Privacy & Information Security Law Blog

On November 20, 2024, Regulation (EU) 2024/2847 of the European Parliament and of the Council of 23 October 2024 on horizontal cybersecurity requirements for products with digital elements was published in the Official Journal of the EU.

Coming on the heels of its Social Media Data Practices report, the FTC announced that it will hold a virtual workshop on February 25, 2025 examining “The Attention Economy: Monopolizing Kids’ Time Online.” The event will convene researchers, technologists, child development and legal experts, consumer advocates and industry professionals to discuss design features that keep children and teens engaged online. 

On September 18, 2024, the National Technical Committee 260 on Cybersecurity Standardization Administration of China released the Cybersecurity Standard Practice Guideline – Sensitive Personal Information Identification Guideline.

Last week, the House Energy and Commerce Committee advanced the Kids Online Safety Act (H.R. 7891) and the Children and Teen’s Online Privacy Protection Act (H.R. 7890).

On September 4, 2024, the California Privacy Protection Agency issued an Enforcement Advisory on Avoiding Dark Patterns: Clear and Understandable Language, Symmetry in Choice.

On September 10, 2024, the U.S. District Court for the District of Utah issued an Order granting a Motion for a Preliminary Injunction, prohibiting the Utah Attorney General from implementing and enforcing the Utah Minor Protection in Social Media Act, which was set to take effect October 1, 2024.

On August 1, 2024, the Office of the New York State Attorney General released two Advanced Notices of Proposed Rulemaking (“ANPRM”) for the SAFE for Kids Act and the Child Data Protection Act.

On August 2, 2024, the U.S. sued ByteDance, TikTok and its affiliates for violating the Children’s Online Privacy Protection Act of 1998 and the Children’s Online Privacy Protection Rule.

On July 22, 2024, Google announced that the company is scrapping its plans to phase out the use of third-party cookies in its Chrome browser. Google previously announced plans in 2020 to phase out third-party cookies, a digital advertising tool that tracks consumers’ Internet activity across websites. The company intended to replace third-party cookies with privacy-protective APIs through its Privacy Sandbox initiative.

On July 23, 2024, the Federal Trade Commission announced that it had launched a study of eight companies’ “surveillance pricing” practices. According to the FTC, “the orders are aimed at helping the FTC better understand the opaque market for products by third-party intermediaries that claim to use advanced algorithms, artificial intelligence and other technologies, along with personal information about consumers—such as their location, demographics, credit history, and browsing or shopping history—to categorize individuals and set a targeted price for a product or service.”

On July 22, 2024, Google announced that the company had scrapped its plan to phase out the use of third-party cookies in its Chrome browser.

On July 2, 2024, the French Data Protection Authority (the “CNIL”) published a new set of guidelines addressing the development of artificial intelligence (“AI”) systems from a data protection perspective (the “July AI Guidelines”).

On June 20, 2024, the U.S. District Court for the Northern District of Texas Fort Worth Division ruled that guidance issued by the U.S. Department of Health and Human Services (“HHS”) relating to online tracking technologies exceeded HHS’ authority and ordered that it be vacated. 

On June 20, 2024, New York Governor Kathy Hochul signed into law Senate Bill S7694, the Stop Addictive Feeds Exploitation (“SAFE”) for Kids Act. The Act is the first of its kind to regulate the provision of addictive social media feeds to minors.

On June 7, 2024, following a public consultation, the French Data Protection Authority published the final version of the guidelines addressing the development of AI systems from a data protection perspective.

On June 7, 2024, the New York legislature passed a bill (S.B. S7694A), the Stop Addictive Feeds Exploitation (SAFE) for Kids Act, addressing children’s use of social media platforms. The bill is pending Governor Kathy Hochul’s signature.

On April 17, 2024, the European Data Protection Board adopted its non-binding Opinion 08/2024 on Valid Consent in the Context of Consent or Pay Models Implemented by Large Online Platforms, stating that such models generally are not compliant with the GDPR, though their use should be considered on a case-by-case basis.

On March 7, 2024, the Court of Justice of the European Union (“CJEU”) issued its judgment in the case of IAB Europe (Case C‑604/22). In this judgment, the CJEU assessed the role of the Interactive Advertising Bureau Europe (“IAB Europe”) in the processing operations associated with its Transparency and Consent Framework (“TCF”) and further developed CJEU case law on the concept of personal data under the EU General Data Protection Regulation (“GDPR”).

On February 12, 2024, a federal court in the Southern District of Ohio issued an order granting a Motion for a Preliminary Injunction, prohibiting the Ohio Attorney General from implementing and enforcing the Parental Notification by Social Media Operators Act, Ohio Rev. Code § 1349.09(B)(1) (the “Act”).

