Photo of Céline Guillou

Céline Guillou is a member of Hopkins & Carley’s Corporate Practice and focuses on data privacy law and compliance.  Céline holds the certificate for Certified Information Privacy Professional Europe (CIPP/E) from the International Association of Privacy Professionals (IAPP), the global standard in privacy certification.

As we (remotely) head back to school, we thought it timely to post our “annual” reminder that collecting, using and/or disclosing children’s personal information comes with some restrictions (see last year’s post here). With this unprecedented back-to-school season, nearly all children’s activities, products and services are moving online for the foreseeable future. As such, now more than ever organizations should really take the time to determine whether they collect any data from children (or have actual knowledge of doing so), and ensure that they are taking the proper steps to comply with applicable rules.
Continue Reading Children’s Privacy Check-Up

As we all know, the EU-U.S. Privacy Shield framework, the cross-border transfer mechanism relied upon by over 5,000 U.S. entities until just over a month ago, was recently invalidated by the CJEU in the Schrems II case (see here for our last post following the ruling). So what next?
Continue Reading Addressing Cross-Border Transfers from the EU Following the Schrems II Ruling

With the Covid-19 crisis, many companies that may have traditionally only done business offline are transitioning and expanding into e-commerce. Others are starting new businesses and innovating new technologies and platforms. There are a multitude of considerations that go into these new ventures, an important one of which is security.
Continue Reading Data Security and the New York SHIELD Act: Going Beyond New York Companies

During a recent keynote presentation with the IAPP following the July 1 enforcement deadline of the CCPA, Stacey Schesser, Supervising Deputy Attorney General for the State of California (“Deputy AG”), provided a bit of a roadmap for CCPA enforcement actions from the California Attorney General (“AG”) that are both currently underway and expected in the near future.
Continue Reading CCPA Enforcement: What to Expect Next

Despite three annual reviews by European Union Commissioners, the European Court of Justice (CJEU) invalidated the Privacy Shield and called into question many transfers of personal data pursuant to the Standard Contractual Clauses on July 16.  At stake are transfers of EU personal data to thousands of U.S. companies that rely on personal data being transferred from the EU. The case is colloquially known as “Schrems II” as it is the second case involving Maximillian Schrems (Case C-311/18 Data Protection Commissioner v Facebook Ireland and Maximillian Schrems). Mr. Schrems’ first case resulted in an invalidation of the EU-US Safe Harbor, the Privacy Shield’s predecessor in 2015.
Continue Reading Schrems II: EU Personal Data Transfers to the U.S. and the Invalidation of the Privacy Shield

The California Attorney General’s final proposed regulations under CCPA (“Regulations”) have been submitted, and pending approval by the California Office of Administrative Law, will soon become enforceable by law. One often overlooked requirement of the CCPA is the obligation of covered businesses to provide notices that are “reasonably accessible.” All drafts of the Regulations have provided more detail about the accessibility requirement contained in the CCPA, and the final Regulations make clear that for notices provided online, businesses must follow generally recognized industry standards, such as the Web Content Accessibility Guidelines, version 2.1 (WCAG) from the World Wide Web Consortium. While companies have largely focused on updating the language or substance of their notices to comply with CCPA, this requirement as to form has, by and large, slipped through the cracks, but is certain to generate some discussion (if not litigation) in coming months.

By way of background, the Americans with Disabilities Act (ADA) requires, among other things, that places of “public accommodation” remove barriers to access for individuals with disabilities. While this has long been considered the rule for physical establishments, including privately-owned, leased or operated facilities like hotels, restaurants, retail merchants, health clubs, sports stadiums, movie theaters, and so on, virtual accessibility has been much less consistent, and generally the exception rather than the norm. In fact, web accessibility hardly ever appears on businesses’ radars, due perhaps to a very short-sighted perception of what, in fact, qualifies as a disability as well as a lack of overall guidance.

Web accessibility means ensuring that websites, mobile applications, and other virtual platforms can be used by everyone, including those with disabilities, such as impaired vision. However, what exactly is required is a source of confusion. In 2019, the Department of Justice (DOJ), which is responsible for establishing regulations pursuant to the ADA, withdrew regulations that had been drafted for website accessibility, and has since yet to promulgate any such regulations. This has left courts with the task of determining how and to what extent web accessibility is required under the ADA when it comes to businesses that offer goods and services online, with varying results.
Continue Reading CCPA and Web Accessibility

At the Worldwide Developers Conference on June 23, Apple announced an assortment of new privacy features – some quite significant for developers – that will be included as part of iOS 14. Some of the new privacy features include added protections against user tracking on apps and websites, as well as transparency measures to prevent apps from using cameras or microphones without a user’s knowledge. How location data is collected will also be impacted: iOS already enables users to block specific apps from collecting data about their location, but now users will be able to share approximate location data.

