Pressure mounts for federal privacy law with second bill – Naked Security

Source: National Cyber Security – Produced By Gregory Evans

Pressure is gathering for a federal privacy law in the US with the introduction of a second bill that would protect consumer data. The Consumer Online Privacy Rights Act from Washington Senator Maria Cantwell not only outlines strict privacy and security rules, but also establishes a dedicated FTC office to enforce them. Cantwell also pointed out in her Bill announcement that it defines privacy as a right in federal law.

The proposed law would prevent companies from mishandling data to cause individuals harm. They’d also have to hand over a copy of the data to the individual owning it at their request and name any third party that they’d given it to. They’d also have to delete it when asked.

Companies would need to publish clear privacy policies, and they’d need to get a person’s consent before weakening their privacy measures. The consent measures are pretty close to those under the California Consumer Protection Act (CCPA), which comes into effect on 1 January 2020, in that they require companies to get permission to process someone’s data and allow individuals to opt out of having their data transferred to others.

The legislation defines data broadly, including the usual suspects like email, financial account numbers, government-issued identifiers like social security numbers, and information about race, religion, union membership, and sexuality. It also covers things like biometric data, geolocation information, communications content or metadata, data about online activities over time and across third-party websites or online services, and even calendar appointments. The law singles out intimate photos and videos of people, too, in a clear attempt to deter online creeps.

All the above falls under the term ‘sensitive covered data’, while ‘covered data’ seems to cast a wider net, encompassing “information that identifies, or is linked or reasonably linkable to an individual or a consumer device, including derived data”. That’s a broad definition, and like the CCPA’s it seems to take in things like IP addresses.

Companies needn’t deliberately violate privacy rules to incur a penalty. The Bill also forces them to put security measures in place to avoid an accidental breach, including vulnerability assessments and training.