In November 2023, the UK Information Commissioner’s Office (“ICO”) wrote to organizations operating 53 of the UK’s biggest websites regarding their compliance with data protection laws when using cookies.  On January 31, 2024, the ICO released a statement on such action noting that it received “an overwhelmingly positive response” with 38 of those organizations having changed their cookie banners in order to come into compliance. Others have either committed to ensuring compliance within a month, or are exploring other solutions such as contextual advertising.

On January 9, 2024, an Ohio federal judge placed a temporary restraining order on Ohio’s Parental Notification by Social Media Operators Act, Ohio Rev. Code § 1349.09(B)(1) (the “Act”), which was approved in July 2023 and was set to go into effect on January 15,2024. Under the Act, parents must provide consent for children under 16 to set up an account on social media and online gaming platforms. The platform operators must also provide parents with a list of content moderation features.

On January 18, 2024, the UK Information Commissioner’s Office (“ICO”) published an updated Opinion on age assurance for the Children’s Code (the “Opinion”). The Children’s Code is a statutory code of practice setting out how information society services likely to be accessed by children should protect children’s information rights online.

On December 8, 2023, the European Parliament and the Council reached a political agreement on the EU’s Regulation laying down harmonized rules on Artificial Intelligence (the “AI Act”).

The AI Act will introduce a risk-based legal framework for AI. Specifically, the AI Act will state that: (1) certain AI systems are prohibited as they present unacceptable risks (e.g., AI used for social scoring based on social behavior or personal characteristics, untargeted scraping of facial images from the Internet or CCTV footage to create facial recognition databases, etc.); (2) AI systems presenting a high-risk to the rights and freedoms of individuals will be subject to stringent rules, which may include data governance/management and transparency obligations, the requirement to conduct a conformity assessment procedure and the obligation to carry out a fundamental rights assessment; (3) limited-risk AI systems will be subject to light obligations (mainly transparency requirements); and (4) AI systems that are not considered prohibited, high-risk or limited-risk systems will not be under the scope of the AI Act.

On November 21, 2023, the UK Information Commissioner’s Office (“ICO”) issued a statement explaining that it has recently written to companies operating some of the UK’s most visited websites regarding their compliance with data protection laws when using cookies. The ICO noted that certain websites are not providing users with fair choices as to whether or not they are tracked for personalized marketing purposes, and referred to its guidance on making it simple for users to “Reject All” advertising cookies. 

On October 30, 2023, the Federal Trade Commission announced that it is sending nearly $100 million in refunds to consumers who were harmed as a result of internet phone service provider Vonage’s alleged use of dark patterns and other obstacles that made it difficult for users to cancel their service.

On July 5, 2023, Ohio Governor, Mike DeWine, signed into law House Bill 33, which includes the Social Media Parental Notification Act (“Act”).

On February 14, 2023, the Digital Advertising Alliance (“DAA”) announced the creation of the CMP Complement, billed as a uniform approach for brands and publishers to offer privacy controls on sites and apps through Consent Management Platforms (CMPs) and the AdChoices program. The CMP Complement integrates the AdChoices Icon into participating CMPs’ user flows and provides easier user access to both CMP-specific controls and other interest-based advertising choice tools offered through the DAA’s portals.

On November 3, 2022, the Federal Trade Commission announced a proposed order to settle an action against an internet phone service provider, Vonage, that would require Vonage to pay $100 million in refunds to customers harmed by its practices, which the FTC alleged included “dark patterns” that made it difficult for customers to cancel their service. The order also would require Vonage to not use dark patterns and provide a simple and transparent way for customers to cancel their service. 

On October 24, 2022, the Federal Trade Commission announced a proposed consent order with Drizly, an online alcohol ordering and delivery service, and the company’s CEO, for the alleged failure to maintain appropriate security safeguards that led to a data breach that affected 2.5 million consumers’ personal information.

On October 4, 2022, the Centre for Information Policy Leadership (“CIPL”) at Hunton Andrews Kurth published a white paper outlining 10 key recommendations for regulating artificial intelligence (“AI”) in Brazil (the "White Paper"). CIPL prepared the White Paper to assist the special committee of legal experts established by Federal Senate of Brazil (the “Senate Committee”) as it works towards an AI framework in Brazil.

On September 21, 2022, the Federal Trade Commission announced the agenda for its “Protecting Kids from Stealth Advertising in Digital Media” virtual event to be held on October 19, 2022. The event will cover how children recognize and understand digital advertising content; the current advertising landscape’s impact on kids, including potential harms stemming from an inability to distinguish advertising from other content; and an assessment of the current legal regime’s protection of children from potential harms, and whether additional regulatory, self-regulatory, educational and technological tools may provide additional protection.

