Header graphic for print
Privacy Law Blog

Category Archives: Data Privacy Laws

Subscribe to Data Privacy Laws RSS Feed

The French Data Protection Authority Fines Google for Breach of French Privacy Laws

Posted in Data Privacy Laws, European Union, Online Privacy

After two years of investigation and proceedings regarding Google’s privacy policy, European Data Protection Authorities (DPAs) are now reaching their final decisions against Google. The French DPA (“CNIL”) issued ,on January 3rd 2014, a decision ruling that Google’s privacy policy did not comply with the French Data Protection laws and imposed a fine of €… Continue Reading

Where do we stand on the territorial scope of EU data protection law following the recent European Parliament vote?

Posted in Data Privacy Laws, European Union, Legislation, Online Privacy

The determination of the territorial scope of the current EU Directive n° 95/46 is still under dispute both before national Courts and the European Court of Justice (ECJ). This issue may soon become moot with the adoption of future data protection regulation, which may modify and expand the territorial scope of EU data privacy law,… Continue Reading

California Amends Data Breach Notification Law

Posted in California, Data Privacy Laws

On September 27, 2013, California Governor Jerry Brown signed into law an amendment to California’s breach notification law (Cal. Civ. Code § 1798.82).  Effective January 1, 2014, under the amended law, the definition of “Personal Information” will be expanded to include “a user name or email address, in combination with a password or security question… Continue Reading

White House Posts Preliminary Cybersecurity Incentives

Posted in Data Breaches, Data Privacy Laws, National Security, Online Privacy

In February of 2013, President Obama signed an executive order with the purpose of creating a cybersecurity framework (or set of voluntary standards and procedures) to encourage private companies that operate critical infrastructure to take steps to reduce their cyber risk (see our blog here). Critical Infastructure Systems such as the electric grid, drinking water,… Continue Reading

In France, Are Employers Entitled to Access Their Employees’ Personal Emails?

Posted in Data Privacy Laws, Online Privacy, Workplace Privacy

In France, the guiding principle is that emails received or sent by an employee through the employer’s company email account are considered “professional”, which means that the employer can access and read them.  However, French employers must be cautious before accessing their employees’ professional emails because they are not permitted to access emails that have… Continue Reading

California Court of Appeal Says Chevron Can Collect ZIP Code Information for Pay-at-the-Pump Transactions

Posted in California, Data Privacy Laws, Identity Theft, Privacy Litigation

On June 20, 2013, the California Court of Appeal affirmed the dismissal of a putative class action which alleged that Chevron violated California’s Song-Beverly Credit Card Act (“Song-Beverly”) by requiring California customers to enter ZIP codes in pay-at-the-pump gas station transactions in locations with a high risk of fraud. Flores v. Chevron U.S.A. Inc., No…. Continue Reading

Navigating the Patchwork: When Is European Data Privacy Law Applicable to US Companies?

Posted in Data Privacy Laws, European Union, International, Online Privacy

Are social media companies based in the United States subject to European data privacy laws?  Two recent judicial decisions – one in France and the other in Germany – arrived at different answers.  The Civil Court of Paris held that Twitter, based in California, was obligated under the French Code of Civil Procedure to reveal… Continue Reading

Shine the Light a Little Brighter – Changes Resulting in Increased Customer Access Proposed to California’s “Shine the Light” Act

Posted in California, Data Privacy Laws, Online Privacy

California Assembly Member, Bonnie Lowenthal, recently introduced the “Right to Know Act of 2013″ (AB 1291), which would require any company that retains a  California resident’s personal information to provide a copy of that information to that person, free of charge, within 30 days of the request. The company would also have to disclose a… Continue Reading

Six European Data Protection Authorities Will Launch Legal Actions against Google Stemming from its Privacy Policy

Posted in Behavioral Marketing, Data Privacy Laws, European Union, International, Online Privacy, Privacy Litigation

The French, Italian, British, German, Spanish and Dutch Data Protection Authorities announced on April 2, 2013 that each will launch investigations and enforcement actions against Google on the grounds that its privacy policy is not compliant with the European Directive on Data Protection, available at http://eur-lex.europa.eu/en/index.htm, (the “Directive”).

