CCPA set to move forward

CCPA set to Move Forward as Scheduled Despite COVID-19 Challenges.

California Consumer Privacy Act (CCPA) is set to move forward, as scheduled on July 1, 2020, despite the challenges presented by the COVID-19 pandemic.


As various states and countries implement lock downs and stay at home orders in effort to deal with the coronavirus pandemic, many events, initiatives and processes are being cancelled, or at best delayed. Many businesses and other organizations have resorted to shutting down, or digitising their operations to cope with the uncertain times. However, for California Attorney General Xavier Becerra, there is no intention to delay the implementation of California Consumer Privacy Act, which is expected to be enforced on or before July 1, 2020. Despite pushback from a coalition, who is asking for this initiative to be postponed, as businesses and organisations focus on dealing with challenges presented by COVID-19, Becerra seems, so far, unmoved. 


The California Attorney General plans to proceed with implementation of the law despite pushback.


An advisor for the California Attorney General affirmed that they are committed to enforcing the law upon finalizing the rules or July 1, whichever comes first, and stated “”We’re all mindful of the new reality created by COVID-19 and the heightened value of protecting consumers’ privacy online that comes with it. We encourage businesses to be particularly mindful of data security in this time of emergency.” The coalition, which is now comprised of 60 groups, stated “A temporary deferral in enforcement of the CCPA would relieve many pressures and stressors placed on organizations due to COVID-19 and would better enable business leaders to make responsible decisions that prioritize the needs and health of their workforce over other matters.”


The Civil Code allows for an enforcement of the CCPA on July 1, but not prior to that.


According to one of the groups which is part of the coalition “The law, Civil Code Section 1798.85(c), states that ‘The Attorney General shall not bring an enforcement action under this title until six months after the publication of the final regulations issued pursuant to this section or July 1, 2020, whichever is sooner.’ So that means July 1, period.”

CCPA was approved on September 2018

Initial Proposed Regulations were first published on October 11, 2019 and two sets of modifications, on February 10, 2020 and March 11 2020, have been released since then.

According to Cristina Contero Almagro, Aphaia’s Partner, “one should note that CCPA was approved on September 2018, commencing on January 1, 2020, subject to the publication of the final regulations. This means that businesses have had more than a year so far to adapt their processes to the main requirements of the CCPA”.


Do you have questions about how to navigate data protection laws during this global coronavirus pandemic in your company? We can help you. Aphaia provides both GDPR and CCPA consultancy services, including data protection impact assessments, and Data Protection Officer outsourcing. We can help your company get on track towards full compliance. Contact us today.

statement on privacy implications of mergers

EDPB Releases Statement on Privacy Implications of Mergers.

The European Data Protection Board released a statement last month on the privacy implications of mergers.

The European Data Protection Board has expressed concern over the privacy implications of mergers upon becoming aware of the intention of Google LLC to acquire Fitbit Inc. The board is primarily concerned that this may put a major tech company in the position to acquire even more sensitive personal data about people in Europe, and this could cause a high level risk to the fundamental rights to privacy and the protection of personal data. The EDPB has stated before that it is imperative that we assess longer-term implications of significant mergers like this, on consumer rights and data protection. In the statement, the EDPB reminds the parties of this proposed merger to assess and mitigate any possible risks of this merger to the rights to privacy and data protection before notifying the European Commission of the proposed merger.

“The EDPB therefore reminds the parties to the proposed merger, in accordance with the principle of accountability, of their obligations under the GDPR and to conduct in a transparent way a full assessment of the data protection requirements and privacy implications of the merger” The board will itself consider the implications that this merger may have for the Protection of personal data in the European Economic Area and, while remaining vigilant on this and similar cases in the future, stands ready to contribute its advice on the proposed merger to the Commission if so requested.

In a 2018 statement, considering the acquisition of Shazam by Apple, the EDPB warned that increased concentration in digital markets could potentially threaten the level of data protection and freedom enjoyed by digital consumers, and advise that independent data protection authorities may aid in the assessment of such an impact on the consumer or society. They also added that “This assessment, as well as the identification of conditions or remedies for mitigating negative impacts on privacy and other freedoms, may be separate to and independent from, or integrated into, the analysis carried out by competition authorities during their assessment under competition law. “

When it comes to sharing customers’ data in this context, margers might be the suitable way to go, because they imply that the controller entity does not change. All other ways would need to be extremely transparent and give the involved users a chance to object. However, if the controller becomes part of a corporate group, the data could be shared within the group subject to a legitimate interest assessment (LIA). This should be done on a case-by-case basis anyway, as the LIA might not pass the proportionality test always.

According to Cristina Contero Almagro, Aphaia’s Partner, “the assessment of the data protection requirements and privacy implications of the merger should cover, as one of its main elements, a full evaluation of the security measures that are in place in the other company, not only the current ones, but also those implemented during the previous years. The data breach suffered by Marriott last year is a good example that shows the relevance of properly checking and monitoring the security measures before going ahead with an acquisition or a merger”.

Do you have questions about how a merger or an acquisition may impact data protection in your company? We can help you. Aphaia provides both GDPR and Data Protection Act 2018 consultancy services, including data protection impact assessments, and Data Protection Officer outsourcing. We can help your company get on track towards full compliance. Contact us today.

