privacy

Subscribe to privacy via RSS

The year 2020 promises to be an interesting one for privacy and data protection in Europe. In this post, we highlight four of the most important developments to watch this year: 1) we expect that European Union (EU) regulators will ramp up GDPR enforcement across the board, and with a particular focus on AdTech, cookies, and children’s data; 2) legislators and regulators are looking to take concrete measures on AI; 3) the Standard Contractual Clauses will likely have to undergo major reform to escape the same fate as the now-defunct Safe Harbor Framework; and 4) we expect that the proposed ePrivacy Regulation will move forward or be withdrawn altogether.
Continue Reading European Privacy Landscape: What to Expect in 2020

Given Broad Definitions, the Law Could Apply to Businesses That Do Not Consider Themselves Data Brokers

While amending the California Consumer Privacy Act of 2018 (CCPA) last term, the California legislature also passed a CCPA-related privacy bill that applies to “data brokers.” Assembly Bill 1202 (AB 1202) requires businesses that qualify as data brokers to register, pay a fee, and provide certain information to the California attorney general. Because AB 1202 relies on the CCPA’s broad definitions of “sell” and “personal information,” many businesses that might not otherwise consider themselves to be data brokers may fall within the data broker definition.
Continue Reading Data Brokers Must Register with California Attorney General by January 31

On October 10, 2019, the California Attorney General’s office issued the proposed text of its California Consumer Privacy Act (CCPA) regulations (the Regulations). The Regulations propose detailed rules regarding required notices for consumers, business practices for handling consumer requests, verification of requests, special rules regarding minors, and non-discrimination. Accompanying the Regulations are the Attorney General’s Initial Statement of Reasons, which provide the justifications for each requirement.
Continue Reading Proposed CCPA Regulations: Clarity or Confusion?

On October 1, 2019, the European Court of Justice (ECJ) delivered its judgment in Planet49 (C-673/17), holding that (1) website operators must obtain active opt-in consent to store or access cookies, (2) users must be informed about the retention period and the third party receiving the data, and (3) consent must be obtained regardless of whether the cookies contain personal data.

This ruling will likely prompt regulators to scrutinize cookie policies and consent mechanisms. Therefore, website operators and all parties involved in the adtech sphere should consider reviewing their notice and consent strategy for cookies to ensure that users receive sufficient information prior to consenting, and that cookies are not installed on an opt-out basis.
Continue Reading ECJ: Cookies Require Active Opt-In Consent

On August 12, 2019, the Greek Ministry of Justice published the long-awaited, draft legislation for implementing the General Data Protection Regulation (GDPR). Greece and Slovenia are the only two European Union (EU) countries that have not yet implemented the GDPR.

As an EU regulation, the GDPR has legally taken effect in every EU country, including Greece. In fact, the Greek Supervisory Authority recently imposed a 150,000EUR fine on a company for GDPR violations. However, the GDPR allows EU countries to adopt certain derogations, specifications, and exceptions through their implementing legislation. The draft, inter alia, does this through the following provisions:

  1. Age of Consent

The draft requires that a minor over 15 years old (and up to 18 years old) must consent to the processing of his/her personal data for the processing to be lawful. When a minor is under 15 years old, the minor’s legal guardian must consent.Continue Reading Greece Publishes Draft Legislation for Implementing GDPR

On July 29, 2019, the European Court of Justice (ECJ) issued its decision in FashionID (Case C-40/17), determining that website operators are jointly liable with plugin providers for data collection and transmission through social media buttons and other embedded plugins. Although the ECJ found the operator and plugin provider to be jointly liable, the court placed the burden on the website operator to provide notice and, where necessary, obtain consent for the joint activity. Further, the court found the plugin provider to be independently responsible for any subsequent use of the data. The decision will likely prompt regulators to closely scrutinize the use of third-party plugins.
Continue Reading Website Operator Jointly Liable for Data Collection and Transmission Through Facebook “Like” Button