Privacy & Information Security Law Blog

On May 10, 2022, Connecticut Governor Ned Lamont signed An Act Concerning Personal Data Privacy and Online Monitoring, after the law was previously passed by the Connecticut General Assembly in April. Connecticut is now the fifth state to enact a consumer privacy law.

On April 23, 2022, the European Commission announced that the European Parliament and EU Member States had reached consensus on the Digital Services Act (“DSA”), which establishes accountability standards for online platforms regarding illegal and harmful content.

On April 19, 2022, the California state legislature and an industry self-regulatory group each separately took steps to enhance online privacy protections for children who are not covered by the Children’s Online Privacy Protection Act (“COPPA”), which applies only to personal information collected online from children under the age of 13.

On March 25, 2022, the U.S. District Court for the Northern District of Illinois approved a $1.1 million settlement with TikTok Inc. (“TikTok”) to resolve claims that TikTok collected children’s data and sold it to third parties without parental consent. The plaintiffs sued TikTok in 2019, alleging that TikTok did not seek verifiable parental consent prior to collecting personal information of children under 13 on the popular video platform in violation of the Children’s Online Privacy Protection Act. The complaint further alleged that TikTok disclosed and sold user data, including lip-syncing videos created by children who used a TikTok-affiliated app called Musical.ly, to third parties, without parental consent. The $1.1 million settlement will be distributed among class members, who consist of U.S. users who, prior to the settlement’s effective date and while under the age of 13, registered for or used TikTok or Musical.ly.

On March 24, 2022, the European Union unveiled the final text of the Digital Markets Act (the “DMA”). The final text of the DMA was reached following trilogue negotiations between the European Commission, European Parliament and EU Member States (led by the French Presidency at the European Council). The final text retains essentially the same features as the previous draft text but does include some notable changes.

On March 16, 2022, Google announced the launch of its new analytics solution, “Google Analytics 4.” Google Analytics 4 aims, among other things, to address recent developments in the EU regarding the use of analytics cookies and data transfers resulting from such use.

On March 1, 2022, President Biden, in his first State of the Union address, called on Congress to strengthen privacy protections for children, including by banning online platforms from excessive data collection and targeted advertising for children and young people. President Biden called for these heightened protections as part of his unity agenda to address the nation’s mental health crisis, especially the growing concern about the harms of digital technologies, particularly social media, to the mental health and well-being of children and young people. President Biden not only urged for stronger protections for children’s data and privacy, but also for interactive digital service providers to prioritize safety-by-design standards and practices. In his address, President Biden called on online platforms to “prioritize and ensure the health, safety and well-being of children and young people above profit and revenue in the design of their products and services.” President Biden also called for a stop to “discriminatory algorithmic decision-making that limits opportunities” and impacts the mental well-being of children and young people.

On February 18, 2022, the Texas Attorney General’s Office (the “Texas AG”) announced that it had issued two Civil Investigative Demands (“CIDs”) to TikTok Inc. The Texas AG’s investigation focuses on TikTok’s alleged violations of children’s privacy and facilitation of human trafficking, along with other potential unlawful conduct.

On February 14, 2022, Noom Inc., a popular weight loss and fitness app, agreed to pay $56 million, and provide an additional $6 million in subscription credits to settle a putative class action in New York federal court. The class is seeking conditional certification and has urged the court to preliminarily approve the settlement.

On January 4, 2022,  the Federal Trade Commission published a blog post reminding companies that “the duty to take reasonable steps to mitigate known software vulnerabilities implicates laws including, among others, the Federal Trade Commission Act and the Gramm Leach Bliley Act,” in response to Log4Shell’s public disclosure of the Log4j vulnerability. The blog post also calls for companies to take immediate steps to reduce the likelihood of harm to consumers that could result from the exposure of consumer data as a result of Log4j or similar known vulnerabilities.

On February 14, 2022, Texas Attorney General Ken Paxton brought suit against Meta, the parent company of Facebook and Instagram, over the company’s collection and use of biometric data. The suit alleges that Meta collected and used Texans’ facial geometry data in violation of the Texas Capture or Use of Biometric Identifier Act (“CUBI”) and the Texas Deceptive Trade Practices Act (“DTPA”). The lawsuit is significant because it represents the first time the Texas Attorney General’s Office has brought suit under CUBI.

On January 24, 2022, a group of state attorneys general (Indiana, Texas, D.C. and Washington) (the “State AGs”) announced their commitment to ramp up enforcement work on “dark patterns” that are used to ascertain consumers’ location data. The State AGs created a plan to initiate lawsuits alleging that consumers of certain online services are falsely led to believe that they can prevent the collection of their location data by changing their account and device settings, when the online services do not, in fact, honor such settings. The State AGs have alleged that this practice constitutes a deceptive and unlawful trade practice under applicable state consumer protection law. The State AGs’ announcement highlights the underlying concern that consumers may be provided with a choice to opt out of location tracking but still have their location data made accessible to certain online service providers.

