VeraSafe’s Weekly Data Protection Update: October 2, 2020

California Extends CCPA Employee and B2B Exemptions and Vetoes Bills Regarding Health and Genetic Privacy

California Governor Newsom just signed legislation that will extend the California Consumer Privacy Act (CCPA) exemption for HR and B2B data for an additional year – until January 1, 2022. However, this legislation will become effective only if the California voters do not approve the California Privacy Rights Act (CPRA), which contains a longer extension (January 1, 2023).

Newsom vetoed two other privacy bills that would have tightened data- and service-specific regulations beyond the CCPA’s standards. One of the nixed bills is SB 980 (Genetic Information Privacy Act), which would have created heightened privacy and security requirements for genetic data handled by direct-to-consumer genetic testing and analysis companies. The second vetoed bill, AB 1138 (The Parents’ Social Media Accountability and Child Protection Act), would have required companies that offer ‘social media’ services (such as Facebook, TikTok, Snapchat, Instagram, Twitter) to obtain parental consent before allowing a user whom the company actually knows to be under the age of 13 to create an account.

The French Data Protection Authority (CNIL) Unveils New Guidance on Cookies and Associated Tracking Technologies

Some key takeaways from the amended guidelines include:

  • Declining the use of online trackers must be as easy as accepting them, and users must not be subjected to complex procedures for rejecting online trackers;
  • Users must be informed of the identity of all actors using trackers, and a link to their privacy policy must be provided (but this can be provided in a second information layer);
  • Users must be able to withdraw their consent to the use of trackers at any time; and
  • Some trackers can be exempt from consent, such as authentication cookies, cookies used to limit the access to free content on a website, cookies to save the user’s choice of language, or cookies to preserve the content of an online shopping cart.

While the CNIL will continue to enforce its previous cookie recommendations, it will not begin enforcing its revised guidance against non-compliant organizations until April 2021. You can find the press release and the links to the available guidance here (in French only).

Switzerland’s Parliament Has Finally Modernized Its Federal Data Protection Act (FDPA), Bringing It Closer to Data Protection Law in the EU

After three years of discussions, Switzerland has decided to revise its 28-year-old data protection law. Some of the most relevant changes include:

  • Only data of natural persons will be protected by the law. The data of legal entities will no longer be covered;
  • The possible sanctions have expanded. For instance, the person responsible for data processing within a company can be fined up to CHF 250,000 (approximately USD 271,762) if they commit a breach of professional secrecy;
  • By contrast, companies can only be fined in limited situations (i.e., when a fine of up to CHF 50,000 is foreseen and the investigation of the offending natural person requires investigative measures that would be disproportionate to the penalty); and
  • The law provides for obligations to maintain records of processing, to carry out data protection impact assessments and to respect the principle of privacy by design.

It is not clear when the revised act will enter into force. It is dependent on (i) whether an optional referendum will be held against the law; and (ii) how fast the Federal Council can update the Ordinance that regulates some provisions in more detail. Considering this, the revised act will presumably not take effect before 2022.

The requirements of the laws and guidelines mentioned above are either not yet in effect or will not be enforced immediately; the earliest enforcement date is April 2021. This gives organizations time to implement the new requirements for processing personal data. As a first step, we recommend implementing a record of processing activities, one of the key requirements under the revised Swiss Federal Data Protection Act. Having a clear overview of the data your organization processes is the cornerstone for implementing the remaining requirements, such as data minimization and data deletion processes, information notices, collection and management of consent, privacy by design and privacy by default, and conducting data protection impact assessments.

Does your organization need assistance in satisfying these obligations? Schedule a free consultation with VeraSafe today.
