On June 19, 2020, the French Conseil d’État (“Council of State”) issued a decision partially annulling the Guidelines of the French Data Protection Authority (the “CNIL”) on cookies and other tracking tools (“Guidelines”). The Council of State ruled that the CNIL’s Guidelines could not prohibit the use of ‘cookie walls’, a practice which consists of blocking user access to a website where the user refuses to consent to cookies and other tracking tools. Nevertheless, the Council of State confirmed the Guidelines on other key points, such as the requirement to facilitate the right to withdraw consent to cookies, the retention period for cookies and the information requirement for cookies not subject to a consent requirement.
On January 14, 2020, the French data protection authority, the CNIL, proposed a consultation on its draft recommendations on practical ways to collect website user consent for cookies and similar technologies (the “Recommendations”). The Recommendations follow the publication in July 2019 of updated guidance on cookies, including requirements for obtaining GDPR-standard consent, by various European data protection authorities, including the CNIL and the ICO (the latter guidance was reported by Data Matters here). The CNIL has since undertaken a consultation to develop practical methods to obtain user consent.
On 8 January 2020, the UK’s Information Commissioner’s Office (ICO) published a draft Direct Marketing Code of Practice (Draft Code) for public consultation. The Draft Code is intended to update existing guidance published pre-GDPR and provide clarity on certain important issues.
Summarised below are the key takeaways from the Draft Code:
Ever since the D.C. Circuit struck down the FCC’s overbroad rule defining “auto-dialers” under the Telephone Consumer Protection Act, district courts have debated the scope of the D.C. Circuit’s ruling: Did it effectively strike down earlier FCC pronouncements on what qualifies as an auto-dialer? In a carefully reasoned opinion, a district court judge in Chicago held last week that it did.
*This article originally appeared in the FinTech Law Report, Volume 19, Issue 2 for March/April 2016.
On November 18, 2015, the Federal Trade Commission (FTC) issued final amendments to the Telemarketing Sales Rule (TSR) banning payment methods that the FTC believes are disproportionately used by scammers (Final Rule). The Final Rule was published in the Federal Register on December 14, 2015.
On April 24, 2015, China amended its Advertising Law for the first time since its initial promulgation in 1994. The amended Advertising Law (the “Amended Law”) will take effect on September 1, 2015. In the absence of a comprehensive data protection law in China, the Amended Law introduces certain provisions addressing data and privacy issues, in addition to existing data privacy rules which are scattered in various laws and regulations.
An already active TCPA class action bar is sure to become even more active after a significant Declaratory Ruling and Order from the FCC that, among other points, broadened what technologies may be considered autodialers, gave further strength to class actions based on reassigned cell numbers, and muddied the waters for constructing compliance mechanisms to support consumer revocation of consent.
On July 10, 2015, the Federal Communications Commission issued a declaratory ruling to resolve various concerns raised by 21 petitions regarding the Commission’s implementation of the Telephone Consumer Protection Act, which carries a $500 penalty for each call or text in violation.
The English Court of Appeal has recently issued a landmark judgment against Google which could open the door to data privacy litigation in the EU.
The case concerned the collection by Google of Safari users’ browser information, allegedly without their knowledge or consent. In its opinion, the Court of Appeal held that four individuals who used Safari browsers can bring a claim for breach of privacy and that the damages claimed can include distress – even in circumstances where there is no financial loss, as this had been the intention of the EU’s Data Protection Directive. To reach this result, the Court relied on EU legal authorities to override and displace limitations on recovery under the UK Data Protection Act.
Under the requirements of Singapore’s Personal Data Protection Act 2012 (PDPA), the Personal Data Protection Commission (PDPC) is the enforcement agency tasked with the responsibility of monitoring compliance with the PDPA.
California has been experiencing a wave of putative class actions under the California Invasion of Privacy Act (“CIPA”). A decision this week by a federal court judge in California could halt new case filings and lay the groundwork for the dismissal of pending actions.