Organizations increasingly use artificial intelligence- (“AI”) driven solutions in their day-to-day business operations. Generally, these AI-driven solutions require the processing of significant amounts of personal data for the AI model’s own training, which often is not the purpose for which the personal data originally was collected. There is a clear tension between such further use of vast amounts of personal data and some of the key data protection principles outlined in EU privacy regulations. On the occasion of Data Privacy Day 2022, Hunton privacy attorneys ...

On January 5, 2022, the New York Office of the Attorney General (“NY AG”) announced the results of an investigation into “credential stuffing,” which uncovered 1.1 million compromised accounts from cyberattacks on 17 well-known companies. The announcement included a “Business Guide for Credential Stuffing Attacks,” (the “Guide”) detailing the attacks and providing tips for businesses to protect themselves.

On December 27, 2021, the Federal Trade Commission sought public comment on a petition filed by Accountable Tech calling on the FTC to use its rulemaking authority to prohibit “surveillance advertising” as an “unfair method of competition” (“UMC”). Accountable Tech is a non-profit organization that advocates for social media companies to strengthen the integrity of their platforms.

Beginning in 2022, Apple and Google will impose new privacy requirements on mobile apps available for download in the Apple App Store and Google Play Store, respectively. As described further below, Apple’s new account deletion requirement will apply to all mobile app submissions to the Apple App Store beginning January 31, 2022. Similarly, Google’s new Data Safety section will launch in February 2022, and app developers will be required to submit to the Google Play Store Data Safety forms and Privacy Policies by April 2022.

On November 2, 2021, Facebook parent Meta Platforms Inc. announced in a blog post that it will shut down its “Face Recognition” system in coming weeks as part of a company-wide move to limit the use of facial recognition in its products. The company cited the need to “weigh the positive use cases for facial recognition against growing societal concerns, especially as regulators have yet to provide clear rules.”

On September 14, 2021, the Securities and Exchange Commission (“SEC”) announced that analytics firm, App Annie Inc., and its co-founder and former CEO and Chairman Bertrand Schmitt, agreed to pay approximately $10 million to settle securities fraud charges for engaging in deceptive practices and making material misrepresentations about “alternative data” sold by the company. Notably, this is the SEC’s first enforcement action charging an alternative data provider with securities fraud.

On September 29 and 30, 2021, the U.S. Senate Committee on Commerce, Science and Transportation convened hearings on how to better protect consumer and children’s privacy.

On September 27, 2021, the European Data Protection Board (the “EDPB”) announced that it established a taskforce to coordinate the response to complaints filed with several EU data protection authorities (“DPAs”) by the non-governmental organization None of Your Business (“NOYB”) in relation to cookie banners.

On August 29, 2021, a New York City Council bill amending the New York City Administrative Code to address customer data collected by food delivery services from online orders became law after the 30-day period for the mayor to sign or veto lapsed. Effective December 27, 2021, the law will permit restaurants to request customer data from third-party food delivery services and require delivery services to provide, on at least a monthly basis, such customer data until the restaurant “requests to no longer receive such customer data.” Customer data includes name, phone number, email address, delivery address and contents of the order.

On August 20, 2021, China’s 13^th Standing Committee of the National People’s Congress passed the Personal Information Protection Law (the “PIPL”). As we previously reported, the PIPL is China’s first comprehensive data protection law. It is modeled, in part, on other jurisdictions’ omnibus data protection regimes, including the EU General Data Protection Regulation (“GDPR”). The PIPL will become effective on November 1, 2021. Below are some of the key provisions under the PIPL.

On July 31, 2021, Zoom Video Communications, Inc. (“Zoom” or the “Company”) agreed to pay $85 million to settle a class action suit that alleged the Company violated users’ privacy rights by misleading consumers about encryption security, sharing data through third-party integrations without adequate notice or consent, and failing to protect private meetings from being disturbed by “zoombombings.” Class members would be eligible to receive payment, regardless of whether they paid for a Zoom account.

On June 17, 2021, Senator Kirsten Gillibrand (D-NY) announced the reintroduction of the Data Protection Act of 2021 (the “bill”), which would create an independent federal agency, the Data Protection Agency, to “regulate high-risk data practices and the collection, processing, and sharing of personal data.” The bill was first introduced in 2020 and has since been revised to include updated provisions intended to protect against privacy harms, oversee the use of “high-risk data practices” and examine the social, ethical, and economic impacts of data collection.

On June 11, 2021, the Belgian Data Protection Authority (“Belgian DPA”) released its 2020 Annual Report (the “Report”). Notably in 2020, the Belgian DPA focused on the supervision of initiatives to fight the COVID-19 pandemic involving data processing, while not losing sight of its other priorities, as identified in its Strategic Plan 2020-2025.

Due to the increased awareness of the importance of the protection of personal data, 2020 had a significant increase in the number of complaints, which were up 290.64%, and data breach notifications, which were up 25.09%, received by the Belgian DPA.

