FTC Seeks Public Comment on Children’s Online Privacy Protection Rule

In a notice issued July 17, 2019, the Federal Trade Commission (FTC) is seeking public comment on a wide range of issues related to the Children’s Online Privacy Protection Act and implementing Rule (COPPA). The FTC has also announced a public workshop to review the COPPA Rule, to be held on October 7, 2019. Continue Reading

The CNIL Sharpens Requirements on Deployment of Tracking Technologies

On July 18, 2019, the French Data Protection Authority (CNIL) issued new guidance on the use of cookies and similar tracking technologies (collectively referred to as “cookies” below).[1] The guidance clarifies the instances in which companies must obtain consent for the use of cookies and specifies the requirements for obtaining consent. Continue Reading

Looking Back: The ICO’s Busy Year and Its Record-Breaking Fines

The UK Supervisory Authority (the ICO) has had a headline-busting month. On July 9, 2019, the ICO announced its intention to fine Marriott International more than £99 million under the GDPR (General Data Protection Regulation) for a data breach which took place last year,[1] a figure that would have been record breaking had the ICO not announced its intention to fine British Airways £183 million 24 hours earlier.[2] While it is clear that both of these hefty penalties relate to deficiencies in security practices, the actions that paved the way for such draconian fines are yet to be made public (see “Massive GDPR Fine Proposed by UK ICO Confirms Trend of Increased Focus on EU Data Breaches.”) Continue Reading

The CNIL Announces Its 2019-2020 Action Plan on Ad Targeting

On June 28, 2019, the French Data Protection Authority (CNIL) released its 2019-2020 action plan on ad targeting (action plan);1 among other things, the CNIL announced that it will issue new cookie guidance later this month and that, once the guidance is published, companies will have a 12-month grace period to come into compliance.


When the General Data Protection Regulation (GDPR) became effective on May 25, 2018, it imposed stricter conditions for obtaining valid consent to process personal data. In short, consent must be freely given, specific, informed, and unambiguous. Individuals must also be able to withdraw their consent at any time. The European Data Protection Board (EDPB) issued guidelines to further clarify the “do’s and don’ts” for obtaining valid consent (consent guidelines), including that scrolling down or swiping through a website is not enough to obtain valid consent. Rather, consent must be obtained via a clear and affirmative action, such as clicking on an “I agree” button.

Continue Reading

Massive GDPR Fine Proposed by UK ICO Confirms Trend of Increased Focus on EU Data Breaches

On July 8, 2019, the UK Information Commissioner’s Office (ICO) announced its intention to fine British Airways GBP 183.39 million over a data breach in which the personal data of approximately 500,000 customers was compromised.[1] If made final, the fine—equivalent to approximately U.S. $230 million—would be the biggest fine ever issued by the ICO as well as any Supervisory Authority (SA) in the European Union. Continue Reading

And Then There Were None: Or How Schrems 2.0 May Invalidate the Standard Contractual Clauses and the Privacy Shield

On July 9, 2019, the European Court of Justice (ECJ)—the highest court of the European Union—will hear oral arguments in the Schrems 2.0 case relating to the validity of two key data transfer mechanisms: the Standard Contractual Clauses (SCCs) and the EU-US Privacy Shield. Both of these mechanisms are widely used by companies in the European Economic Area (EEA), which comprises the 28 EU member states plus Iceland, Liechtenstein, and Norway, to allow the transfer of personal data to the United States and other countries outside the EEA. Continue Reading


We use cookies on our site to analyze traffic, enhance your experience, and provide you with tailored content. For more information or to opt-out, visit our privacy policy.

I agree