Massachusetts Supreme Court Rules ZIP Codes Are Definitely “Personal Identification Information”

Posted in Data Privacy Laws

In a recent ruling arising from certain certified questions in Tyler v. Michaels Stores, Inc., Civ. No. 11-10920-WGY (D. Mass. Jan. 6, 2012, the Massachusetts Supreme Court interpreted “personal identification information” under Mass. Gen. Laws, ch. 93, § 105(a) Section 105(a) to include a consumer’s ZIP code and determined that collecting such personal information is… Continue Reading

President Obama Signs Executive Order on Cybersecurity

Posted in Data Breaches, Data Privacy Laws, National Security, Online Privacy

As announced during the 2013 State of the Union Address, President Obama recently signed an Executive Order on cybersecurity.  The primary goals of the Executive Order are to (a) improve communication between private companies and the federal government about emerging cyber threats and (b) safeguard the nation’s critical infrastructure against cyber attacks by developing and implementing… Continue Reading

China Introduces New Data Privacy Law

Posted in Data Privacy Laws, Online Privacy

On December 28, 2012, the Standing Committee of China’s National People’s Congress, China’s legislative body, passed the “Decision on Strengthening Network Information Protection” (the “Decision”), which contains various principles for protecting, collecting and using electronic personal information in China.  According to the Decision, these principles were passed in order to protect network information security, protect… Continue Reading

California Supreme Court Holds Online Retailers of Downloadable Products May Require Personally Identifying Information For Credit Card Transactions

Posted in California, Data Privacy Laws, Financial Privacy, Online Privacy

The California Supreme Court held on February 4, 2013 that the provision of the Song-Beverly Credit Card Act of 1971 (the “Act”) prohibiting retailers from requesting personally identifying information as a condition to processing credit card transactions does not apply to online purchases of electronically downloadable items. (Apple v. Super. Ct., S199384, Case No. B238097,… Continue Reading

Massachusetts AGO Enters Into Another Settlement For Data Security Violations

Posted in Data Breaches, Data Privacy Laws, HIPAA, Medical Privacy

For the fourth time since the Massachusetts data security regulations took effect in March 2010, the Massachusetts Attorney General’s Office (“AGO”) has settled allegations that Massachusetts-based entities violated the regulations.  On January 7, 2013, Suffolk Superior Court approved consent judgments pursuant to which five entities agreed to collectively pay $140,000 to settle allegations that they… Continue Reading

The UK Information Commissioner’s Office Seeks Views on Privacy Seals

Posted in Data Privacy Laws

The European Commission’s revised data protection framework proposals include provisions intended to encourage the use of data protection privacy seals, certification mechanisms and trust marks.  These provisions would allow data subjects to instantly assess the privacy standards applied by data controllers and processors, thereby providing the comfort that data subjects often seek.  The UK Information… Continue Reading

Alternative Trading System Agrees to Pay $800K for Failure to Protect Confidential Information

Posted in Data Privacy Laws, Financial Privacy

Earlier this month, the Securities and Exchange Commission (“SEC”) instituted public administrative and cease and desist proceedings against eBX, LLC (“eBX”), a broker-dealer registered with the SEC.  eBX operates LeveL ATS, an alternative trading system (“ATS”) known as a “black pool,” which is a proprietary market where traders may exchange large blocks of stock with… Continue Reading

