Sephora Settles with California AG for $1.2M for Alleged CCPA Violations Relating to Third-Party Cookies and User-Enabled Opt-Out Signals

On August 24, 2022, California Attorney General Rob Bonta announced a settlement with Sephora for violations of the California Consumer Privacy Act (CCPA). The action places online consumer tracking, analytics and advertising squarely in the regulatory crosshairs. “Sephora, like many online retailers, installs third-party companies’ tracking software on its website and in its app so that these third parties can monitor consumers as they shop,” the AG alleged, “. . . [and] when a company like Sephora utilizes third-party tracking technology without alerting consumers and giving them the opportunity to control their data, they deprive consumers of the ability to limit the proliferation of their data on the web.”

Zombie PHR Breach Rule Rises From the Dead

If an entity that offers a personal health record identifies a breach of information in that record, it is required to provide notice to each impacted individual and to the FTC within 60 calendar days of discovery.

Yesterday, the FTC issued a policy statement announcing a new interpretation of the FTC’s 10-year-old “Personal Health Record Breach Notification Rule.” As the FTC acknowledges, this rule has never been enforced by the FTC. The FTC’s announcement indicates its intention to begin enforcing this rule, which allows the FTC to assess penalties of $43,792 per day of violation.

New Tools for International Data Transfers: European Commission Adopts New Standard Contractual Clauses

The European Commission recently adopted a new set of Standard Contractual Clauses (SCCs) for organizations to use in compliance with the EU General Data Protection Regulation requirements for transfers of personal data from the European Economic Area. The previous SCCs were outdated and did not cover many common data processing scenarios. Organizations will have an 18-month transition period to adopt the new SCCs, but many parties will need this time to re-examine their dataflows and review their internal compliance procedures to meet the exacting new standards.

Draft Standard Contractual Clauses Released by European Commission: New Clause Cause for Applause?

Following on from last week’s big announcement by the European Data Protection Board (EDPB) on its expectations for international data transfers after the European Court of Justice’s July 16 Schrems II decision, the European Commission released a draft set of new Standard Contractual Clauses (SCCs) and a draft implementing decision. The Commission’s draft set of clauses allows for two new types of transfer and contains important updates to bring the text of the clauses in line with the General Data Protection Regulation. The draft documents are now available for public consultation, and both the EDPB and the European Data Protection Supervisor will be asked for their opinions on the documents. Following the Schrems II decision, many organizations have been waiting for guidance on additional safeguards and for the (long overdue) arrival of updated Standard Contractual Clauses. While the last few days have seen some welcome developments after a period of hiatus, organizations will likely need some time to assess the practical implications before making radical changes to international data transfer arrangements.

For the full alert, visit the Faegre Drinker website.

European Data Protection Board Issues New Recommendations for International Data Transfers: Essential Guarantees, Supplemental Measures, and False Warrant Canaries

A pair of highly anticipated guidance documents outline the European Data Protection Board’s (EDPB) expectations for organizations transferring data out of the EU. While the detailed process for evaluating data transfers brings welcomed guidance and clarity, some aspects of the EDPB’s framework present significant obstacles for those working with non-EU service providers or moving data for routine business purposes.

For the full alert, visit the Faegre Drinker website.

Here Come the Proposed CCPA Regulations We’ve All Been Waiting For

After a long wait, the California Attorney General’s (AG) office held a news conference on October 10, 2019, and published proposed regulations implementing the California Consumer Privacy Act (CCPA). Companies gearing up for CCPA’s January 1, 2020, effective date should quickly review and assess the proposed regulations’ potential effects on their operations and consider attending upcoming public hearings or submitting public comments by December 6, 2019.

©2024 Faegre Drinker Biddle & Reath LLP. All Rights Reserved. Attorney Advertising.