In this issue:

- European Data Protection Law: Breach Notification Requirements – A Global Approach

- FTC Announces $1 Million Penalty for Children’s Privacy Violations by Fan-Club Website Operator

- Company That Purchased and Sold Sensitive Consumer Data Agrees to $1.2 Million Settlement with FTC

- California Law Prohibits Employers from Demanding Social Media Passwords from Employees and Applicants with Limited Exceptions

- Court Dismisses Michigan Class Action Claims Alleging Pandora Improperly Disclosed Profile Information and Musical Preferences

- An excerpt from "European Data Protection Law: Breach Notification Requirements – A Global Approach":

Cyber attacks, hacked passwords, compromised credit card information, and data thefts—in recent years, data breaches have become commonplace. Under data protection law, data breaches may have to be reported to regulators, who then will decide whether action against a company should be taken, and potentially to individuals as well. Due to the global nature of the Internet and the evolving digital environment, data breaches may not be limited to one country and the same incident may trigger notification requirements in a variety of countries. For example, a breach related to a database located in the United States that also is distributed among different European Union (EU) countries or that may otherwise concern the data of EU citizens might trigger notification requirements in the EU.