Eye On Privacy

Timely Updates and Analysis on Privacy and Cybersecurity Issues

Subscribe
Visit Blog
By: Sheppard, Mullin, Richter & Hampton LLP

Blog Authors

Aaron George
Anna McLean
Andrea Ramos*
Alyssa Shauer
Amber Thomson
Brian Anderson
Craig Cardon
Christine Couvillon
Curtis Dombek
Christopher Bosch
Carrie Ross
David Cannon
David Myers
David Poell
Drew Svor
Dave Thomas
Elizabeth Balfour
Elizabeth Barcohana
Fatema Merchant
Greg Berk
Genevieve Perez
James Chadwick
John Chierichella
James Gatto
Jeff Kern
Jonathan E. Meyer
Jay Ramsey
Kristi Kung
Kayla Page
Kari Rollins
Lindsay Colvin Stone
Liisa Thomas
Liên Payne
Lai Yip
Mercedes Cook
Megan Grant
Melinda Biancuzzo
Matthew Shatzkes
Matthew Turetzky
Pavel Sternberg
Paul Werner
Robert Friedman
Rachel Tarko Hudson
Raymond Marshall
Reid Whitten
Sarah Aberg
Sheppard Mullin
Snehal Desai
Shanna Pearce
Shannon Petersen
Townsend Bourne
Ted Max
Yaniss Aiche

Latest from Eye On Privacy

French data protection authority CNIL has issued a fine against company Assistance Centre d’Appel related to the use of biometric technology in the workplace. During an audit at the end of 2016, CNIL found that the company was using fingerprint timeclocks to track employee hours without prior authorization from CNIL as required by the French Data Protection Act. In France, an employer may not use biometric data to monitor employees’ hours absent prior approval from…
The UK’s Information Commissioner’s Office (ICO) has issued its first GDPR notice to Canadian data analytics firm AggregateIQ Data Services Ltd. The company uses personal data to target political advertising at voters prior to elections. The ICO was concerned about the firm’s use of targeted advertising in the UK’s 2016 EU referendum and the 2016 US presidential election, something the ICO is otherwise investigating. In this case, the ICO accused AggregateIQ of failing to…
California’s governor recently signed into law a bill requiring connected device manufacturers to include “reasonable” security features for connected devices sold in California. The law doesn’t go into effect until January 1, 2020, and requires that the devices have security “appropriate to the nature and function of the device” and appropriate to the type of information collected. The security measures should also guard against breaches. Reasonable measures include, where appropriate, having a unique, preprogrammed password…
The French data protection authority CNIL has received 3,767 data protection complaints since EU’s General Data Protection Regulation (GDPR) came into effect on May 25, 2018. According to CNIL this is a 64 percent increase compared to the same four-month period last year. CNIL also reported that it has received 600 data breach notifications during the same period. CNIL is in the process of developing new French regulatory tools under GDPR. It has already developed…
apps2
As Apple recently reminded developers, starting on October 3, 2018 it will require all apps being submitted for distribution through its app store, or for testing by its TestFlight service, to have a publicly posted privacy policy. This requirement was incorporated into Apple’s App Store Review Guidelines and will apply to all new apps, as well as all updated versions of existing apps. Previously only those apps that collected user information had to have a…
Canada’s national breach notification requirements are coming online November 1st, meaning companies experiencing a data breach will soon have new reporting obligations.  These requirements were created in 2015 by the Digital Privacy Act, which amended the Personal Information Protection and Electronic Documents Act (PIPEDA), Canada’s main privacy statute.  In April 2018, in preparation for the national implementation of the new law, the Office of the Privacy Commissioner of Canada (OPC), with authority to issue…
The UK’s data protection authority, the ICO, recently fined marketing firm Everything DM Ltd for sending almost 1.5 million marketing emails without obtaining sufficient consent as required by the UK’s Privacy and Electronic Communications Regulations. In particular, the company sent messages on its clients behalf, the messages appeared to the recipient to come from the client, not Everything DM Ltd, yet Everything DM could not establish for the ICO that either it or its clients…
In a victory for online retailers, a New York federal court recently dismissed three putative class action lawsuits brought on behalf of website visitors whose mouse clicks, keystrokes, and electronic communications were tracked by a third-party marketing company. The cases were filed against three e-commerce retailers—Casper (a mattress manufacturer and retailer), Tyrwhitt (a men’s clothing company), and Moosejaw (an active outdoor retailer)—and against a marketing company named NaviStone. NaviStone offers computer code that allows e-commerce…
Last month a federal district court dismissed a putative class action lawsuit against United Airlines challenging its use of fingerprint scanning timeclocks. The lawsuit brought by United employee David Johnson alleged that the company’s collection and use of employees’ fingerprints violated the Illinois Biometric Information Privacy Act (BIPA) because the company failed to get the requisite consent from its employees for fingerprint collection and use.…
On September 1, the Colorado breach notification statute update became effective, the first of two developments that occurred over the weekend. As we wrote about when the modification was passed, Colorado’s updated statute expands the definition of “personal information” to include ID numbers, medical information, and biometric information and places a proactive obligation on companies to investigate potential breaches. If notification is required, it will now have to be provided within 30 days of the…