This Week in Privacy: 19 July 2021
July 19, 2021
Ohio: Privacy bill introduced in House
Ohio became the latest state to introduce a comprehensive privacy law as the Ohio Personal Privacy Act was introduced to the House of Representatives.
The OPPA applies to businesses that conduct business in Ohio, or produce products or services targeted to consumers in the state, that satisfy one or more of the following criteria:
- the business's annual gross revenue generated in Ohio exceeds $25 million;
- during a calendar year, the business controls or processes personal data of 100,000 or more consumers; and
- during a calendar year, the business derives over 50% of its gross revenue from the sale of personal data and processes or controls personal data of 25,000 or more consumers.
In addition, the OPPA provides consumers with various rights such as the right to be informed, right to access, right to deletion, and the right to request data to not be sold to third parties. Moreover, the OPPA notes that the Attorney General has exclusive authority to enforce the law and that a business has an affirmative defense against allegations of violations if that business creates, maintains, and complies with a written privacy program that reasonably conforms to NIST standards and frameworks.
Read more here.
Italy: Garante releases new guidelines on cookies with a six-month compliance deadline
The Italian data protection authority released its finalised guidelines on cookies which aim to protect users' personal data when browsing online.
With respect to profiling cookies, the guidelines highlight that consent must be requested through a clearly distinguishable banner, through which users must also be offered the possibility to continue browsing without being tracked in any way. The guidelines also clarify that simply scrolling down a web page does not constitute consent, and that users should have the right to withdraw consent at any time. Moreover, the guidelines specify that information provided to users must also indicate any other recipients of personal data and the time period for which their data will be retained, and that such information can be given in different formats, such as through videos or pop-ups.
Finally, the guidelines stipulate that organisations have six months to comply with its requirements.
Read more here.
India: DSCI publishes data protection handbook for AI developers
The Data Security Council of India released a handbook on data protection and privacy for developers of artificial intelligence.
The handbook establishes practical guidelines for responsible AI development and promotes ethical and privacy considerations from the design stage. In terms of ethics, the handbook outlines six key principles: transparency, accountability, mitigating bias, fairness, security, and privacy. In addition, the handbook considers the current data protection framework in India, providing a summary of the Information Technology Act, 2000 and the Personal Data Protection Bill, 2019.
Read more here.