Consumer Data Privacy

Subscribe to Consumer Data Privacy via RSS

The new legislation extends both the protections available to consumers, as well as the obligations applicable to e-commerce retailers.

By Brian A. Meenagh and Avinash Balendran

With its recent implementation of a new consumer protection law, the United Arab Emirates has taken a significant step forward in protecting the rights of consumers. The new legislation — Federal Law No. (15) of 2020 (the New CPL) — entered into force on 16 November 2020, repealing Federal Law No. (24) of 2006. In particular, the New CPL extends both the protections available to consumers, as well as the obligations applicable to e-commerce retailers.

One stand-out provision in the New CPL is Article 4(5), which places an obligation on Entities (as defined below) to protect “consumers’ privacy and data security”. Article 4(5) also implies that Entities should not use consumer data for “the purposes of promotion or marketing”.

The proposals would grant consumers increasing rights to require providers to share access to their data directly with chosen third parties.

By Alain Traill and Gail Crawford

The UK government has released a consultation advocating the introduction of sweeping new requirements for service providers to share both consumer data (upon request) and data regarding their own products and services, with third parties. The proposals, released on 11 June 2019 by the Department for Business, Energy and Industrial Strategy (BEIS) in its Smart Data report and consultation, are indicative of a wider drive toward requiring companies to free up access to the data they hold. The drivers behind this include a desire to increase competition, foster the growth of data-driven services, and improve consumer choice.

The proposals follow the introduction of a range of sector-specific initiatives in the UK and is part of a concerted government focus on digital strategy, as evidenced in its recent white paper on Regulation for the Fourth Industrial Revolution, as well as the National Data Strategy introduced last year.

FCA Chair hints that new regulation addressing data ethics in the FinTech space may be on the horizon.

By Nicola Higgs, Fiona Maclean and Terese Saplys

Will societies of the future be ruled by algocracy, in which algorithms decide how humans are governed? Charles Randell, Chair of the Financial Conduct Authority (FCA) and Payment Systems Regulator, addressed how to avoid this hypothetical scenario in a broad-ranging speech on that he delivered on 11 July 2018 in London.

Randell’s Remarks

Contributing Factors to an Algocracy

According to Randell, the following three conditions could collectively give rise to a future algocracy:

  • If a small number of major corporations were to hold the largest datasets for a significant number of individuals (as is currently the case)
  • Continuing vast and rapid improvements in artificial intelligence and machine learning that allows firms to mine Big Data sets with greater ease and speed
  • Further developments in behavioural science allowing firms to target their sales efforts by exploiting consumers’ decision-making biases

Businesses active in California should promptly assess whether the law applies to their practices and start planning towards compliance with the new law.

By Jennifer Archie, Michael Rubin, and Scott Jones

Key Points:

  • A sweeping new privacy law — the California Consumer Privacy Act of 2018 — was signed into law on June 28, 2018.
  • The Act imposes substantial new obligations on businesses that collect, process, and disclose the data of California residents.
  • The Act was drafted, voted on, and enacted in a matter of days, but it will not go into effect for another 18 months: on January 1, 2020. Given this rushed process, changes to the law before its effective data can be expected.

Facing pressure from a significantly stronger ballot measure in the state, on Thursday, June 28, 2018, the Governor for the State of California signed into law the California Consumer PrivacyAct of 2018 (the CCPA). Effective January 2020, this law ushers in widespread changes to California’s law on the information practices for covered businesses collecting, processing, and disclosing information gathered from or about California consumers or their devices.

By Jennifer Archie, Gail Crawford, Andrew Moyle, Serrin Turner, and Brian Meenagh

Hacking of organizations’ systems is becoming increasingly commonplace, even with advancements in security practices. To mitigate risk, a company must have an enterprise-level, cross-functional incident response plan that is rehearsed and practiced. In the event of an incident a company with a rehearsed plan can avoid delays and mistakes, minimize conflicts between functions, and ensure regulatory, legal and contractual reporting requirements are met.

Take Preventative Action

No one can predict when or how a cybersecurity breach will occur, but organizations should take active steps to prepare. The following five actions can help ensure an organization’s cyber-readiness.

1. Adopt and continuously optimize a formal cybersecurity program:

While any program should be tailored to industry and regulatory schemes, generally the program must have the following core components.

By Gail Crawford and Lore Leitner

Today, after more than four years of debate, the General Data Protection Regulation (GDPR, or the Regulation) enters into force. The GDPR will introduce a rigorous, far-reaching privacy framework for businesses that operate, target customers or monitor individuals in the EU. The Regulation sets out a suite of new obligations and substantial fines for noncompliance. Businesses need to act now to ensure that they are ready for when the Regulation becomes enforceable after the

By Jennifer Archie and Rebekah Lewis

WH Report2.JPGThe Obama Administration has unveiled a 50-page blueprint for consumer data privacy, including a recommendation for a federally legislated and FTC-enforced Consumer Privacy Bill of Rights. While it would not alter existing laws, the legislation would extend privacy protections to unregulated sectors and preempt conflicting state law. The Administration’s framework also recommends a national standard for security breach notifications.

The report proposes an immediate “multistakeholder process” to develop enforceable codes of conduct, and embraces