Tag archives: Privacy

Navigating Virginia’s new privacy law

Photo of Steve Roosa (US)Photo of Daniel Rosenzweig (US)By Steve Roosa (US) and Daniel Rosenzweig (US) on Posted in NT Analyzer Blog Series

Virginia recently enacted its own data protection/privacy law and like its European and Californian predecessors, the technical piece is key.

Like the GDPR and CCPA, the Consumer Data Protection Act (“CDPA”), which goes into effect on January 1, 2023, broadly defines “personal data” as “any information that is linked or reasonably linkable to an identified or identifiable natural person.” The law also requires controllers to conduct a data protection assessment and implement technical data security practices.

NT Analyzer is equipped to provide organizations with a solution to meet this requirement. Read more about this new law and our solution on Continue Reading

Virginia’s new Consumer Data Protection Act

Photo of David Kessler (US)Photo of Susan Ross (US)By David Kessler (US) and Susan Ross (US) on Posted in Compliance and risk management

On March 2, 2021, the Governor of the Commonwealth of Virginia signed into law the Consumer Data Protection Act, which contains many elements of California’s Consumer Privacy Act (CCPA) and Europe’s General Data Protection Regulation (GDPR). The new law goes into effect on January 1, 2023.

But first, you need to determine whether the law applies to your business. The law begins:

This chapter applies to persons that conduct business in the Commonwealth or produce products or services that are targeted to residents of the Commonwealth and that (i) during a calendar year, control or process personal data of … Continue Reading

US banking regulators propose a rule for 36-hour notice of breach

Photo of David Kessler (US)Photo of Susan Ross (US)By David Kessler (US) and Susan Ross (US) on Posted in Data breach
US banking regulators propose a rule for 36-hour notice of breach

On December 18, 2020, the US Department of the Treasury (Office of the Comptroller of the Currency), Federal Reserve and Federal Deposit Insurance Corporation (FDIC) jointly announced a 53-page proposed rule that would require banks to notify their regulators within 36 hours of a “computer-security incident” that rises to the level of a “notification incident.” The proposed rule would also affect companies that provide certain services to those banks, including data processing. Those service providers would be required to notify “at least two individuals at affected banking organization customers immediately after the bank service provider experiences a computer-security incident that … Continue Reading

NT Analyzer Webinar: Solving Apple’s new app privacy requirement

By NRF Digital Team on Posted in Cybersecurity, NT Analyzer Blog Series, Vendor management and transactions
Solving Apple's New App Privacy Requirement

Please join us for an NT Analyzer Webinar, Solving Apple’s new app privacy requirement. Head of NRF Digital Analytics and Technology Assessment Platform for the US Steven Roosa and Associate Dan Rosenzweig as they walk through the upcoming Apple requirements, and showcase the NT Analyzer Apple dashboard solution.… Continue Reading

Germany’s Federal Supreme Court provisionally confirms Facebook’s use of personal data is alleged abuse of dominant market position

Photo of Christoph Ritzer (DE)Photo of Tim SchaperBy Christoph Ritzer (DE) and Tim Schaper on Posted in Cybersecurity

Facebook’s extensive collection of user-related data must be put on hold in Germany for the time being following a decision of Germany’s Federal Supreme Court on June 23, 2020. In summary proceedings, the Federal Supreme Court overturned an earlier order of the Higher Regional Court of Düsseldorf that – pending the outcome of an appeal by Facebook – had suspended the effect of a prohibition order issued by Germany’s Federal Cartel Office (FCO) in 2019 restricting Facebook’s collection of data. The FCO’s prohibition order will therefore be effective during Facebook’s ongoing appeal.

The case concerns the terms of use that … Continue Reading

Turkish Data Protection Board announces extension of VERBİS registration deadline – once again

Photo of Ekin Inal (TR)Photo of Ece Sürmen (TR)Photo of Ecem Naz Boyacıoğlu (TR)By Ekin Inal (TR), Ece Sürmen (TR) and Ecem Naz Boyacıoğlu (TR) on Posted in Regulatory response

The Turkish Data Protection Board (“Board”) announced the extension of VERBİS registration deadline until June 30, 2020 for:

  • Turkish data controllers with more than 50 employees annually or whose annual total financial statement exceeds TL 25,000,000 (approx. USD 4.2 million), and
  • Data controllers located abroad.
Continue Reading

Mic Drop: California AG releases long-awaited CCPA Rulemaking

Photo of David Kessler (US)Photo of Jeewon Kim Serrato (US)Photo of Susan Ross (US)Photo of Anna Rudawski (US)Photo of Max Kellogg (US)By David Kessler (US), Jeewon Kim Serrato (US), Susan Ross (US), Anna Rudawski (US) and Max Kellogg (US) on Posted in CCPA, Compliance and risk management
Data Protection Report - digital privacy, CCPA and cybersecurity

On October 10, 2019, with just weeks to go until the law goes into effect, the California Attorney General released the long-awaited draft regulations for the California Consumer Privacy Act (CCPA).

