Tag Archives: Personal Information

Delaware Amends Data Breach Notification Law to Require Credit Monitoring, Attorney General Notification

Delaware Gov. John Carney has signed into law a bill that will impose more stringent obligations for notifying affected Delaware residents in the event of a data breach, in addition to establishing requirements for Delaware businesses to maintain “reasonable” data security practices.  In addition to expanding the types of information that would require notification of … Continue Reading

CFPB Issues $100,000 Fine in First-Ever Data Security Enforcement Action

On March 2, 2016, the Consumer Financial Protection Bureau (CFPB) entered into a consent order with online payment systems operator Dwolla, Inc., based on allegations that Dwolla deceived consumers about its data security practices and the safety of its online payment system. The CFPB brought this action under its authority in Sections 1031(a) and 1036(a)(1) … Continue Reading

UK Supreme Court Will Hear Google’s Appeal in Important Privacy Case

The UK Supreme Court has granted Google the right to appeal part of the English and Welsh Court of Appeal’s notable ruling in Google Inc. v. Vidal-Hall & Ors [2015] EWCA Civ 311. Our previous blog highlighted the facts of the case (brought by Internet users against Google’s ad-tracking practices) and the significant consequences of … Continue Reading

European Consumer Legislation and Online Privacy Policies: Opening Pandora’s Box?

Regulators and courts in the EU are increasingly vigilant about the privacy practices and policies of large online companies.  In recent years and months, the pressure has increased not only through privacy-specific regulations and enforcement, but also through the application of consumer legislation.  As the examples below from France and Germany show, some courts or … Continue Reading

Data Breach Notification Bills Introduced in House and Senate

By Caleb Skeath

Last week, Reps. Joe Barton (R-TX) and Bobby Rush (D-IL) re-introduced the Data Accountability and Trust Act (DATA Act) in the House of Representatives.  The bill (H.R. 580), which has been introduced several times in previous years, would provide a nationwide data security standard, backed by FTC enforcement and civil penalties, as … Continue Reading

House Debates Federal Data Breach Legislation

This morning, the House Subcommittee on Commerce, Manufacturing, and Trade, chaired by Rep. Michael Burgess (R-TX), held a hearing to determine what elements should be included in federal data breach legislation.  Despite the momentum for legislation created by high-profile breaches at retailers like Target and Home Depot, and most recently at Sony, ongoing efforts in … Continue Reading

New Jersey Legislature Considers Additional Protections for Car “Black Box” Data

By Caleb Skeath

You’ve added a passcode to your phone, checked your social network privacy settings (twice), and kept close tabs on the cookies in your web browser. But have you ever thought closely about the information your car collects about you? New Jersey legislators are debating two identical bills that would provide additional safeguards … Continue Reading

Microsoft and Other Leading K-12 School-Service Providers Pledge To Protect Student-Data Privacy

Yesterday, several big tech companies that offer educational and school services signed the “Student Privacy Pledge,” introduced by the Future of Privacy Forum (“FPF”) and The Software & Information Industry Association (“SIIA”) to safeguard student privacy as it relates to the collection, maintenance, and use of students’ personal information.  Among the fourteen education tech companies … Continue Reading

California Amends Data Breach Legislation

Continuing our coverage of the flurry of bills signed into law by California Governor Jerry Brown last week, we turn now to AB 1710, an amendment to California’s data breach legislation. The data breach amendment makes three notable changes to existing laws regarding personal information privacy: 1.  Requires Companies that Maintain Personal Information to Implement … Continue Reading

Ponemon Institute Releases Second Annual Study on Data Breach Preparedness

The second annual study on data breach preparedness was released by the Ponemon Institute on September 24, and the study indicates that the number of companies that have had a data breach is on the rise. Ponemon Institute conducts independent research on privacy, data protection, and information security policy.  For the September 2014 study, Is … Continue Reading

FTC Settlement Requires Fandango and Credit Karma to Establish Comprehensive Security Programs to Protect Consumers’ Sensitive Personal Information

The Federal Trade Commission (“FTC”) has approved final orders settling charges against Fandango and Credit Karma that the companies misrepresented the security of their mobile apps and failed to protect the transmission of consumers’ sensitive personal information.  The FTC specifically alleged that, although the companies made security promises to consumers that their information was adequately … Continue Reading

Revised OECD Privacy Guidelines Strengthen Accountability Principle

The Organization for Economic Cooperation and Development (“OECD”) has revised its Guidelines governing the Protection of Privacy and Transborder Flows of Personal Data. The revision has been triggered by changes in personal data usage as well as new approaches to privacy protection since the adoption of the first Guidelines back in 1980, which were the … Continue Reading

Data Breach Notification within 24 hours in the Electronic Communication Sector – An Example to Follow in the Reform of the EU Data Protection Directive?

