Privacy

LabMD: The End of the FTC in Cyber or Just a New Path?

Written by

The U.S. Court of Appeals for the Eleventh Circuit recently issued its opinion in LabMD, Inc. v. FTC, No. 16-16270 (11th Cir. June 6, 2018), declaring unenforceable a Federal Trade Commission (FTC) order requiring LabMD to implement an extensive cybersecurity plan. The case is noteworthy for its lengthy procedural background—during which time LabMD became defunct—and its holding, which has called into question the FTC’s authority to impose wide-ranging, comprehensive cybersecurity plans. The LabMD matter dates to 2005, when LimeWire file sharing software was installed on a company computer, [...] Read more

Landmark New Privacy Law in California to Challenge Businesses Nationwide

Written by

Following our June 4 and July 2, 2018 blog posts tracking California's November 2018 ballot measure turned hastily enacted new California privacy law titled The California Consumer Privacy Act of 2018 (CCPA), Alston & Bird's Privacy & Data Security Group released a more detailed "first look" review of California’s sweeping new law.  The advisory provides an overview of the new law, which establishes an array of privacy rights for state residents and worries for businesses nationwide, and concludes with key initial takeaways for business. Read the advisory here. [...] Read more

California Approves the California Consumer Privacy Act in Response to Consumer Privacy Ballot Initiative

Written by

As discussed in this blog’s June 4, 2018 blog post, a group called Californians for Consumer Privacy gathered enough signatures for a new measure called the Consumer Right to Privacy Act to qualify for the November 2018 ballot.  With momentum building for passage of that ballot measure, various stakeholders met with California legislators to devise a bill that could be passed in place of the measure (and to the satisfaction of the measure’s backers).  The legislature and governor had until last Thursday, June 28 – the deadline for the measure’s backers to remove it from the November’s [...] Read more

German DPA Announces GDPR Compliance Survey of Large Companies – Translation Provided

Written by

Following a two-year grace period, EU General Data Protection Regulation (GDPR) entered into force on May 25, 2018.  For many companies, preparing for the GDPR was a multi-year project involving multiple teams and input or assistance from across the organization.  On this blog, we have outlined the items we have seen as particularly time- or resource-intensive. On June 29, 2018, the Data Protection Authority (DPA) of the German state of Lower Saxony (Niedersachsen) announced it would be surveying GDPR compliance among companies under its jurisdiction.  Germany has 16 state-run DPAs with general [...] Read more

Supreme Court Recognizes Reasonable Expectation of Privacy in Historical Cell-Site Location Information

Written by and

The Supreme Court recently held in Carpenter v. United States that an individual has a reasonable expectation of privacy in historical cell-site location information (CSLI) that provides a comprehensive view of the individual’s movement. A 5-4 decision, Carpenter marks a significant development for both the third-party doctrine and in the privacy space more generally. Carpenter signals a change in the Court’s traditional view of the third-party doctrine and highlights the ubiquity and all-encompassing nature of CSLI in the process. The petitioner, Timothy Carpenter, was convicted for his [...] Read more

GDPR Fragmentation May Appear More Significant than Intended

Written by

With the entry into application of the GDPR on May 25, 2018, the EU Member States were expected to have adopted national legislation implementing the regulation. To date, however, only 30% of Member States have effectively passed legislation, which still leaves the legal landscape to be precarious. The GDPR allows for deviations and specifications in several areas, for instance to introduce specific conditions or limitations for the processing of biometric, genetic, or health data; to create specific protection regimes for employee data; or to restrict the rights the GDPR grants to individuals. [...] Read more

Privacy Activist Challenges Data Collection for Internet Businesses

Written by

Austrian privacy activist Max Schrems’ organization, NOYB – Center for Digital Rights, filed complaints against Google (Android), Instagram, WhatsApp and Facebook on May 25th, the same day on which the EU General Data Protection Regulation (GDPR) became effective. NOYB filed the complaints based on the GDPR with supervisory authorities in France, Belgium, Germany and Austria.  These “Day 1” complaints could have a definite impact on ad-supported online businesses. The complaints reflect similar criticisms of each company. Assuming that each company processes personal data on the basis [...] Read more

Chicago City Council Considers Data Collection and Protection Legislation

Written by

Unique and detailed data protection legislation is currently under consideration by the Chicago City Council. If passed in its current form, the Data Collection and Protection Ordinance (the “Ordinance”) would impose consent, notification, and registration obligations on regulated companies, as well as require a prescribed notice to users of location services on mobile devices and express consent for use of geolocation data by mobile applications. Consent requirements The consent provisions would apply to “operators,” defined to include any entity that (1) “owns a website on the [...] Read more

EU Supervisory Authorities Disclose DPO Notification Tools

Written by

Shortly after the GDPR’s entry into application on May 25, 2018, several EU Supervisory Authorities have activated online Data Protection Officer (“DPO”) notification tools, allowing organizations to communicate the contact details of their DPO to the Supervisory Authorities, which is a requirement under Article 37 GDPR. While the DPO Guidelines of the Article 29 Working Party (“WP29”; replaced by the European Data Protection Board, “EDPB”) do not emphasize the requirement to notify DPOs, Supervisory Authorities (“SAs”) view these notifications as important, and have made available [...] Read more

Momentum Building for California’s Consumer Right to Privacy Act Ballot Initiative

Written by

In early May, a group called Californians for Consumer Privacy gathered enough signatures for the Consumer Right to Privacy Act (CRPA) to qualify for the November 2018 ballot. The ballot initiative builds on existing California laws directed at protecting the privacy of California consumers’ personal information, including the Shine the Light law (Civil Code §1798.83) and the California Online Privacy Protection Act (CalOPPA, Business & Professions Code §§22575-22579).    The CRPA sets forth a statutory framework that: 1) gives consumers the right to know what categories of personal [...] Read more