Provides Detailed Specifications Both for Information Security Program and Third-Party Assessments

On June 12, 2019, the Federal Trade Commission (FTC) announced it had reached a proposed settlement with LightYear Dealer Technologies, LLC (doing business as “DealerBuilt”) over allegations that the automobile software provider’s inadequate data security practices had resulted in a data breach in 2016.1

This consent order deserves a close read because the FTC has imposed data security obligations on DealerBuilt that go further than any previous settlement, and the FTC is likely to seek to impose these requirements in future settlements.2 Specifically, the FTC has mandated DealerBuilt to implement an information security program with more detailed specifications than appear in earlier settlements. These modifications are consistent with the FTC’s recent proposed amendments to the Safeguards Rule (a rule that guides FTC implementation of the Gramm-Leach-Bliley Act (GLBA)).3 The FTC has also imposed more specific requirements with regards to third-party security assessments.
Continue Reading FTC Data Security Settlement with Auto Dealer Software Provider Goes Further than Ever Before

On May 29, 2019, in the midst of the legislative amendment process taking place in Sacramento for the California Consumer Privacy Act (CCPA), Nevada has passed its own CCPA-like privacy law, SB 220, taking effect on October 1, 2019, just three months before the CCPA becomes operative. The law’s main focus is to give consumers the right to opt out of the sale of certain personal information about them, though it is substantially narrower than the CCPA in many respects. Here are the key takeaways from the law:
Continue Reading Nevada Follows California in Enacting New Privacy Law Giving Consumers the Right to Opt Out of Certain Data Sales

On May 22, 2019, a federal district court largely denied a facial challenge by Disney, Viacom, and several online advertising networks to claims alleging these defendants violated the privacy rights of children by collecting data through online gaming apps.

In McDonald v. Kiloo APS,[1] the defendants consisted of two groups: the developers who created the gaming apps and made them available for download, and the mobile advertising and app monetization companies who provided software code inserted into the gaming apps to collect user data for advertising purposes. The defendants allegedly collected a variety of data from the children’s devices without appropriate consent, including the IP address; the specific device name; IDs for Apple and Android devices; the device’s International Mobile Equipment Identity; the timestamp at which an advertising event was recorded; and device fingerprint data (the user’s language, time zone, country, and mobile network).Continue Reading Federal Court Allows Children’s Online Privacy Claims Against Disney, Viacom, and Online Ad Networks That Collected Data from Gaming Apps to Go Forward

On May 22, 2019, WSGR and the Future of Privacy Forum (FPF) co-hosted an event focusing on advertising technology and how to overcome the challenges of complying with evolving global privacy requirements.

Jules Polonetsky from FPF opened the program, focusing on the evolution of online advertising, from contextual to programmatic behavioral advertising. WSGR attorneys Lydia Parnes, Cédric Burton, Libby Weingarten, and Lore Leitner discussed the legal regime that applies to this technology: new legal requirements, recent case law, and data protection authorities’ decisions affecting the ad tech ecosystem, as well as the differences between EU and U.S. legislation applying to ad tech.Continue Reading WSGR Event Recap: Online Advertising and Privacy—An Overview of Global Legal Developments

On May 8, 2019, the Brussels Court of Appeal referred the Belgian Data Protection Authority’s (DPA) case against Facebook to the European Court of Justice (CJEU) to address jurisdictional issues regarding which DPA is competent to bring enforcement actions against Facebook. The case deals with Facebook’s collection of individuals’ data through cookies stored in Facebook’s social plugins. The Belgian DPA alleges that Facebook’s data collection is unlawful as it lacks valid consent and does not provide appropriate notice to individuals. Several courts in Belgium have already examined the issues, but it now reaches a new phase as the Brussels Court of Appeal Court referred critical questions to the CJEU dealing with the interpretation of the concept of “Lead Supervisory Authority” under the General Data Protection Regulation (GDPR). 
Continue Reading Belgian Facebook Case Referred to the European Court of Justice

On May 1, 2019, WSGR convened a panel of regulators and experts to discuss recent developments in European data protection law. The panel, moderated by Cédric Burton, featured Bruno Gencarelli, head of the International Data Flows and Protection Unit of the European Commission, Isabelle Vereecken, head of the Secretariat of the European Data Protection Board (EDPB), and Dr. Christopher Kuner, senior privacy counsel at WSGR.
Continue Reading WSGR Event Recap: The State of Play in European Data Protection Law