On September 15, 2022, California Governor Gavin Newsom signed into law the California Age-Appropriate Design Code Act (the “Act”). The Act, which takes effect July 1, 2024, places new legal obligations on companies with respect to online products and services that are “likely to be accessed by children” under the age of 18.

On September 6, 2022, the California legislature presented Assembly Bill 2392 to Governor Gavin Newsom. AB-2392, which has not yet been signed by Governor Newsom, would allow Internet-connected device manufacturers to satisfy existing device labeling requirements by complying with National Institute of Standards and Technology (“NIST”) standards for consumer Internet of Things (“IoT”) products.

On August 23, 2022, the Federal Trade Commission announced it is seeking additional public comment on “how children are affected by digital advertising and marketing messages that may blur the line between ads and entertainment” in conjunction with its “Protecting Kids from Stealth Advertising in Digital Media” event on October 19, 2022. The event will focus on manipulative marketing practices targeted towards children, particularly those related to influencer marketing and online games.

On July 27, 2022, Google announced that it is delaying its plans to phase out third-party cookies in the Chrome web browser. Google’s Vice President of Privacy Sandbox, Anthony Chavez, announced the company is extending the full deprecation of third-party cookies to “the second half of 2024,” to continue the testing window for the Privacy Sandbox.

On April 28, 2022, India issued new guidance relating to “information security practices, procedure, prevention, response and reporting of cyber incidents for Safe & Trusted Internet.” Notably, the guidance requires “service providers, intermediary, data centre, body corporate and Government organizations” to report cyber incidents to India's Computer Emergency Response Team (“CERT-In”) within six hours of noticing such incidents or being notified about such incidents. Before this guidance, notification of a cyber incident was required "within a reasonable time” after occurrence or discovery.

On March 1, 2022, President Biden, in his first State of the Union address, called on Congress to strengthen privacy protections for children, including by banning online platforms from excessive data collection and targeted advertising for children and young people. President Biden called for these heightened protections as part of his unity agenda to address the nation’s mental health crisis, especially the growing concern about the harms of digital technologies, particularly social media, to the mental health and well-being of children and young people. President Biden not only urged for stronger protections for children’s data and privacy, but also for interactive digital service providers to prioritize safety-by-design standards and practices. In his address, President Biden called on online platforms to “prioritize and ensure the health, safety and well-being of children and young people above profit and revenue in the design of their products and services.” President Biden also called for a stop to “discriminatory algorithmic decision-making that limits opportunities” and impacts the mental well-being of children and young people.

On February 23, 2022, the European Commission adopted a Proposal for a Regulation designed to harmonize rules on the fair access to and use of data generated in the EU across all economic sectors (the “Data Act”). The Data Act is intended to “ensure fairness in the digital environment, stimulate a competitive data market, open opportunities for data-driven innovation and make data more accessible for all.” Importantly, the Data Act applies to all data generated in the EU, not only personal data, which is regulated by the General Data Protection Regulation (“GDPR”).

On November 8, 2021, New York Governor Kathy Hochul signed into law A.430/S.2628 (the “Act”), which requires private employers with a place of business in New York State to provide their employees prior written notice, upon hiring, of any electronic monitoring, as defined in the Act, to which the employees will be subjected by the employer.

The FTC will hold a virtual open meeting on Thursday, October 21, 2021, at 1pm ET to present the agency’s findings on evidence gathered pursuant to the FTC’s issuance of 6(b) orders in 2019 to six Internet Service Providers and three of their advertising affiliates regarding the parties’ privacy practices. Public release of the FTC Staff report is subject to a vote by the Commission. The presentation of findings will be followed by a verbal public comment period where commenters can share feedback on the FTC’s work and bring matters to the Commission’s attention ...

On September 27, 2021, the European Data Protection Board (the “EDPB”) announced that it established a taskforce to coordinate the response to complaints filed with several EU data protection authorities (“DPAs”) by the non-governmental organization None of Your Business (“NOYB”) in relation to cookie banners.

On September 14, 2021, the Federal Trade Commission authorized new compulsory process resolutions in eight key enforcement areas: (1) Acts or Practices Affecting United States Armed Forces Members and Veterans; (2) Acts or Practices Affecting Children; (3) Bias in Algorithms and Biometrics; (4) Deceptive and Manipulative Conduct on the Internet; (5) Repair Restrictions; (6) Abuse of Intellectual Property; (7) Common Directors and Officers and Common Ownership; and (8) Monopolization Offenses.

