Closing Bell: California Legislature Passes Numerous CCPA Amendments and Other Privacy Bills on Final Day of 2019 Session

The last day of California’s 2019 legislative session on Sept. 13, 2019 saw a flurry of legislative activity as numerous CCPA amendments passed in the Assembly, after being amended in the Senate, and were sent to the governor for his consideration. The more substantial amendments sought by industry groups—including those […]

UPDATE: Brazil’s Data Protection Law Moves Forward

The final version of Brazil’s data protection law, Lei Geral de Proteção de Dados (LGPD), was approved by the Brazilian Federal Senate in May 2019 and sanctioned by President Jair Bolsonaro in July. The LGPD is now scheduled to become effective in August 2020. When the LGPD was first approved […]

New York State Toughens Data Security Laws

On July 25, 2019, New York enacted a pair of data security laws. First, the Stop Hack and Improve Electronic Data Security Act (SHIELD Act) updates New York’s data security requirements. Second, the Identity Theft Prevention and Mitigating Services Act imposes obligations on credit reporting agencies that experience a breach […]

Fashion ID Case: CJEU Rules on Plug-ins and Joint Controllership

On 29 July 2019, the Court of Justice of the European Union handed down its decision in the Fashion ID case, dealing with alleged unlawful data collection through the Facebook Like button and the controllership of said data. In short, the CJEU held that websites containing embedded third-party content can […]

Effort to Exempt “HR Data” from CCPA Falters

Labor groups concerned about employee privacy have succeeded in slowing the effort to pass legislation exempting employer-held information from the California Consumer Privacy Act (“CCPA”).  Thanks to their intervention, the proposed legislation – AB 25 – has been revised to provide that the CCPA will apply to personal information of […]

UK ICO Cites Inadequate M&A Data Protection Due Diligence as a Factor in Proposing $125M Breach Fine

On July 9, 2019, the UK Information Commissioner’s Office (ICO) publicly announced its intent to impose a £99M (approximately $123M) GDPR fine on Marriott in connection with the discovery and notification of a data breach at Starwood. Among its justifications for the record fine, the ICO cited inadequate data protection […]

Standing to be Dismissed – The U.S. D.D.C. Weighs in on “Actual Damage” in Data Breach Litigation

In Attias v. CareFirst, Inc., the U.S. District Court for the District of Columbia (D.D.C.) jumpstarted the debate concerning the harm plaintiffs must allege to move forward with data breach class action litigation.  In recent years, courts across the country have disagreed about what constitutes an “injury-in-fact” when an individual’s […]

Will BA, Marriott Have to Pay UK ICO’s Huge Breach Fines? We Look at What’s Next.

The UK Information Commissioner’s Office (ICO) has issued Notices of Intent (NOI) to fine British Airways (for £183m) and US hotel group Marriott (for £99m) for breaches of the EU General Data Protection Regulation (GDPR). Assuming that fines are ultimately issued, these will be the first fines to be issued […]

At GDPR’s One Year Mark, Continued Compliance Efforts are Key and Can Help with CCPA Compliance

With the EU General Data Protection Regulation (the “GDPR”) now over a year old, companies may feel that their data privacy challenges have settled down and that their GDPR work is complete.  While that may be true for some companies, the reality for most is that their GDPR compliance efforts […]

GDPR: Looking to the Year Ahead

On 30 May 2019, the UK data protection regulator, the Information Commissioner’s Office (ICO) published a report, reflecting on its experiences over the year since the introduction of the General Data Protection Regulation (2016/679) (GDPR) and sharing its learnings.