On June 3, 2021, Google informed app developers that beginning in late 2021, when Android 12 OS users opt out of personalized ads, the advertising ID provided by Google Play services (the Google Ad ID, or “GAID”) will not be made available to app developers for any purpose.

On April 22, 2021, the Belgian Constitutional Court annulled (in French) the framework set forth by the Law of 29 May 2016 (the “Law”) requiring telecommunications providers to retain electronic communications data in bulk.

On March 15, 2021, China’s State Administration for Market Regulation (“SAMR”) issued Measures for the Supervision and Administration of Online Transactions (the “Measures”) (in Chinese). The Measures implement rules for the E-commerce Law of China and provide specific rules for addressing registration of an online operation entity, supervision of new business models (such as social e-commerce and livestreaming), platform operators’ responsibilities, protection of consumers’ rights and protection of personal information.

On March 26, 2021, the Centre for Information Policy Leadership (“CIPL”) at Hunton Andrews Kurth submitted its comments on the Irish Data Protection Commissioner’s (“DPC”) draft guidance on safeguarding the personal data of children when providing online services, “Children Front and Centre—Fundamentals for a Child-Oriented Approach to Data Processing” (the “Draft Guidance”).

On February 24, 2021, the Federal Trade Commission announced that it will hold a workshop on digital dark patterns on April 29, 2021. The workshop will aim to understand the ways in which user interfaces can have the effect, intentionally or unintentionally, of obscuring, subverting or impairing consumer autonomy, decision-making or choice.

On February 10, 2021, the European Data Protection Supervisor (“EDPS”) published two opinions on the European Commission’s proposals for a Digital Services Act (“DSA”) and a Digital Markets Act (“DMA”). The proposed DSA and DMA are part of a set of measures announced in the 2020 European Strategy for Data and have two main goals: (1) creating a safer digital space in which the fundamental rights of all users of digital services are protected, and (2) establishing a level playing field to foster innovation, growth and competitiveness in the European Single Market and globally.

On January 13, 2021, Advocate General (“AG”) Michal Bobek of the Court of Justice of the European Union (“CJEU”) issued his Opinion in the Case C-645/19 of Facebook Ireland Limited, Facebook Inc., Facebook Belgium BVBA v. the Belgian Data Protection Authority (“Belgian DPA”).

The Federal Trade Commission issued a call for presentations on consumer privacy and data security research for its sixth annual PrivacyCon, which is to be held on July 27, 2021. The call for presentations asks for empirical research and demonstrations, including economic analyses, with implications for privacy and data security policy and law.

On December 14, 2020, the Federal Trade Commission announced that it had issued orders to nine social media and video streaming companies, requesting information on how the companies collect, use and present personal information, their advertising and user engagement practices and how their practices affect children and teens. The orders will assist the FTC in conducting a study of these policies, practices and procedures. The FTC issued the orders pursuant to Section 6(b) of the FTC Act, which allows the agency to undertake broad studies separate from its law enforcement activities.

On December 15, 2020, the Irish Data Protection Commission (“DPC”) announced its fine of €450,000 against Twitter International Company (“Twitter”), following its investigation into a breach resulting from a bug in Twitter’s design. The fine is the largest issued by the Irish DPC under the EU General Data Protection Regulation (“GDPR”) to date and is also its first against a U.S.-based organization.

On June 18, 2020, Senator Sherrod Brown (OH) released a discussion draft of a privacy bill entitled the Data Accountability and Transparency Act of 2020 (“the Bill”). The Bill would provide individuals with several new rights regarding their personal data; implement rules limiting how personal data is collected, used or shared; and establish a new federal agency called the Data Accountability and Transparency Agency to protect individuals’ privacy and enforce those rules.

Pakistan’s Ministry of Information Technology and Telecommunication recently introduced a new draft of Pakistan’s Personal Data Protection Bill, 2020 (the “Bill”) and launched a public consultation regarding the same. The public consultation period will end on May 15, 2020. The Bill, which applies to “any person who processes” or “has control over or authorizes the processing of” any personal data, if the data subject, the controller or processor are located in Pakistan, would establish certain requirements and restrictions related to the processing of personal data, as well as penalties for violating the law. In addition, under the Bill, the federal government would, within six months of coming into force, establish a Personal Data Protection Authority of Pakistan with rulemaking authority to enforce the act.

On April 30, 2020, the French Data Protection Authority (the “CNIL”) published guidance on the extraction of web users’ personal data from online public spaces by web scraping tools and re-use of such data for direct marketing (the “Guidance”). The Guidance was issued following inspections carried out by the CNIL in 2019.

On April 9, 2020, the Belgian Data Protection Authority (the “Belgian DPA”) released guidance and a set of frequently asked questions (“FAQs”) regarding the use of cookies and other tracking technologies.

On April 6, 2020, the Irish Data Protection Commission (the “DPC”) published a report summarizing the DPC’s findings following a cookie sweep of select websites across a range of sectors, as well as a new guidance note on the use of cookies and other tracking technologies.