On August 29, 2021, a New York City Council bill amending the New York City Administrative Code to address customer data collected by food delivery services from online orders became law after the 30-day period for the mayor to sign or veto lapsed. Effective December 27, 2021, the law will permit restaurants to request customer data from third-party food delivery services and require delivery services to provide, on at least a monthly basis, such customer data until the restaurant “requests to no longer receive such customer data.” Customer data includes name, phone number, email address, delivery address and contents of the order.

On August 20, 2021, China’s 13^th Standing Committee of the National People’s Congress passed the Personal Information Protection Law (the “PIPL”). As we previously reported, the PIPL is China’s first comprehensive data protection law. It is modeled, in part, on other jurisdictions’ omnibus data protection regimes, including the EU General Data Protection Regulation (“GDPR”). The PIPL will become effective on November 1, 2021. Below are some of the key provisions under the PIPL.

On June 29, 2021, the UK Department for Digital, Culture, Media and Sport (“DCMS”) published guidance for businesses on child online safety, which includes guidance on data protection and privacy, age-appropriate content, positive user interactions, and protecting children from online sexual exploitation and abuse.

On July 22, 2021, the Dutch Data Protection Authority (“Dutch DPA”) announced that it had imposed a €750,000 fine on TikTok for violating the privacy of young children namely for the company’s alleged lack of transparency.

On June 9, 2021, President Biden signed an Executive Order on Protecting Americans’ Sensitive Data from Foreign Adversaries (the “EO” or “Biden EO”). The Biden EO elaborates on measures to address the national emergency regarding the information technology supply chain declared in 2019 by the Trump administration in Executive Order 13873. Simultaneously, the Biden EO also revokes three Trump administration orders (Executive Orders 13942, 13943 and 13971) that sought to prohibit transactions with TikTok, WeChat, their parent companies and certain other “Chinese connected software applications.” In their place, the Biden EO provides for (1) cabinet-level assessments and future recommendations to protect against risks from foreign adversaries’ (a) access to U.S. persons’ sensitive data and (b) involvement in software application supply and development; and (2) the continuing evaluation of transactions involving connected software applications that threaten U.S. national security.

On June 2, 2021, Nevada’s governor approved SB 260 (the “Amendment Bill”), which expands on the previously amended Nevada Privacy of Information Collected on the Internet from Consumers Act (the “Act”). Specifically, the Amendment Bill broadens the definition of key terms along with providing several new exemptions.

On April 22, 2021, the Belgian Constitutional Court annulled (in French) the framework set forth by the Law of 29 May 2016 (the “Law”) requiring telecommunications providers to retain electronic communications data in bulk.

On March 15, 2021, China’s State Administration for Market Regulation (“SAMR”) issued Measures for the Supervision and Administration of Online Transactions (the “Measures”) (in Chinese). The Measures implement rules for the E-commerce Law of China and provide specific rules for addressing registration of an online operation entity, supervision of new business models (such as social e-commerce and livestreaming), platform operators’ responsibilities, protection of consumers’ rights and protection of personal information.

On March 26, 2021, the Centre for Information Policy Leadership (“CIPL”) at Hunton Andrews Kurth submitted its comments on the Irish Data Protection Commissioner’s (“DPC”) draft guidance on safeguarding the personal data of children when providing online services, “Children Front and Centre—Fundamentals for a Child-Oriented Approach to Data Processing” (the “Draft Guidance”).

On February 24, 2021, the Federal Trade Commission announced that it will hold a workshop on digital dark patterns on April 29, 2021. The workshop will aim to understand the ways in which user interfaces can have the effect, intentionally or unintentionally, of obscuring, subverting or impairing consumer autonomy, decision-making or choice.

On February 16, 2021, the New York Department of Financial Services (“NYDFS”) issued a Cyber Fraud Alert (the “Alert”) to regulated entities in light of a growing campaign to steal Nonpublic Information (“NPI”), as defined under New York law, from public-facing websites that provide instant quotes for products like auto insurance (“Instant Quote Websites”).

On February 10, 2021, the European Data Protection Supervisor (“EDPS”) published two opinions on the European Commission’s proposals for a Digital Services Act (“DSA”) and a Digital Markets Act (“DMA”). The proposed DSA and DMA are part of a set of measures announced in the 2020 European Strategy for Data and have two main goals: (1) creating a safer digital space in which the fundamental rights of all users of digital services are protected, and (2) establishing a level playing field to foster innovation, growth and competitiveness in the European Single Market and globally.

