Are social media companies based in the United States subject to European data privacy laws? Two recent judicial decisions – one in France and the other in Germany – arrived at different answers. The Civil Court of Paris held that Twitter, based in California, was obligated under the French Code of Civil Procedure to reveal…
Category Archives: Data Privacy Laws
Shine the Light a Little Brighter – Changes Resulting in Increased Customer Access Proposed to California’s “Shine the Light” Act
Posted in California, Data Privacy Laws, Online Privacy
California Assembly Member, Bonnie Lowenthal, recently introduced the “Right to Know Act of 2013” (AB 1291), which would require any company that retains a California resident’s personal information to provide a copy of that information to that person, free of charge, within 30 days of the request. The company would also have to disclose a…
Six European Data Protection Authorities Will Launch Legal Actions against Google Stemming from its Privacy Policy
Posted in Behavioral Marketing, Data Privacy Laws, European Union, International, Online Privacy, Privacy Litigation
The French, Italian, British, German, Spanish and Dutch Data Protection Authorities announced on April 2, 2013 that each will launch investigations and enforcement actions against Google on the grounds that its privacy policy is not compliant with the European Directive on Data Protection, available at http://eur-lex.europa.eu/en/index.htm, (the “Directive”).
Massachusetts Supreme Court Rules ZIP Codes Are Definitely “Personal Identification Information”
Posted in Data Privacy Laws
In a recent ruling arising from certain certified questions in Tyler v. Michaels Stores, Inc., Civ. No. 11-10920-WGY (D. Mass. Jan. 6, 2012), the Massachusetts Supreme Court interpreted “personal identification information” under Mass. Gen. Laws, ch. 93, § 105(a) to include a consumer’s ZIP code and determined that collecting such personal information is…
President Obama Signs Executive Order on Cybersecurity
Posted in Data Breaches, Data Privacy Laws, National Security, Online Privacy
As announced during the 2013 State of the Union Address, President Obama recently signed an Executive Order on cybersecurity. The primary goals of the Executive Order are to (a) improve communication between private companies and the federal government about emerging cyber threats and (b) safeguard the nation’s critical infrastructure against cyber attacks by developing and implementing…
China Introduces New Data Privacy Law
Posted in Data Privacy Laws, Online Privacy
On December 28, 2012, the Standing Committee of China’s National People’s Congress, China’s legislative body, passed the “Decision on Strengthening Network Information Protection” (the “Decision”), which contains various principles for protecting, collecting and using electronic personal information in China. According to the Decision, these principles were passed in order to protect network information security, protect…
California Supreme Court Holds Online Retailers of Downloadable Products May Require Personally Identifying Information For Credit Card Transactions
Posted in California, Data Privacy Laws, Financial Privacy, Online Privacy
The California Supreme Court held on February 4, 2013 that the provision of the Song-Beverly Credit Card Act of 1971 (the “Act”) prohibiting retailers from requesting personally identifying information as a condition to processing credit card transactions does not apply to online purchases of electronically downloadable items. (Apple v. Super. Ct., S199384, Case No. B238097,…
Massachusetts AGO Enters Into Another Settlement For Data Security Violations
Posted in Data Breaches, Data Privacy Laws, HIPAA, Medical Privacy
For the fourth time since the Massachusetts data security regulations took effect in March 2010, the Massachusetts Attorney General’s Office (“AGO”) has settled allegations that Massachusetts-based entities violated the regulations. On January 7, 2013, Suffolk Superior Court approved consent judgments pursuant to which five entities agreed to collectively pay $140,000 to settle allegations that they…
The UK Information Commissioner’s Office Seeks Views on Privacy Seals
Posted in Data Privacy Laws
The European Commission’s revised data protection framework proposals include provisions intended to encourage the use of data protection privacy seals, certification mechanisms and trust marks. These provisions would allow data subjects to instantly assess the privacy standards applied by data controllers and processors, thereby providing the comfort that data subjects often seek. The UK Information…