On February 24, 2020, the European Data Protection Board (“EDPB”) published general policy messages and a synthesis of the contributions and replies by its members - national data protection authorities (“DPAs”) - to the Questionnaire on the Evaluation of the EU General Data Protection Regulation (“GDPR”) sent by the European Commission (the “Contribution”).

On February 21, 2020, the Presidency of the Council of the European Union (“EU Council Presidency”) published a revised part of the proposed Regulation concerning the Respect for Private Life and the Protection of Personal Data in Electronic Communications and Repealing Directive 2002/58/EC (Regulation on Privacy and Electronic Communications), better known as “the Draft ePrivacy Regulation.”

On February 19, 2020, the Information Commissioner's Office (“ICO”) launched a consultation on its draft AI auditing framework guidance for organizations (“Guidance”). The Guidance is open for consultation until April 1, 2020 and responses can be submitted via the ICO’s online survey.

On January 27, 2020, CISCO released its 2020 Data Privacy Benchmark Study entitled “From Privacy to Profit: Achieving Positive Returns on Privacy Investments” (the “Study”). The Study explores the return on investing in privacy compliance for organizations, examines how such return correlates with an organization’s accountability level and details the value of privacy certifications in the buying process. To measure organizations’ accountability level, CISCO used the CIPL Accountability Wheel, a privacy accountability framework developed by the Centre for Information Policy Leadership. More than 2,500 respondents took part in the Study from across 13 countries.

On February 7, 2020, the California Attorney General (“AG”) issued modified draft regulations implementing the California Consumer Privacy Act of 2018 (“CCPA”). The AG has provided a redline to the initial draft regulations about which we previously reported.  According to the AG’s website, the modified draft regulations are subject to another public comment period. The deadline to submit written comments is February 24, 2020, at 5:00 p.m. (PST).

Facebook disclosed on January 29, 2020, that it has agreed to pay $550,000,000 to resolve a biometric privacy class action filed by Illinois users under the Biometric Information Privacy Act (“BIPA”). BIPA is an Illinois law enacted in 2008 that governs the collection, use, sharing, protection and retention of biometric information. In recent years, numerous class action lawsuits have been filed under BIPA seeking statutory damages ranging from $1,000 per negligent violation to $5,000 per reckless or intentional violation.

On January 21, 2020, the UK Information Commissioner’s Office (“ICO”) published the final version of its Age Appropriate Design Code (“the code”), which sets out the standards that online services need to meet in order to protect children’s privacy. It applies to providers of information services likely to be accessed by children in the UK, including applications, programs, websites, social media platforms, messaging services, games, community environments and connected toys and devices, where these offerings involve the processing of personal data.

On January 14, 2020, the French Data Protection Authority (the “CNIL”) published its draft recommendations on the practical modalities for obtaining users’ consent to store or read non-essential cookies and similar technologies on their devices (the “Recommendations”). The CNIL also published a set of questions and answers on the Recommendations (“FAQs”).

As reported on our Hunton Retail Law Resource blog, on January 7, 2020, the Federal Trade Commission announced a settlement with Mortgage Solutions FCS, Inc., d/b/a Mount Diablo Lending, and its sole principal, Ramon Walker, to resolve allegations that the lender violated the FTC Act, the Fair Credit Reporting Act (“FCRA”) and the Gramm-Leach-Bliley (“GLB”) Act, by improperly disseminating consumers’ personal information on Yelp in response to consumers’ negative reviews posted to that site.

On January 8, 2020, the Information Commissioner's Office (“ICO”) launched a consultation on its draft direct marketing code of practice (the “Draft Code”), as required by section 122 of the Data Protection Act 2018 (“DPA 18”). The Draft Code is open for public consultation until March 4, 2020.

Canadian Prime Minister Justin Trudeau has signaled his intent to overhaul data privacy within Canada. Prime Minister Trudeau recently sent a Mandate Letter to Navdeep Bains, the Minister of Innovation, Science and Industry, that contained a number of mandates with respect to data privacy. Specifically, the Mandate Letter states that Minister Bains is expected to work with the Minister of Justice, Attorney General of Canada and the Minister of Canadian Heritage to advance Canada’s Digital Charter and enhance powers for the Privacy Commissioner, in order to establish a new set of online rights, including:

• data portability;
• the ability to withdraw, remove and erase basic personal data from a platform;
• the knowledge of how personal data is being used, including with a national advertising registry, and the ability to withdraw consent for the sharing or sale of data;
• the ability to review and challenge the amount of personal data that a company or government has collected;
• proactive data security requirements;
• the ability to be informed when personal data is breached with appropriate compensation; and,
• the ability to be free from online discrimination including bias and harassment.

On December 11, 2019, an updated version of India’s draft data privacy bill was introduced in the Indian Parliament (the “Draft Bill”) by the Ministry of Electronics and Information Technology (“MeitY”). The Draft Bill updates a prior version submitted to MeitY in July 2018.