On February 10, 2021, representatives of the EU Member States reached an agreement on the Council of the European Union’s (the “Council’s”) negotiating mandate for the draft ePrivacy Regulation, which will replace the current ePrivacy Directive. The text approved by the EU Member States was prepared under Portugal’s Presidency and will form the basis of the Council’s negotiations with the European Parliament on the final terms of the ePrivacy Regulation.

On February 4, 2021, the French Data Protection Authority (the “CNIL”) announced (in French) that it sent letters and emails to approximately 300 organizations, both private and public, to remind them of the new cookie law rules and the need to audit sites and apps to comply with those rules by March 31, 2021.

On January 27, 2021, the French Data Protection Authority (the “CNIL”) announced (in French) that it imposed a fine of €150,000 on a data controller, and a fine of €75,000 on its data processor, for failure to implement adequate security measures to protect customers’ personal data against credential stuffing attacks on the website of the data controller. The CNIL decided not to make its decisions public, thereby not disclosing the name of the companies sanctioned.

On January 13, 2021, Advocate General (“AG”) Michal Bobek of the Court of Justice of the European Union (“CJEU”) issued his Opinion in the Case C-645/19 of Facebook Ireland Limited, Facebook Inc., Facebook Belgium BVBA v. the Belgian Data Protection Authority (“Belgian DPA”).

The Federal Trade Commission issued a call for presentations on consumer privacy and data security research for its sixth annual PrivacyCon, which is to be held on July 27, 2021. The call for presentations asks for empirical research and demonstrations, including economic analyses, with implications for privacy and data security policy and law.

The global privacy and cybersecurity team at Hunton Andrews Kurth has authored multiple chapters of the 2021 Data Protection & Privacy guide by Lexology’s Getting the Deal Through. Partner Aaron P. Simpson and practice chair Lisa J. Sotto served as contributing editors of the ninth edition of the annual guide, which provides summary and analysis in key areas of law, practice and regulation for 150 jurisdictions across the globe.

On November 27, 2020, New Mexico Attorney General Hector Balderas filed a notice of appeal to the U.S. Court of Appeals for the Tenth Circuit in the lawsuit it brought against Google on February 20, 2020, regarding alleged violations of the federal Children’s Online Privacy Protection Act (“COPPA”) in connection with G-Suite for Education (“GSFE”). As we previously reported, the U.S. District Court of New Mexico had granted Google’s motion to dismiss, in which it asserted that its terms governed the collection of data through GSFE and that it had complied with COPPA by using schools both as “intermediaries” and as the parent’s agent for parental notice and consent, in line with Federal Trade Commission Guidance.

On October 21, 2020, China issued a draft of Personal Information Protection Law (“Draft PIPL”) for public comments. The Draft PIPL marks the introduction of a comprehensive system for the protection of personal information in China.

On October 1, 2020, the French Data Protection Authority (the “CNIL”) published a revised version of its guidelines on cookies and similar technologies (the “Guidelines”), its final recommendations on the practical modalities for obtaining users’ consent to store or read non-essential cookies and similar technologies on their devices (the “Recommendations”) and a set of questions and answers on the Recommendations (“FAQs”).

On September 25, 2020, the District Court of New Mexico granted Google’s motion to dismiss a lawsuit filed on February 20, 2020, by New Mexico Attorney General Hector Balderas alleging, among other claims, that the company violated the federal Children’s Online Privacy Protection Act (“COPPA” or the “Act”) by using G Suite for Education to “spy on New Mexico students’ online activities for its own commercial purposes, without notice to parents and without attempting to obtain parental consent.”

On September 18, 2020, the U.S. Department of Commerce (“Commerce”) announced detailed sanctions relating to the mobile applications WeChat and TikTok. These prohibitions were issued in accordance with President Trump’s Executive Orders issued on August 6, 2020, imposing economic sanctions against the platforms under the International Emergency Economic Powers Act (50 U.S.C. § 1701 et seq.) and the National Emergencies Act (50 U.S.C. § 1601 et seq.). These orders, if they become fully effective, will (1) prohibit mobile app stores in the U.S. from permitting downloads or updates to the WeChat and TikTok mobile apps; (2) prohibit U.S. companies from providing Internet backbone services that enable the WeChat and TikTok mobile apps; and (3) prohibit U.S. companies from providing services through the WeChat mobile app for the purpose of transferring funds or processing payments to or from parties. The sanctions do not target individual or business use of the applications but are expected to degrade the ability of persons in the United States to use the apps for the purposes they were designed to serve.

UPDATE: On September 29, 2020, California Governor Gavin Newsom vetoed AB 1138.