New Jersey Legislature Amends Stored Value Card Abandonment Law

Posted in Data Privacy Laws

On June 29, 2012, New Jersey Governor Chris Christie signed into law legislation amending New Jersey’s unclaimed property law relating to the escheat of abandoned stored value cards (SVCs) to the state. Under the original unclaimed property law, which took effect July 1, 2010, SVCs that were inactive for two years were presumed abandoned, and New Jersey required that the monetary value associated with the inactive cards be escheated to the state. Additionally, SVC issuers were required to (a) “obtain” the name and address of each card owner or purchaser, and (b) “at a minimum, maintain a record of the zip code of the owner or purchaser” of each SVC. Under the amended law, SVCs are presumed abandoned after five years of inactivity (as opposed to two years), and SVC issuers have a forty-eight month grace period before they are required to collect the names, addresses, and zip codes of SVC owners or purchasers. Issuers that do not collect purchasers’ names and addresses in the normal course of business or during a card-registration process are exempted from collecting purchasers’ names and addresses under the law, but they are still required to collect and maintain purchasers’ zip codes.
It should be noted that the unclaimed property law potentially conflicts with a separate New Jersey law protecting the personal information of credit card holders (N.J. Stat. § 56:11-17 (2012)). That law makes it unlawful for any person to require the disclosure of any personal identification information from a credit card holder that is not required to complete the transaction as a condition of allowing the card holder to use the credit card to complete the transaction. While we await the resolution of this potential conflict, courts may rule that no conflict exists: § 56:11-17 only addresses credit card use, but the state’s unclaimed property law makes no distinction between payment methods (and, therefore, doesn’t condition the use of a credit card on the collection of personal information).

European Data Protection Authorities Publish Guidelines Clarifying Exemptions to Cookie Consent Requirement

Posted in Data Privacy Laws, European Union

  On June 7, 2012, the Article 29 Working Party, an independent advisory body composed of representatives from the national data protection authorities of the EU Member States, the European Data Protection Supervisor and the European Commission, issued Opinion 04/2012 regarding which types of cookies are exempted from the informed user-consent requirement under Directive 2002/58… Continue Reading

Connecticut Amends Data Breach Notification Law

Posted in Data Privacy Laws

On the heels of Vermont’s recent amendment to its data breach notification law, Connecticut’s legislature recently amended its own data breach notification law. The amended law will take effect on October 1, 2012.

Is data breach notification compulsory under French law?

Posted in Data Breaches, Data Privacy Laws, Electronic Communications, European Union, Security Breach Notification Laws

On May 28th, the Commission nationale de l’informatique et des libertés (“CNIL”), the French  authority responsible for data privacy, published guidance on breach notification law affecting electronic communications service providers.   The guidance was issued with reference to European Directive 2002/58/EC, the e-Privacy Directive, which imposes specific breach notification requirements on electronic communication service providers. French legislator recently amended… Continue Reading

Vermont Amends Security Breach Notification Law

Posted in Data Privacy Laws

On May 8th, Vermont became the most recent state to amend its security breach notification law. Among the many changes, companies that are affected by a data breach are now required to notify the Attorney General of Vermont within 45 days after the discovery or notification of the breach.

Massachusetts AGO Stresses the Importance of Encryption

Posted in Data Breaches, Data Privacy Laws

 The Massachusetts Attorney General’s Office ("AGO") has entered into an Assurance of Discontinuance (the "Settlement") with a Massachusetts company after allegations that the company failed to adequately protect personal information of Massachusetts residents. The AGO alleged that an employee of Maloney Properties, Inc. ("MPI") stored unencrypted personal information on a company laptop, and failed to… Continue Reading

Smart Grid Technology Implicates New Privacy Concerns

Posted in Data Privacy Laws

The smart grid is an advanced metering infrastructure made up of “smart meters” capable of recording detailed and near-real time data on consumer electricity usage.  That data would then be sent to utilities through a wireless communications network.  In recent years, utilities have increased the pace of smart meter deployment—smart meters are expected to be… Continue Reading

The White House Proposes New Consumer Privacy Bill of Rights

Posted in Data Privacy Laws

On February 23, 2012, the White House issued a proposal to adopt a Consumer Privacy Bill of Rights. The new proposal is part of the Administration’s efforts to adopt a comprehensive consumer data privacy framework that applies to all personal data, defined as any data that can be linked to a specific individual or device. The Administration’s… Continue Reading