ECJ: Cookies Require Active Opt-In Consent

Bastiaan SuurmondJosephine JayBy Bastiaan Suurmond, Josephine Jay and Christopher Foo on Posted in Privacy

On October 1, 2019, the European Court of Justice (ECJ) delivered its judgment in Planet49 (C-673/17), holding that (1) website operators must obtain active opt-in consent to store or access cookies, (2) users must be informed about the retention period and the third party receiving the data, and (3) consent must be obtained regardless of whether the cookies contain personal data.

This ruling will likely prompt regulators to scrutinize cookie policies and consent mechanisms. Therefore, website operators and all parties involved in the adtech sphere should consider reviewing their notice and consent strategy for cookies to ensure that users receive sufficient information prior to consenting, and that cookies are not installed on an opt-out basis. Continue Reading

Greece Publishes Draft Legislation for Implementing GDPR

Nikolaos TheodorakisBy Nikolaos Theodorakis on Posted in European Union, Privacy, Regulatory

On August 12, 2019, the Greek Ministry of Justice published the long-awaited, draft legislation for implementing the General Data Protection Regulation (GDPR). Greece and Slovenia are the only two European Union (EU) countries that have not yet implemented the GDPR.

As an EU regulation, the GDPR has legally taken effect in every EU country, including Greece. In fact, the Greek Supervisory Authority recently imposed a 150,000EUR fine on a company for GDPR violations. However, the GDPR allows EU countries to adopt certain derogations, specifications, and exceptions through their implementing legislation. The draft, inter alia, does this through the following provisions:

  1. Age of Consent

The draft requires that a minor over 15 years old (and up to 18 years old) must consent to the processing of his/her personal data for the processing to be lawful. When a minor is under 15 years old, the minor’s legal guardian must consent.

Continue Reading

Website Operator Jointly Liable for Data Collection and Transmission Through Facebook “Like” Button

Cédric BurtonJan DhontRossana FolChristopher OlsenBastiaan SuurmondBy Cédric Burton, Jan Dhont, Rossana Fol, Christopher Olsen and Bastiaan Suurmond on Posted in Cybersecurity, Privacy

On July 29, 2019, the European Court of Justice (ECJ) issued its decision in FashionID (Case C-40/17), determining that website operators are jointly liable with plugin providers for data collection and transmission through social media buttons and other embedded plugins. Although the ECJ found the operator and plugin provider to be jointly liable, the court placed the burden on the website operator to provide notice and, where necessary, obtain consent for the joint activity. Further, the court found the plugin provider to be independently responsible for any subsequent use of the data. The decision will likely prompt regulators to closely scrutinize the use of third-party plugins. Continue Reading

The ICO Issues Its Cookies Guidance: Clarified Stance and Enforcement Priorities

Josephine JayLore LeitnerJan DhontBy Josephine Jay, Lore Leitner and Jan Dhont on Posted in Cybersecurity, Privacy

On July 5, 2019, the UK’s Data Protection Authority (ICO) issued its “Guidance on the use of cookies and similar technologies” (the Guidance) along with a brief explanatory blog post. At the same time the ICO updated its own website cookie notice and consent, leading by example. The ICO’s blog post makes clear that cookie compliance will increasingly be a regulatory priority, and that companies should start working towards compliance now. Continue Reading

FTC Seeks Public Comment on Children’s Online Privacy Protection Rule

Libby WeingartenBy Libby Weingarten on Posted in Cybersecurity, Privacy

In a notice issued July 17, 2019, the Federal Trade Commission (FTC) is seeking public comment on a wide range of issues related to the Children’s Online Privacy Protection Act and implementing Rule (COPPA). The FTC has also announced a public workshop to review the COPPA Rule, to be held on October 7, 2019. Continue Reading

The CNIL Sharpens Requirements on Deployment of Tracking Technologies

Rossana FolJan DhontBy Rossana Fol and Jan Dhont on Posted in Privacy

On July 18, 2019, the French Data Protection Authority (CNIL) issued new guidance on the use of cookies and similar tracking technologies (collectively referred to as “cookies” below).[1] The guidance clarifies the instances in which companies must obtain consent for the use of cookies and specifies the requirements for obtaining consent. Continue Reading

LexBlog

We use cookies on our site to analyze traffic, enhance your experience, and provide you with tailored content. For more information or to opt-out, visit our privacy policy.

I agree