On September 8, 2020, AB 1138, the Parent’s Accountability and Child Protection Act, was enrolled and presented to the California Governor for signature. If signed into law by the Governor, the bill would require a business that operates a social media website or application, beginning July 1, 2021, to obtain verifiable parental consent for California-based children that the business “actually knows” are under 13 years of age (hereafter, “Children”). The bill defines “social media” to mean an electronic service or account held open to the general public to post, on either a public or semi-public page dedicated to a particular user, electronic content or communication, including but not limited to videos, photos or messages intended to facilitate the sharing of information, ideas, personal messages or other content.

The Age Appropriate Design Code (the “code”) created by the UK Information Commissioner’s Office (the “ICO”) has completed the Parliamentary process and was issued by the ICO on August 12, 2020. It will come into force on September 2, 2020, with a 12-month transition period for online services to conform to the code.

On August 6, 2020, President Trump signed executive orders imposing new economic sanctions under the International Emergency Economic Powers Act (50 U.S.C. § 1701 et seq.) and the National Emergencies Act (50 U.S.C. § 1601 et seq.) against TikTok, a video-sharing mobile application, and WeChat, a messaging, social media and mobile payments application. The orders potentially affect tens of millions of U.S. users of these applications and billions of users worldwide.

On April 30, 2020, the French Data Protection Authority (the “CNIL”) published guidance on the extraction of web users’ personal data from online public spaces by web scraping tools and re-use of such data for direct marketing (the “Guidance”). The Guidance was issued following inspections carried out by the CNIL in 2019.

On April 6, 2020, the Irish Data Protection Commission (the “DPC”) published a report summarizing the DPC’s findings following a cookie sweep of select websites across a range of sectors, as well as a new guidance note on the use of cookies and other tracking technologies.

On March 1, 2020, the Provisions on the Governance of Network Information Content Ecology (the “Provisions”) took effect. The Provisions govern China’s network information content ecology—including content producers (the “Producers”), content service platforms (the “Platforms”), content service users (the “Users”), industry organizations and Departments of Cyberspace Administration at all levels.

On February 21, 2020, the Presidency of the Council of the European Union (“EU Council Presidency”) published a revised part of the proposed Regulation concerning the Respect for Private Life and the Protection of Personal Data in Electronic Communications and Repealing Directive 2002/58/EC (Regulation on Privacy and Electronic Communications), better known as “the Draft ePrivacy Regulation.”

On February 10, 2020, the Belgian Data Protection Authority (the “Belgian DPA”) published its Recommendation 1/2020 on data processing activities for direct marketing purposes (the “Recommendation”). With this Recommendation, the Belgian DPA aims to clarify the complex rules relating to the processing of personal data for direct marketing purposes, including by providing practical examples and guidelines to the different stakeholders involved in direct marketing activities. Direct marketing is one of the Belgian DPA’s top priorities for the next few years, as indicated in its 2019-2025 Strategic Plan.

On January 21, 2020, the UK Information Commissioner’s Office (“ICO”) published the final version of its Age Appropriate Design Code (“the code”), which sets out the standards that online services need to meet in order to protect children’s privacy. It applies to providers of information services likely to be accessed by children in the UK, including applications, programs, websites, social media platforms, messaging services, games, community environments and connected toys and devices, where these offerings involve the processing of personal data.

On December 11, 2019, the European Data Protection Board (“EDPB”) published its draft guidelines 5/2019 (the “Guidelines”) on the criteria of the right to be forgotten in search engine cases under the EU General Data Protection Regulation (“GDPR”). The Guidelines aim to provide guidance on: (1) the grounds on which individuals can rely for submitting a request for the right to be forgotten in relation to links to web pages containing their personal data; and (2) the exceptions to the right to be forgotten that search engine operators could use to reject such a request. The Guidelines will be supplemented by an appendix on the assessment of criteria for the handling of individuals’ complaints by EU data protection authorities following the refusal by search engine operators to grant the individuals’ request.

On December 10, 2019, the Dutch Data Protection Authority (Autoriteit Persoonsgegevens, the “Dutch DPA”) published a statement regarding compliance with the rules on cookie consent (the “Statement”).

On October 21, 2019, the Federal Trade Commission took action against two companies alleged to have engaged in the business of false online reviews and social media influence. In the first case, the FTC entered into a consent decree with cosmetics marketer Sunday Riley, LLC, and the company’s owner, who sell products at Sephora stores and online at Sephora.com. According to the FTC’s complaint, disguised as ordinary consumers, Sunday Riley employees and Ms. Riley herself posted fake 5-star reviews of the company’s products on Sephora’s website. Under the terms of the FTC’s agreement, the company and its principal are barred from posting fake reviews, must clearly identify endorsers, and must instruct staff on their disclosure obligations. The FTC vote on the action was 3-2, with Commissioners Chopra and Slaughter dissenting on the grounds that the settlement did not include a monetary payment or an admission of guilt.

