data security

CCPA Update: California Attorney General Issues Modifications to Proposed CCPA Regulations

By Edward Holman & Megan Kayo on February 13, 2020

Updates to Compliance Likely Required

On February 10, 2020, the California Attorney General issued the proposed text of modified regulations implementing the California Consumer Privacy Act (CCPA). This draft is a correction of a version that the California Attorney General issued on February 7, 2020. While the California Attorney General previously indicated that major changes to the proposed CCPA regulations were not anticipated, these modifications are likely to have a significant impact on CCPA compliance efforts, particularly regarding privacy notices, agreements between businesses and service providers, and policies on handling consumer requests.
Continue Reading CCPA Update: California Attorney General Issues Modifications to Proposed CCPA Regulations

CJEU Advocate General Confirms Validity of EU Data Transfer Tools

By Laura Brodahl, Laura De Boel, Cédric Burton & Jan Dhont on February 5, 2020

Posted in Cybersecurity, European Union, Privacy

On December 19, 2019, the Advocate General (AG) of the highest EU Court (the Court of Justice of the European Union (CJEU)) issued his opinion in Schrems II^[1] (the opinion). Wilson Sonsini previously covered the key points of the opinion in our Alert of December 20 and now provides a more detailed analysis in this contribution.

At stake in this case is the validity of two key EU data transfers mechanisms, the Standard Contractual Clauses (SCCs) and the EU-U.S. Privacy Shield. The SCCs allow companies to transfer personal data to any country outside of the European Economic Area. The Privacy Shield enables transfers specifically from the EU to the U.S.
Continue Reading CJEU Advocate General Confirms Validity of EU Data Transfer Tools

Proposed CCPA Regulations: Clarity or Confusion?

By Edward Holman & Mariam Abdel-Malek on October 22, 2019

Posted in Cybersecurity, Privacy

On October 10, 2019, the California Attorney General’s office issued the proposed text of its California Consumer Privacy Act (CCPA) regulations (the Regulations). The Regulations propose detailed rules regarding required notices for consumers, business practices for handling consumer requests, verification of requests, special rules regarding minors, and non-discrimination. Accompanying the Regulations are the Attorney General’s Initial Statement of Reasons, which provide the justifications for each requirement.
Continue Reading Proposed CCPA Regulations: Clarity or Confusion?

ECJ: Cookies Require Active Opt-In Consent

By Bastiaan Suurmond, Josephine Jay & Christopher Foo on October 9, 2019

Posted in Privacy

On October 1, 2019, the European Court of Justice (ECJ) delivered its judgment in Planet49 (C-673/17), holding that (1) website operators must obtain active opt-in consent to store or access cookies, (2) users must be informed about the retention period and the third party receiving the data, and (3) consent must be obtained regardless of whether the cookies contain personal data.

This ruling will likely prompt regulators to scrutinize cookie policies and consent mechanisms. Therefore, website operators and all parties involved in the adtech sphere should consider reviewing their notice and consent strategy for cookies to ensure that users receive sufficient information prior to consenting, and that cookies are not installed on an opt-out basis.
Continue Reading ECJ: Cookies Require Active Opt-In Consent

Greece Publishes Draft Legislation for Implementing GDPR

By Nikolaos Theodorakis on August 20, 2019

Posted in European Union, Privacy, Regulatory

On August 12, 2019, the Greek Ministry of Justice published the long-awaited, draft legislation for implementing the General Data Protection Regulation (GDPR). Greece and Slovenia are the only two European Union (EU) countries that have not yet implemented the GDPR.

As an EU regulation, the GDPR has legally taken effect in every EU country, including Greece. In fact, the Greek Supervisory Authority recently imposed a 150,000EUR fine on a company for GDPR violations. However, the GDPR allows EU countries to adopt certain derogations, specifications, and exceptions through their implementing legislation. The draft, inter alia, does this through the following provisions:

Age of Consent

The draft requires that a minor over 15 years old (and up to 18 years old) must consent to the processing of his/her personal data for the processing to be lawful. When a minor is under 15 years old, the minor’s legal guardian must consent.Continue Reading Greece Publishes Draft Legislation for Implementing GDPR

Website Operator Jointly Liable for Data Collection and Transmission Through Facebook “Like” Button

By Cédric Burton, Jan Dhont, Rossana Fol, Christopher Olsen & Bastiaan Suurmond on July 30, 2019

Posted in Cybersecurity, Privacy

On July 29, 2019, the European Court of Justice (ECJ) issued its decision in FashionID (Case C-40/17), determining that website operators are jointly liable with plugin providers for data collection and transmission through social media buttons and other embedded plugins. Although the ECJ found the operator and plugin provider to be jointly liable, the court placed the burden on the website operator to provide notice and, where necessary, obtain consent for the joint activity. Further, the court found the plugin provider to be independently responsible for any subsequent use of the data. The decision will likely prompt regulators to closely scrutinize the use of third-party plugins.
Continue Reading Website Operator Jointly Liable for Data Collection and Transmission Through Facebook “Like” Button

The Data Advisor

data security

CCPA Update: California Attorney General Issues Modifications to Proposed CCPA Regulations

Proposed CCPA Regulations: Clarity or Confusion?

ECJ: Cookies Require Active Opt-In Consent

ABOUT OUR PRIVACY & DATA PROTECTION PRACTICE