Welcome to Last Week in Privacy! Each week, OneTrust’s in-house privacy experts will give you the top international privacy industry highlights from last week.

  1. Last week the California State Assembly’s Privacy and Consumer Protection Committee voted to advance several bills to amend the California Consumer Privacy Act. The bills include a wide range of proposed amendments, including clarification of various ambiguities and drafting errors in the CCPA, as well as an expansion of the private right of action, an exemption for personal information collected and used within the employment context, a removal of the 30-day cure period for violators, and a change making it optional, rather than required, for businesses to provide a telephone number for consumer requests. These bills still have a long way to go before becoming law, but this recent activity is encouraging for the many businesses and industry groups who have proactively lobbied for clarification and updates to the CCPA ahead of its effective date of January 1st, 2020.
  2. Washington State’s comprehensive privacy bill has failed, at least for now. The bill borrowed many elements from both the EU General Data Protection Regulation and the California Consumer Privacy Act, and despite support for the bill and its success in the Washington State Senate, the bill’s detractors argued that its consumer protections were too weak and that the bill was too heavily influenced by big tech lobbyists. The bill passed in the Senate by an overwhelming margin of 46 to 1, but found itself stalled in House committees and failed to make it to the House floor before the end of the legislative session. The bill’s proponents have already stated their commitment to passing privacy legislation in the next session, which begins in January, so that means we could still expect to see comprehensive legislation passed in Washington State sometime in 2020.
  3. Facebook has reported that it expects to receive a fine of between three and five billion dollars from the U.S. Federal Trade Commission as a result of alleged mishandling of its users’ personal information. The fine is part of an ongoing settlement negotiation between Facebook and the FTC, and the result of the FTC’s probe into Facebook’s privacy practices last March after the much-reported incident with Cambridge Analytica, which the FTC has concluded amounts to a violation of its 2011 agreement with Facebook. If a settlement is not reached, the alternative would likely result in an extensive legal battle in U.S. federal court. Additional reports state that data protection authorities in various EU member states as well as Asia-Pacific countries are also in the midst of investigations into Facebook, and most recently the Canadian Privacy Commissioner released findings and offered recommendations to Facebook on how to address the alleged violations of Canadian privacy law.
  4. Greece’s national data protection authority has issued a fine of 30,000 euros to a petroleum company for unlawful processing of personal data and for failing to adopt appropriate security measures under the GDPR. According to reports, Hellenic Petroleum vendors publicly exposed sensitive personal data online after conducting a study on behalf of Hellenic, and the DPA found Hellenic to be the data controller and thus responsible for its vendors’ unauthorized exposure of the data, as well as for failing to ensure that appropriate technical and organizational measures were in place to protect the data.

That’s all for now. Thanks again for watching Last Week in Privacy, helping you to prepare for this week in privacy. See you next time.