September 2019

Yesterday, the Federal Trade Commission (“FTC”) and the New York Attorney General’s office (“NYAG”) settled allegations against Google LLC and its subsidiary YouTube, LLC claiming violations of the Children’s Online Privacy Protection Act and its implementing rule (together, “COPPA”).  The settlement requires Google and YouTube to pay $136 million to the FTC and $34 million to the NYAG for a total penalty almost 30 times higher than the largest COPPA penalty previously imposed.

Overview of the Complaint and Order

The joint FTC-NYAG complaint alleged that Google and YouTube collected personal information from children under 13 online and used that information to deliver online behavioral advertising, without first providing notice or obtaining verifiable parental consent as required by COPPA.  More specifically, the complaint alleged that Google and YouTube had actual knowledge that certain YouTube channels were child-directed but nevertheless collected persistent identifiers in the form of cookie and advertising identifiers to serve behavioral advertising to viewers of those channels.

In addition to requiring the $170 million total civil penalty and enjoining future COPPA violations, the settlement order requires “fencing-in” relief, meaning injunctive provisions that go beyond what is required under existing law.  The order requires that YouTube and Google establish a system on YouTube that requires channel owners to self-designate whether the content they upload is child-directed.  For videos designated as child-directed, YouTube will not collect persistent identifiers for behavioral advertising.  The order further requires that Google and YouTube implement a training program for employees about the system and about COPPA’s requirements overall.  Finally, it imposes compliance reporting and recordkeeping requirements.

The settlement is notable both for what it does—and doesn’t—establish:

On June 27, 2019, the High Court of Frankfurt decided that consent to data processing that is tied to consent to receiving advertising can be considered freely given under the GDPR.

The case concerned an electricity company that relied on consent obtained by another company to advertise its products

Over the past several months, many states, including Illinois, New York, Texas, and Washington, have passed significant amendments to their state data breach notification laws.  Currently, most state data breach notification laws only require notification of residents (and possibly state regulators or others) following a “breach” of personally identifiable information (“PII”), which is often defined as a resident’s name along with a Social Security number, driver’s license or state identification card number, or a financial account, debit, or credit card number with any required security code, access code, or password to access a financial account.  Among other changes, these amendments have expanded the categories of PII that may trigger notification obligations if breached, imposed new requirements to notify regulators (in addition to affected individuals) in the event of a breach, and implemented specific timing requirements for how soon after a breach individuals and regulators must be notified.  These changes are summarized in additional detail below.