Cybersecurity / Data Security

On January 1, 2020, California’s landmark privacy law, the California Consumer Privacy Act (CCPA), took effect. The CCPA imposes various obligations on covered businesses and provides extensive rights to consumers with respect to controlling the collection and use of their personal information. While some companies have largely completed their CCPA compliance efforts, many others are still digesting the CCPA and draft proposed regulations, and taking steps to meet the CCPA’s myriad compliance obligations.

Confusion persists about how businesses can comply with certain provisions of the CCPA. In October 2019, the California Attorney General issued proposed regulations that provide guidance on a number of key areas, but the regulations are not yet final. If adopted, violations of the proposed regulations will be treated the same as violations of the CCPA itself, with the same penalties. We have summarized the proposed regulations in previous alerts:

Comments on the proposed regulations can be viewed here.Continue Reading California’s Landmark Privacy Law Now in Effect

Consent is only one of the six legal grounds for processing personal data under the GDPR, but it is certainly the most well-known. While it might look safe and solid at first sight, it is becoming the weakest link of the GDPR compliance chain.

First, consent can be withdrawn at any time, and the process

On October 1, 2019, the Court of Justice of the European Union (CJEU) issued a final ruling in the Planet49 case (case C-673/17 – available here).

Following a request for preliminary ruling from the German Federal Court of Justice, the Bundesgerichtshof, the CJEU interpreted the consent requirement of Directive 2002/58/EC, as amended by Directive 2009/136/EC (hereafter the “e-Privacy Directive”) in light of former Directive 95/46/EU (hereafter the “Data Protection Directive”) as well as in light of its successor – the General Data Protection Regulation (GDPR).

The Court made it clear that the placing and reading of tracking cookies on a user’s terminal equipment requires an active and unambiguous consent of the user. A pre-ticked checkbox does not meet these requirements and therefore does not constitute a valid consent. Also, the Court underlined that consent must be specific. In the case at hand, the act of selecting a button to participate in a promotional online lottery cannot be construed as consent of the user to the storage of cookies.

Moreover, the Court clarified that these requirements regarding the consent of the user for usage of cookies are applicable regardless of whether the information stored or consulted on the user’s device constitutes “personal data.”

Finally, the Court held that cookie consent must be “informed” as per the GDPR, which means that service providers must also provide information on the duration of the operation of cookies, as well as in relation to any third party access to those cookies.

The factsContinue Reading Court of Justice of the European Union Finds that Pre-Ticked Checkboxes Are Not Valid Consents under GDPR

Executive summary

On September 17, 2019, the Belgian Data Protection Authority (DPA) issued a fine of EUR 10,000 for a breach of the General Data Protection Regulation’s (GDPR). The case related to a merchant who required the use of an electronic identity card as the sole means for the issuance of loyalty cards.

The DPA found that this practice did not comply with GDPR’s standards on (a) data minimization, as the electronic identity card contains much more information about the holder than is necessary for the purposes of creating a loyalty card; and (b) consent, because customers were not offered a real choice on whether they should provide access to the data on their electronic identity card in exchange for a loyalty card. As a result, the customers’ consent was not considered as freely given and therefore invalid.

The DPA also found that the merchant had not done enough to inform customer about its data processing activities, and thereby violated its information duties under the GDPR.

The facts Continue Reading Belgian Data Protection Authority Finds Merchant Violated GDPR by Requiring Customers to Provide Electronic ID to Receive Loyalty Card

On 29 July 2019, the Court of Justice of the European Union (CJEU) issued a decision in the Fashion ID case, a case referred to it by a German court. In this blog post we will focus on what this case means with regard to joint controllership when you have social media plug-ins on your

On August 8, 2019, the U.S. Court of Appeals for the Ninth Circuit issued yet another decision adopting relaxed standing requirements in privacy litigation, this time in a decision permitting a plaintiff to pursue claims under Illinois’s Biometric Information Privacy Act (BIPA). In Patel v. Facebook, the Ninth Circuit rejected arguments from Facebook Inc. (Facebook) that claims under the BIPA require assertions of real-world harm, and that BIPA claims only apply to conduct within Illinois. The ruling creates a circuit split on the standard for establishing Article III standing in BIPA litigation, which could prompt the U.S. Supreme Court to take up the issue.

BackgroundContinue Reading Ninth Circuit Rejects Facebook’s Article III Argument; Biometric Lawsuit Will Proceed

The National Institute of Standards and Technology (“NIST”) has extended the comment period on its recently released draft documents, NIST SP 800-171 Revision 2 and NIST SP 800-171B. The comment period for both NIST SP 800-171 Revision 2 and NIST SP 800-171B was initially open until July 19, 2019. It was recently extended to

Oregon has recently passed a new cybersecurity statute, joining California in requiring manufacturers of “connected devices” to equip qualifying technology with “reasonable security features.” The new law will go into force on January 1, 2020. For further analysis, visit our recent client alert.

As the country’s new Congress settles into its term, several technology issues are coming to the forefront. A number of Senators recently questioned the Department of Justice over how it is collecting cellphone-location data in the wake of the Supreme Court’s landmark Carpenter decision. Carpenter v. United States, 138 S. Ct. 2206 (2018). The House of Representatives is considering a renewed version of legislation that would strengthen the security of “Internet of Things” technologies used by the federal government. And politicians and pundits throughout Capitol Hill are asking whether this will be the year that comprehensive federal privacy legislation becomes law. As it turns out though, some of the nation’s top courts are already tackling these tough issues. In fact, the Seventh Circuit’s opinion last year in Naperville Smart Meter Awareness v. City of Naperville, 900 F.3d 521 (7th Cir. 2018), has received relatively little reporting, but its impact will be broad when it comes to how courts interpret the Fourth Amendment in the era of big data.

In Naperville, the Seventh Circuit heard an appeal concerning the city’s “smart meter” program. Without residents’ permission, Naperville had been replacing traditional energy meters on its grid with “smart meters” for homes. Each smart meter collected thousands of readings a month, as opposed to just the previous single monthly readings. According to the plaintiffs, the repeated readings of the smart meters collected data at such a granular level that they revealed what appliances were present in homes and when they were used. Considering the potential privacy impact, the Seventh Circuit found that Naperville’s collection of smart meter data from residents’ homes constituted a “search” under the Fourth Amendment.
Continue Reading Seventh Circuit Wades into Big Data Case Law

The Department of Defense recently released a memorandum directing the Defense Contract Management Agency (DCMA) to implement and assess company-wide cyber compliance with the DFARS Safeguarding Clause and related security standard, NIST SP 800-171.  For further analysis, visit our Government Contracts Legal Forum blog post.