Privacy Law Blog

Category Archives: Online Privacy

Subscribe to Online Privacy RSS Feed

FTC: LabMD Tests Positive for “Unfair” Security Practices

LabMD’s lack of data security measures resulted in the FTC Commission overturning an Administrative Law Judge (“ALJ”) decision that previously dismissed charges against the company in November. LabMD performed laboratory medical testing for over 750,000 patients since 2001, before going out of business in 2014, partly due to fighting this case. The FTC brought the … Continue Reading

Are Dynamic IP Addresses Personal Data? A Primer

Last month, one of the Advocate Generals (“AG”) of the Court of Justice of the European Union (“CJEU”), Manuel Campos Sánchez-Bordona, issued an opinion suggesting that dynamic IP addresses should be recognized as “personal data” under EU law. If the CJEU adopts this reasoning, it would represent a landmark decision that would resolve a contentious … Continue Reading

Regulators Offer Guidance on Privacy and Security for Health App Developers

This month, the Federal Trade Commission (FTC) issued guidance on privacy and security best practices for health-related mobile apps, such as fitness apps connected with wearables, diet and weight loss apps, and health insurance portals.  At the same time, the FTC unveiled an interactive tool designed to direct health app developers to federal laws and … Continue Reading

French Data Protection Wants to Force Google to Extend the Right To Be Delisted to All the Search Engine’s Extensions

Co-authored by Geoffrey Roche   On March 10, 2016, the French data protection agency (« CNIL ») pronounced a €100.000 ($111,715) fine against Google Inc. for failure to comply with its formal injunction of May, 2015 ordering the company to extend delisting to all the search engine’s extensions.… Continue Reading

Fiduciary Access to Digital Assets and Accounts: Revised Model Statute Adopted in Oregon

Oregon became the first state to adopt the Revised Uniform Fiduciary Access to Digital Assets Act (“Revised UFADAA”) when Governor Kate Brown signed Oregon Senate Bill 1554 into law on March 3, 2016.  The law will become effective on January 1, 2017.… Continue Reading

Privacy Advocates and ISPs Spar over Targeted Ads

The Federal Communication Commission’s (the “FCC”) landmark decision last year to reclassify Internet service providers (“ISPs”) as common carriers under Title II of the Communications Act of 1934 implicates policy issues that extend well beyond net neutrality.  Perhaps chief among them is the treatment of customer proprietary network information (“CPNI”) by broadband access providers.  The … Continue Reading

Delaware Enacts Comprehensive Online Privacy Protection Law

On January 1, 2016, the Delaware Online Privacy and Protection Act (“DOPPA”) will go into force, a law that provides strong online privacy protection for its residents.  The new law targets three areas of compliance: (1) advertising to children; (2) conspicuous posting of a compliant privacy policy; and (3) enhancing the privacy protections of users … Continue Reading

California Gives the Fourth Amendment a 21st Century Makeover

The average American today generates more media than they did at any other point in history, and the ease with which our communications, photos, and videos are sent and stored digitally means most of us have more media stored in the cloud or on a single digital device than previous generations would have created in … Continue Reading

The European Commission Issues Guidance on Alternative Cross-Border Data Transfer Tools

Today, one month after the European Court of Justice decision that invalidated the Safe Harbor framework, the European Commission (the “Commission”) issued a Communication setting forth its position on alternative tools for the lawful transfer of personal data from the EU to the United States.  The Commission also stated its objective to conclude negotiations with … Continue Reading

Google Declares “Non!” to French Privacy Regulator’s Demands that Google Apply the “Right to be Forgotten” Worldwide

In an expected but controversial move, Google has rejected a demand by the French Data Privacy authority CNIL to apply the European “Right to be Forgotten” worldwide. We have covered the E.U.’s Right to be Forgotten before, but here is a quick recap: under the E.U. rule, individuals have the right to require organizations that … Continue Reading

Connecticut Joins States That Protect Personal Online Accounts of Employees

Connecticut has joined a list of twenty-one states with a statute designed to preserve the privacy of personal online accounts of employees and limit the use of information related to such accounts in employment decision-making. Legislation directed to online privacy of employees has also passed this year in Montana, Virginia, and Oregon, and such legislation … Continue Reading

Native Advertisers Face Closer Scrutiny From Industry Self-Regulatory Bodies

With paywalls and premium subscriptions finding only modest success, paid advertisements remain the primary means of generating revenue from online content. Native advertising has emerged as a leader in the competition for ad impressions and brand engagement. Expected to grow from $7.9 billion in spending this year to $21 billion by 2018, native advertising is … Continue Reading