Alternative Trading System Agrees to Pay $800K for Failure to Protect Confidential Information
Posted in Data Privacy Laws, Financial Privacy
Earlier this month, the Securities and Exchange Commission (“SEC”) instituted public administrative and cease and desist proceedings against eBX, LLC (“eBX”), a broker-dealer registered with the SEC. eBX operates LeveL ATS, an alternative trading system (“ATS”) known as a “black pool,” which is a proprietary market where traders may exchange large blocks of stock with…
New Jersey Legislature Amends Stored Value Card Abandonment Law
Posted in Data Privacy Laws
On June 29, 2012, New Jersey Governor Chris Christie signed into law legislation amending New Jersey’s unclaimed property law relating to the escheat of abandoned stored value cards (SVCs) to the state. Under the original unclaimed property law, which took effect July 1, 2010, SVCs that were inactive for two years were presumed abandoned, and New Jersey required that the monetary value associated with the inactive cards be escheated to the state. Additionally, SVC issuers were required to (a) “obtain” the name and address of each card owner or purchaser, and (b) “at a minimum, maintain a record of the zip code of the owner or purchaser” of each SVC. Under the amended law, SVCs are presumed abandoned after five years of inactivity (as opposed to two years), and SVC issuers have a forty-eight month grace period before they are required to collect the names, addresses, and zip codes of SVC owners or purchasers. Issuers that do not collect purchasers’ names and addresses in the normal course of business or during a card-registration process are exempted from collecting purchasers’ names and addresses under the law, but they are still required to collect and maintain purchasers’ zip codes.
It should be noted that the unclaimed property law potentially conflicts with a separate New Jersey law protecting the personal information of credit card holders (N.J. Stat. § 56:11-17 (2012)). That law makes it unlawful for any person to require the disclosure of any personal identification information from a credit card holder that is not required to complete the transaction as a condition of allowing the card holder to use the credit card to complete the transaction. While we await the resolution of this potential conflict, courts may rule that no conflict exists: § 56:11-17 only addresses credit card use, but the state’s unclaimed property law makes no distinction between payment methods (and, therefore, doesn’t condition the use of a credit card on the collection of personal information).
European Data Protection Authorities Publish Guidelines Clarifying Exemptions to Cookie Consent Requirement
Posted in Data Privacy Laws, European Union
On June 7, 2012, the Article 29 Working Party, an independent advisory body composed of representatives from the national data protection authorities of the EU Member States, the European Data Protection Supervisor and the European Commission, issued Opinion 04/2012 regarding which types of cookies are exempted from the informed user-consent requirement under Directive 2002/58…
Connecticut Amends Data Breach Notification Law
Posted in Data Privacy Laws
On the heels of Vermont’s recent amendment to its data breach notification law, Connecticut’s legislature recently amended its own data breach notification law. The amended law will take effect on October 1, 2012.
Is data breach notification compulsory under French law?
Posted in Data Breaches, Data Privacy Laws, Electronic Communications, European Union, Security Breach Notification Laws
On May 28th, the Commission nationale de l’informatique et des libertés (“CNIL”), the French authority responsible for data privacy, published guidance on breach notification law affecting electronic communications service providers. The guidance was issued with reference to European Directive 2002/58/EC, the e-Privacy Directive, which imposes specific breach notification requirements on electronic communication service providers. French legislator recently amended…
Vermont Amends Security Breach Notification Law
Posted in Data Privacy Laws
On May 8th, Vermont became the most recent state to amend its security breach notification law. Among the many changes, companies that are affected by a data breach are now required to notify the Attorney General of Vermont within 45 days after the discovery or notification of the breach.