On December 11, 2019, the European Data Protection Board (“EDPB”) published its draft guidelines 5/2019 (the “Guidelines”) on the criteria of the right to be forgotten in search engine cases under the EU General Data Protection Regulation (“GDPR”). The Guidelines aim to provide guidance on: (1) the grounds on which individuals can rely for submitting a request for the right to be forgotten in relation to links to web pages containing their personal data; and (2) the exceptions to the right to be forgotten that search engine operators could use to reject such a request. The Guidelines will be supplemented by an appendix on the assessment of criteria for the handling of individuals’ complaints by EU data protection authorities following the refusal by search engine operators to grant the individuals’ request.

On December 10, 2019, the Dutch Data Protection Authority (Autoriteit Persoonsgegevens, the “Dutch DPA”) published a statement regarding compliance with the rules on cookie consent (the “Statement”).

On November 5, 2019, Representatives Anna G. Eshoo (CA) and Zoe Lofgren (CA) introduced the Online Privacy Act (the “Act”), which proposes sweeping legislation that would create federal privacy rights for individuals, require companies to adhere to data minimization and establish a federal Digital Privacy Agency (“DPA”).

On October 30, 2019, Facebook reached a settlement with the UK Information Commissioner’s Office (“ICO”) under which it agreed to pay (without admission of liability) the £500,000 fine imposed by the ICO in 2018 in relation to the processing and sharing of its users’ personal data with Cambridge Analytica.

On May 30, 2019, the UK Information Commissioner’s Office (“ICO”) published its reflections on the year that has passed since the implementation of the EU General Data Protection Regulation (“GDPR”), together with a blog post by Elizabeth Denham, the UK Information Commissioner.

On May 30, 2019, the Maine House and Senate passed a bill (L.D. 946) that will place restrictions on broadband Internet service providers from selling customer data without the customer’s affirmative consent. The bill will apply to providers operating within Maine in connection with the broadband Internet access services they provide to customers who are physically located and billed for service received in Maine.

On May 28, 2019, a federal jury returned a verdict awarding $1,000 to each of the roughly 68,000 class members whose criminal history was made publicly available online. The jury found that Bucks County willfully violated Pennsylvania’s Criminal History Records Information Act (“CHRIA”) and awarded the statutory minimum to each of the class members. As a result, Bucks County could pay up to $68 million in punitive damages.

On May 29, 2019, Nevada’s governor approved SB 220 (the “Amendment Bill”), which provides amendments to an existing law that requires operators of websites and online services (“Operators”) to post a notice on their website regarding their privacy practices. The Amendment Bill will require Operators to establish a designated request address through which a consumer may submit a verified request directing the Operator not to make any “sale” of covered information collected about the consumer. Pursuant to the Amendment Bill, Operators must respond to a verified opt-out request within 60 days of receipt.

On April 25, 2019, the Belgian Data Protection Authority (the “Belgian DPA”) published its Annual Activity Report for 2018 (the “Annual Report”), highlighting the main developments and accomplishments of the past year.

On April 15, 2019, the UK Information Commissioner’s Office (the “ICO”) issued for public consultation a draft code of practice, “Age Appropriate Design,” that will regulate the provision of online services likely to be accessed by children in the UK. Given the extraterritorial reach of the UK Data Protection Act 2018, organizations based outside of the UK may be subject to the code, which is expected to take effect by the end of 2019. The deadline for responding to the public consultation is May 31, 2019.

On April 24, 2019, the Federal Trade Commission announced two data security cases involving online operators—one, an online rewards website, and the second, a dress-up games website—that were alleged to have failed to take reasonable steps to secure consumers’ data, which allowed hackers to breach both websites.

On April 9, 2019, the UK Information Commissioner’s Office (the “ICO”) levied one of its most significant fines under the Data Protection Act 1998 (the “DPA”) against pregnancy and parenting club Bounty (UK) Limited (“Bounty”), fining the company GBP 400,000. Bounty, which provides new and expectant mothers with information and offers for products and services, collects personal data online, via an app, and offline through hard copy cards. The company also offered a data broking service. Bounty came to the attention of the ICO as a “significant supplier” of personal data in the context of the ICO’s wider and ongoing investigation into the data broking industry.

On April 12, 2019, the European Data Protection Board (“EDPB”) published draft guidelines 2/2019 on the processing of personal data in the context of the provision of online services to data subjects (the “Guidelines”).

Social media platforms, file hosting sites, discussion forums, messaging services and search engines in the UK are likely to come under increased pressure to monitor and edit online content after the UK Department of Digital, Culture, Media and Sport (“DCMS”) announced in its Online Harms White Paper (the “White Paper”), released this month, proposals for a new regulatory framework to make companies more responsible for users’ online safety. Notably, the White Paper proposes a new duty of care owed to website users, and an independent regulator to oversee compliance.

