Several states have proposed new privacy bills since their sessions began.  Some of the proposed bills carry over or re-introduce bills drafted in previous legislative sessions, while others are introducing firstin-time omnibus privacy bills.  In the high-level chart below, we compare five of the key state privacy frameworks: the CPRA, VCDPA (which we blogged about here), the NYPA, the general privacy provisions of the Washington Privacy Act, and the newly introduced Washington People’s Privacy Act (HB 1433)

Continue Reading 2021 State Privacy Legislation Roundup: California, Virginia, New York, and Washington

On May 25, 2020, the second anniversary of the GDPR, the Belgian Supervisory Authority (“SA”) released an overview of its first full year of activity (available in French here, and in Dutch here).  To be clear, this was not a delay in reporting, but rather shows that the Belgian legislature was late in creating its oversight and enforcement authority for data protection.

According to the activity overview, the SA has received over 900 security breach notifications and around 350 complaints.  It has performed over 100 inspections and imposed 59 sanctions, 9 of which resulted in fines for a total of €189,000.  In fact, the SA has imposed the bulk of these fine amounts only in the last two months.


Continue Reading Belgian Supervisory Authority’s GDPR Track Record So Far

On December 18, 2019, staffers on the House Energy and Commerce Committee circulated a draft of a bipartisan privacy bill.  The draft is currently unnamed and unfinished, but it lays out a comprehensive framework that expands both individuals’ rights to their data and the FTC’s enforcement role over digital privacy.  Rep. Cathy McMorris-Rodgers (R-Wash.) and Rep. Jan Schakowsky (D-Ill.) have been particularly involved in working on the bill.

“We welcome input from all interested stakeholders and look forward to working with them going forward,” an Energy and Commerce spokesperson told The Hill.  “This draft seeks to protect consumers while also giving data collectors clear rules of the road.  It reflects many months of hard work and close collaboration between Democratic and Republican Committee staff.”

The draft bill echoes many of the provisions in the Consumer Online Privacy Rights Act (COPRA) introduced last month by Democratic senators.  However, unlike COPRA, the bill is silent on two notable issues: whether individuals have a private right of action to assert violations and whether the bill would preempt state laws. 
Continue Reading House Energy and Commerce Committee Circulates Draft Privacy Bill Expanding FTC Authority

On October 16, 2019, the body of German Supervisory Authorities known as the Datenschutzkonferenz (“DSK”) released a document proposing a model for calculating fines under the GDPR.  The DSK indicated that this model is subject to change and will be superseded by any method put forward in guidance issued by the European Data Protection Board.

Back in 2013, we published a blog post entitled, “European Regulators and the Eternal Cookie Debate” about what constitutes “consent” for purposes of complying with the EU’s cookie rules.  The debate continues…  Yesterday, the ICO published new guidance on the use of cookies and a related “myth-busting” blog post.  Some of the

On April 5, 2019, the association of German Supervisory Authorities for data protection (‘Datenschutzkonferenz’ or ‘DSK’) published a guideline regarding the applicability of the German Telemedia Act (‘TMG’) to telemedia services – including, for example, the use of website cookies for targeted advertising post-GDPR. The guideline aims to “clarify

On March 26, 2019, the Polish Supervisory Authority (“SA”) issued a fine of around €220,000 against a company that processed contact data obtained from publicly available sources without informing the individuals concerned (decision in Polish here and English summary here). Article 14 of the GDPR requires data controllers, who do not obtain personal data

On March 21, 2019, Advocate General Szpunar released his opinion in the Planet49 case, currently pending before the Court of Justice of the European Union (CJEU).  The case centers on the use of consent for the processing of personal data and consent for the use of cookies.

Planet49 GmbH offered an online lottery service for