Privacy & Data Protection

In a judgment of August 1, 2022, the Court of Justice of the European Union (CJEU) provided further guidance on two important aspects of the General Data Protection Regulation (GDPR) (CJEU C-184/20). In summary, the CJEU held that, first, for a national law that imposes a legal obligation to process personal data to be able to constitute a legal basis for processing, it needs to be lawful, meaning that it must meet an objective of public interest and be proportionate to the legitimate aim pursued, and second, that non-sensitive data that are liable to reveal sensitive personal data need to be protected by the strengthened protection regime for processing of special categories of personal data.

Continue Reading Processing of Personal Data That May Indirectly Reveal Sensitive Information on the Basis of a Legal Obligation: The CJEU Draws the Contours

On August 24, 2022, the California Attorney General’s Office announced a settlement with Sephora, Inc. (Sephora), a French multinational personal care and beauty products retailer. The settlement resolved Sephora’s alleged violations of the California Consumer Privacy Act (CCPA) for allegedly failing to: disclose to consumers that the company was selling their personal information, process user requests to opt out of sale via user-enabled global privacy controls, and cure these violations within the 30-day period currently allowed by the CCPA.

Continue Reading $1.2 Million CCPA Settlement with Sephora Focuses on Sale of Personal Information and Global Privacy Controls

In the recent article, “Facebook and Google settled biometrics lawsuits. Look for more.” featured in Crain’s Chicago Business, Partner Jason Stiehl analyzes wider repercussions of Snapchat’s recent settlement after accusations that it used facial recognition technology that collected and stored users’ biometric information without consent. Stiehl explains that he expects more litigation due to Illinois’

The California Office of the Attorney General issued its first opinion interpreting the California Consumer Privacy Act (CCPA) on March 10, 2022, addressing the issue of whether a consumer has a right to know the inferences that a business holds about the consumer. The AG concluded that, unless a statutory exception applies, internally generated inferences that a business holds about the consumer are personal information within the meaning of the CCPA and must be disclosed to the consumer, upon request. The consumer has the right to know about the inferences, regardless of whether the inferences were generated internally by the business or obtained by the business from another source. Further, while the CCPA does not require a business to disclose its trade secrets in response to consumers’ requests for information, the business cannot withhold inferences about the consumer by merely asserting that they constitute a “trade secret.”

Continue Reading California AG Interprets “Inferences” Under CCPA

On February 23, join Crowell attorneys Preetha Chakrabarti and Suzanne Trivette and Gail Gottehrer of Gail Gottehrer LLC for “Lawyers in the Metaverse.” Hosted by the National Association of Women Lawyers’ Women in Intellectual Property & Tech Law affinity group of which Preetha and Gail are co-chairs, this timely webinar will help lawyers understand how

The California Consumer Privacy Act (“CCPA”), which went into full effect on January 1, 2020, has seen robust enforcement efforts by the office of the California Department of Justice. In late January, California Attorney General Rob Bonta announced an investigative sweep of businesses operating loyalty programs in California and sent notices alleging noncompliance with the CCPA to major corporations in the retail, home improvement, travel, and food services industries. In addition, Attorney General Bonta has encouraged consumers to know and express their privacy rights through an online platform that allows them to directly notify businesses of potential violations.
Continue Reading Enforcement of The California Consumer Privacy Act Via Letters Noticing Noncompliant Loyalty Programs and Online Tool for Consumers to Notify Businesses of Potential Violations

Monday, October 18, 2021

Deceptive or Misleading Conduct & Protecting Older Consumers

  • The FTC issued its latest report to Congress on protecting older consumers, which highlights updated findings from the Commission’s fraud reports showing trends in how older adults report being affected by fraud with the most frequent type of fraud reported by older adults

As the world continues to settle into its new normal, so too have regulators. Recently, State Attorneys General (AGs) have increasingly focused on several specific enforcement priorities, including (1) price gouging; (2) privacy concerns; (3) antitrust litigation; and (4) harmful substances in products and environmental issues. Many of these priorities have gained prominence in the midst of the COVID-19 pandemic.
Continue Reading Enforcement in the New Normal: Recent Trends in State AG Enforcement

On August 20, 2021, China’s national legislature passed the Personal Information Protection Law (“PIPL”), which will become effective on November 1, 2021. As China’s first comprehensive system for protecting personal information, the PIPL is an extension of the personal information and privacy rights enshrined in China’s Civil Code, and also a crucial element of a set of recent laws in China that seek to strengthen data security and privacy. Among other things, the PIPL sets out general rules for processing and cross-border transfer of personal information. A number of provisions, notably various obligations imposed on data processors, restrictions on cross-border transfer, and hefty fines, will have significant impact on multinational corporations’ HR activities, including recruitment, performance monitoring, cross-border transfers, compliance investigations, termination of employment relationships, and background checks.

This alert will highlight specifically how the PIPL will apply to workplace scenarios in China and provide suggestions to help ensure data privacy compliance for multinational corporations’ China labor and employment operations.

Employee Consent and Exceptions to Consent

Under Article 4 of the PIPL, “personal information” is defined broadly as information related to natural persons recorded electronically or by other means that has been used or can be used to identify such natural persons, excluding information that has been anonymized. Specific types of personal information have been noted for additional protection under Article 28 of the PIPL as “sensitive personal information”. Sensitive personal information is defined under the law as personal information that is likely to result in damage to the personal dignity, physical wellbeing or property of any natural person, and includes, among others, information such as biometric identification, religious belief, special identity, medical health, financial account, physical location tracking and whereabouts, and personal information of those under the age of 14.
Continue Reading Employee Personal Information Protection in China – Are You Up to Speed?

Could the end of Section 6(b) of the Consumer Product Safety Act (CPSA) actually be near?  Time will tell.  But last week’s development on Capitol Hill in the saga of “Section 6(b)” is noteworthy, and, one day in the not-so-distant future, may be recognized as the beginning of the end for this controversial provision of the law.

On April 22, Senator Richard Blumenthal (D-CT) and Representatives Jan Schakowsky (D-IL) and Bobby Rush (D-IL) introduced legislation—the Sunshine in Product Safety Act—to fully repeal Section 6(b) of the CPSA.  This is the first time in recent memory that Members of Congress have introduced legislation to do away with Section 6(b) altogether.  For example, in the last Congress, Representative Rush introduced the “SHARE Act,” which sought primarily to scale back one of Section 6(b)’s most important protections for firms—allowing a company to judicially challenge the U.S. Consumer Product Safety Commission’s (“CPSC” or “the Commission”) decision to release information about a firm, or one of its products, prior to its disclosure.  But that legislation left the rest of Section 6(b)’s procedures and protections intact.  This current bill, therefore, is much more ambitious, and stakeholders should take note.

By way of background, Section 6(b) requires the CPSC to engage in certain procedural steps before publicly disclosing information from which the identity of a manufacturer of a product can be readily ascertained.  Those include taking reasonable steps to ensure that the information to be disclosed publicly is fair, accurate, and reasonably related to effectuating the purpose of the product safety laws.  Practically speaking, this means notifying the manufacturer of the potential disclosure, providing either a summary of what the agency intends to disclose, or the actual disclosure itself, and providing the company with the opportunity to comment, typically 15 days, though that time period can be shortened by the CPSC with a “public health and safety finding.”  Other regulators, like FDA and NHTSA, do not have similar statutory constraints on the release of product information nor do they have due process protections around data release, whether those be adverse events or vehicle accidents.
Continue Reading New Bills Seek to Repeal Controversial Provision of Product Safety Act