On January 14, 2020, the French Supervisory Authority (“CNIL”) published a new draft guidance on the use of cookies and similar technologies on websites and applications (see here, in French). The draft guidance is open for public consultation until February 25, 2020.
In its nine articles, the guidance sets out how to properly inform users and collect their consent in this context. For each requirement, the guidance provides examples and best practices.
While all eyes are on California following the implementation of the California Consumer Privacy Act (“CCPA”) earlier this month and the start of enforcement later this year, other states are off to the privacy races already. On Monday, Washington State became the latest entrant with the introduction of a revised Washington Privacy Act.
From the proposals introduced so far this year in Washington, Virginia, New Hampshire, Illinois, and Nebraska, it is clear that states will continue to follow last year’s trend of varied approaches to state privacy legislation. While there are variations in state proposals, many of the bills seem to fall into three molds.
CCPA Copycats
The first category of proposals closely track the CCPA. Some of these bills, like last year’s Mississippi Consumer Privacy Act, are essentially identical to the CCPA or have minor changes. These bills may lack changes made by the September amendments to the CCPA. For example, the CCPA originally regulated as personal information all information “capable” of being associated with a consumer or household, whereas California’s definition is now tied to information “reasonably capable” of being associated with a consumer or household. The September amendments also eliminated limitations on the scope of publicly available information and added exceptions for employment or business-to-business related data. These differences were notable in the New Hampshire legislation recently introduced, which was otherwise in line with the CCPA. Continue Reading
In a recent blog post, the Federal Trade Commission highlighted three key changes it made in 2019 in its approach to issuing orders in data security enforcement matters. As stated by Andrew Smith, the Director of the FTC’s Bureau of Consumer Protection, in the blog post, the agency intends for these changes to strengthen consumer protections while providing companies with more specific and actionable guidance about how to improve their data security practices. However, the FTC’s shift in approach may also have an impact on how companies view risks associated with FTC enforcement, as the changes could result in additional obligations for a company and members of its senior leadership team. Continue Reading
On December 12, 2019, the European Parliament endorsed a non-binding resolution on enabling the digital transformation of health and care. The resolution calls on the European Commission to take a number of actions to foster the development of digital health systems in Europe to improve patient care and support research efforts — particularly those using innovative technologies such as AI.
While some state legislators are still putting away their holiday decorations, New Hampshire legislators introduced new data privacy legislation, New Hampshire House Bill 1680. The legislation is similar to the California Consumer Privacy Act (which we’ve written extensively about before, including here and here). It grants consumers access, portability, transparency, non-discrimination, deletion, and opt-out-of-sale rights (or opt-into-sale rights for minor consumers) with respect to their personal information.
Notably, NH HB 1680 does not reflect several of the amendments which partially mitigated the constitutional and operational concerns raised by the CCPA. For example, it regulates as personal information all information “capable” of being associated with a consumer or household, whereas California’s definition is now tied to information “reasonably capable” of being associated with a consumer or household. The NH legislation retains limitations on the scope of publicly available information that is excluded from the definition of personal information. By way of other examples, NH HB 1680 does not provide exceptions for employment or business-to-business related data. Continue Reading
In late December 2019, the Court of The Hague (Netherlands) published a preliminary reference procedure (see here, in Dutch). The Court was asked to decide on the scope of the right of access under the GDPR.
The defendant in this case was a bailiff involved in the bankruptcy procedure. The individual who was target of the bankruptcy procedure requested access to his/her data and a copy of several e-mails. In response, the bailiff only offered an overview of the e-mails concerned and the personal data they contained, but refused to provide a copy.
The Court decided in favor of the bailiff. The Court indicated that the right of access under the GDPR is not materially different than under the prior Data Protection Directive, so any precedent under the prior regime was still relevant. The Court also pointed out that the GDPR does not grant a right to obtain a copy of documents; it only grants a right to obtain a copy of personal data. The information provided should be sufficient to allow the data subject to verify the correctness of the data and its lawful processing.
In relation to documents that do not contain much personal information, such as the e-mails in question, the court held that it suffices to describe the data they contain. It is not necessary to provide a copy of the e-mails, although the Court acknowledged that this approach may be less practical for documents that contain higher volumes of personal data. The Court did not accept the individual’s argument that this does not allow him/her to verify that the documents do not contain more personal data than indicated by the bailiff, as there was no indication from the documents provided that they might contain more data.
In addition, the Court highlighted derogations under Dutch law to the right of access, for example, in the context of judicial procedures. Moreover, the Court noted that the request for access appeared to be triggered by a desire to know the origin of the e-mails rather than to verify the personal data they contained.
In many respects, this decision mirrors earlier guidance from German authorities on which we reported previously (see our prior blog post here).
Heading into the new year, California Consumer Privacy Act (“CCPA”) readiness remains top of mind for many businesses, especially as continued developments, such as the California Attorney General’s forthcoming implementing regulations, may implicate compliance efforts. State legislation will likely move forward in 2020. At the same time, however, companies should not lose sight of legislative proposals at the federal level, which have the potential to reshape the privacy landscape in the United States and even preempt state laws such as the CCPA. The question of whether a federal privacy bill can pass in 2020 remains an open one. But regardless of whether a bill will actually pass, the legislative proposals that are emerging this year likely will shape the contours of federal legislation that could move toward becoming law.
Although the issues of preemption and a private right of action dominated the federal privacy conversation last year, four legislative trends emerged in 2019 that also may become key components of a federal privacy framework: Continue Reading
On January 6, 2020, the Federal Trade Commission (FTC) sued a California-based mortgage broker for allegedly disclosing the personal information of customers who left negative Yelp reviews, and filed a settlement of the claims.
According to the complaint, Ramon Walker is the owner and operator of Mortgage Solutions FCS, Inc., a broker connecting residential mortgage lenders with prospective borrowers. In providing its services, Mortgage Solutions allegedly obtains personal information directly from its customers and from their credit reports.
In response to negative customer reviews on Yelp, Walker allegedly posted comments that disclosed many reviewers’ personal information. The complaint explains that Walker’s comments, publicly available on Yelp, discussed the reviewers’ “sources of income, debt-to-income ratios, credit history, taxes, family relationships, and health.” For example, one comment disclosed a reviewer’s missed and late payments to banks, and publicly stated, “[a]ll of these late payments are having an enormous negative impact on your credit score.” Continue Reading
On December 17, 2019, the Belgian Supervisory Authority (“SA”) imposed a fine of € 15,000 on an SME operating a legal information website that welcomes approximately 35,000 unique visitors a month. Interestingly, in the apparent absence of any actual complaints submitted to the SA, it carried out this enforcement action on its own initiative.
In a 43-page decision, the SA explained that the company in question was fined because:
In press reports, the SA confirmed that its intent in this enforcement action was to set an example, pointing to the exemplary role that a legal information website should play and recognizing that most websites are unlikely to be complying with the rules as enforced by the SA in this case.
On December 19, 2019, Advocate General (“AG”) Henrik Saugmandsgaard Øe handed down his Opinion in Case C-311/18, Data Protection Commissioner v Facebook Ireland and Maximillian Schrems (“Schrems II”). The AG’s Opinion provides non-binding guidance to the Court of Justice of the EU (“CJEU”) on how to decide the case.
In brief, the AG recommended that the CJEU find that Decision 2010/87 (setting out standard contractual clauses for controller to processor transfers) should not be invalidated. The Opinion also concluded that the Court did not need to rule on the validity of the EU-U.S. Privacy Shield to decide Schrems II.
