Claims Against the CNIL’s Decision to Grant an Adaptation Period for Compliance on Cookie Consent Rules Dismissed

The French Council of State considers legal the decision of the Commission Nationale de l’Informatique et des Libertés (CNIL) to engage in a consultation to define the new practical modalities for expressing consent in the matter of targeted advertising, and to grant stakeholders a period of adaptation.


Pending the finalization of the new ePrivacy Regulation, there have recently been several material changes in the local regulations applying to cookies and tracking devices. The ePrivacy Directive requires consent for certain types of cookies and tracking devices, and several national data protection authorities (including in France, Germany, the Netherlands and the UK) have started to change their guidance on cookies to take into account the changes brought by the General Data Protection Regulation (GDPR) on what constitutes valid consent.

In addition, the Court of Justice of the European Union (CJEU) announced, on 1 October 2019, its decision in the Planet49 case on the very issue of consent for cookies. An analysis of this decision may be found on our blog, Security & Privacy // Bytes.

Proposed CCPA Regulations: Initial Overview and Highlights

On October 10, 2019, the California Attorney General (California AG) issued the long-awaited California Consumer Privacy Act (CCPA) Regulations (Proposed Regulations), along with an Initial Statement of Reasons (ISOR) explaining the Proposed Regulations. These Proposed Regulations not only fill in statutory gaps, but also create several substantive new requirements. Companies may submit comments through December 6, 2019, and several public hearings will be held in the first week of December. Our Data Privacy & Cybersecurity Practice can assist you in drafting comments to the California AG during this public comment period.

I’m an Employer – What Do I Need to Do under CCPA?

Welcome to our post highlighting key compliance issues under the California Consumer Privacy Act (CCPA). For a broader look at CCPA, please read our prior posts regarding applicability, gap assessments, and the recent amendments, and remember to register for our upcoming webinar covering the final requirements of the law on October 17, 2019. Stay tuned for our next post, “I’m a B2B Company – What Do I Need to Do under CCPA?”


If CCPA applies to your organization and you employ California residents, you may be rejoicing after the recently passed amendments. On September 13, 2019, the California Senate and Assembly passed bills including a limited moratorium for specific types of worker data (as defined below) and the bills are expected to be signed by the Governor soon.

The carve-out is generous, but it is not unlimited. In short, using worker data for any purpose other than employment-related purposes will likely result in the data falling outside of the scope of the exemption, and employers are still required to provide notice.

Unless the moratorium is extended or a permanent carve-out is adopted in the next legislative session, CCPA will apply in full to all worker data effective January 1, 2021.

Déjà Vu:  New California Ballot Initiative Seeks to Strengthen Data Privacy Further

Even though the California Consumer Privacy Act (“CCPA”), enacted in June 2018, radically transformed data privacy regulation in the US, it appears that some privacy advocates in California are seeking to strengthen consumers’ data privacy rights even further. Californians for Consumers Privacy, the group behind the ballot initiative that led to the CCPA, announced this week that it would seek to gain approval for a new ballot initiative that would be voted on by Californians in the November 2020 general election. The new proposal, filed on September 26, 2019, would, among other things, create new rights around the use of “sensitive” personal information, enhance protections for minors, and impose transparency obligations connected with automated decision-making. It would also create a new authority, the California Privacy Protection Agency, which would take over the role currently assigned to the Office of the Attorney General of California to enforce the law and provide guidance to the industry and consumers.

The Planet49 Decision: Key Takeaways

On October 1, 2019, the Court of Justice of the European Union (CJEU) issued its decision in the Planet49 case. The decision confirms much-anticipated and relevant principles regarding the use of consent for the processing of personal data and the use of cookies. Notably, it confirms that pre-ticked boxes do not constitute a legally valid consent, in line with the General Data Protection Regulation (GDPR).

However, the decision does not provide answers to some of the key issues that publishers and other companies with an online presence struggle with. Questions surrounding so-called cookie walls[1], or whether consent may be obtained by the mere action of browsing on a website (for instance, accompanied with a notice or pop-up, such as “if you scroll down…” or “if you continue browsing on this website…”), are still outstanding.

