Header graphic for print
Privacy Law Blog

Category Archives: Data Privacy Laws

Subscribe to Data Privacy Laws RSS Feed

Navigating the Patchwork: When Is European Data Privacy Law Applicable to US Companies?

Posted in Data Privacy Laws, European Union, International, Online Privacy

Are social media companies based in the United States subject to European data privacy laws?  Two recent judicial decisions – one in France and the other in Germany – arrived at different answers.  The Civil Court of Paris held that Twitter, based in California, was obligated under the French Code of Civil Procedure to reveal… Continue Reading

Shine the Light a Little Brighter – Changes Resulting in Increased Customer Access Proposed to California’s “Shine the Light” Act

Posted in California, Data Privacy Laws, Online Privacy

California Assembly Member, Bonnie Lowenthal, recently introduced the “Right to Know Act of 2013″ (AB 1291), which would require any company that retains a  California resident’s personal information to provide a copy of that information to that person, free of charge, within 30 days of the request. The company would also have to disclose a… Continue Reading

Six European Data Protection Authorities Will Launch Legal Actions against Google Stemming from its Privacy Policy

Posted in Behavioral Marketing, Data Privacy Laws, European Union, International, Online Privacy, Privacy Litigation

The French, Italian, British, German, Spanish and Dutch Data Protection Authorities announced on April 2, 2013 that each will launch investigations and enforcement actions against Google on the grounds that its privacy policy is not compliant with the European Directive on Data Protection, available at http://eur-lex.europa.eu/en/index.htm, (the “Directive”).

Massachusetts Supreme Court Rules ZIP Codes Are Definitely “Personal Identification Information”

Posted in Data Privacy Laws

In a recent ruling arising from certain certified questions in Tyler v. Michaels Stores, Inc., Civ. No. 11-10920-WGY (D. Mass. Jan. 6, 2012, the Massachusetts Supreme Court interpreted “personal identification information” under Mass. Gen. Laws, ch. 93, § 105(a) Section 105(a) to include a consumer’s ZIP code and determined that collecting such personal information is… Continue Reading

President Obama Signs Executive Order on Cybersecurity

Posted in Data Breaches, Data Privacy Laws, National Security, Online Privacy

As announced during the 2013 State of the Union Address, President Obama recently signed an Executive Order on cybersecurity.  The primary goals of the Executive Order are to (a) improve communication between private companies and the federal government about emerging cyber threats and (b) safeguard the nation’s critical infrastructure against cyber attacks by developing and implementing… Continue Reading

China Introduces New Data Privacy Law

Posted in Data Privacy Laws, Online Privacy

On December 28, 2012, the Standing Committee of China’s National People’s Congress, China’s legislative body, passed the “Decision on Strengthening Network Information Protection” (the “Decision”), which contains various principles for protecting, collecting and using electronic personal information in China.  According to the Decision, these principles were passed in order to protect network information security, protect… Continue Reading

California Supreme Court Holds Online Retailers of Downloadable Products May Require Personally Identifying Information For Credit Card Transactions

Posted in California, Data Privacy Laws, Financial Privacy, Online Privacy

The California Supreme Court held on February 4, 2013 that the provision of the Song-Beverly Credit Card Act of 1971 (the “Act”) prohibiting retailers from requesting personally identifying information as a condition to processing credit card transactions does not apply to online purchases of electronically downloadable items. (Apple v. Super. Ct., S199384, Case No. B238097,… Continue Reading

Massachusetts AGO Enters Into Another Settlement For Data Security Violations

Posted in Data Breaches, Data Privacy Laws, HIPAA, Medical Privacy

For the fourth time since the Massachusetts data security regulations took effect in March 2010, the Massachusetts Attorney General’s Office (“AGO”) has settled allegations that Massachusetts-based entities violated the regulations.  On January 7, 2013, Suffolk Superior Court approved consent judgments pursuant to which five entities agreed to collectively pay $140,000 to settle allegations that they… Continue Reading

