On July 29, 2019, the European Court of Justice (ECJ) issued its decision in FashionID (Case C-40/17), determining that website operators are jointly liable with plugin providers for data collection and transmission through social media buttons and other embedded plugins. Although the ECJ found the operator and plugin provider to be jointly liable, the court placed the burden on the website operator to provide notice and, where necessary, obtain consent for the joint activity. Further, the court found the plugin provider to be independently responsible for any subsequent use of the data. The decision will likely prompt regulators to closely scrutinize the use of third-party plugins.
In a notice issued July 17, 2019, the Federal Trade Commission (FTC) is seeking public comment on a wide range of issues related to the Children’s Online Privacy Protection Act and implementing Rule (COPPA). The FTC has also announced a public workshop to review the COPPA Rule, to be held on October 7, 2019.
The UK Supervisory Authority (the ICO) has had a headline-busting month. On July 9, 2019, the ICO announced its intention to fine Marriott International more than £99 million under the GDPR (General Data Protection Regulation) for a data breach which took place last year, a figure that would have been record breaking had the ICO not announced its intention to fine British Airways £183 million 24 hours earlier. While it is clear that both of these hefty penalties relate to deficiencies in security practices, the actions that paved the way for such draconian fines are yet to be made public (see “Massive GDPR Fine Proposed by UK ICO Confirms Trend of Increased Focus on EU Data Breaches.”)
On June 28, 2019, the French Data Protection Authority (CNIL) released its 2019-2020 action plan on ad targeting (action plan); among other things, the CNIL announced that it will issue new cookie guidance later this month and that, once the guidance is published, companies will have a 12-month grace period to come into compliance.
When the General Data Protection Regulation (GDPR) became effective on May 25, 2018, it imposed stricter conditions for obtaining valid consent to process personal data. In short, consent must be freely given, specific, informed, and unambiguous. Individuals must also be able to withdraw their consent at any time. The European Data Protection Board (EDPB) issued guidelines to further clarify the “do’s and don’ts” for obtaining valid consent (consent guidelines), including that scrolling down or swiping through a website is not enough to obtain valid consent. Rather, consent must be obtained via a clear and affirmative action, such as clicking on an “I agree” button.