UK Supreme Court Grants Google Permission to Appeal Class Action Claim in Lloyd vs Google LLC
The Supreme Court has recently granted Google permission to appeal the Court of Appeal’s decision in the case of Lloyd v Google LLC ([2019]) EWCA Civ 1599). The class action brought against Google by Richard Lloyd, the former editor of consumer protection rights group “Which?”, relates to the alleged tracking of personal data by Google of 4.4 million iPhone users and subsequent selling of the users’ data to advertisers, without the users’ knowledge and consent. Google is now appealing the Court of Appeal’s decision granting Mr Lloyd permission to serve his representative action on Google. This landmark case is of particular importance as it has the potential to significantly widen the scope for claims to be brought in respect of a failure to protect data under the GDPR.
French Council of State Partially Annuls CNIL Cookie Guidelines on Use of Cookie Walls
On June 19, 2020, the French Conseil d’État (“Council of State”) issued a decision partially annulling the Guidelines of the French Data Protection Authority (the “CNIL”) on cookies and other tracking tools (“Guidelines”). The Council of State ruled that the CNIL’s Guidelines could not prohibit the use of ‘cookie walls’, a practice which consists of blocking user access to a website where the user refuses to consent to cookies and other tracking tools. Nevertheless, the Council of State confirms the Guidelines on other key points, such as the requirement to facilitate the right to withdraw consent to cookies, the retention period for cookies and the information requirement for cookies not subject to a consent requirement.
French Council of State Upholds €50m CNIL Fine against Google
On June 19, 2020, the French Conseil d’État (“Council of State”) issued a decision upholding the €50 Million fine imposed against Google LLC by the French Supervisory Authority (the “CNIL”). On January 21, 2019, the French CNIL had issued a fine against Google’s U.S. headquarters for failure to comply with the EU General Data Protection Regulation’s (“GDPR”) fundamental principles of transparency and legitimacy. Please refer to the relevant Sidley Data Matters’ blog post on the CNIL decision here. The CNIL found that Google had insufficiently informed Android users about their data processing activities, given the complexity of Google’s privacy policy and terms & conditions, and that the consent obtained from them through the use of pre-ticked boxes was insufficient to serve as a legal basis for processing used for targeted advertising. This was the first and highest regulatory fine the CNIL had issued on the basis of the GDPR.
CCPA Enforcement Date Rapidly Approaching: California Attorney General Proposes Regulations for Final Review With July 1, 2020 Less Than One Month Away
On June 1, 2020, California’s Office of the Attorney General (“AG”) moved one step closer to finalizing the California Consumer Privacy Act (“CCPA”) regulations when the AG submitted proposed final regulations for review and approval by California’s Office of Administrative Law (“OAL”). This submission signals the end of the AG’s CCPA regulation drafting process that began in early 2019. If the OAL approves the proposed final regulations, they will be finalized and enforceable by the AG, subject to any legal challenges.
Chambers 2020 Global Practice Guides for Data Protection & Privacy and Cybersecurity Available
The updated 2020 Chambers Global Practice Guides for Data Protection & Privacy and Cybersecurity, edited by Alan Charles Raul, are available, covering important developments across the globe and bringing expert legal commentary for businesses. Read the intros to each Guide here and here.
French CNIL Publishes Draft Guidance on Cookie Consent
On January 14, 2020, the French data protection authority, the CNIL, proposed a consultation on its draft recommendations on practical ways to collect website user consent for cookies and similar technologies (the “Recommendations”). The Recommendations follow the publication in July 2019 of updated guidance on cookies, including requirements for obtaining GDPR-standard consent, by various European data protection authorities, including the CNIL and the ICO (the latter guidance was reported by Data Matters here). The CNIL has since undertaken a consultation to develop practical methods to obtain user consent.
A February 2020 Surprise: California Attorney General Proposes Significant Revisions to CCPA Regulations
Just as companies were starting to recover from their exertions to put in place California Consumer Privacy Act (“CCPA”) compliance programs before the law’s January 1, 2020 entry into force, the California Attorney General (“AG”) provided an early February surprise. CCPA watchers long expected that the AG would revise the CCPA regulations he initially proposed on October 10, 2019. But when the AG actually released his proposed regulations on February 7 – a proposal he subsequently modified slightly on February 10 – both the timing and breadth of the revisions were surprising. In short, the revisions were both sooner and more significant than expected.
UK ICO Releases Draft Direct Marketing Code of Practice for Public Consultation
On 8 January 2020, the UK’s Information Commissioner’s Office (ICO) published a draft Direct Marketing Code of Practice (Draft Code) for public consultation. The Draft Code is intended to update existing guidance published pre-GDPR and provide clarity on certain important issues.
Summarised below are the key takeaways from the Draft Code: (more…)
Breaking Down Brazil’s 1st Data Protection Law
*This article first appeared in Law360 on January 14, 2020.
After two years in the Brazilian Congress, the General Law of Data Protection was signed on Aug. 18, 2018, by then Brazilian President, Michel Temer, who also signed an executive order (Medida Provisória n. 869, from Dec. 27, 2018).
URGENT: CFTC Warns Registrants of Cyber Threats and Requests Information by January 10 and/or January 20
On January 3, 2020, the Division of Swap Dealer and Intermediary Oversight (DSIO) of the U.S. Commodity Futures Trading Commission (CFTC) issued two cyber threat alerts regarding the hacking of approximately one dozen cloud service providers, as described in a Wall Street Journal article published December 30, 2019, entitled “Ghosts in the Clouds: Inside China’s Major Corporate Hack.”
One DSIO cyber threat alert was directed to swap dealers (SDs) and futures commission merchants (FCMs). Another was directed to commodity pool operators (CPOs), commodity trading advisors (CTAs), introducing brokers (IBs) and retail foreign exchange dealers (RFEDs). The National Futures Association (NFA) then sent a blast email to all NFA members in these registration categories (on behalf of the CFTC), with the DSIO alerts attached, further emphasizing to NFA members the information requested by DSIO and the deadlines for providing such information.