On March 27, 2019, Utah Governor Gary Herbert signed HB57, the first U.S. law to protect electronic information that individuals have shared with certain third parties. The bill, called the “Electronic Information or Data Privacy Act,” places restrictions on law enforcement’s ability to obtain certain types of “electronic information or data” of a Utah resident, including (1) location information, stored data or transmitted data of an electronic device, and (2) data that is stored with a “remote computing service provider” (i.e., data stored in digital devices or servers).  The law provides for situations in which law enforcement may obtain such information without a warrant.

As we previously reported, the California Consumer Privacy Act of 2018 (“CCPA”) delays the California Attorney General’s enforcement of the CCPA until six months after publication of the Attorney General’s implementing regulations, or July 1, 2020, whichever comes first. The California Department of Justice anticipates publishing a Notice of Proposed Regulatory Action concerning the CCPA in Fall 2019.

In January 2019, Hunton Andrews Kurth celebrates the 10-year anniversary of our award-winning Privacy and Information Security Law Blog. Over the past decade, we have worked hard to provide timely, cutting-edge updates on the ever-evolving global privacy and cybersecurity legal landscape. Ten Years Strong: A Decade of Privacy and Cybersecurity Insights is a compilation of our blog’s top ten most read posts over the decade, and addresses some of the most transformative changes in the privacy and cybersecurity field.

Read Ten Years Strong: A Decade of Privacy and Cybersecurity ...

The California Department of Justice will host six public forums on the California Consumer Privacy Act of 2018 (“CCPA”) to provide the general public an opportunity to participate in the CCPA rulemaking process. Individuals may attend or speak at the events or submit written comments by email to privacyregulations@doj.ca.gov or by mail to the California Department of Justice, ATTN: Privacy Regulations Coordinator, 300 S. Spring St., Los Angeles, CA 90013.

On December 4, 2018, the New York Attorney General (“NY AG”) announced that Oath Inc., which was known as AOL Inc. (“AOL”) until June 2017 and is a subsidiary of Verizon Communications Inc., agreed to pay New York a $4.95 million civil penalty following allegations that it had violated the Children’s Online Privacy Protection Act (“COPPA”) by collecting and disclosing children’s personal information in conducting online auctions for advertising placement. This is the largest-ever COPPA penalty.

On September 28, 2018, California Governor Jerry Brown signed into law two identical bills regulating Internet-connected devices sold in California. S.B. 327 and A.B. 1906 (the “Bills”), aimed at the “Internet of Things,” require that manufacturers of connected devices—devices which are “capable of connecting to the Internet, directly or indirectly,” and are assigned an Internet Protocol or Bluetooth address, such as Nest’s thermostat—outfit the products with “reasonable” security features by January 1, 2020; or, in the bills’ words: “equip [a] device with a reasonable security feature or features that are appropriate to the nature and function of the device, appropriate to the information it may collect, contain, or transmit, and designed to protect the device and any information contained therein from unauthorized access, destruction, use, modification, or disclosure[.]”

On September 26, 2018, the U.S. Senate Committee on Commerce, Science, and Transportation convened a hearing on Examining Consumer Privacy Protections with representatives of major technology and communications firms to discuss approaches to protecting consumer privacy, how the U.S. might craft a federal privacy law, and companies’ experiences in implementing the EU General Data Protection Regulation (“GDPR”) and the California Consumer Privacy Act (“CCPA”).

On September 23, 2018, California Governor Jerry Brown signed into law SB-1121 (the “Bill”), which makes limited substantive and technical amendments to the California Consumer Privacy Act of 2018 (“CCPA”). The Bill takes effect immediately,  and delays the California Attorney General’s enforcement of the CCPA until six months after publication of the Attorney General’s implementing regulations, or July 1, 2020, whichever comes first. 

The Information Commissioner’s Office (“ICO”) in the UK has issued the first formal enforcement action under the EU General Data Protection Regulation (GDPR) and the UK Data Protection Act 2018 (the “DPA”) on Canadian data analytics firm AggregateIQ Data Services Ltd. (“AIQ”). The enforcement action, in the form of an Enforcement Notice served under section 149 of the DPA, requires AIQ to “cease processing any personal data of UK or EU citizens obtained from UK political organizations or otherwise for the purposes of data analytics, political campaigning or any other advertising purposes.”

On August 30, 2018, Apple Inc. announced a June update to its App Store Review Guidelines that will require each developer to provide its privacy policy as part of the app review process, and to include in such policy specific content requirements. Effective October 3, 2018, all new apps and app updates must include a link to the developer’s privacy policy before they can be submitted for distribution to users through the App Store or through TestFlight external testing.

On August 31, 2018, the California State Legislature passed SB-1121, a bill that delays enforcement of the California Consumer Privacy Act of 2018 (“CCPA”) and makes other modest amendments to the law. The bill now goes to the Governor for signing. The provisions of the CCPA will become operative on January 1, 2020. As we have previously reported, the CCPA introduces key privacy requirements for businesses. The Act was passed quickly by California lawmakers in an effort to remove a ballot initiative of the same name from the November 6, 2018, statewide ballot. The CCPA’s hasty passage resulted in a number of drafting errors and inconsistencies in the law, which SB-1121 seeks to remedy. The amendments to the CCPA are primarily technical, with few substantive changes.

