After an appellate court ruling, the CPRA continues to get more and more progressive. Will other states follow?

Data Privacy Happenings 📰

Hello from MineOS's monthly newsletter, The Privacy Mindset! 👋


Big things are happening in California, which is hardly a surprise given the short history of American data privacy.


First came the California Appellate Court decision two weeks ago to dismiss challenges to the implementation of the CPRA amendments, making those amendments immediately enforceable.


The CPRA was set to enter into full effect last summer, but a last-minute court case argued that businesses did not have enough time to prepare for the changes, which pushed the enforcement deadline to March 29, 2024, one year after the amendments were finalized.


This month's ruling nullifies that delay, meaning businesses operating in California or targeting products or services to Californians need to be in compliance already. Furthermore, the appellate decision will allow future CPPA decisions to enter into immediate effect, setting a high bar for data privacy compliance in the state.


Yesterday kept that momentum going when AG Rob Bonta announced that the state had reached a $375k settlement with DoorDash in just the second-ever public enforcement of the CCPA.


DoorDash's violation came as a result of a marketing co-op campaign in which DoorDash reportedly disclosed customer names, addresses, and transaction data to third-party organizations. Bonta noted that these actions constituted a "sale" under the CCPA, and because DoorDash had failed to provide notice of the arrangement or offer consumers an opt-out, the company had violated the regulation.


California has also been sweeping websites for CCPA violations over the past several months, so expect more news out of the Golden State soon.


One thing remains true: despite many states passing comprehensive privacy laws of late, future enforcement prospects look meager, leaving California as the lone state actively and continuously fighting the good fight for data rights.

Put Your 💰 Where Your 🤑 is

Here's your chance to test your privacy knowledge and win a $25 Amazon gift card!


Just respond to this email with your answer, and we'll draw one winner from those who answer correctly within the first 24 hours!


Which usage of AI is listed as a "limited risk" case under the EU AI Act?

A) Emotion Recognition

B) Spam Filters

C) Social Scoring

D) Safety components of Vehicles

Product Spotlight 🔦

MineOS got 2024 going with some major improvements to the platform, such as expanding how users can handle Data Subject Requests (including handling requests in batches and directly from the Requests screen) and enabling Debug Mode in the Data Classifier module.


But perhaps the feature from the last month we're most excited about is that users can now view the Email Evidence for each individual data source.


Part of what makes MineOS's data discovery & classification the best in the industry is our cutting-edge email scan technology, so surfacing that insight directly within each data source helps track how, and how often, a data source is used, building transparency and accountability within the system.


Regulation Focus 🔬

New Hampshire Data Privacy Law SB255 507-H:8 1.V

"If a controller conducts a data protection assessment for the purpose of complying with another applicable law or regulation, the data protection assessment shall be deemed to satisfy the requirements established in this section if such data protection assessment is reasonably similar in scope and effect to the data protection assessment that would otherwise be conducted pursuant to this section."


New Hampshire passed a comprehensive data privacy law in January, although the bill is still awaiting Governor Sununu's signature to make it official. Given that the State Congress and the Governor are both Republican, the signature is merely a formality.


Diving into the text of the bill, NH closely followed the Virginia model, which led to a law that sits roughly in the middle of the other 14 state laws passed so far. New Hampshire's law carries more weight than Iowa's or Utah's, but it falls short of the rights and responsibilities in newer laws like Oregon's or Delaware's.


The law is most disappointing when compared to New Jersey's, given that they are the first two states to pass regulation in 2024. New Jersey's law features interesting wrinkles like AG rulemaking and the need to complete DPIAs before processing data, but New Hampshire eschews those in favor of a traditional framework.


One aspect that will undermine the importance of NH's bill is that impact assessments created for other states' laws can be reused to satisfy New Hampshire's requirements. While it might seem logical, and cut through the messiness of the current US data privacy scene, for a single DPIA to satisfy multiple state laws, New Hampshire is one of only a few states to include this ability. In practice, then, it will make compliance with this specific bill secondary to compliance with other state laws.

Founder's Corner 🎙️

CEO & co-founder Gal Ringel


Q: What tips can you offer companies in making cross-border data transfers easier, or better managed?


A: Cross-border data transfers are a challenging topic that needs to be carefully analyzed by the company to make sure data is being transferred with the appropriate Standard Contractual Clauses (SCC) agreements in place.


If done manually, the company should review its cloud environment and make sure data is moving from different assets while staying within the boundaries of the region, such as the US. In addition, the company should check all the DPAs of their external vendors to ensure where they process and store their data.


If done automatically, it is called Data Flow assessment. Different privacy tools can automatically scan the cloud environment, assess data flow between different assets and their geo-location, and populate the results. Moreover, they scan the SaaS assets, including different cookies and JavaScript files, to understand how data flows and its geo-location.


Lastly, the company should adopt a data residency approach that should force all their cloud access and external vendors from which they process and collect data to be in one specific region.

Webinars & Events 📅

MineOS's 2024 conference circuit starts next week! Check out our booth and speaking session "Why is having One Source of Data Truth a game-changer?" as part of IAPP Data Protection Intensive in London on February 28-29!


We also just wrapped a great webinar with Reddit's Senior Director of Security, Privacy & Compliance Engineering, Jutta Williams, where we explored the EU AI Act and what it means for the practicality of data governance in the coming years.


Check out the replay here to access all the expert insights!

EU AI Act's Impact on Enterprise Data Governance - MineOS Webinar

SayMine Technologies Ltd., 94 Igal Alon st., Alon 1, Tel Aviv, Israel, 6789155