On October 1, 2019, the Court of Justice of the European Union (“CJEU”) issued its decision in an important case involving consent for the use of cookies by a German business called Planet49. Importantly, the Court held that (1) consent for cookies cannot be lawfully established through the use of pre-ticked boxes, and (2) any consent obtained regarding cookies cannot be sufficiently informed in compliance with applicable law if the user cannot reasonably comprehend how the cookies employed on a given website will function.

On September 24, 2019, the Court of Justice of the European Union (the “CJEU”) released its judgments in cases C-507/17, Google v. CNIL and C-136/17, G.C. and Others v. CNIL regarding (1) the territorial scope of the right to be forgotten, referred to in the judgement as the “right to de-referencing,” and (2) the conditions in which individuals may exercise the right to be forgotten in relation to links to web pages containing sensitive data. The Court’s analysis considered both the EU Data Protection Directive and the EU General Data Protection Regulation (“GDPR”).

On July 29, 2019, the Court of Justice of the European Union (the “CJEU”) released its judgment in case C-40/17, Fashion ID GmbH & Co. KG vs. Verbraucherzentrale NRW eV. The Higher Regional Court of Düsseldorf (Oberlandesgericht Düsseldorf) requested a preliminary ruling from the CJEU on several provisions of the former EU Data Protection Directive of 1995, which was still applicable to the case since the court proceedings had started before the implementation of the EU General Data Protection Regulation (“GDPR”).

On July 25, 2019, New York Governor Andrew Cuomo signed into law Senate Bill S5575B (the “Bill”), an amendment to New York’s breach notification law (the “Act”). The Bill expands the Act’s definition of “breach of the security of the system” and the types of information (i.e., “private information”) covered by the Act, and makes certain changes to the Act’s requirements for breach notification.

On July 17, 2019, the Federal Trade Commission published a notice in the Federal Register announcing an accelerated review of its Children’s Online Privacy Protection Rule (“COPPA Rule” or “Rule”), seeking feedback on the effectiveness of the 2013 amendments to the Rule, and soliciting input on whether additional changes are needed. Citing questions regarding the Rule’s application to the educational technology sector, voice-enabled connected devices, and general audience platforms that host child-directed content, the FTC indicated that it was moving up its review from a standard 10-year timeframe. The Commission vote to conduct the Rule review was unanimous, 5-0.

To mark the GDPR’s one-year anniversary, the European Commission recently published the results of two surveys meant to illuminate the public’s awareness of the GDPR and its practical applications.

On June 13, 2019, the Cyberspace Administration of China (the “CAC”) released Draft Measures on Security Assessment of Cross-Border Transfer of Personal Information (“Draft Measures”) for public comment, the window for which ends July 13, 2019.

On June 6, 2019, the French Data Protection Authority (the “CNIL”) announced that it levied a fine of €400,000 on SERGIC, a French real estate service provider, for failure to (1) implement appropriate security measures and (2) define data retention periods for the personal data of unsuccessful rental candidates.

On May 30, 2019, the Maine House and Senate passed a bill (L.D. 946) that will place restrictions on broadband Internet service providers from selling customer data without the customer’s affirmative consent. The bill will apply to providers operating within Maine in connection with the broadband Internet access services they provide to customers who are physically located and billed for service received in Maine.

On May 28, 2019, a federal jury returned a verdict awarding $1,000 to each of the roughly 68,000 class members whose criminal history was made publicly available online. The jury found that Bucks County willfully violated Pennsylvania’s Criminal History Records Information Act (“CHRIA”) and awarded the statutory minimum to each of the class members. As a result, Bucks County could pay up to $68 million in punitive damages.

On May 29, 2019, Nevada’s governor approved SB 220 (the “Amendment Bill”), which provides amendments to an existing law that requires operators of websites and online services (“Operators”) to post a notice on their website regarding their privacy practices. The Amendment Bill will require Operators to establish a designated request address through which a consumer may submit a verified request directing the Operator not to make any “sale” of covered information collected about the consumer. Pursuant to the Amendment Bill, Operators must respond to a verified opt-out request within 60 days of receipt.

