Eye On Privacy

Timely Updates and Analysis on Privacy and Cybersecurity Issues

The Supreme Court’s recent decision in Barr v. American Association of Political Consultants held the government-debt exception of the TCPA unconstitutional under the First Amendment’s Free Speech Clause.  This means that going forward, companies that make “debt-collection” calls on behalf of the federal government can only do so with the prior express written consent of the called individuals.…
The EDPB has provided input about consent in its recent FAQs responding to the Schrems II invalidation of Privacy Shield. As we wrote about previously in this series, Schrems II impacted how companies transfer data from the EU to the U.S. As background, under GDPR, consent from the individual can be relied on to transfer information from the EU to an entity outside of the EU’s borders if three conditions exist. The EDPB reminded companies…
U.S. companies are in a bind in the wake of the recent EU decision rejecting the validity of the Privacy Shield. While it is clear that the EU will not accept Privacy Shield participation as a basis for transferring data from the EU to the U.S., next steps for participants are unfortunately not clear cut. U.S. companies who participate in the Shield program face two decisions: (1) whether to continue participation in the Privacy Shield…
NIST recently released the final public draft of SP 800-172, Enhanced Security Requirements for Protecting Controlled Unclassified Information: A Supplement to NIST Special Publication 800-171 (formerly Draft NIST SP 800-171B). NIST is proposing additional security requirements for certain CUI in non-federal systems that is associated with critical programs or high value assets and is soliciting public comments through August 21, 2020.…
Maine’s internet privacy law survived its first challenge from internet service providers earlier this month. As we previously discussed, this law prohibits the sale of certain information about customers’ internet use by internet service providers and went into effect on July 1, 2020.…
On July 16, 2020, in the case colloquially known as “Schrems II,” the Court of Justice of the European Union (CJEU) struck down the EU-US Privacy Shield, finding it an invalid mechanism for transferring data from the EU to the US. The CJEU concluded that the Standard Contractual Clauses (SCCs) are valid for the transfer of personal data outside the EU (which would include transfers to the US), with certain conditions.…
HyperBeard, the makers of several children’s mobile apps (including KleptoCats), recently settled with the FTC over failure to obtain verifiable parental consent before collecting children’s personal information online, in violation of COPPA. In its complaint, the FTC argued that the HyperBeard apps were clearly directed to children. The apps contained brightly-colored animated characters, kid-friendly language, games that were easy to play, and were promoted on kids’ websites and publications.…
As a part of its Cybersecurity for IoT Program, NIST recently released two publications with the goal of providing cybersecurity guidance and best practices specific to companies manufacturing IoT devices. These publications were developed as a part of NIST’s implementation of the 2017 Executive Order on Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure. With these publications, NIST provides a set of recommended activities that manufacturers should consider to improve the securability of…