Colorado could soon become the third state with a comprehensive privacy law. Senators voted 34-0 Tuesday to concur with House amendments to SB-190. The House passed the bill 57-7 Monday. The Senate kept House changes including language clarifying that nothing in the law provides for a private right of action. The bill goes next to Gov. Jared Polis (D), whose office didn’t comment now. Polis is widely expected to sign, particularly given the wide voting margins in the House and Senate, said Ballard Spahr privacy attorney Greg Szewczyk in an interview. SB-190 follows Virginia’s model with much of the same terminology and big-picture requirements, so having Colorado as the third state law probably won’t significantly complicate U.S. privacy rules, he said. Unlike Virginia, but as in California, Colorado’s attorney general would have to make rules implementing the bill, he said: “As to how difficult compliance is going to be, that may have a significant impact.” One big difference with Virginia is that Colorado would allow enforcement by district attorneys in addition to the AG, Szewczyk noted. Colorado’s law is “a mixed bag” that lawmakers should seek to strengthen in future years, Common Sense Media Director-State Advocacy Joseph Jerome told us: “I don’t think it’s anybody’s dream privacy law, but ... it’s certainly a marked improvement over what was able to pass out of Virginia earlier this year.” DAs joining enforcement could be useful, he said. SB-190 has good parts, including requiring companies to honor browser privacy signals as an opt-out, but “the bill needs to be stronger to fully protect consumers, including by tightening up potential loopholes for targeted advertising, and clarifying that consumers can’t be charged for exercising their privacy rights,” emailed Consumer Reports Senior Policy Analyst Maureen Mahoney. 
Computer and Communications Industry Association Privacy Counsel Keir Lamont said “the prospect of an increasingly divergent set of state-level compliance obligations further underscores the need for federal action to establish baseline privacy rules.”
Samsung called its deal with Walmart to equip 740,000 employees with Galaxy XCover Pro smartphones (see 2106030028) its largest U.S. enterprise deal. The phone has an immersive display, “powerful camera” and long-lasting battery, Samsung blogged Friday: On-the-job functions include mobile clock-in, access to scheduling and inventory management via the camera, which doubles as a barcode scanner. Workers can tap a co-worker's name and initiate a push-to-talk conversation from the phone using a physical side key. Knox security software creates separate work and personal profiles.
Walmart is giving 740,000 store employees a new, free Samsung Galaxy XCover Pro smartphone with case and protection plan, plus an app designed to help them manage daily schedules, said the retailer Thursday. Employees will be able to access the app’s work features only while they’re on the clock, but they can use the phone as their own personal device if they choose “with all the features and privacy they’re used to,” it said. Walmart won't have access to employees' personal data, it said. Employees previously shared Walmart-owned handheld devices on the job.
Public Citizen said WhatsApp “backed down” from implementing “degraded” privacy protections for its users (see 2105140057). “Thank you for stopping what you never should have started,” Digital Rights Program Director Burcu Kilic said Tuesday. “Now please also undo what you coerced millions of people into accepting.” The company didn’t comment.
Some Amazon and Microsoft contracts with EU institutions are under investigation for compliance with privacy law, the European Data Protection Supervisor said. It's considering whether the use of cloud services provided by Amazon Web Services and Microsoft under contract to EU agencies, and the European Commission's use of Microsoft Office 365, meet General Data Protection Regulation requirements. The probes are intended to ensure that EU institutions comply with the European Court of Justice decision in Schrems II. In October, the watchdog ordered EU bodies to report on their data transfers to non-EU countries; findings confirmed that institutions increasingly rely on cloud-based software and infrastructure or platform services from large providers, some of which are in the U.S. and subject to law deemed to allow disproportionate surveillance activities by authorities. The EDPS acknowledged that some cloud contracts were signed before the judgment, and that Amazon and Microsoft implemented new systems to align themselves with it. Nevertheless, it said, “these announced measures may not be sufficient to ensure full compliance with EU data protection law and hence the need to investigate this properly.” The goal of the investigation into the use of Microsoft Office 365 is to verify compliance with prior EDPS recommendations on the use of the company's products and services. Microsoft told us it will “actively support the EU institutions to answer questions raised” by the EDPS and is “confident to address any concerns swiftly.” Amazon didn't comment.
A New York privacy bill has “strong teeth,” Consumer Reports said Monday. The Senate Consumer Protection Committee advanced the bill by Chairman Kevin Thomas (D) to the floor last week (see 2105180028). “Unlike other industry-supported bills that have been introduced this year, this bill protects consumers’ privacy by default,” said CR Senior Policy Analyst Maureen Mahoney.
With ransomware attacks like Colonial Pipeline “in the spotlight recently,” Palo Alto Networks data shows the average ransom paid in 2020 tripled from 2019, “and in 2021 it's more than doubled again,” said CEO Nikesh Arora on a Thursday call for fiscal Q3 ended April 30. Organized groups with “near-nation state discipline” are perpetrating “coordinated attacks,” he said. Healthcare corporations are a common target, as are government entities and “shared infrastructure,” he said. Especially vulnerable are organizations that “run their operations on technology that is decades old, sometimes predating the internet,” said Arora. “They continually bolt on new technologies to automate facilities, and make them compatible with the modern internet, but those platforms are inherently insecure.” Cyber defenses are fragmented, “making it very challenging to block sophisticated attacks,” and extending the time “to discovery and repair,” he said: “More and more businesses and consumers are coming online without a baseline of productive protection.” Q3 revenue of $1.07 billion grew 24% year over year, ahead of guidance for 21% to 22% growth. Its fiscal Q4 outlook is for revenue to grow 22% to 23% again. The stock closed 5.8% higher Friday at $362.45.
Oppositions are due June 4, replies June 14 on USTelecom's petition for reconsideration in docket 17-59 asking the FCC to clarify a notification requirement, said Thursday's Federal Register. USTelecom asked to "confirm that the notification and blocked call list requirements are only required for analytics-based blocking, whether opt-in or opt-out, and not for contexts in which there would not be any reasonable expectation for them."
New York state privacy and robocalls bills advanced to the Senate floor Tuesday. One Consumer Protection Committee member voted against the privacy bill (S-6701) by Chairman Kevin Thomas (D). Sen. Jim Tedisco (R) said he was voting no due to nonprofits' concerns. Three voted yes, while two voted aye without recommendation, meaning they wanted to move it to the House floor while reserving their full support. The comprehensive privacy measure “creates transparency, control and oversight,” said Thomas at the livestreamed hearing. It would require companies to get consumer opt-in consent, and authorizes attorney general enforcement, private rights of action and class actions. The panel voted unanimously for the robocalls bill (S-6267), which would require that telecoms block calls from subscribers who requested blocking of their own numbers. Providers would have to block calls from numbers that aren't valid North American numbering plan numbers, that are valid but not allocated to a provider, or that are allocated but unused.
The Supreme Court declined to hear a cellphone privacy case about when it’s OK for police to require someone to unlock an encrypted device. SCOTUS said Monday it denied a petition for writ of certiorari in Andrews v. New Jersey (see 2104020029), an appeal of the New Jersey Supreme Court decision that the state didn’t violate the Fifth Amendment when it required Robert Andrews to turn over passwords for two cellphones. The federal high court turned down a similar Pennsylvania case in October (see 2010050042). The New Jersey attorney general’s office declined comment. Representing Andrews as counsel of record, the American Civil Liberties Union didn’t comment.