While businesses rightfully have been focused on preparing for the California Consumer Privacy Act (“CCPA”), the Nevada and Maine Legislatures have moved forward with legislation that, like the CCPA, features new requirements relating to the sale of consumer personal data. The Nevada bill, which was signed into law on May 29 and amends an existing
On April 23, the California Assembly’s Committee on Privacy and Consumer Protection held a hearing to discuss a number of proposed amendments to the California Consumer Privacy Act (CCPA). Here are some of the key bills the Committee voted to move forward:
- Assembly Bill 25: seeks to amend the definition of a “consumer” to
On Tuesday, the California Senate Judiciary Committee will hold a hearing to discuss SB-753, which, if adopted, would carve out from the California Consumer Privacy Act (CCPA)’s definition of “sale” certain data sharing for purposes of delivering advertising. As we’ve previously noted, the CCPA is intended to afford consumers the right to know…
The Danish and Polish data protection authorities issued their first GDPR fines last month. The cases serve as indicators of the kinds of technical violations enforcement officials are looking to deter as they police the EU’s new privacy regulation.
In Denmark, Datatilsynet recommended fining the taxi company Taxa 4×35 nearly $180,000 for failing to delete…
FTC Chairman Joe Simons recently acknowledged the Commission’s plan to use its authority under Section 6(b) of the FTC Act to examine the data practices of large technology companies. In written responses to questions from members of the U.S. Senate Commerce Committee following in-person testimony in November 2018, Chairman Simons confirmed that plans were underway…
This week, President Trump signed an executive order outlining a national plan to promote the development and adoption of artificial intelligence (AI) technologies. The order serves as the official launch of the “American AI Initiative,” which includes five areas of focus:
- Invest in AI R&D – Prioritize AI investment in Federal agencies’ R&D missions
Last week, five advertising and marketing trade associations jointly filed comments with the California Attorney General seeking clarification on provisions within the California Consumer Privacy Act (CCPA).
While expressing “strong support” for the CCPA’s intent, and noting the online ad industry’s longstanding consumer privacy efforts like the DAA’s YourAdChoices Program, the group proposed the…
On Monday, France’s Data Protection Agency announced that it levied a €50 million ($56.8 million) fine against Google for violating the EU’s new General Data Protection Regulation (GDPR). The precedent-setting fine by the Commission Nationale de l’Informatique et des Libertés (“CNIL”) is the highest yet imposed since the new law took effect in May 2018.
How Does Google Violate GDPR, According to CNIL?
- Lack of Transparency: GDPR Articles 12-13 require a data controller to provide data subjects with transparent, intelligible, and easily accessible information relating to the scope and purpose of the personal data processing, and the lawful basis for such processing. CNIL asserts that Google fails to meet the required level of transparency based on the following:
- Information is not intelligible: Google’s description of its personal data processing and associated personal data categories is “too generic and vague.”
- Information is not easily accessible: Data subjects must access multiple Google documents or pages and take a number of distinct actions (“5 or 6”) to obtain complete information on the personal data that Google collects for personalization purposes and geo-tracking.
- Lawful basis for processing is unclear: Data subjects may mistakenly view the legal basis for processing by Google as legitimate interests (that does not require consent) rather than individual consent.
- Data retention period is not specified: Google fails to provide information on the period that it retains certain personal data.
- Invalid Consent: Per GDPR Articles 5-7, a data controller relying on consent as the lawful basis for processing of personal data must be able to demonstrate that consent by a data subject is informed, specified, and unambiguous. CNIL claims that Google fails to capture valid consent from data subjects as follows:
- Consent is not “informed”: Google’s data processing description for its advertising personalization services is diluted across several documents and does not clearly describe the scope of processing across multiple Google services, the amount of data processed, and the manner in which the data is combined.
- Consent is not unambiguous: Consent for advertising personalization appears as pre-checked boxes.
What Does This Mean for Other Companies?
Last month, CTIA, the wireless industry association, launched an initiative through which wireless-connected Internet of Things (“IoT”) devices can be certified for cybersecurity readiness. According to the CTIA announcement, the CTIA Cybersecurity Certification Program (the “Program”) is intended to protect both consumers and wireless infrastructure by creating a more secure foundation for IoT applications…
On April 8, 2015, the Federal Communications Commission (FCC) Enforcement Bureau announced that AT&T has agreed to a $25 million consent decree to resolve an FCC investigation into alleged consumer privacy violations at AT&T call centers in Mexico, Columbia, and the Philippines. According to the FCC, AT&T violated Section 222 of the Communications Act (the…