Massachusetts AGO Stresses the Importance of Encryption
Posted in Data Breaches, Data Privacy Laws
The Massachusetts Attorney General’s Office ("AGO") has entered into an Assurance of Discontinuance (the "Settlement") with a Massachusetts company after allegations that the company failed to adequately protect personal information of Massachusetts residents. The AGO alleged that an employee of Maloney Properties, Inc. ("MPI") stored unencrypted personal information on a company laptop, and failed to…
Smart Grid Technology Implicates New Privacy Concerns
Posted in Data Privacy Laws
The smart grid is an advanced metering infrastructure made up of “smart meters” capable of recording detailed and near-real time data on consumer electricity usage. That data would then be sent to utilities through a wireless communications network. In recent years, utilities have increased the pace of smart meter deployment—smart meters are expected to be…
The White House Proposes New Consumer Privacy Bill of Rights
Posted in Data Privacy Laws
On February 23, 2012, the White House issued a proposal to adopt a Consumer Privacy Bill of Rights. The new proposal is part of the Administration’s efforts to adopt a comprehensive consumer data privacy framework that applies to all personal data, defined as any data that can be linked to a specific individual or device. The Administration’s…
R-E-S-P-E-C-T, Cross-Border E-discovery
Posted in Data Privacy Laws, International
Litigants navigating the conflict between U.S. discovery obligations and foreign data protection laws have a new ally, the American Bar Association (“the ABA”). The ABA recently passed Resolution 103, which “urges” that: [W]here possible in the context of the proceedings before them, U.S. federal, state, territorial, tribal and local courts consider and respect, as appropriate, the…
Illinois Attorney General Issues Information Security and Security Breach Notification Guidance
Posted in Data Privacy Laws
The Illinois Personal Information Protection Act (PIPA) requires that any “data collector”, which includes businesses, universities, governmental agencies or any other entity that deals with personal information, notify Illinois residents in the event of a data security breach. Recently, the Office of Illinois Attorney General Lisa Madigan issued guidance that provides tools to assist entities in…
EC Proposal For New Data Protection Regulation
Posted in Data Privacy Laws, European Union
The European Commission (the “EC”) has announced its anticipated comprehensive reform of EU data protection rules, intended to strengthen online privacy rights and boost Europe’s digital economy. The proposal is intended to update and modernize the principles enshrined in the 1995 Data Protection Directive. If approved, unlike the current rules which give each of the 27…
Massachusetts Data Security Regulations: Deadline To Update Service Provider Contracts Is Fast Approaching
Posted in Data Privacy Laws
The deadline for compliance with a key requirement of the Massachusetts Data Security Regulations is only a month away. By March 1, 2012, contracts must require that certain service providers implement and maintain appropriate security measures to protect personal information. This alert summarizes the requirements that will become effective as of March 1, 2012. Read…
Massachusetts Federal Judge Says ZIP Code is Definitely Maybe “Personal Identification Information” . . . Implores Parties to Seek State Court Certification.
Posted in Data Privacy Laws
In an extension of the spate of litigation surrounding California’s Song-Beverly Credit Card Act and other laws like it, the U.S. District Court for the District of Massachusetts in Tyler v. Michaels Stores, Inc., Civ. No. 11-10920-WGY (D. Mass. Jan. 6, 2012), followed the California Supreme Court’s lead in ruling that ZIP codes are “personal identification information” within the meaning of Mass. Gen. Laws, ch. 93, § 105(a). The court nonetheless dismissed the plaintiff’s putative class action because she failed to allege any legally cognizable harm as a result of Michaels’ collection of her ZIP code in connection with a credit card transaction. Retailers who were unhappy with the California Supreme Court’s opinion in Pineda probably will not be any more pleased with the court’s ZIP code reasoning here. But the result? You bet!
Do I really have to obtain consent from all my customers to make a change to my privacy policy?
Posted in Data Privacy Laws, FTC Enforcement, Online Privacy
"Do I really have to obtain consent from all my customers to make a change to my privacy policy? No one else seems to be following that rule." We get this question all the time. It is understandable, given that we often watch Web-based companies expand their usage of consumer data without the affirmative consent…