Cybersecurity

CJEU Advocate General Opinion Calls for Active and Separate Cookie Consents

By Cédric Burton, Christopher Olsen & Elli Laine on April 9, 2019

Posted in Cybersecurity, European Union, Privacy

On March 21, 2019, the Advocate General (AG) of the highest EU Court (the Court of Justice of the European Union (CJEU)) issued an opinion (opinion) in the Planet49 case^[1] on what constitutes valid consent for cookies under the Data Protection Directive, the GDPR, and the e-Privacy Directive.

In particular, the AG opines that: 1) a pre-ticked checkbox that users must untick to refuse consent does not constitute valid consent; 2) consent for cookies should not be bundled with other consents; and 3) users must be informed about the cookies’ lifespan and the third parties accessing the cookies. AG opinions are not binding on the CJEU, but are often influential. If the CJEU follows the AG Opinion, it will likely impact widely-adopted cookie consent practices in the EU and underlying business models that rely on such consent.
Continue Reading CJEU Advocate General Opinion Calls for Active and Separate Cookie Consents

Brexit and Its Implications for Data Protection

By Cédric Burton & Lore Leitner on April 5, 2019

Posted in Cybersecurity, European Union, Privacy

On March 20, 2019, WSGR partner Cédric Burton and Of Counsel Lore Leitner hosted a webcast, “Brexit and Its Implications for Data Protection.” In this webcast, Burton and Leitner break down the potential far-reaching effects…
Continue Reading Brexit and Its Implications for Data Protection

EDPB Opinion on Consent and Legal Basis in Clinical Trials

By Cédric Burton, Jan Dhont, Lore Leitner & Elli Laine on February 6, 2019

Posted in Clinical Trial, Cybersecurity, European Union, Regulatory

On January 23, 2019, the European Data Protection Board (EDPB) issued an opinion (Opinion) on the interplay between the Clinical Trial Regulation (CTR) and the General Data Protection Regulation (GDPR), an issue which has been the subject of intense debate and that resulted in a draft, and still non-public, FAQ prepared by the EU Commission. The Opinion comments on the draft FAQ and provides some insight on data protection regulators’ view on how the GDPR applies to patient data collected as a part of a clinical trial.

In short, the EDPB takes the position that consent under the GDPR, and informed consent under the CTR, are different concepts, and that various legal grounds, including consent, are available under the GDPR to process patient personal data in the clinical trial context. Practically speaking, organizations will have to conduct a case-by-case assessment of the various options available.
Continue Reading EDPB Opinion on Consent and Legal Basis in Clinical Trials

Vermont Enacts Groundbreaking Data Broker Regulation

By Libby Weingarten on October 8, 2018

Posted in Cybersecurity, Privacy, Regulatory

Recently, Vermont became the first state to enact legislation that regulates data brokers who buy and sell personal information. Under the new law, data brokers in Vermont will now have to register with the state, adopt standard security measures, and provide information to the state regarding their data collection practices. The law was passed in response to reported risks associated with the widespread aggregation and sale of data about consumers, and is intended to provide consumers with more information about data brokers and their data collection practices.
Continue Reading Vermont Enacts Groundbreaking Data Broker Regulation

Key Developments in Internet of Things Law

By Brett Weinstein on October 8, 2018

Posted in Cybersecurity, Privacy, Regulatory

California Signs the First IoT Security Bill into Law, and the FTC Submits Comments to the Consumer Product Safety Commission Regarding the IoT

California’s New IoT Law

On September 28, 2018, California Governor Jerry Brown signed into law a cybersecurity bill governing Internet of Things (IoT) devices, the first law of its kind in the nation. SB 327 requires manufacturers of internet-connected, or “smart” devices, to ensure the devices have “reasonable” security features by January 1, 2020.

The law applies to any “device, or other physical object that is capable of connecting to the Internet, directly or indirectly, and that is assigned an Internet Protocol address or Bluetooth address.” This definition is broad and includes not only smart TVs, smart speakers, and other smart home devices, but also computers (laptops and desktops), connected cars, smartphones, smartwatches, and many other modern electronics.

The law does not contemplate further rulemaking, and it is unclear whether revisions to the law will be sought.
Continue Reading Key Developments in Internet of Things Law

France: CNIL Issues Formal Notices Against Two Marketing Platforms for Lack of Valid Consent for the Processing of Location Data

By Cédric Burton & Rossana Fol on October 8, 2018

Posted in Cybersecurity, European Union, Privacy

In July 2018, the French data protection authority (the CNIL) issued two public formal notices against two marketing platform providers—

Teemo¹ and Fidzup²—for failing to obtain valid consent under the General Data Protection Regulaton (GDPR) for the use of location data for profiling and targeted advertising.³ The CNIL gave the two French companies three months to change their practices to comply with EU data protection law. On October 3, 2018, the CNIL closed the matter against Teemo,⁴ as it considered that its updated practices now comply with the GDPR.⁵ The actions provide an indicator as to how Data Protection Authorities (DPAs) may approach enforcement under the GDPR.
Continue Reading France: CNIL Issues Formal Notices Against Two Marketing Platforms for Lack of Valid Consent for the Processing of Location Data

The Data Advisor

Cybersecurity

Vermont Enacts Groundbreaking Data Broker Regulation

Key Developments in Internet of Things Law

ABOUT OUR DATA, PRIVACY, AND CYBERSECURITY PRACTICE