Webinar: The Final California Consumer Privacy Act – What Are Your Obligations?

The California Consumer Privacy Act (CCPA) takes effect on January 1, 2020. The California legislature passed a number of amendments on September 13, 2019, that alter the law in important ways. These amendments are now being reviewed by the governor and will be finalized by October 13, 2019. Join our webinar just a few days later, on October 17, when Elliot Golding and Lydia de la Torre will explain requirements under the CCPA and practical steps to comply, including an analysis of how the law is modified by the amendments related to employee data, B2B data, loyalty programs, disclosure methods, parental consent, and other issues.

Our discussion of the final version of the act will include:

  • Scope and applicability (e.g., what companies, data and processes will be impacted)
  • Key requirements (e.g., privacy statement, individual rights, etc.)
  • Suggested steps to build a CCPA compliance program efficiently and effectively
  • Practical tips to manage risk and leverage existing compliance processes where possible

Attendees will have the opportunity to ask questions during the program, with a full Q&A session to follow.

If you would like to attend, or have colleagues who would, please register any interested parties.

Polish Data Protection Authority’s Position on Making Copies of Identity Documents by Banks



On September 9, the Polish Data Protection Supervisory Authority (UODO) issued its response to the letter of the President of the Polish Bank Association, wherein it clearly stated that the provision of the banking law (i.e. article 112b of the act) does not entitle banks to make copies of personal ID cards of their clients at all times (e.g. for the purpose of setting up a bank account or checking the client’s credibility). In the regulator’s opinion, making copies is permitted only when the law explicitly authorizes one to do so.

CCPA 2019 Amendments: Do They Provide the Clarity Businesses Need?

This is Squire Patton Boggs’ Data Privacy and Cybersecurity Group’s second post regarding the recent amendments to the California Consumer Privacy Act (CCPA), which goes into effect January 1, 2020. Our earlier post covering the CCPA amendment requiring data brokers to register with the California Attorney General is available here. Please also read our prior posts regarding CCPA applicability and gap assessments, and remember to register for our upcoming webinar covering the final requirements of the law on October 17, 2019. Stay tuned for additional posts and information about CCPA.

The bills modifying CCPA that passed are: consolidated bills A.B. 1355 (clarifies breach provision and makes changes to definitions), A.B. 25 (partially excludes employee information), and A.B. 1146 (generally exempts warranty and recall information from deletion requirement and in certain contexts, from the opt out requirement also); A.B. 1564 (toll-free number alternative); and A.B. 874 (clarifies exemptions from the definition of “personal information”).

CCPA and California’s New Registration Requirement

The California legislature made several amendments to the California Consumer Privacy Act (“CCPA”) last Friday, September 13, 2019. This post focuses on the enactment of Assembly Bill No. 1202, which requires certain businesses that sell consumers’ personal information, as defined under the CCPA, to register as data brokers with the California Attorney General. For more information about the CCPA, see our prior alerts on applicability and conducting gap assessments, and remember to register for our October 17, 2019 webinar covering the final requirements under the law.

Assembly Bill No. 1202

In a surprise move, the California legislature passed Assembly Bill No. 1202 (“A.B. 1202”) on September 13, 2019, and the bill will now head to the governor’s desk for a final signature. This new law requires “data brokers” to register with the California Attorney General’s Office on an annual basis.

Nevada’s New Privacy Law Will Go Into Effect Next Month: Are You Ready?

The Nevada Privacy of Information Collected on the Internet from Consumers Act (NPICICA) applies to operators of commercial websites and online services. NPICICA was amended in June 2019 through SB-220 to include a requirement to allow consumers to opt out of certain data disclosures (“Sales”). This new law was inspired by the advent of the most stringent US state privacy law, the California Consumer Privacy Act (“CCPA”). Remarkably, it will leapfrog CCPA as it goes into effect on October 1, 2019.