Impersonation feature on company platforms

The Reality of the Impersonation Feature on Company Platforms.

Many company platforms and apps include an impersonation feature which allows administrative users to access accounts as though they were logged in as the users themselves.

Imagine knowing that by simply having an account with a company, you are unknowingly granting access to this company’s everyday employees to access your data in just the same way that you would, had you logged in with your username and password. Such is, or has been the case with many companies that we all use on a regular basis. The truth is that there are “user impersonation” tools built into the software of many tech companies like Facebook and Twitter, which not only allow employees to access your account as though they have logged in as you, but also this could be happening without your knowledge. The account holder, or user is typically not notified when this happens, nor is their consent needed in order for this to happen. According to a recent article on OneZero, “…these tools are generally accepted by engineers as common practice and rarely disclosed to users.” The problem is that these tools can be, and have been misused by employees to access users’ private information and even track the whereabouts of users of these companies’ platforms.

The Fiasco Surrounding Uber’s “God mode” Impersonation Feature.

In recent years, the popular transport company, Uber has come under fire for its privacy policies, and in particular, its questionable impersonation features, known as “God mode”. Using the feature, the company’s employees were able to track the whereabouts of any user. Uber employees were said to have been tracking the movements of all sorts of users from famous politicians to their own personal relations. After being called to task by US lawmakers, the company apologized for the misuse of this feature by some of its executives and stated that it’s policies have since been updated to avoid this issue in the future. Uber is not unique to this sort of privacy breach. Lyft is also known to have comparable tools, along with several other companies.

Impersonation Features Form Part of Most Popular Programming Tools.

Impersonation Feature use is much more widespread than just a few known companies. Popular programming languages like Ruby on Rails and Laravel offer this feature, which has been downloaded several million times. The impersonation tools offered by these services do not usually require users’ permission, nor do they notify users that their account has been accessed. It is pretty common for developers to simply white list users with administrator access giving them access to impersonator mode, thereby allowing them to access any account as though they were logged in as that user.

How Impersonation Features Can Be Made Safer.

Some companies have made changes to their policies and procedures in order to make impersonation features safer for customers. For example Uber, following their legal troubles over the ‘ God mode’ feature, have made it necessary for their employees to request access to accounts through security. Other companies have resolved to require the user to specifically invite administrators in order to grant them access.

According to Dr Bostjan Makarovic, Aphaia’s Managing Partner, “Whereas there may be legitimate reasons to view a profile through the eyes of the user to whom it belongs, such as further app development and bug repair, GDPR requires that such interests are not overridden by the individual’s privacy interests. This can only be ensured by means of an assessment that is carried out prior to such operations.”

Does your company use impersonation features and want to be sure you are operating within GDPR requirements? We can help you. Aphaia provides both GDPR and Data Protection Act 2018 consultancy services, including data protection impact assessments, and Data Protection Officer outsourcing. We can help your company get on track towards full compliance. Contact us today.

European Supermarket Chain may face inspection over new fingerprinting system

Belgian data protection authority, Gegevensbeschermingsautoriteit, may launch an investigation into supermarket chain Carrefour’s fingerprint payment system.


Theres no denying that we currently live in a fast paced, highly technological era. One which constantly ushers in new means of identifying individuals and processing digital paymentsall geared towards increased convenience. At this stage, thanks to mobile phone advances, fingerprinting may very well be one of the more widely used means of identification but its uses are certainly not confined merely to mobile devices. In fact just this week, one of Europes largest supermarket chains, Carrefour, announced that it will organise a pilot project allowing clients to pay for their groceries with their fingerprints in a store in the centre of Brussels.  



A report from the Brussels Times explains that the Carrefour pilot project will enable clients to pay by scanning their finger at the cash register, after which the money will disappear from their bank account. And while this may result in faster check out times and a more convenient means of shopping there are undoubtedly privacy and security risksrisks which the Belgian data Protection authority would not only like consumers to be aware of but which may warrant and lead to an investigation by the DPA.


Referencing a report from De Standaard,  the Brussels Times presented the following comment from David Stevens, president of the GBA;


We asked Carrefour a few questions and discovered that a test had already taken place . . . It turned out that Carrefour had already collected fingerprints. Now that weve heard the news about the new experiment with fingerprint payments, theres a good chance well send our inspectors. I cannot yet formally confirm that we will do that, but I think there is a good chance.


….that is more than just a signature on paper. Customers really have to understand the risks. If, through hacking, your password falls into the wrong hands, you can replace it. But you cannot just change your fingerprint, face or the iris of your eye. Hence the strict rules,Stevens is further reported to have said.


Fingerprint risks are covered by GDPR Article 30, which generically refers to online identifiers, which means data protection rules directly apply to fingerprint. This is because fingerprinting constitutes the use of biometric datai.e a way to measure a persons physical characteristics to verify their identity. Biometric data is therefore personal data which must be processed on a lawful basis in compliance with GDPR and the UKs Data Protective Act.


Does your company utilize biometric data such as fingerprinting, voiceprinting and facial recognition? If yes, failure to adhere fully to the guidelines and rules of the GDPR and Data Protection Act 2018 could result in a hefty financial penalty. Aphaia provides both GDPR adaptation consultancy services, including data protection impact assessments, and Data Protection Officer outsourcing. Contact us today.