The UK Information Commissioner’s Office Seeks Views on Privacy Seals

Posted in Data Privacy Laws

The European Commission’s revised data protection framework proposals include provisions intended to encourage the use of data protection privacy seals, certification mechanisms and trust marks.  These provisions would allow data subjects to instantly assess the privacy standards applied by data controllers and processors, thereby providing the comfort that data subjects often seek.  The UK Information… Continue Reading

Alternative Trading System Agrees to Pay $800K for Failure to Protect Confidential Information

Posted in Data Privacy Laws, Financial Privacy

Earlier this month, the Securities and Exchange Commission (“SEC”) instituted public administrative and cease and desist proceedings against eBX, LLC (“eBX”), a broker-dealer registered with the SEC.  eBX operates LeveL ATS, an alternative trading system (“ATS”) known as a “black pool,” which is a proprietary market where traders may exchange large blocks of stock with… Continue Reading

New Jersey Legislature Amends Stored Value Card Abandonment Law

Posted in Data Privacy Laws

On June 29, 2012, New Jersey Governor Chris Christie signed into law legislation amending New Jersey’s unclaimed property law relating to the escheat of abandoned stored value cards (SVCs) to the state. Under the original unclaimed property law, which took effect July 1, 2010, SVCs that were inactive for two years were presumed abandoned, and New Jersey required that the monetary value associated with the inactive cards be escheated to the state. Additionally, SVC issuers were required to (a) “obtain” the name and address of each card owner or purchaser, and (b) “at a minimum, maintain a record of the zip code of the owner or purchaser” of each SVC. Under the amended law, SVCs are presumed abandoned after five years of inactivity (as opposed to two years), and SVC issuers have a forty-eight month grace period before they are required to collect the names, addresses, and zip codes of SVC owners or purchasers. Issuers that do not collect purchasers’ names and addresses in the normal course of business or during a card-registration process are exempted from collecting purchasers’ names and addresses under the law, but they are still required to collect and maintain purchasers’ zip codes.
It should be noted that the unclaimed property law potentially conflicts with a separate New Jersey law protecting the personal information of credit card holders (N.J. Stat. § 56:11-17 (2012)). That law makes it unlawful for any person to require the disclosure of any personal identification information from a credit card holder that is not required to complete the transaction as a condition of allowing the card holder to use the credit card to complete the transaction. While we await the resolution of this potential conflict, courts may rule that no conflict exists: § 56:11-17 only addresses credit card use, but the state’s unclaimed property law makes no distinction between payment methods (and, therefore, doesn’t condition the use of a credit card on the collection of personal information).

European Data Protection Authorities Publish Guidelines Clarifying Exemptions to Cookie Consent Requirement

Posted in Data Privacy Laws, European Union

  On June 7, 2012, the Article 29 Working Party, an independent advisory body composed of representatives from the national data protection authorities of the EU Member States, the European Data Protection Supervisor and the European Commission, issued Opinion 04/2012 regarding which types of cookies are exempted from the informed user-consent requirement under Directive 2002/58… Continue Reading

Is data breach notification compulsory under French law?

Posted in Data Breaches, Data Privacy Laws, Electronic Communications, European Union, Security Breach Notification Laws

On May 28th, the Commission nationale de l’informatique et des libertés (“CNIL”), the French  authority responsible for data privacy, published guidance on breach notification law affecting electronic communications service providers.   The guidance was issued with reference to European Directive 2002/58/EC, the e-Privacy Directive, which imposes specific breach notification requirements on electronic communication service providers. French legislator recently amended… Continue Reading

Vermont Amends Security Breach Notification Law

Posted in Data Privacy Laws

On May 8th, Vermont became the most recent state to amend its security breach notification law. Among the many changes, companies that are affected by a data breach are now required to notify the Attorney General of Vermont within 45 days after the discovery or notification of the breach.

