During a recent keynote at the Nordic Privacy Arena in Sweden, I offered seven things Nordic companies should consider when doing business in the United States.
For your reading pleasure:
- Personal data can’t travel to the United States, but the data minimization and purpose limitation of Article 5 of the GDPR is coming to a US privacy law near you, so pay attention to your consumer expectations and secondary uses in the United States as well!
- Don’t be so sensitive (data). The US privacy law definition of Sensitive Information is greater than or equal to Article 9 personal data. You need an opt-out for unnecessary uses in California, and you need an opt-in and a DPIA in Virginia. You also need to cover inferences drawn from personal information, not just the personal information itself. Additionally, in the wake of Dobbs, the FTC is also going after your sensitive data.
- Your privacy notice probably needs to be revised, if not for the unique CCPA/CPRA additions (like categories and sharing in the last 12 months), then for the higher standard of transparency now required (think at least of the Irish DPC’s WhatsApp decision). Remember to pay attention to misleading design/dark patterns.
- You need other notices. Make sure you have notices at collection and that they include any CPRA additions (this is similar, but not identical, to the GDPR first-layer notice). Also, make sure your opt-out notice does what it’s supposed to do without any misleading design (and that opting out is as easy as opting in). And finally, check whether your loyalty programs are financial incentives. If so, you need to do the analysis and the disclosure.
- Beware of your cookies. Yes, in the United States, really. We now have two annual enforcement reports from the California Attorney General’s office covering cookie enforcement. We have a $1.2 million enforcement action against Sephora and an $18 million cookie settlement in Massachusetts. So it’s time to get a CMP in the US and make sure the one you choose supports Global Privacy Control (GPC) signals.
- You must change your DPA. Even an Art 28 DPA isn’t exactly good enough for ACPL, but if you have controller-to-controller sharing, you should definitely bring your data sharing agreements up to snuff, since ACPL is much more prescriptive on this subject.
- Personal data subject access requests are coming to employees in California in January 2023, so now is the time to leverage your EU employees’ DSAR processes, gather your vendors, and prepare.