On March 21, 2022, the European Data Protection Board (“EDPB”) published its draft Guidelines 3/2022 on Dark patterns in social media platform interfaces (hereafter “Guidelines”, available here), following the EDPB’s plenary session held on March 14, 2022.  The stated objective of the Guidelines is to provide practical guidance to both designers and users of social media platforms about how to identify and avoid so-called “dark patterns” in social media interfaces that would violate requirements set out in the EU’s General Data Protection Regulation (“GDPR”).  In this sense, the Guidelines serve both to instruct organizations on how to design of their platforms and user interfaces in a GDPR-compliant manner, as well as to educate users on how certain practices they are subject to could run contrary to the GDPR (which could, as a result, lead to an increase in GDPR complaints arising from such practices).  The Guidelines are currently subject to a 6-week period of public consultation, and interested parties are invited to submit feedback directly to the EDPB here (see “provide your feedback” button).

In this blog post, we summarize the Guidelines and identify key takeaways.  Notably, while the Guidelines are targeted to designers and users of social media platforms, they may offer helpful insights to organizations across other sectors seeking to comply with the GDPR, and in particular, its requirements with respect to fairness, transparency, data minimization, purpose limitation, facilitating personal data rights, and so forth.

Continue Reading EDPB Publishes Draft Guidelines on the Use of “Dark Patterns” in Social Media Interfaces

To add to the growing number of bills that would amend or revoke Section 230 of the Communications Decency Act, last month Senator Amy Klobuchar (D-MN) introduced the Health Misinformation Act of 2021 (S.2448).  Senator Ben Lujan (D-NM) cosponsored the bill.

The bill would amend Section 230 to revoke the Act’s liability shield

Last week, the Ninth Circuit ruled in Lemmon v. Snap, Inc., No. 20-55295 (May 4 2021), that 47 U.S.C. § 230 (“Section 230”) did not bar a claim of negligent product design against Snap, Inc., reversing and remanding a lower court ruling.
Continue Reading Ninth Circuit Denies Section 230 Defense in Products Liability Case

On September 30, 2020, the French Court of Cassation (“Court”) ruled in favor of an employer that dismissed an employee because of the contents of a Facebook post (the decision is available here, in French).  In particular, the employee in this case posted a photograph of a new clothing collection of the employer on

FCC Chairman Pai announced today that the FCC will move forward with a rulemaking to clarify the meaning of Section 230 of the Communications Decency Act (CDA).  To date, Section 230 generally has been interpreted to mean that social media companies, ISPs, and other “online intermediaries” have not been subject to liability for their users’ actions.
Continue Reading FCC Announces Section 230 Rulemaking

On 7 September 2020, the European Data Protection Board (“EDPB”) adopted draft guidelines on the targeting of social media users (the “Guidelines”).  The Guidelines aim to clarify the roles and responsibilities of social media providers and “targeters” with regard to the processing of personal data for the purposes of targeting social media users.

Continue Reading EDPB Publishes Draft Guidelines on the Targeting of Social Media Users

On May 25, 2020, the second anniversary of the GDPR, the Belgian Supervisory Authority (“SA”) released an overview of its first full year of activity (available in French here, and in Dutch here).  To be clear, this was not a delay in reporting, but rather shows that the Belgian legislature was late in creating its oversight and enforcement authority for data protection.

According to the activity overview, the SA has received over 900 security breach notifications and around 350 complaints.  It has performed over 100 inspections and imposed 59 sanctions, 9 of which resulted in fines for a total of €189,000.  In fact, the SA has imposed the bulk of these fine amounts only in the last two months.

Continue Reading Belgian Supervisory Authority’s GDPR Track Record So Far

Just before the Thanksgiving holiday, the Federal Trade Commission (“FTC”) announced the issuance of consent orders involving Creaxion Corporation and Inside Publications, LLC to settle allegations that the companies misrepresented paid endorsements as independent opinions, and misrepresented paid commercial advertising as independent editorial content.  As a result, these companies and their principals are now prohibited from making misrepresentations about the status of their endorsers, required to clearly and conspicuously disclose material connections with such endorsers, and are required to monitor their endorsers.

Continue Reading FTC Settles with PR Firm and Publisher Over Social Media Endorsements

The Article 29 Working Party (WP29) has published long-awaited draft guidance on transparency and consent under the General Data Protection Regulation (“GDPR”).  We are continuing to analyze the lengthy guidance documents, but wanted to highlight some immediate reactions and aspects of the guidance that we think will be of interest to clients and other readers of InsidePrivacy.  The draft guidance is open for consultation until 23 January 2018.

Continue Reading EU Regulators Provide Guidance on Notice and Consent under GDPR

On September 5, 2017, the Grand Chamber of the European Court of Human Rights (“ECtHR”) issued its ruling on appeal in the case of Bărbulescu v. Romania, concerning alleged unlawful workplace monitoring of Mr. Barbulescu’s private communications.

Overturning the ECtHR’s prior ruling in the case (covered by Inside Privacy here), the Grand Chamber held that Romanian courts had not adequately and fairly weighed up the competing interests of Mr Barbulescu and his employer.  That defect of justice meant that Romania had failed to proactively protect Mr Barbulescu’s right to privacy, as required by its membership of the European Convention on Human Rights.

The Grand Chamber held that Mr Barbulescu’s right to privacy extended to his workplace, despite his private use of a work computer constituting a breach of his rules of employment.  The Grand Chamber held that while privacy in the workplace can be restricted “as necessary,” “an employer’s instructions cannot reduce private social life in the workplace to zero,” since the right to privacy does not necessarily depend on an individual’s reasonable expectations, and can be enjoyed in public and in the workplace, notwithstanding prohibitions and warnings given to the individual.  A fulsome balancing exercise was therefore required in cases such as these.

The Grand Chamber underlined that provided national courts undertake an adequate balancing exercise, they have some discretion as to the actual result (i.e. whether the employer’s or employee’s rights prevail in a given case).  Similar discretion is also enjoyed by national legislators and constitutions when setting underlying rules on workplace privacy, provided such rules – and a means to enforce them – are actually in place.

Nevertheless, the ruling states that workplace monitoring must always be limited to what is necessary for a legitimate purpose, and should be accompanied by a range of safeguards, normally including prior notice to employees – particularly when the content of communications is concerned.
Continue Reading New Ruling in European Employee Monitoring Case