A MoFo Privacy Minute Series
- A MoFo Privacy Minute Q&A: New TCPA Requirements For Informational Robo Calls (2 May 2023)
My company makes informational calls using pre-recorded messages or artificial voices. The federal regulation that regulates these calls under the Telephone Consumer Protection Act (TCPA) has been amended, and the new rules become effective on July 20, 2023. What are the new requirements for these kinds of calls? - A MoFo Privacy Minute Q&A: EU-U.S. Data Privacy Framework (4 January 2023)
After the European Commission (EC) adopts its adequacy decision on the EU-U.S. Data Privacy Framework (DPF), will companies still be required to perform a Transfer Impact Assessment (TIA) when transferring personal data to the U.S. on the basis of SCCs and BCRs? - A MoFo Privacy Minute Q&A: California Employers: Get Ready for Requests from California Employees (12 September 2022)
The California bills that would have extended the California privacy law exception for employee data did not pass this summer. So, I have to get my company’s HR department ready to receive and process data access, deletion, and correction requests from present and former employees, job candidates, and independent contractors. These have different ramifications than consumer requests. What do I need to know?
- A MoFo Privacy Minute Q&A: California Attorney General Announces $1.2 Million Settlement with Sephora for “Sale” of Personal Information to Ad Tech and Web Analytics Providers in Alleged Violation of CCPA (1 September 2022)
What can I learn from the California AG’s CCPA settlement with Sephora to check whether my own business’s privacy notice and opt-out mechanisms relating to online advertising and analytics meet the AG’s expectations?
- A MoFo Privacy Minute Q&A: California Privacy Protection Agency’s CPRA Rulemaking Process Is Underway – What Should Businesses Care About? (22 July 2022)
I heard that the public comment period on the proposed regulations under the California Privacy Rights Act (“CPRA”) recently started. What issues in the proposed regulations are businesses likely to comment on to influence the final regulations to be more business-friendly?
- A MoFo Privacy Minute Q&A: What PI Access Rights Will California Employees Have Under CPRA Starting January 1, 2023? (18 July 2022) My company is preparing to respond to employee rights requests under the California Privacy Rights Act (CPRA) when the law’s employee exemption expires in January 2023. What is the scope of an employee’s right to receive the personal information that their employer has about them?
- A MoFo Privacy Minute Q&A: Belgian Regulator Further Shapes the Contours on When to Appoint a DPO and Who Can Hold the Position (10 March 2022) Preventing, detecting, and responding to credential-stuffing attacks has always been a challenge for my company, and every company, since the credentials are not actually stolen from us. Yet our customers are still harmed if the credentials are used to access their accounts with us. What measures can companies use to address credential-stuffing attacks?
Q:Do I need to appoint a DPO if I use cookies?
Q:Does the GDPR require documenting the decision on whether or not to appoint a DPO?
Q:Are purely advisory leadership roles compatible with the DPO role?
- A MoFo Privacy Minute Q&A: How to Defend, Detect, Prevent, and Respond to Credential Stuffing (2 February 2022)
Preventing, detecting, and responding to credential-stuffing attacks has always been a challenge for my company, and every company, since the credentials are not actually stolen from us. Yet our customers are still harmed if the credentials are used to access their accounts with us. What measures can companies use to address credential-stuffing attacks?
- A MoFo Privacy Minute Q&A: New York City Enacts New Law Regulating the Use of Artificial Intelligence Tools in Employment Decisions (5 January 2022)
My company has a location in New York City. What are the requirements for employers under New York City’s new law about automated employment decision tools, and what happens if my business fails to meet the requirements?
- A MoFo Privacy Minute Q&A: 14 December 2021
During our webinars, our attendees ask us great questions. In this final issue of A MoFo Privacy Minute for the year 2021, we chose three of your questions to answer. Stay tuned for more in 2022!
Q: Please explain the difference between pseudonymous and de-identified information under the three laws. Can I consolidate the definitions together and apply one protocol for my business?
Q: What is the difference in scope between the HIPAA and GLBA exceptions under the CPRA, VCDPA, and CPA?
Q: What must contracts with services providers/processors say about audit rights? - A MoFo Privacy Minute Q&A: 11 November 2021
My company is a financial institution subject to the FTC’s Safeguards Rule under the Gramm-Leach-Bliley Act and we have an information security program that conforms to the Safeguards Rule that has been in effect for almost two decades. What do we need to add to our program to comply with the revised Safeguards Rule, and how much time to do we have to add it?
- A MoFo Privacy Minute Q&A: 13 October 2021
My company would like to collect COVID-19 vaccination status of its employees and clients. Is this permitted under HIPAA?
- A MoFo Privacy Minute Q&A: 21 September 2021
Can a company require proof of a COVID-19 vaccination to visit work sites and/or venues in the EU or the UK?
- A MoFo Privacy Minute Q&A: 9 September 2021
I think of cookie consent requirements as being driven by European law, specifically the EU ePrivacy Directive. But I recently heard that Russia also has a cookie consent requirement. Is this really the case? If so, do the requirements apply to a business that is not a Russian company?
- A MoFo Privacy Minute Q&A: How to respond to data protection authority inquiries about compliance with Russian data localization rules? (5 August 2021)
I heard that the Russian data protection authority (Roskomnadzor) has sent out thousands of inquiries to businesses (including businesses outside Russia) asking them to confirm, within 30 days, that they store personal information of Russian citizens in Russia in compliance with Russia’s data localization law.
My company received the letter. What do I need to know?
My company is registered with the Russian tax authority, but we did not receive such an inquiry. Should I be concerned? - A MoFo Privacy Minute Q&A: Lina Khan, Policymaker Critical of Big Tech’s Privacy Practices, Appointed as New FTC Chair (24 June 2021)
Who is Lina Khan, and what is the likely impact of her appointment as chair of the Federal Trade Commission?
- A MoFo Privacy Minute Q&A: 1 June 2021
Do breach notification laws require me to notify regulators or individuals when my business inadvertently sends an email to the wrong person that contains a small amount of personal information about another person?
- A MoFo Privacy Minute Q&A: 18 May 2021
The new California Privacy Rights Act (CPRA) and Virginia Consumer Data Protection Act (VCDPA) will be operative on January 1, 2023. That seems like a lot of time to prepare, and the CPRA regulations are not out yet. When should I begin, and how can I phase out the work over 2021 and 2022?
- A MoFo Privacy Minute Q&A: 4 May 2021
We recently notified our lead data protection authority in the EU of a data breach we suffered. Do we need to also notify the UK data protection authority (ICO) or will our lead DPA forward the notification to the ICO as part of an ongoing cooperation?
- A MoFo Privacy Minute Q&A: 14 April 2021
Our cyber insurance broker is bracing its clients for a tough cyber insurance renewal this year. Is there anything we can do to help make things go more smoothly?
.