Under the so-called e-Privacy Directive, providers of publicly available electronic communications services (primarily telecom providers and ISPs) are obliged to notify the competent national authorities and, in certain cases also the subscribers and individuals concerned, of personal data breaches. In order to ensure consistency in the implementation of this notification obligation by the EU Member … Continue Reading

British Fraud Investigator Admits on Chinese State TV to Illegally Purchasing and Selling Personal Information

By Eric Carlson & Scott Livingston

On August 27, 2013, state-run China Central Television broadcast a taped confession of detained British fraud investigator Peter Humphrey confessing to having used “illegal means” to obtain the personal information of Chinese citizens.  This highly unusual broadcast of a confession made by a foreigner in China, along with other … Continue Reading

China Issues Comprehensive Regulation on Collection and Use of Personal Information by Websites and Telecommunication Service Providers

On July 16, 2013, China’s Ministry of Industry and Information Technology (“MIIT”) promulgated the Provisions on Protecting the Personal Information of Telecommunication and Internet Users (“Internet Provisions”).  The Internet Provisions, which take effect September 1, 2013, provide specific implementation rules for telecommunication and internet information service provider’s (“TSPs” and “IISPs,” respectively) collection and use of … Continue Reading

Proposed California “Right to Know” Act Would Require Broad Disclosures To CA Residents

A bill titled the “Right to Know Act of 2013” (AB 1291), which was first introduced by Assembly Member Bonnie Lowenthal this past February, continues to gather momentum in the California legislature.  The Right to Know Act would repeal and re-write Cal. Civ. Code § 1798.83 (often referred to as the California Shine the Light law) … Continue Reading

CA Supreme Court Holds That Song-Beverly Does Not Apply To Online Purchases For Electronic Downloads

On Monday, the California Supreme Court, by a slim 4-3 majority, held that California’s Song-Beverly Credit Card Act of 1971 (“Song-Beverly”) does not apply to online purchases in which a product is downloaded electronically, finding that Apple was not liable under the statute for collecting plaintiff Krescent’s telephone number and address in order to complete … Continue Reading

China Releases National Standard for Personal Information Collected Over Information Systems; Industry Self-Regulatory Organization Established

China’s Standardization Administration recently released a long-awaited national standard related to personal information.  Entitled Information Security Technology — Guidelines for Personal Information Protection Within Public and Commercial Services Information Systems (信息安全技术公共及商用服务信息系统个人信息保护指南) (“Guidelines”), the new standard will take effect February 1, 2013.  The Guidelines are voluntary and lack the force of law.  They nevertheless clarify key … Continue Reading

Dun & Bradstreet Reportedly Fined RMB $1 Million for Illegally Obtaining Personal Information in China; Four Employees Imprisoned

A recent decision by a Shanghai court sheds new light onto a vague provision of the PRC Criminal Law and highlights the challenges faced by foreign companies overseeing local operations in China. On September 28, 2012, Dun & Bradstreet’s local operating subsidiary Shanghai Roadway D&B Marketing Services Co., Ltd. (“Roadway”) was charged by the Shanghai … Continue Reading

European Data Protection Supervisor Calls For Clearer and More Privacy-Friendly Rules On Internet Intermediary Liability

The European Data Protection Supervisor (EDPS), Peter Hustinx, recently published a response to a European Commission consultation on reform of the “notice-and-action” (“N&A”) procedure rules — i.e., the legal regime that requires Internet intermediaries to remove hosted content when they are notified that such content is illegal.  As set out in more detail below, the … Continue Reading

FTC Approves MySpace Settlement

Yesterday, the Federal Trade Commission (“FTC”) approved an agreement with MySpace to settle charges that the company misrepresented the extent to which it shared personal information with third-party advertisers.  MySpace’s privacy policy suggested that it would not share personally identifiable information (“PII”) with third parties without the user’s permission, but the Commission alleged that this … Continue Reading

Canadian Privacy Commissioner Issues Guidance under PIPEDA

Last week, the Office of the Privacy Commissioner in Canada (OPC) issued important guidance under Canada’s national privacy law, the Personal Information Protection and Electronic Documents Act (PIPEDA).  The guidance highlights various scenarios in which PIPEDA applies based on judicial opinions and previous OPC interpretations.  In general, PIPEDA applies to the personal information that an … Continue Reading