Imagine you receive an inquiry from a state Attorney General (AG) about your privacy or security practices, and you aren’t sure what to do next. Maybe it’s because you have been concentrating on compliance efforts related to the California Privacy Rights Act (CPRA) and other new state privacy laws coming into effect, and you haven’t … Continue Reading
So you’re a fintech startup, buying a fintech company, or expanding the technical capabilities of your financial business. Or you’re a tech company that is getting into the payments space. Where do you start when it comes to figuring out what consumer protection laws apply to you? You should be aware that, for the past … Continue Reading
The U.S. Supreme Court’s April 2021 decision in the AMG matter significantly limited the Federal Trade Commission’s (FTC’s) ability to seek monetary redress for consumers under the FTC Act, relief the FTC had successfully obtained for over four decades. Since the Supreme Court announced its decision, the FTC has been deploying new strategies to return money to … Continue Reading
On December 6, 2021, the Belgian Data Protection Authority (Belgian DPA) issued its recommendation on biometric data processing (Recommendation).[1] The Recommendation provides guidance on how to comply with the General Data Protection Regulation (GDPR) when processing biometric data.… Continue Reading
FTC Activities in 2021 and Likely Trends for 2022 2021 saw the kickoff of the Khan era at the Federal Trade Commission (FTC). During FTC Chair Lina Khan’s first nine months on the job, she has announced privacy and security initiatives that offer important insights into her priorities. Companies should pay close attention to FTC … Continue Reading
On November 10, 2021, the UK Supreme Court ruled[1] that class representatives in data privacy class action suits need to prove damage or distress suffered to be successful. Compensation cannot be granted simply by virtue of proving that a company violated the law. The case was heard under the UK’s pre-2018 data protection law, but … Continue Reading
On November 26, 2021, the Court of Justice of the European Union (CJEU) held[1] that the display of advertising messages in an email inbox, in a form similar to an email, constitutes direct marketing and requires users’ consent under the ePrivacy Directive.[2] The CJEU also held that this practice constitutes ‘persistent and unwanted solicitations’ under … Continue Reading
They State That Direct Collection of Personal Data by Non-EU Companies Is Not a “Data Transfer” Under the GDPR On November 18, 2021, the European Data Protection Board (EDPB) issued guidelines (Guidelines) that—for the first time—clarify the notion of “data transfer.” Departing from common understanding, the EDPB has determined that there is no data transfer … Continue Reading
On October 27, 2021, the Federal Trade Commission (FTC) released a final rule that updates the Safeguards Rule of the Gramm-Leach-Bliley Act (Final Rule). This Final Rule comes after the FTC sought comment on proposed changes to the Safeguards Rule in 2019 and held a public workshop in 2020.… Continue Reading
On October 13, 2021, the French data protection authority (the CNIL) issued a short note (the “Note,” in French) on technologies such as fingerprinting, unique identifiers, and cohort-targeting, developed to replace traditional third-party cookies. While the CNIL acknowledges that some of these technologies are less privacy invasive than third-party cookies, it stresses that the consent … Continue Reading
As of September 27, 2021, companies relying on Standard Contractual Clauses (SCCs) to transfer personal data outside the European Union (EU) must use the new Standard Contractual Clauses (New SCCs) when signing data processing agreements. As a result, it is time to update template data processing agreements to ensure that your company can meet this … Continue Reading
On June 15, 2021, the Court of Justice of the European Union (CJEU) confirmed[1] that non-leading supervisory authorities (SAs) can initiate national judicial proceedings concerning cross-border data processing in two circumstances:[2] i) where there is an “urgent need” to act, or ii) if the case has a local impact.… Continue Reading
Recently, the Office of the Attorney General of California announced three major updates that 1) added to the California Consumer Privacy Act’s (CCPA) opt-out rules related to the sale of personal information, 2) made it easier for consumers to participate in enforcing the CCPA, and 3) unveiled other focus areas of CCPA enforcement activities.… Continue Reading
Overview On June 25, 2021, the U.S. Supreme Court decided TransUnion v. Ramirez, which held that even when a statute has been violated, and that statute provided a private right of action, plaintiffs still need a concrete injury in fact to have standing to bring a lawsuit in federal court. In this case, the statutory framework … Continue Reading
On May 20, 2021, the Belgian Supervisory Authority (Belgian SA) approved the EU Cloud Code of Conduct (EU Cloud CoC).[1] This is the first time that a Supervisory Authority has approved a transnational, industry-wide code of conduct under the General Data Protection Regulation (GDPR).[2] Cloud service providers (CSPs) will be able to rely on their … Continue Reading
On June 4, 2021, the European Commission published its long awaited new set of Standard Contractual Clauses for outsourced data processing (DPA SCCs). These DPA SCCs are a contract template that organizations can use to comply with the General Data Protection Regulation’s (GDPR) rules on outsourced data processing.… Continue Reading
On May 12, 2021, the Dutch supervisory authority (the Autoriteit Persoonsgegevens or AP) issued a press release on a EUR 525,000 fine against Locatefamily.com for failing to appoint an EU representative, with additional penalty payments pending should the violation persist. The press release is available in English here, and the decision is available in Dutch … Continue Reading
On March 15, 2021, the Bavarian Supervisory Authority (SA)[1] issued a decision regarding the use of Standard Contractual Clauses (SCCs) to transfer personal data from the EU to the U.S. without supplementary security measures. The SA found the data transfer to be unlawful in this case, although it did not impose an administrative fine. The … Continue Reading
The Dutch supervisory authority (the Autoriteit Persoonsgegevens or AP) sanctioned the online travel booking platform, Booking.com BV (Booking), with a EUR 475,000 fine for failing to notify a data breach to the AP within 72 hours after becoming aware of it, as required by the EU General Data Protection Regulation (GDPR). The decision is available … Continue Reading
On February 10, 2021, the Council of the European Union (EU) agreed on its version of the draft ePrivacy Regulation (Council Position). The long-awaited ePrivacy Regulation, which will repeal the existing ePrivacy Directive, overhauls the rules on cookies and regulates the use of and access to electronic communications data.… Continue Reading
Virginia is poised to become the second U.S. state to enact broad consumer privacy legislation. While the legislation draws some parallels with the California Consumer Privacy Act (CCPA) and upcoming California Privacy Rights Act (CPRA), the Virginia Consumer Data Protection Act (VCDPA) introduces new requirements that go beyond these laws, such as opt-ins to collect … Continue Reading
On February 2, 2021, the European Data Protection Board (EDPB) issued guidance on the processing of personal data for research purposes in response to questions posed by the European Commission (Document). The Document aims to provide clarity on the application of the General Data Protection Regulation (GDPR) to scientific health research. In particular, the Document … Continue Reading
On January 18, 2021, the European Data Protection Board (EDPB), comprised of all national supervisory authorities (SAs) of the European Union, published draft guidelines for data breach notification1 (the Guidelines). The Guidelines provide useful insight into how regulators apply the General Data Protection Regulation (GDPR) personal data breach notifications rules. Specifically, they describe six common types of … Continue Reading
On January 12, 2021, the District Court of the District of Columbia was the latest court to grant a motion to compel production of a forensic report prepared by an external security-consulting firm in data breach litigation.1 This case involved a cyberattack on a law firm that led to the public dissemination of the confidential information … Continue Reading
We use cookies on our site to analyze traffic, enhance your experience, and provide you with tailored content. For more information or to opt-out, visit our privacy policy.
