On July 9, 2019, the European Court of Justice (ECJ)—the highest court of the European Union—will hear oral arguments in the Schrems 2.0 case relating to the validity of two key data transfer mechanisms: the Standard Contractual Clauses (SCCs) and the EU-US Privacy Shield. Both of these mechanisms are widely used by companies in the European Economic Area (EEA), which comprises the 28 EU member states plus Iceland, Liechtenstein, and Norway, to allow the transfer of personal data to the United States and other countries outside the EEA.
Continue Reading And Then There Were None: Or How Schrems 2.0 May Invalidate the Standard Contractual Clauses and the Privacy Shield

On June 27, 2019, the EU Regulation on Information and Communication Technology (Cybersecurity Act or Act) became effective, introducing, for the first time, EU-wide rules for the cybersecurity certification of products and services (Certification). The Certification may create a competitive advantage for companies that sell their products and services in the EU. Further, the Certification may act as a catalyst for the anticipated certifications for GDPR compliance.

In addition, the Cybersecurity Act provides for a new permanent mandate for the EU Agency for Cybersecurity (ENISA) with new responsibilities.
Continue Reading The EU Cybersecurity Act Introduces Certifications and the New Cybersecurity Agency

On June 20, 2019, the UK’s Data Protection Authority (ICO) published a report on adtech and real-time bidding. The report highlights the main problems faced by the industry when applying the General Data Protection Regulation’s (GDPR’s) stringent requirements, and calls for further engagement on these issues by the different adtech players in the space.

Background

When the GDPR became effective on May 25, 2018, it imposed new and strict obligations on companies processing personal data. In the UK, the Privacy and Electronic Communications Regulations (PECR), which implements the EU e-Privacy Directive and will soon be replaced by the e-Privacy Regulation, complements the GDPR requirements. Both the GDPR and PECR govern how data is collected and further processed in the online advertising industry, including requiring notice and a legal basis for processing. The PECR specifically applies to the use of cookies and similar technologies and sets out the rules for consent to use these technologies.
Continue Reading The ICO Publishes Its Stance on Adtech and Real-Time Bidding

Provides Detailed Specifications Both for Information Security Program and Third-Party Assessments

On June 12, 2019, the Federal Trade Commission (FTC) announced it had reached a proposed settlement with LightYear Dealer Technologies, LLC (doing business as “DealerBuilt”) over allegations that the automobile software provider’s inadequate data security practices had resulted in a data breach in 2016.[1]

This consent order deserves a close read because the FTC has imposed data security obligations on DealerBuilt that go further than any previous settlement, and the FTC is likely to seek to impose these requirements in future settlements.[2] Specifically, the FTC has required DealerBuilt to implement an information security program with more detailed specifications than appear in earlier settlements. These modifications are consistent with the FTC’s recent proposed amendments to the Safeguards Rule (a rule that guides FTC implementation of the Gramm-Leach-Bliley Act (GLBA)).[3] The FTC has also imposed more specific requirements with regard to third-party security assessments.
Continue Reading FTC Data Security Settlement with Auto Dealer Software Provider Goes Further than Ever Before

On May 29, 2019, in the midst of the legislative amendment process taking place in Sacramento for the California Consumer Privacy Act (CCPA), Nevada passed its own CCPA-like privacy law, SB 220, taking effect on October 1, 2019, just three months before the CCPA becomes operative. The law’s main focus is to give consumers the right to opt out of the sale of certain personal information about them, though it is substantially narrower than the CCPA in many respects. Here are the key takeaways from the law:
Continue Reading Nevada Follows California in Enacting New Privacy Law Giving Consumers the Right to Opt Out of Certain Data Sales

On May 22, 2019, a federal district court largely denied a facial challenge by Disney, Viacom, and several online advertising networks to claims alleging these defendants violated the privacy rights of children by collecting data through online gaming apps.

In McDonald v. Kiloo APS,[1] the defendants consisted of two groups: the developers who created the gaming apps and made them available for download, and the mobile advertising and app monetization companies who provided software code inserted into the gaming apps to collect user data for advertising purposes. The defendants allegedly collected a variety of data from the children’s devices without appropriate consent, including the IP address; the specific device name; IDs for Apple and Android devices; the device’s International Mobile Equipment Identity; the timestamp at which an advertising event was recorded; and device fingerprint data (the user’s language, time zone, country, and mobile network).
Continue Reading Federal Court Allows Children’s Online Privacy Claims Against Disney, Viacom, and Online Ad Networks That Collected Data from Gaming Apps to Go Forward