On June 28, 2019, the French Data Protection Authority (CNIL) released its 2019-2020 action plan on ad targeting (action plan);1 among other things, the CNIL announced that it will issue new cookie guidance later this month and that, once the guidance is published, companies will have a 12-month grace period to come into compliance. Background When the General Data Protection Regulation (GDPR) became effective on May 25, 2018, it imposed stricter conditions for obtaining…

On July 8, 2019, the UK Information Commissioner’s Office (ICO) announced its intention to fine British Airways GBP 183.39 million over a data breach in which the personal data of approximately 500,000 customers was compromised.[1] If made final, the fine—equivalent to approximately U.S. $230 million—would be the biggest fine ever issued by the ICO as well as any Supervisory Authority (SA) in the European Union.…

On July 9, 2019, the European Court of Justice (ECJ)—the highest court of the European Union—will hear oral arguments in the Schrems 2.0 case relating to the validity of two key data transfer mechanisms: the Standard Contractual Clauses (SCCs) and the EU-US Privacy Shield. Both of these mechanisms are widely used by companies in the European Economic Area (EEA), which comprises the 28 EU member states plus Iceland, Liechtenstein, and Norway, to allow the transfer…

On June 27, 2019, the EU Regulation on Information and Communication Technology (Cybersecurity Act or Act) became effective introducing, for the first time, EU-wide rules for the cybersecurity certification of products and services (Certification). The Certification may create a competitive advantage for companies that sell their products and services in the EU. Further, the Certification may act as a catalyst to the anticipated certifications for GDPR-compliance. In addition, the Cybersecurity Act provides for a new…

On June 20, 2019, the UK’s Data Protection Authority (ICO) published a report on adtech and real-time bidding. The report highlights the main problems faced by the industry when applying the General Data Protection Regulation’s (GDPR’s) stringent requirements, and calls for further engagement on these issues by the different adtech players in the space. Background When the GDPR became effective on May 25, 2018, it imposed new and strict obligations on companies processing personal data.…

Provides Detailed Specifications Both for Information Security Program and Third-Party Assessments On June 12, 2019, the Federal Trade Commission (FTC) announced it had reached a proposed settlement with LightYear Dealer Technologies, LLC (doing business as “DealerBuilt”) over allegations that the automobile software provider’s inadequate data security practices had resulted in a data breach in 2016.1 This consent order deserves a close read because the FTC has imposed data security obligations on DealerBuilt that go…

On May 29, 2019, in the midst of the legislative amendment process taking place in Sacramento for the California Consumer Privacy Act (CCPA), Nevada has passed its own CCPA-like privacy law, SB 220, taking effect on October 1, 2019, just three months before the CCPA becomes operative. The law’s main focus is to give consumers the right to opt out of the sale of certain personal information about them, though it is substantially narrower than…