Update: UK’s Age Appropriate Design Code

On January 21, 2020, the Information Commissioner’s Office (ICO) published its final version of its Age Appropriate Design Code of Practice (the code). The code will be submitted to Parliament in the coming days, and, assuming there is no objection, will become effective approximately two months later.

This blog post follows our previous update on the ICO’s draft Age Appropriate Design Code. The current code was produced following extensive industry and consumer engagement. It adopts the maximum transition period of 12 months to allow companies to make meaningful and thoughtful changes to how they operate.  Continue Reading

European Privacy Landscape: What to Expect in 2020

The year 2020 promises to be an interesting one for privacy and data protection in Europe. In this post, we highlight four of the most important developments to watch this year: 1) we expect that European Union (EU) regulators will ramp up GDPR enforcement across the board, and with a particular focus on AdTech, cookies, and children’s data; 2) legislators and regulators are looking to take concrete measures on AI; 3) the Standard Contractual Clauses will likely have to undergo major reform to escape the same fate as the now-defunct Safe Harbor Framework; and 4) we expect that the proposed ePrivacy Regulation will move forward or be withdrawn altogether. Continue Reading

Data Brokers Must Register with California Attorney General by January 31

Given Broad Definitions, the Law Could Apply to Businesses That Do Not Consider Themselves Data Brokers

While amending the California Consumer Privacy Act of 2018 (CCPA) last term, the California legislature also passed a CCPA-related privacy bill that applies to “data brokers.” Assembly Bill 1202 (AB 1202) requires businesses that qualify as data brokers to register, pay a fee, and provide certain information to the California attorney general. Because AB 1202 relies on the CCPA’s broad definitions of “sell” and “personal information,” many businesses that might not otherwise consider themselves to be data brokers may fall within the data broker definition. Continue Reading

UK’s Age Appropriate Design Code Pending

The Information Commissioner’s Office (ICO) has confirmed that by November 23, 2019, it will present its Age Appropriate Design Code of Practice to the UK Parliament for approval. Unless Parliament objects, this mandatory code will be issued and in force (albeit with a transition period) as early as January 2020.

The final code has been hotly anticipated since the call for input on the issue of age appropriate design in June 2018. Since then, the ICO has worked with a large number of stakeholders to understand the key challenges when designing child-accessible services. In that context, it published its draft iteration of the code for consultation earlier this year (the Draft Code). This Draft Code sets out 16 standards (the Standards) which must be followed when designing online services accessible to children under 18. In an August update, the ICO recognized that the code will cause shifts in the design processes for online services which make use of children’s data, such as the tech, e-gaming and interactive entertainment industries. In light of this the ICO, as well as providing clearer guidelines in the code itself, will provide additional guidance for designers and engineers. The ICO adds, however, that non-compliance is not an option, stressing that “[t]here is no room for companies who decide children’s privacy is a problem that’s simply too hard to solve.” Continue Reading

Proposed CCPA Regulations: Clarity or Confusion?

On October 10, 2019, the California Attorney General’s office issued the proposed text of its California Consumer Privacy Act (CCPA) regulations (the Regulations). The Regulations propose detailed rules regarding required notices for consumers, business practices for handling consumer requests, verification of requests, special rules regarding minors, and non-discrimination. Accompanying the Regulations are the Attorney General’s Initial Statement of Reasons, which provide the justifications for each requirement. Continue Reading

ECJ: Cookies Require Active Opt-In Consent

On October 1, 2019, the European Court of Justice (ECJ) delivered its judgment in Planet49 (C-673/17), holding that (1) website operators must obtain active opt-in consent to store or access cookies, (2) users must be informed about the retention period and the third party receiving the data, and (3) consent must be obtained regardless of whether the cookies contain personal data.

This ruling will likely prompt regulators to scrutinize cookie policies and consent mechanisms. Therefore, website operators and all parties involved in the adtech sphere should consider reviewing their notice and consent strategy for cookies to ensure that users receive sufficient information prior to consenting, and that cookies are not installed on an opt-out basis. Continue Reading

LexBlog

We use cookies on our site to analyze traffic, enhance your experience, and provide you with tailored content. For more information or to opt-out, visit our privacy policy.

I agree