On May 6, 2019, the Federal Trade Commission announced that Meet24, FastMeet and Meet4U—three dating apps owned by Ukrainian-based company Wildec LLC—were removed from the Apple App Store and Google Play Store following an FTC letter alleging that the apps potentially violated the Children’s Online Privacy Protection Act (“COPPA”) and the Federal Trade Commission Act (“FTC Act”). According to the letter and contrary to what was claimed in their privacy policies, the apps, which collect dates of birth, email addresses, photographs and real-time location date, failed to block users who indicated they were under the age of 13.

On April 11, 2019, the People’s Republic of China’s Network Security Bureau of the Ministry of Public Security, the Beijing Network Industry Association and the Third Research Institution of the Ministry of Public Security jointly released a “Guide to Protection of Security of Internet Personal Information (the “Guide”). The Guide presents itself as a reference, rather than a legally-enforceable regulation, but how it will interact with cybersecurity-related law, regulations and standards in practice remains to be seen.

On April 24, 2019, the Federal Trade Commission announced two data security cases involving online operators—one, an online rewards website, and the second, a dress-up games website—that were alleged to have failed to take reasonable steps to secure consumers’ data, which allowed hackers to breach both websites.

On April 12, 2019, the European Data Protection Board (“EDPB”) published draft guidelines 2/2019 on the processing of personal data in the context of the provision of online services to data subjects (the “Guidelines”).

Social media platforms, file hosting sites, discussion forums, messaging services and search engines in the UK are likely to come under increased pressure to monitor and edit online content after the UK Department of Digital, Culture, Media and Sport (“DCMS”) announced in its Online Harms White Paper (the “White Paper”), released this month, proposals for a new regulatory framework to make companies more responsible for users’ online safety. Notably, the White Paper proposes a new duty of care owed to website users, and an independent regulator to oversee compliance.

On March 27, 2019, Utah Governor Gary Herbert signed HB57, the first U.S. law to protect electronic information that individuals have shared with certain third parties. The bill, called the “Electronic Information or Data Privacy Act,” places restrictions on law enforcement’s ability to obtain certain types of “electronic information or data” of a Utah resident, including (1) location information, stored data or transmitted data of an electronic device, and (2) data that is stored with a “remote computing service provider” (i.e., data stored in digital devices or servers).  The law provides for situations in which law enforcement may obtain such information without a warrant.

On March 21, 2019, Advocate General Maciej Szpunar (“Advocate General”) of the Court of Justice of the European Union (“CJEU”) issued an Opinion in the Case C-673/17 of Planet49 GmbH v Bundesverband der Verbraucherzentralen und Verbraucherverbände – Verbraucherzentrale Bundesverband e.V. (i.e., the Federation of German Consumer Organizations, the “Bundesverband”), which is currently pending before the CJEU. In the Opinion, the Advocate General provided his views on how to obtain valid consent to the use of cookies in the case.

The Belgian Data Protection Authority (the “Belgian DPA”) recently published the updated list of the types of processing activities which require a data protection impact assessment (“DPIA”). Article 35.4 of the EU General Data Protection Regulation (“GDPR”) obligates supervisory authorities (“SAs”) to establish a list of the processing operations that require a DPIA and transmit it to the European Data Protection Board (the “EDPB”).

On January 10, 2019, Advocate General Maciej Szpunar (“Advocate General”) of the Court of Justice of the European Union (“CJEU”) issued an Opinion in the case of Google v. CNIL, which is currently pending before the CJEU. In the Opinion, the Advocate General provided his views concerning the territorial scope of the right to be forgotten under the relevant EU Data Protection Directive in the case at hand.

On December 4, 2018, the New York Attorney General (“NY AG”) announced that Oath Inc., which was known as AOL Inc. (“AOL”) until June 2017 and is a subsidiary of Verizon Communications Inc., agreed to pay New York a $4.95 million civil penalty following allegations that it had violated the Children’s Online Privacy Protection Act (“COPPA”) by collecting and disclosing children’s personal information in conducting online auctions for advertising placement. This is the largest-ever COPPA penalty.

The U.S. Department of Commerce’s National Institute of Standards and Technology recently announced that it is seeking public comment on Draft NISTIR 8228, Considerations for Managing Internet of Things (“IoT”) Cybersecurity and Privacy Risks (the “Draft Report”). The document is to be the first in a planned series of publications that will examine specific aspects of the IoT topic.

The Federal Trade Commission announced the opening dates of its Hearings on Competition and Consumer Protection in the 21st Century, a series of public hearings that will discuss whether broad-based changes in the economy, evolving business practices, new technologies or international developments might require adjustments to competition and consumer protection law, enforcement priorities and policy. The FTC and Georgetown University Law Center will co-sponsor two full-day sessions of hearings on September 13 and 14, 2018, to be held at the Georgetown University Law Center facility.