AI Bellwethers in the US and EU
Hello all, and thanks for reading today.
Updated: August 24, 2023
Published: December 29, 2020
Welcome to the latest edition of the Privacy Insider newsletter. Each week, we send you the latest and smartest news in the world of data privacy.
One of the greatest mistakes we see companies making is assuming that as long as their own privacy program is compliant with the governing laws, they're safe. But in fact, under various privacy laws, companies are also responsible for the choices their vendors are making with the data shared with them.
A story in the Privacy Insider this week illustrates the importance of understanding this and the risks companies face if they don't take vendor-risk management seriously.
Recently, the US Federal Trade Commission settled with a financial institution over allegations that it violated the Gramm-Leach-Bliley Rule, which regulates such institutions. The FTC alleged the organization shared data with a third-party vendor that "performed text recognition scanning on mortgage documents" that it stored on the cloud in plain text without proper protections.
It may seem unfair to get dinged by the U.S. privacy regulator over something you yourself didn't do, but that's the rule not only for financial institutions under Gramm-Leach-Bliley. Responsibly managing your third-party vendors is required broadly under laws that continue to proliferate, as well as under California's Consumer Privacy Act and the EU General Data Protection Regulation.
It's a reminder to thoroughly vet your third-party vendors before entering into relationships with them. Not only that, it's important to continue to monitor your vendors' privacy practices over time to ensure that you don't find yourself under the FTC's watchful eye.
Stay safe and warm over the new year, and we hope you enjoy this week's edition. See you in 2021!
Here are the top stories you might have missed:
1. FTC settles with financial institution that didn’t properly manage its vendor
The U.S. Federal Trade Commission announced a settlement Dec. 15 with a financial institution that the agency said “claimed to oversee the data security practices of one of its service providers as required under the Gramm-Leach Bliley Act’s Safeguards Rule.” “Oversight of vendors is a critical part of any comprehensive data security program, particularly where those vendors can put sensitive consumer data at risk,” said Andrew Smith, director of the FTC’s Bureau of Consumer Protection. “If you’re a financial company, vendor oversight is not just a good idea, it’s the law.”
2. Health experts say COVID vaccination data collection is risky
Plans in California to collect personal information in the name of thwarting COVID-19’s spread are raising privacy concerns. While experts say collecting names, addresses and birth dates is essential to tracking the efficacy of newly created vaccines, some health experts say that kind of data collection could prevent vulnerable populations, such as illegal workers in the U.S., from seeking vaccination, the Los Angeles Times reports.
3. Is 2021 the year the US will pass a privacy law?
Business Insider predicts that U.S. Congress will pass a federal privacy law in 2021. The impetus just might be the proliferation of state and global data protection and privacy laws in recent years, including California’s Consumer Privacy Act (soon to be replaced by the California Privacy Rights Act) and the EU’s General Data Protection Regulation. “The 116th Congress has put forth at least 20 proposed privacy bills or drafts,” but it remains to be seen which will get enough bipartisan consensus to pass.
4. EU-UK agreement is good news for data flows
National Law Review reports on the “EU-UK Trade and Cooperation Agreement,” signed Dec. 24, and its effects on post-Brexit data flows. The agreement provides “transitionary provisions stating that transfers of personal data from the EU to the U.K. will not be considered transfers of personal data to a third country during the Specified Period, and, as such, will not be prohibited by the GDPR.” That’s good news for the U.K., which has worried about being deemed an “adequate” third country for the sake of data transfers from the EU to the U.K.
5. EU regulators starting to align on GDPR
BankInfoSecurity reports that there’s starting to be some consensus among EU data protection regulators over violations of the General Data Protection Regulation. “But in some respects, it’s like a meal,” says attorney Jonathan Armstrong in the report. “It is easier to say when you’ve had a bad meal rather than what are the essential ingredients for a good one. … So proving that you had good technical and organizational measures in place will always be a high bar, because something has happened despite the measures you had to stop it.”
6. China’s privacy law will set the stage for facial recognition
China’s new data privacy law will determine the future of facial recognition surveillance in the country, OODA Loop reports. The Personal Information Protection law, a draft of which was released in mid-October, will “clarify when facial biometrics can be used,” according to the report.
7. Remote schooling’s impact on student privacy
The onslaught of changes that COVID-19 brought didn’t spare schools. In a story for Marketplace Tech, the Future of Privacy Forum’s Amelia Vance discusses the state of student privacy in the U.S. While there are plenty of laws regulating what can and can’t be done with student data, not everyone knows about them. Said Vance, “There was a great survey that Common Sense Media did a couple of years ago, that said only 25% of teachers had been trained on student privacy, and many of the laws that have passed aren’t necessarily passed down to the school districts who are supposed to enforce them.”
8. Using vehicle data to solve crimes isn’t without risks
NBC News reports on law enforcement’s increasing use of vehicle data to solve crimes. "It helps convict people, and it can help prove they are innocent," Berla founder Ben LeMere said. "Children's bodies have been found. Families have had closure." But privacy advocates say collecting vehicle information has privacy implications, partly because the data collected to solve crimes “can also be used to commit them,” the report states.
Osano Staff is a pseudonym used by team members when authorship may not be relevant. Osanians are a diverse team of free thinkers who enjoy working as part of a distributed team with the common goal of working to make a more transparent internet.