On August 29, 2018, Bloomberg Law reported that four Senate Commerce Committee members are discussing a potential online privacy bill. The bipartisan group consists of Senators Jerry Moran (R-KS), Roger Wicker (R-MS), Richard Blumenthal (D-CT) and Brian Schatz (D-HI), according to anonymous Senate aides.

As reported in BNA Privacy Law Watch, a California legislative proposal would allocate additional resources to the California Attorney General’s office to facilitate the development of regulations required under the recently enacted California Consumer Privacy Act of 2018 (“CCPA”). CCPA was enacted in June 2018 and takes effect January 1, 2020. CCPA requires the California Attorney General to issue certain regulations prior to the effective date, including, among others, (1) to update the categories of data that constitute “personal information” under CCPA ...

On July 19, 2018, the French Data Protection Authority (“CNIL”) announced that it served a formal notice to two advertising startups headquartered in France, FIDZUP and TEEMO. Both companies collect personal data from mobile phones via software development kit (“SDK”) tools integrated into the code of their partners’ mobile apps—even when the apps are not in use—and process the data to conduct marketing campaigns on mobile phones.

On July 31, 2018, the Supreme Court of Ireland granted Facebook, Inc.’s (“Facebook”) leave to appeal a lower court’s ruling sending a privacy case to the Court of Justice of the European Union (the “CJEU”). Austrian privacy activist Max Schrems challenged Facebook’s data transfer practices, arguing that Facebook’s use of standard contractual clauses failed to adequately protect EU citizens’ data. Schrems, supported by Irish Data Protection Commissioner Helen Dixon, argued that the case belonged in the CJEU, the EU’s highest judicial body. The High Court agreed. Facebook’s request to appeal followed.

On June 28, 2018, the Governor of California signed AB 375, the California Consumer Privacy Act of 2018 (the “Act”). The Act introduces key privacy requirements for businesses, and was passed quickly by California lawmakers in an effort to remove a ballot initiative of the same name from the November 6, 2018, statewide ballot. We previously reported on the relevant ballot initiative. The Act will take effect January 1, 2020.

On June 21, 2018, California lawmakers introduced AB 375, the California Consumer Privacy Act of 2018 (the “Bill”). If enacted and signed by the Governor by June 28, 2018, the Bill would introduce key privacy requirements for businesses, but would also result in the removal of a ballot initiative of the same name from the November 6, 2018, statewide ballot. We previously reported on the relevant ballot initiative.

Recently, Iowa and Nebraska enacted information security laws applicable to personal information. Iowa’s law applies to operators of online services directed at and used by students in kindergarten through grade 12, whereas Nebraska’s law applies to all commercial entities doing business in Nebraska who own or license Nebraska residents’ personal information.

On November 6, 2018, California voters will consider a ballot initiative called the California Consumer Privacy Act (“the Act”). The Act is designed to give California residents (i.e., “consumers”) the right to request from businesses (see “Applicability” below) the categories of personal information the business has sold or disclosed to third parties, with some exceptions. The Act would also require businesses to disclose in their privacy notices consumers’ rights under the Act, as well as how consumers may opt out of the sale of their personal information if the business sells consumer personal information.

Recently, the Personal Data Collection and Protection Ordinance (“the Ordinance”) was introduced to the Chicago City Council. The Ordinance would require businesses to (1) obtain prior opt-in consent from Chicago residents to use, disclose or sell their personal information; (2) notify affected Chicago residents and the City of Chicago in the event of a data breach; (3) register with the City of Chicago if they qualify as “data brokers”; (4) provide specific notification to mobile device users for location services; and (5) obtain prior express consent to use geolocation data from mobile applications.

Recently, Vermont enacted legislation (H.764) that regulates data brokers who buy and sell personal information. Vermont is the first state in the nation to enact this type of legislation.

• Definition of Data Broker. The law defines a “data broker” broadly as “a business, or unit or units of a business, separately or together, that knowingly collects and sells or licenses to third parties the brokered personal information of a consumer with whom the business does not have a direct relationship.”
• Definition of “Brokered Personal Information.” “Brokered personal ...

On June 12, 2018, Vietnam’s parliament approved a new cybersecurity law  that contains data localization requirements, among other obligations. Technology companies doing business in the country will be required to operate a local office and store information about Vietnam-based users within the country. The law also requires social media companies to remove offensive content from their online service within 24 hours at the request of the Ministry of Information and Communications and the Ministry of Public Security’s cybersecurity task force. Companies could face ...

On May 31, 2018, the Federal Trade Commission published on its Business Blog a post addressing the easily missed data deletion requirement under the Children’s Online Privacy Protection Act (“COPPA”).