One very significant change is that app developers will now be required to disclose the types of data that their app collects, and importantly, call out specific information that could be used to track users across platforms. Inspired by nutrition labels that are typically affixed to food products, these new disclosure mandates from Apple will require developers to complete a specific form (showcased at the Worldwide Developers Conference). When users search for an app, the summary of collected data will appear alongside other information about the app.
Continue Reading Apple’s iOS 14 Transformative Privacy Announcements

As cities and states gradually open up, companies have begun to assess under what circumstances they can re-open the workplace – and in particular, what health-related personal information can and should be collected. When it comes to monitoring employees, generally speaking, privacy and employment law are increasingly overlapping as more stringent laws are adopted, and COVID-19 has brought this overlap to the forefront. Our employment team at Hopkins & Carley has provided a number of resources and webinars on the employment-related issues of COVID-19 and what can and cannot be done (available here). Here we will focus on the intertwined privacy implications of allowing individuals – employees and non-employees – back into offices and facilities, particularly with respect to the California Consumer Privacy Act (CCPA).

What are the CCPA’s notice requirements?
Continue Reading Returning to Work: CCPA Considerations

I recently co-wrote the following client alert with one of my colleagues, Monique Jewett-Brewster. Monique advises creditors, commercial landlords and tenants, and asset purchasers in business bankruptcies and in all other aspects of insolvency law.


As we move closer to a global recession caused by the current pandemic, some companies will find themselves in the unfortunate position of having to seek bankruptcy relief. This may have some important and often overlooked privacy implications. There is no question that in this day and age, one of a business’ most valuable assets is the personal information that it has collected from its customers and/or end-users – often more so than any of its tangible assets. Increasingly, as business shifts online, this is true not only of technology companies but also of “brick and mortar” companies.

However, when a business becomes a debtor, the sale of personal information can be problematic. Section 363(b) of the US Bankruptcy Code provides that a debtor that has a privacy notice prohibiting the transfer of personally identifiable information (“personal information”) may not use, sell or lease such information other than in the ordinary course of business unless (1) the use, sale or lease is consistent with the terms of the privacy notice or (2) after the appointment of a consumer privacy ombudsman (“CPO”) the court finds, after giving due consideration to the facts, circumstances, and conditions, that the sale or lease would not violate applicable non-bankruptcy law. These restrictions only apply if the debtor disclosed to its customers a privacy notice prohibiting the transfer of personal information to persons not affiliated with the debtor and the policy was in effect on the date of the bankruptcy filing.
Continue Reading Privacy Issues in Bankruptcy Sales

As businesses struggle to navigate the new reality created by Covid-19, there are a few things to keep in mind both in the short and long term, when it comes to privacy and security.

Security & WFH.

With employees working remotely, now more than ever organizations are at risk of cybersecurity incidents. Malicious players will seek to exploit increased vulnerabilities in this age of WFH, and with IT teams scrambling to ensure that all of their employees can connect remotely and remain productive, some of the most obvious risks should not be overlooked:

  • A large number of organizations had not anticipated the need for laptops or other devices for ALL of their employees. As such, many workers across the country are now using their personal devices to perform their jobs, which may include handling proprietary and/or personal information. However, a number of these personal devices will not only lack some of the basic security tools and software (e.g., firewalls or antivirus software) and controls on what can be downloaded, but may also already contain some unsavory software or applications that increase the risk or malware distribution. In fact, some personnel may shortcut and use personal email accounts to transfer documents, which adds yet another level of risk, as further noted below. Add to this mix the exchange, transfer, and processing of proprietary and personal information, and this could lead to some very problematic unintended or unauthorized disclosures.
  • To connect and get work done, workers need a WiFi network, and unfortunately, some employees may be using unsecured WiFi networks. This could potentially be a very big problem if employees are accessing information via an unsecured or vulnerable WiFi network – such as a neighbor’s unsecure network. Some of the many risks of using unsecured WiFi networks include eavesdropping – which enables malicious players to access and capture everything remote workers are doing online including login credentials, emails, and other or proprietary information – as well as exposure to malicious attacks. No doubt, it is important to ensure that employees are using secure WiFi networks coupled with company VPN’s to prevent any malicious scanning activity.
  • Many organizations lack specific policies that specifically warn employees NOT to use personal email or messaging applications lacking encryption when they exchange the organization’s confidential information. Some of these policies, also commonly referred to as “BYOD” policies, are intended to inform workers of what they can and cannot do with their devices. Consider Bob sending a personal email to a friend and colleague that Mike in marketing tested positive for COVID-19 (i.e., sensitive health information) or an employee transferring customer lists with personal data via unencrypted messages. WFH devices aside, employees should also be reminded not to toss confidential documents in household garbage bins, to turn off smart devices that are voice-activated, and to take calls that involve confidential information in a “private area” of the home. Failing to clarify policies with personnel is very risky. Now would be a good time to remind employees of how they should minimize these risks.

Ensuring that your organization’s  IT and legal teams are working closely together to develop policies and procedures will help identify and minimize these increasing cybersecurity risks.
Continue Reading SHORT AND LONG TERM PRIVACY CONSIDERATIONS TO NAVIGATE OUR NEW REALITY