Last July you will recall that in the Schrems II Case (“Schrems”) the Court of Justice of the European Union (“CJEU”) invalidated the European Union/United States (“EU/US”) Privacy Shield framework, while also reiterating that companies could rely on the standard contractual clauses (“SCC”s).  However, the CJEU also made clear that transfers of personal data from the European Economic Area (“EEA”) to non-adequate countries were not always permissible, requiring supplemental measures and in some cases transfer impact assessments.

In order to address the Schrems II holding and to improve ill-adapted SCCs that pre-dated the General Data Protection Regulation (“GDPR”) amid an exponential increase in cross-border transfers, the European Commission adopted two new sets of SCCs June 4, 2021:  Third Country Transfer SCCs and Controller-Processor SCCs.  As detailed below, these new SCCs must be used commencing September 27, 2021, for all new data transfers.  Companies have until December 27, 2022 to amend contracts for data transfers that previously were made under the old SCCs.
Continue Reading Addressing Data Transfers from the European Union Starting September 27, 2021

In April, Rob Bonta became the new California Attorney General. In swift form, and not taking any summer break, he has made it clear that privacy and CCPA compliance is a priority, and that enforcement won’t be limited to a handful of requirements under the CCPA, as many previously believed.

First, the Attorney General posted several examples of enforcement actions, including those addressing the following issues:
Continue Reading The Summer of CCPA Enforcement

Organizations large and small across all industries collect and process personal information, be it user information, customer information or employee information. Some of this information may be sensitive, other information may be subject to stricter laws in other countries. In our practice, among the many data protection requirements to which an organization may be subject

In recent months, there has been increased chatter about “dark patterns” in user interfaces, and it’s only getting louder. When we think of dark patterns, we often think of features that make it more difficult to cancel subscriptions, or that (mis)lead us to sign up for a product or service despite our best intentions. However, dark patterns also impact data privacy in a number of ways.
Continue Reading How Dark Patterns May be Chipping Away at Your Company’s Privacy Compliance Efforts

The Commonwealth of Virginia is on the verge of becoming the second state with a consumer data protection law. The Consumer Data Protection Act (“CDPA”), which awaits signature by Governor Northam (who is expected to sign the bill into law), would go into effect on January 1, 2023. Like California’s CCPA (and CPRA, also set to take effect January 1, 2023), the CDPA establishes a “comprehensive” framework for the collection and use of personal data of Virginia residents while also (and ironically) not applying to companies across the board. The CDPA would apply “to persons that conduct business in the Commonwealth or produce products or services that are targeted to residents of the Commonwealth and that (i) during a calendar year, control or process personal data of at least 100,000 consumers or (ii) control or process personal data of at least 25,000 consumers and derive over 50 percent of gross revenue from the sale of personal data.” Unlike CCPA, the CDPA does not contain an “annual revenue” threshold.
Continue Reading States Are “Stepping Up” to the Privacy Plate. Who’s Next? Virginia.

Online advertising – or “adtech”, as it is often referred to – does not mix well with many privacy laws, beginning with the GDPR. In recent years since GDPR went into effect, privacy advocates have increased their demands on EU regulators to more deeply scrutinize targeting practices and how data is shared within the advertising ecosystem, in particular when it comes to real-time bidding (RTB). Complaints have been filed by many privacy-minded organizations, and all of them allege that, by its very nature, RTB constitutes a “wide-scale and systemic” breach of Europe’s privacy laws. This is because RTB relies on the massive collection, accumulation and dissemination of detailed behavioral data about individuals who use the internet.
Continue Reading Key Takeaways from the Recent Grindr Decision and “Tentative” $11M Fine

Happy new year from our team at Hopkins & Carley! With each new year comes a host of bright new intentions. As each of us knows all too well, some will stick and others will quickly be forgotten. As a reminder to stay the course when it comes to data privacy and security, this year we kick off our 2021 to-do (and not-to-do) list. Rather than focus on privacy and security predictions for 2021, we wanted to share a list of action items based on some of the hard-learned lessons from 2020, as well as trends that we expect to continue into 2021. 2020 was a very busy and tumultuous year in the privacy and security world, and this will certainly also be the case in 2021. Companies that handle personal information must juggle an increasing number of laws, regulations, business-mandated requirements and risks. With that, here are a few things to keep in mind as we enter 2021:
Continue Reading Our Privacy & Security 2021 To-Do (and Not-To-Do) List: Lessons Learned From a Year Like No Other

We saw a few developments on the privacy and security front these past few weeks, so rather than our usual approach of focusing on one issue, this post will highlight a few noteworthy stories.

Cookies

France’s data protection regulator (CNIL) slapped Google and Amazon with fines for dropping tracking cookies without users’ prior consent, as required under the ePrivacy Directive incorporated into France’s Data Protection Act. Google was fined €100 million while Amazon received a €35 million fine – both in connection with their French (.fr) domains. In investigating the websites, the CNIL found that in both instances, tracking cookies were automatically dropped when a user visited the domains in violation of the Data Protection Act. As a high-level reminder, EU law mandates that non-essential cookies not be dropped by a website operator until and unless a user consents to those cookies – meaning that having a banner merely informing visitors that they “agree to the use of cookies” is in violation of the law. Such was the case with Amazon’s banner, despite its use of tracking cookies (i.e., non-essential) cookies. Moreover, transparency is required as to the use of cookies, and in both cases, the CNIL found violations as to transparency (or lack thereof) in addition to improper consent mechanisms and implementation. Finally, with respect to Google, the CNIL also found that even when a user deactivated all personalized advertising, one remained in violation of the law, highlighting the often overlooked importance of ensuring that language (and choice) are aligned with technical implementation.
Continue Reading Cookies, Opt-Out Choices, IoT Security: Recent Developments in Data Protection

Data retention. It’s not something that excites and invigorates businesses. But it is a necessary cost of doing business, not only to ensure one retains certain data for as long as each applicable law requires, but also as an increasingly important risk mitigation strategy.

Determining how long to retain a type of data or record depends on several factors. Various laws and regulations mandate that businesses retain certain records and data for minimum time periods. Statutes of limitation on certain types of claims also guide businesses as to how long to retain certain data. Conversely, privacy laws have always included a component of data minimization requiring businesses not to “hoard” data. Taken as a whole, these different rules require businesses to strike the right balance between retaining data for at least the properly mandated period and not retaining it for longer than necessary. Now, getting this right is even more important with the increasing risks of class action lawsuits for data security breaches. Quite simply, the more data you have, the more data you can lose. Having bastions of data will further complicate the tracking of data that may have been accessible to or taken by an unauthorized third party. This is one reason why, despite requirements to promptly notify individuals that their data was accessed in a security breach, businesses may take months to provide the notifications to individuals.
Continue Reading Data Retention – More than Meets the Eye

Consistent with California’s history of prioritizing consumer privacy protections, Proposition 24 (full text here), a.k.a the California Privacy Rights Act (“CPRA”), was placed on the November ballot and handily approved by voters last week. The measure’s background itself indicates that the CPRA was being put forward to make privacy more transparent to users, similar to “ingredient labels on foods.” Background information also indicates a willingness to strengthen privacy rights over time rather than diluting them (particularly as regards to children), and in fact this push for increased transparency and protection is consistent with how certain platforms are requiring clearer policies (we discuss Apple’s new requirements here). While the CPRA will be fully effective and enforceable January 1, 2023, certain provisions take effect earlier and have a look-back provision. Businesses should start to familiarize themselves with the new or updated definitions and additional requirements contained in the CPRA.
Continue Reading Voters Approve the California Privacy Rights Act: What Businesses Need to Know