On April 2, 2021 the French Data Protection Authority (the “Commission Nationale de l’Informatique et des Libertés” or “CNIL”) published its intent to start auditing websites for compliance with cookie regulations. This publication comes following a large number of developments and actions taken by the CNIL to further improve and guide organizations through cookie compliance. The CNIL had issued several recommendations, guidelines and cookie tools to raise awareness on the importance of this topic, with a final set of guidelines published on October 1, 2020 following public consultation rounds (“Cookie Guidelines”). The CNIL had determined that a 6-month grace period would apply following publication of the Cookie Guidelines. This grace period ended on April 1, 2021 and the CNIL now expects companies to be compliant with its recommendations and guidelines. The CNIL has confirmed that it may make use of the totality of its corrective powers to remedy non-compliance with the rules, including issuing (public) sanctions. In light of the increase in scrutiny on cookies in the EU (and the US pursuant to certain state laws), organizations with websites / platforms operating in the EU (and U.S.) may want to reconsider their cookie practices and start carrying out cookie audits.
Amidst significant economic and legal concerns, on February 12, 2021, the Maryland Senate joined the House in voting to override Republican Gov. Larry Hogan’s veto of House Bill 732 (HB 732) to adopt a Digital Advertising Gross Revenues Tax (Tax), the nation’s first tax targeting digital advertising. The override was successful despite significant pushback from a coalition of more than 200 businesses and Republican legislators who sought to sustain the veto. HB 732 is intended to provide significant revenues to support education reforms in the state.
The Tax is likely to affect large technology-based and online companies that derive revenue from advertisements on their websites and platforms (rather than companies deriving their revenues entirely from subscription services). Thus such companies, as well as their owners and sponsors, should carefully consider the information below and the impact of the Tax on their business models.
On June 19, 2020, the French Conseil d’État (“Council of State”) issued a decision partially annulling the Guidelines of the French Data Protection Authority (the “CNIL”) on cookies and other tracking tools (“Guidelines”). The Council of State ruled that the CNIL’s Guidelines could not prohibit the use of ‘cookie walls’, a practice which consists of blocking user access to a website where the user refuses to consent to cookies and other tracking tools. Nevertheless, the Council of State confirms the Guidelines on other key points, such as the requirement to facilitate the right to withdraw consent to cookies, the retention period for cookies and the information requirement for cookies not subject to a consent requirement.
On January 14, 2020, the French data protection authority, the CNIL, proposed a consultation on its draft recommendations on practical ways to collect website user consent for cookies and similar technologies (the “Recommendations”). The Recommendations follow the publication in July 2019 of updated guidance on cookies, including requirements for obtaining GDPR-standard consent, by various European data protection authorities, including the CNIL and the ICO (the latter guidance was reported by Data Matters here). The CNIL has since undertaken a consultation to develop practical methods to obtain user consent.
On 8 January 2020, the UK’s Information Commissioner’s Office (ICO) published a draft Direct Marketing Code of Practice (Draft Code) for public consultation. The Draft Code is intended to update existing guidance published pre-GDPR and provide clarity on certain important issues.
Summarised below are the key takeaways from the Draft Code: (more…)
Ever since the D.C. Circuit struck down the FCC’s overbroad rule defining “auto-dialers” under the Telephone Consumer Protection Act, district courts have debated the scope of the D.C. Circuit’s ruling: Did it effectively strike down earlier FCC pronouncements on what qualifies as an auto-dialer? In a carefully reasoned opinion, a district court judge in Chicago held last week that it did. (more…)
*This article originally appeared in the FinTech Law Report, Volume 19, Issue 2 for March/April 2016.
On November 18, 2015, the Federal Trade Commission (FTC) issued final amendments to the Telemarketing Sales Rule (TSR) banning payment methods that the FTC believes are disproportionately used by scammers (Final Rule). The Final Rule was published in the Federal Register on December 14, 2015.
On April 24, 2015, China amended its Advertising Law for the first time since its initial promulgation in 1994. The amended Advertising Law (the “Amended Law”) will take effect on September 1, 2015. In the absence of a comprehensive data protection law in China, the Amended Law introduces certain provisions addressing data and privacy issues, in addition to existing data privacy rules which are scattered in various laws and regulations.
An already active TCPA class action bar is sure to become even more active after a significant Declaratory Ruling and Order from the FCC that, among other points, broadened what technologies may be considered autodialers, gave further strength to class actions based on reassigned cell numbers, and muddied the waters for constructing compliance mechanisms to support consumer revocation of consent.
On July 10, 2015, the Federal Communications Commission issued a declaratory ruling to resolve various concerns raised by 21 petitions regarding the Commission’s implementation of the Telephone Consumer Protection Act, which carries a $500 penalty for each call or text in violation.
The English Court of Appeal has recently issued a landmark judgment against Google which could open the door to data privacy litigation in the EU.
The case concerned the collection by Google of Safari users’ browser information, allegedly without their knowledge or consent. In its opinion, the Court of Appeal held that four individuals who used Safari browsers can bring a claim for breach of privacy and that the damages claimed can include distress – even in circumstances where there is no financial loss, as this had been the intention of the EU’s Data Protection Directive. To reach this result, the Court relied on EU legal authorities to override and displace limitations on recovery under the UK Data Protection Act.