The proposed rules shed light on how the California AG is interpreting and will be enforcing key sections of the CCPA.  In the press release announcing the proposed regulations, Attorney General Becerra described CCPA as “[providing] consumers with  groundbreaking new rights on the use of their personal information” and added, “It’s time we had control over the use of our personal data.”… Continue Reading

Turkey’s data protection legislation on data controller registry to impact data controllers outside of Turkey

Photo of Ekin Inal (TR)By Ekin Inal (TR) on Posted in Regulatory response
Norton Rose Fulbright - Data Protection Report blog

Obligations

Turkey’s data protection legislation (TDPL) requires data controllers to notify the Turkish DPA of their processing activities. Unless exempt from the requirement, all data controllers (individuals and legal entities) who process personal data in Turkey must be registered with the Turkish DPA’s Register of Data Controllers Information System (VERBİS), prior to processing any personal data.

Data controllers which fail to fulfil this obligation may be subject to an administrative fine of an amount between TL 20,000–1,000,000 (approximately USD 3,600-180,000). Such fines will be issued at the discretion of the Data Protection Board and will be determined based on the … Continue Reading

One-Month Countdown to Pass CCPA Amendments Begins

Photo of Jeewon Kim Serrato (US)Photo of Susan Ross (US)By Jeewon Kim Serrato (US) and Susan Ross (US) on Posted in CCPA, Compliance and risk management, Enforcement
Data Protection Report - Norton Rose Fulbright

On August 12, the California legislature returns after its summer recess. Starting with the Senate Appropriations Committee Hearing today, the legislature will now have approximately a month to continue the markups and send California Consumer Privacy Act (CCPA) amendments to the Governor’s desk for signature before the September 13 deadline.  As previously reported, any amendment that passes from the Senate will likely need to go back to the Assembly since many of them have been marked up significantly by the Senate. Below is a summary of the seven amendments that are moving forward and what they mean for businesses who … Continue Reading

Cyber law firm of the year nomination

Photo of Chris Cwalina (US)Photo of Ffion Flockhart (UK)Photo of Steven Hadwin (UK)By Chris Cwalina (US), Ffion Flockhart (UK) and Steven Hadwin (UK) on Posted in General
Norton Rose Fulbright - Data Protection Report blog

We are pleased to report that Norton Rose Fulbright has been shortlisted for cyber law firm of the year at the 2019 Insurance Insider Cyber Rankings Awards. Many thanks to everyone who has voted for us so far. The winner will be determined from the results of a wide-ranging survey of insurers and brokers and will be announced on 20 September 2019. We encourage our insurer and broker clients and contacts to respond to the survey if they have not already done so.… Continue Reading

FTC to levy unprecedented $US5bn fine against Facebook

Photo of Andrea D'Ambra (US)Photo of Max Kellogg (US)By Andrea D'Ambra (US) and Max Kellogg (US) on Posted in Data breach, Regulatory response
Data Protection Report - Norton Rose Fulbright

On Friday, July 12, 2019, the Wall Street Journal reported that Federal Trade Commission and Facebook reached a settlement to resolve Facebook’s privacy issues surrounding the Cambridge Analytica disclosure discovered last year. The settlement imposes a US$5 billion dollars on the tech giant, which represents roughly 9% of Facebook’s total yearly revenue and is the largest civil and privacy fine ever imposed by the FTC. The fine largely surpasses the FTC’s previous imposed fine in a privacy action, when the FTC fined Google US$22.5 million to settle claims it misrepresented privacy assurances to Safari users.… Continue Reading

New CNIL €400,000 fine for data security breaches and non-compliance with data retention period under the GDPR

Photo of Nadège Martin (FR)Photo of Nilofar Moini Shabestari (FR)By Nadège Martin (FR) and Nilofar Moini Shabestari (FR) on Posted in Data breach, Enforcement
Data Protection Report - Norton Rose Fulbright

Following the now famous €50m fine imposed on Google LLC in January 2019,[1] the French Data Protection Authority (the CNIL) published a decision taken on 28 May 2019[2] imposing a fine of €400,000 on SERGIC, a company specialised in real estate development, purchase, sale, rental and property management.… Continue Reading

NT Analyzer Blog Series: Why So Many Cookie Policies Are Broken, Part I – HTML5 LocalStorage

Photo of Steve Roosa (US)By Steve Roosa (US) on Posted in Compliance and risk management, Data breach, NT Analyzer Blog Series
NT Analyzer blog series, cookie

Cookies Are One Piece of a Larger Puzzle

There has been an odd preoccupation with cookies for some time now—to the exclusion of other forms of browser tracking, some of which are much more flexible and more robust in their data collection capabilities than cookies.  Despite this fact, these other, non-cookie tracking technologies are often not referenced in privacy policies and cookie policies, even though they are used to “store information” and / or “gain access to information stored in the terminal equipment” for purposes of the ePrivacy Directive and will presumably qualify as personal information under the CCPA as … Continue Reading

ICO’s draft Age Appropriate Design Code could seriously impact processing of under 18’s personal data

Photo of Fiona Bundy-Clarke (UK)By Fiona Bundy-Clarke (UK) on Posted in Regulatory response
Data Protection Report - digital privacy, CCPA and cybersecurity

On 15 April 2019, the ICO opened a public consultation on a draft code of practice titled Age Appropriate Design (the “Code”).  The Code will remain open for public consultation until 31 May 2019.