Massachusetts AGO Stresses the Importance of Encryption

Posted in Data Breaches, Data Privacy Laws

 The Massachusetts Attorney General’s Office ("AGO") has entered into an Assurance of Discontinuance (the "Settlement") with a Massachusetts company after allegations that the company failed to adequately protect personal information of Massachusetts residents. The AGO alleged that an employee of Maloney Properties, Inc. ("MPI") stored unencrypted personal information on a company laptop, and failed to… Continue Reading

Smart Grid Technology Implicates New Privacy Concerns

Posted in Data Privacy Laws

The smart grid is an advanced metering infrastructure made up of “smart meters” capable of recording detailed and near-real time data on consumer electricity usage.  That data would then be sent to utilities through a wireless communications network.  In recent years, utilities have increased the pace of smart meter deployment—smart meters are expected to be… Continue Reading

The White House Proposes New Consumer Privacy Bill of Rights

Posted in Data Privacy Laws

On February 23, 2012, the White House issued a proposal to adopt a Consumer Privacy Bill of Rights. The new proposal is part of the Administration’s efforts to adopt a comprehensive consumer data privacy framework that applies to all personal data, defined as any data that can be linked to a specific individual or device. The Administration’s… Continue Reading

R-E-S-P-E-C-T, Cross-Border E-discovery

Posted in Data Privacy Laws, International

Litigants navigating the conflict between U.S. discovery obligations and foreign data protection laws have a new ally, the American Bar Association (“the ABA”). The ABA recently passed Resolution 103, which “urges” that: [W]here possible in the context of the proceedings before them, U.S. federal, state, territorial, tribal and local courts consider and respect, as appropriate, the… Continue Reading

Illinois Attorney General Issues Information Security and Security Breach Notification Guidance

Posted in Data Privacy Laws

The Illinois Personal Information Protection Act (PIPA) requires that any “data collector”, which includes businesses, universities, governmental agencies or any other entity that deals with personal information, notify Illinois residents in the event of a data security breach. Recently, the Office of Illinois Attorney General Lisa Madigan issued guidance that provides tools to assist entities in… Continue Reading

EC Proposal For New Data Protection Regulation

Posted in Data Privacy Laws, European Union

The European Commission (the “EC”) has announced its anticipated comprehensive reform of EU data protection rules, intended to strengthen online privacy rights and boost Europe’s digital economy. The proposal is intended to update and modernize the principles enshrined in the 1995 Data Protection Directive. If approved, unlike the current rules which give each of the 27… Continue Reading

Massachusetts Data Security Regulations: Deadline To Update Service Provider Contracts Is Fast Approaching

Posted in Data Privacy Laws

The deadline for compliance with a key requirement of the Massachusetts Data Security Regulations is only a month away. By March 1, 2012, contracts must require that certain service providers implement and maintain appropriate security measures to protect personal information. This alert summarizes the requirements that will become effective as of March 1, 2012. Read… Continue Reading

Massachusetts Federal Judge Says ZIP Code is Definitely Maybe “Personal Identification Information” . . . Implores Parties to Seek State Court Certification.

Posted in Data Privacy Laws

In an extension of the spate of litigation surrounding California’s Song-Beverly Credit Card Act and other laws like it, the U.S. District Court for the District of Massachusetts in Tyler v. Michaels Stores, Inc., Civ. No. 11-10920-WGY (D. Mass. Jan. 6, 2012), followed the California Supreme Court’s lead in ruling that ZIP codes are “personal identification information” within the meaning of Mass. Gen. Laws, ch. 93, § 105(a). The court nonetheless dismissed the plaintiff’s putative class action because she failed to allege any legally cognizable harm as a result of Michaels’ collection of her ZIP code in connection with a credit card transaction. Retailers who were unhappy with the California Supreme Court’s opinion in Pineda probably will not be any more pleased with the court’s ZIP code reasoning here. But the result? You bet!

Do I really have to obtain consent from all my customers to make a change to my privacy policy?

Posted in Data Privacy Laws, FTC Enforcement, Online Privacy

"Do I really have to obtain consent from all my customers to make a change to my privacy policy?  No one else seems to be following that rule." We get this question all the time.  It is understandable, given that we often watch Web-based companies expand their usage of consumer data without the affirmative consent… Continue Reading