Posted in Compliance and risk management
On 3 July 2019, the ICO published its updated guidance on the use of cookies and similar technologies. This came shortly after it updated the cookie consent collection mechanism on its own website. Much of the guidance is unsurprising and reflects what companies already do in practice. However, other parts of the guidance are likely to require many organisations to make changes to their current cookies practices. Continue reading
Posted in Compliance and risk management
The German data protection authorities, acting as the German data protection conference (Datenschutzkonferenz), recently published guidance on how to transfer customer data in an asset deal. The guidance runs through various scenarios. In most cases, a bulk transfer of all customer data is not permitted. Further, the guidance makes no mention of, or allowance for, the transfer of marketing permissions which – as these are generally on an opt-in consent basis in Germany – means a buyer cannot rely on the seller’s marketing consents in an asset sale. Therefore, the position in Germany remains that it is highly advisable to structure M&A deals as share deals when selling the target together with customer data databases relating to individuals. Continue reading
Posted in Data breach, Enforcement
Following the now famous €50m fine imposed on Google LLC in January 2019,[1] the French Data Protection Authority (the CNIL) published a decision taken on 28 May 2019[2] imposing a fine of €400,000 on SERGIC, a company specialised in real estate development, purchase, sale, rental and property management. Continue reading
Posted in Compliance and risk management, General
This is the Data Protection Report’s eleventh blog post in a series of CCPA blog posts. Stay tuned for additional posts on the CCPA.
As America prepares for the Fourth of July holiday weekend, the California legislature continues to work on amending the California Consumer Privacy Act (“CCPA”), as it races to get modifications passed through the state legislature before it adjourns for the 2019 calendar year. On June 28, one of those bills, AB 25, the “employee exception” bill was significantly amended by the Senate Judiciary Committee and appears to move forward, despite a recent political setback last month when the California Labor Federations announced its opposition. Three other proposed amendments are set for a hearing on July 9, including AB 1355, which will hopefully clean up several drafting errors. See below for a brief summary of the latest on “what’s cooking” in Sacramento. Continue reading
Posted in Cybersecurity, Data breachOn June 13, 2019 Measures for Personal Data Cross-Border Transfer Security Assessments (Draft for Comment) (Measures) were issued by the Cyberspace Administration of China, along with an invitation for submissions to be made as part of a public consultation. The Measures lay down stricter requirements in relation to cross-border transfers of personal data with the intention to better safeguard internet users’ rights, public interests and national security.
The Measures set out a number of general requirements and implementing provisions for aspects of a network operator’s assessment obligation, assessment standards and reporting procedures. They also introduce specific requirements for contracts between personal data transferors and overseas recipients, and protective measures to be adopted by PRC authorities.
Posted in Data breach
In the absence of federal action, states have been actively passing new and expanded requirements for privacy and cybersecurity (see some examples here and here). While laws like the California Consumer Privacy Act (CCPA) are getting all the attention, many states are actively amending their breach notification laws. Illinois, Maine, Maryland, Massachusetts, New Jersey, New York, Oregon, Texas, and Washington have all amended their breach notification laws to either expand their definitions of personal information, or to include new reporting requirements.
Below is a roundup of recent and significant changes.
Cookies Are One Piece of a Larger Puzzle
There has been an odd preoccupation with cookies for some time now—to the exclusion of other forms of browser tracking, some of which are much more flexible and more robust in their data collection capabilities than cookies. Despite this fact, these other, non-cookie tracking technologies are often not referenced in privacy policies and cookie policies, even though they are used to “store information” and / or “gain access to information stored in the terminal equipment” for purposes of the ePrivacy Directive and will presumably qualify as personal information under the CCPA as well. Continue reading
Posted in Compliance and risk managementOn 20 June, the UK’s Information Commissioner (the ICO) published a report setting out its views on adtech, specifically the use of personal data in “real time bidding”, and the key privacy compliance challenges arising from it. Continue reading
The US privacy law landscape continues to shift and evolve as state and federal privacy legislative proposals continue to be debated and become enacted. While CCPA-like bills in Washington and Texas failed to pass, Nevada passed its online privacy amendment and proposals in New York and Washington, DC appear to be gaining momentum. Continue reading
This is the Data Protection Report’s ninth blog post in a series of CCPA blog posts that will break down the major elements of the CCPA. Stay tuned for additional posts on the CCPA.
On May 16, 2019, the California Senate Appropriations Committee held a hearing that included S.B. 561, the “Attorney General amendment” to the California Consumer Privacy Act (“CCPA”). The bill is being held in committee and under submission, which means the bill has been blocked and is likely dead. Continue reading