The consultation document is described as a “code of practice for online services likely to be accessed by children.”  However, its potential impact is in fact wider, and is perhaps better described as applying to all online services that are not demonstrably unlikely to be accessed by children, which it controversially defines as individuals under 18.  For this reason, the Code in its current form … Continue Reading

Parenting support club Bounty fined in ‘unprecedented’ data breach

Photo of Lara White (UK)By Lara White (UK) on Posted in Enforcement
Norton Rose Fulbright - Data Protection Report blog

On 12 April, the Information Commissioners Office (ICO) fined Bounty, a pregnancy and parent support club, £400,000 for illegally sharing personal data belonging to more than 14 million people. As the contravention took place just before the General Data Protection Regulation (GDPR) came into force, the fine was issued under the Data Protection Act 1998 (DPA).… Continue Reading

French court issues decision on legality of Privacy Rules and Terms of Use under data protection and consumer law

Photo of Cécile Auvieux (FR)Photo of Nadège Martin (FR)By Cécile Auvieux (FR) and Nadège Martin (FR) on Posted in Dispute resolution and litigation, Enforcement
Norton Rose Fulbright - Data Protection Report blog

Five years after the commencement of legal proceedings against Google by leading French consumer association UFC Que Choisir, the Paris “Tribunal de Grande Instance” (TGI), in a decision dated 12 February 2019, issued its ruling on the legality of the Google+ Terms of Use and Privacy Rules, both with respect to consumer law and personal data protection regulations.… Continue Reading

EU Advocate General issues opinion on consent for cookies and intersection between ePrivacy-Directive and GDPR

Photo of Lara White (UK)Photo of Marcus Evans (UK)Photo of Sven Jacobs (DE)By Lara White (UK), Marcus Evans (UK) and Sven Jacobs (DE) on Posted in Dispute resolution and litigation
Norton Rose Fulbright - Data Protection Report blog

On March 21, 2019, Advocate General Szpunar released his opinion on the use of consent for the processing of personal data and for the use of cookies pursuant to the ePrivacy-Directive and the General Data Protection Regulation (GDPR).

The opinion includes several key points on whether consent is ‘freely given’ pursuant to the ePrivacy-Directive and the GDPR and also gives insight on what constitutes ‘informed consent.’… Continue Reading

Companies’ right to privacy

Photo of David Kessler (US)Photo of Susan Ross (US)By David Kessler (US) and Susan Ross (US) on Posted in Compliance and risk management, Dispute resolution and litigation
Data Protection Report - Norton Rose Fulbright

On January 3, 2019, the federal trial court in Manhattan issued a preliminary injunction, temporarily halting a new local law aimed at required disclosures by home-sharing platforms, such as Airbnb and HomeAway, to the city. The court granted the preliminary injunction on the basis that the city’s broad requirement that the services turn over detailed customer information on a monthly basis likely violated the Fourth Amendment to the U.S. Constitution—infringing the privacy rights of the companies, rather than the users. In contrast, the court ruled that the companies’ Stored Communications Act claim did not meet the standard for a … Continue Reading

Comments at CCPA public forum in Los Angeles highlight tensions between businesses and consumer rights groups

Photo of Jeewon Kim Serrato (US)Photo of Arleen Fernandez (US)By Jeewon Kim Serrato (US) and Arleen Fernandez (US) on Posted in CCPA, Compliance and risk management
Norton Rose Fulbright - Data Protection Report blog

This is the Data Protection Report’s seventh blog post in series of CCPA blog posts that will break down the major elements of the CCPA. Stay tuned for additional posts on the CCPA.

On January 25, 2019, the California Attorney General’s Office held a public forum in Los Angeles to solicit feedback on the California Consumer Privacy Act of 2018 (“CCPA”) as it prepares to draft regulations which must be adopted on or before July 1, 2020. CCPA provides new rights to California consumers with respect to the collection and use of their personal information. The CCPA authorizes the Attorney … Continue Reading

First multi-million Euro GDPR fine: Google LLC fined €50 million under GDPR for transparency and consent infringements in relation to use of personal data for personalized ads

Photo of Marcus Evans (UK)Photo of Lara White (UK)Photo of Cécile Auvieux (FR)By Marcus Evans (UK), Lara White (UK) and Cécile Auvieux (FR) on Posted in Compliance and risk management, Cybersecurity, Enforcement, Regulatory response
Norton Rose Fulbright - Data Protection Report blog

On January 21,2019 the French data protection authority (the CNIL) imposed a major fine on the U.S. Google entity, Google LLC.  It follows two complaints filed as soon as the GDPR came into force by two consumer rights associations, None of Your Business and La Quadrature du Net.

We focus here on four key aspects of the decision: (a) why the Irish Data Protection Commission (Irish DPC) did not take the case; (b) the consent mechanism failings; (c) the privacy policy failings; and (d) the amount of the fine.… Continue Reading

LexBlog