On May 14, 2018, the Centre for Information Policy Leadership (“CIPL”) at Hunton Andrews Kurth LLP published a study on how the ePrivacy Regulation will affect the design and user experiences of digital services (the “Study”). The Study was prepared by Normally, a data product and service design studio, whom CIPL had asked for an independent expert opinion on user experience design.

On April 27, 2018, the Federal Trade Commission issued two warning letters to foreign marketers of geolocation tracking devices for violations of the U.S. Children’s Online Privacy Protection Act (“COPPA”). The first letter was directed to a Chinese company, Gator Group, Ltd., that sold the “Kids GPS Gator Watch” (marketed as a child’s first cellphone); the second was sent to a Swedish company, Tinitell, Inc., marketing a child-based app that works with a mobile phone worn like a watch. Both products collect a child’s precise geolocation data, and the Gator Watch includes geofencing “safe zones.”  

On May 1, 2018, the Information Security Technology – Personal Information Security Specification (the “Specification”) went into effect in China. The Specification is not binding and cannot be used as a direct basis for enforcement. However, enforcement agencies in China can still use the Specification as a reference or guideline in their administration and enforcement activities. For this reason, the Specification should be taken seriously as a best practice in personal data protection in China, and should be complied with where feasible.

On February 6, 2018, the Federal Trade Commission (“FTC”) released its agenda for PrivacyCon 2018, which will take place on February 28. Following recent FTC trends, PrivacyCon 2018 will focus on privacy and data security considerations associated with emerging technologies, including the Internet of Things, artificial intelligence and virtual reality. The event will feature four panel presentations by over 20 researchers, including (1) collection, exfiltration and leakage of private information; (2) consumer preferences, expectations and behaviors; (3) economics, markets and experiments and (4) tools and ratings for privacy management. The FTC’s press release emphasizes the event’s focus on the economics of privacy, including “how to quantify the harms that result when companies fail to secure consumer information, and how to balance the costs and benefits of privacy-protective technologies and practices.”

On February 5, 2018, the Federal Trade Commission (“FTC”) announced its most recent Children’s Online Privacy Protection Act (“COPPA”) case against Explore Talent, an online service marketed to aspiring actors and models. According to the FTC’s complaint, Explore Talent provided a free platform for consumers to find information about upcoming auditions, casting calls and other opportunities. The company also offered a monthly fee-based “pro” service that promised to provide consumers with access to specific opportunities. Users who registered online were asked to input a host of personal information including full name, email, telephone number, mailing address and photo; they also were asked to provide their eye color, hair color, body type, measurements, gender, ethnicity, age range and birth date.

On January 28, 2018, Facebook published its privacy principles and announced that it will centralize its privacy settings in a single place.

On January 25, 2018, the Standardization Administration of China published the full text of the Information Security Technology – Personal Information Security Specification (the “Specification”). The Specification will come into effect on May 1, 2018. The Specification is voluntary, but could become influential within China because it establishes benchmarks for the processing of personal information by a wide variety of entities and organizations. In effect, the Specification constitutes a best practices guide for the collection, retention, use, sharing and transfer of personal information, and for the handling of related information security incidents.

On December 18, 2017, the French data protection authority (“CNIL”) publicly announced that it served a formal notice to WhatsApp regarding the sharing of WhatsApp users’ data with Facebook Inc. (“Facebook”). This decision, dated November 27, 2017, follows the CNIL’s investigations regarding Facebook’s 2014 acquisition of WhatsApp. In 2016, WhatsApp updated its Terms of Service and Privacy Policy to reflect the sharing of information with Facebook. Following this update, the Article 29 Working Party (“Working Party”) requested explanations from WhatsApp on its data processing practices and data sharing, and asked the company to stop sharing data for targeted advertising purposes. The Working Party also gave a mandate to its subgroup in charge of the cooperation on investigations and sanctions to coordinate actions of the relevant national data protection authorities. It is in that context that the CNIL started its investigation of WhatsApp’s data processing practices.

Recently, the FTC and FCC announced their intent to enter into a Memorandum of Understanding (“MOU”) under which the agencies would coordinate their efforts following the adoption of the Restoring Internet Freedom Order (the “Order”). As we previously reported, if adopted, the Order would repeal the rules put in place by the FCC in 2015 that prohibit high-speed internet service providers (“ISPs”) from stopping or slowing down the delivery of websites and from charging customers extra fees for high-quality streaming and other services. 

Recently, FCC Chairman Ajit Pai released a draft of the Restoring Internet Freedom Order (the “Order”). If adopted, the Order would repeal the rules put in place by the FCC in 2015 that prohibit high-speed internet service providers (“ISPs”) from stopping or slowing down the delivery of websites and from charging customers extra fees for high-quality streaming and other services.

Recently, the Federal Trade Commission released the final agenda for a workshop being held on December 12, 2017, that will address the various consumer injuries that result from the unauthorized access to or misuse of consumers’ personal information.