From the Right to be Forgotten to the Right to an “e-Reputation’’: First Enforceability Ordered by French Court under Penalty

A few months after the European Court of Justice ruled on May 13, 2014 that search engines are considered personal data controllers under the EU Data Protection Directive of 1995 and, as such, should provide data subjects with a right to be forgotten, a French Tribunal enforced this principle in X & Y v. Google … Continue Reading

Fiduciary Access to Digital Assets and Accounts

Traditionally, a person’s most valuable assets to be distributed upon death consisted of tangible items such as real property, cash, jewelry and personal effects of sentimental value like photographs and letters.  However, the advent of the digital age has brought a shift from file cabinets, mailmen and photo albums to cloud storage, e-mail accounts and … Continue Reading

No Class: Hulu Users Lose Certification Motion

After a decision denying class certification last week, claims by Hulu users that their personal information was improperly disclosed to Facebook are limited to the individual named plaintiffs (at least for now, as the decision was without prejudice). The plaintiffs alleged Hulu violated the federal Video Privacy Protection Act by configuring its website to include a … Continue Reading

The French Data Protection Authority Fines Google for Breach of French Privacy Laws

After two years of investigation and proceedings regarding Google’s privacy policy, European Data Protection Authorities (DPAs) are now reaching their final decisions against Google. The French DPA (“CNIL”) issued ,on January 3rd 2014, a decision ruling that Google’s privacy policy did not comply with the French Data Protection laws and imposed a fine of € … Continue Reading

Where do we stand on the territorial scope of EU data protection law following the recent European Parliament vote?

The determination of the territorial scope of the current EU Directive n° 95/46 is still under dispute both before national Courts and the European Court of Justice (ECJ). This issue may soon become moot with the adoption of future data protection regulation, which may modify and expand the territorial scope of EU data privacy law, … Continue Reading

New California Law Impacts Use of Information from Minors, Offers Right to Delete

Law Targets Sites and Mobile Apps Directed to Minors, Offers “Online Eraser”      Likely to Have Nationwide Effect On July 1st of this year, new amendments to the Children’s Online Privacy Protection Act Rule (COPPA Rule) came into effect, with perhaps the most pronounced changes being the expansion of COPPA to apply to geolocation … Continue Reading

White House Posts Preliminary Cybersecurity Incentives

In February of 2013, President Obama signed an executive order with the purpose of creating a cybersecurity framework (or set of voluntary standards and procedures) to encourage private companies that operate critical infrastructure to take steps to reduce their cyber risk (see our blog here). Critical Infrastructure Systems such as the electric grid, drinking water, … Continue Reading

Honoring Do-Not-Track Browser Signals

We’re all familiar with the ads that pop up on the side of our browsers, personalized to highlight things we might be interested in based on our web browsing activity.  Marketers and advertisers regularly track consumers’ online activities, interests and preferences and use the information they collect to create targeted ads, meant to appeal to … Continue Reading

In France, Are Employers Entitled to Access Their Employees’ Personal Emails?

In France, the guiding principle is that emails received or sent by an employee through the employer’s company email account are considered “professional”, which means that the employer can access and read them.  However, French employers must be cautious before accessing their employees’ professional emails because they are not permitted to access emails that have … Continue Reading

Protecting Privacy or Enabling Fraud? Employee Social Media Password Protection Laws May Clash with FINRA Rules

As a growing number of states pass legislation which will protect individuals’ social media accounts from employer scrutiny, they have encountered a surprising adversary – FINRA and other securities regulators. To date, at least six states have enacted social media employee privacy laws (which were blogged about here, here, here, and here) and upwards of … Continue Reading

Navigating the Patchwork: When Is European Data Privacy Law Applicable to US Companies?

Are social media companies based in the United States subject to European data privacy laws?  Two recent judicial decisions – one in France and the other in Germany – arrived at different answers.  The Civil Court of Paris held that Twitter, based in California, was obligated under the French Code of Civil Procedure to reveal … Continue Reading

Shine the Light a Little Brighter – Changes Resulting in Increased Customer Access Proposed to California’s “Shine the Light” Act

California Assembly Member, Bonnie Lowenthal, recently introduced the “Right to Know Act of 2013” (AB 1291), which would require any company that retains a  California resident’s personal information to provide a copy of that information to that person, free of charge, within 30 days of the request. The company would also have to disclose a … Continue Reading