Céline Guillou is a member of Hopkins & Carley’s Corporate Practice and focuses on data privacy law and compliance. Céline holds the certificate for Certified Information Privacy Professional Europe (CIPP/E) from the International Association of Privacy Professionals (IAPP), the global standard in privacy certification.

If it’s not already, security should be a top priority for all companies that collect and hold personal data. Companies subject to the California Consumer Privacy Act (CCPA), effective since January 1, should be even more concerned given the new consumer right of action in the event of certain security incidents, and the increase in class actions to which this will inevitably lead (more on that below).

And yet…

During a recent discussion with friends in the hospitality/travel industry, I was surprised to hear of shockingly poor security practices when they described how travelers’ information was shared and transmitted on a daily basis. I learned, for instance, that travelers’ information – especially when it comes to groups – is often sent in unprotected, unencrypted documents, such as Excel spreadsheets or PDFs, to equally insecure email addresses, with multiple recipients copied. These documents, which circulate freely among various players in the ecosystem, contain hyper-sensitive information, such as passport numbers, credit card information, location, and travel dates and addresses. We are not talking about a name and a device ID, here, but troves of data that hackers would love to get their hands on.

The new decade started off with a flurry of emails informing us of updated privacy notices being posted on websites in response to the California Consumer Privacy Protection Act (“CCPA”). While most people began their New Year’s resolutions or happily watched football on January 1, 2020, some of us were busy peeling through these updated privacy notices. What our review reveals is that companies are handling the CCPA in many different ways. Some take a strict approach to the letter of the law and proposed regulations, while others outright challenge the CCPA’s broad definitions and sweeping requirements by flaunting language suggesting that their original privacy policy already disclosed everything it needed to, but, paraphrasing, “we now also have to disclose the same thing this way just because of CCPA.”

The California Consumer Privacy Act (CCPA) goes live in six weeks. While many companies have been working on mapping their data for some time, others are just getting started. Some of the issues left open by the language of the CCPA and the proposed regulations have yet to be resolved, but there is no question

As part of our blog, from time to time we will share some of the most frequently asked questions that we receive from organizations across different industries regarding data privacy and security, and more specifically GDPR and CCPA. This is the first FAQ in our series.

What’s the Deal with the Data Protection Officer?

Not to be confused with a CPO (Chief Privacy Officer) or EU Representative, the role of data protection officer (DPO) has specific legal meaning under the GDPR. The primary role of a DPO is to ensure that the organization to which it is appointed processes the personal data of its staff, customers or any other individuals (i.e., data subjects) in accordance with applicable data protection rules. Many, but not all, organizations subject to GDPR are required to appoint a DPO, but given the unique nature of the DPO, the why, when and how of this topic is definitely at the top of our US clients’ FAQs.