alert here), the expectation was that Attorney General Becerra would issue the enabling regulations by July of this year, which would allow a phase-in period. Then by January 1, 2020, the requirements would be clear and companies would be able to properly formulate and implement their compliance policies. Regretfully, things are not going as expected.

First, in accordance with the law, General Becerra organized a series of public meetings:

The GDPR is Coming – Are You Ready?

By Susan Kohn Ross and Aaron Wais

On May 25, 2018, important European regulations regarding data privacy and protection go into effect that will have a major impact on American companies, many of which don’t realize they will be subject to compliance with its requirements. The General Data Protection Regulations (the “GDPR”) will have severe penalties for non-compliance (as high as €20 million or 4% of annual worldwide turnover). The GDPR will also have very broad territorial reach, applying not only to European entities, but also to entities located outside of Europe (including those in the U.S.) that process the personal data of living European individuals residing in the covered countries, including if the company:

  • Offers goods or services to individuals in the covered countries (e.g., e-commerce, capital raising, fund raising, immigration);
  • Employs individuals in one or more of the countries;
  • Monitors the behavior of individuals in any of these countries; and
  • Collects, stores, or processes the personal data of affected individuals on behalf of others.

For these purposes, the European definition of personal data mirrors nicely the American definition of personally identifiable information. Given the severe penalties and broad reach, it is important that each company in the U.S. consider whether the GDPR applies to its operations and, if so, how best to comply.