Jones Day Global Privacy & Data Security Update | Vol. 20

by Jones Day

Jones Day


Regulatory—Policy, Best Practices, and Standards

NIST Releases Internal Report Regarding IoT Cybersecurity

In September, the National Institute of Standards and Technology ("NIST") released a draft internal report called "Considerations for Managing Internet of Things ("IoT") Cybersecurity and Privacy Risks." The report addresses differences in managing cybersecurity and privacy risks for conventional information technology versus the IoT.

Regulatory—Consumer and Retail

Children's Consumer Protection Watchdog Asks FTC to Investigate Manipulative Preschool Apps

On October 30, the Campaign for a Commercial-Free Childhood ("CCFC") asked the Federal Trade Commission ("FTC") to investigate the market for preschool apps. The CCFC cited a new University of Michigan study that found "a number of troubling advertising practices, including apps that force kids to watch ads or make in-app purchases in order to advance in the game," as well as advertisements disguised as gameplay, and cartoon characters urging children to make purchases.

Retailer Announces Breach of Employee Data

On November 5, a retailer notified employees that some of their personal data may have been compromised in an internal data breach. The company stated that it was investigating an October 9 incident in which a contract worker improperly handled some employee data. Compromised data may have included employees' names, Social Security numbers, payment card numbers, checking and routing account numbers, insurance provider information, salary information, dates of birth, addresses, and phone numbers.


SEC Orders Cease-and-Desist Proceedings Against Investment Adviser

On September 26, the Securities and Exchange Commission ("SEC") ordered public administrative and cease-and-desist proceedings against a registered broker-dealer and investment adviser for deficient cybersecurity practices. The SEC found that the company violated the Safeguards Rule by failing to adopt written policies and procedures reasonably designed to protect customer records and information. The SEC also found that the company violated the Identity Theft Red Flags Rules by failing to develop and implement a written identity theft prevention program. The SEC imposed a $1 million civil monetary penalty on the company.

SEC Report Recommends Improvements to Internal Accounting Controls to Combat Cyber Fraud

On October 16, the SEC published an investigative report examining the efficacy of internal accounting controls for nine public companies that lost millions of dollars as a result of cyber-related fraud. Though public companies are required to implement internal accounting controls designed to safeguard against cyber-related fraud, as required by Section 13(b)(2)(B) of the Securities Exchange Act of 1934, the SEC found that the fraudulent schemes "were not sophisticated in design or the use of technology." The SEC recommended that public companies reassess and calibrate their internal accounting controls to the current cybersecurity risk environment.

Bank Announces Data Breach Affecting Some Online Customer Accounts

On November 2, a bank notified customers of unauthorized access to online customer accounts between October 4 and October 14. The bank disclosed that the incident may have exposed customers' full names, dates of birth, email addresses, phone numbers, bank account numbers, balance information, and statement histories. The bank suspended online access to these customers' accounts and offered a subscription to credit monitoring services for affected customers.


Seven Russian Agents Face Charges for Hacking U.S. Nuclear Power Company
On October 4, the U.S. Department of Justice announced an indictment against seven Russian intelligence agents accused of hacking a U.S. nuclear power company that designed nuclear plants and sold nuclear fuel to Ukraine. According to the indictment, the hackers surveyed the company's networks and personnel, created a fake company domain, and sent spear-phishing emails to the work and personal email accounts of the company's employees in an attempt to collect log-in credentials.

Intelligence Report Details Foreign Economic Cyber Threats Against U.S. Industries
In November, the National Counterintelligence and Security Center released its 2018 Report on Foreign Economic Espionage in Cyberspace. The report described the threat of cyber-economic espionage against U.S. industries by foreign nation-state actors that exploit vulnerabilities in next-generation technologies such as artificial intelligence, the IoT, and cloud computing. The report identified the energy, biotechnology, and defense technology industries as among the sectors of highest interest to foreign actors. The report also highlighted emerging cyber threats to U.S. industries, including potential infiltration of supply chain operations.


FTC Settles With Ride-Sharing Service for Failure to Disclose Data Breach
On October 26, the FTC gave final approval to a settlement agreement with a ride-sharing service. The FTC alleged that the company had deceived consumers about its privacy and data security practices, such as failing to take reasonable measures to secure consumer data stored in the cloud, resulting in two data breaches. The FTC's Decision and Order requires the company to maintain a comprehensive privacy program, obtain privacy assessments by a third party, report any future data security incidents to the FTC, and submit a compliance report to the FTC.

FCC Commissioner Discusses Development of Smart Cities
On October 30, Michael O'Rielly, a commissioner of the U.S. Federal Communications Commission ("FCC"), made remarks on technological advancements needed to build smart cities, including fiber, spectrum, and the IoT. The commissioner also highlighted data privacy concerns associated with the collection, use, and analysis of individuals' data in a smart city.

Regulatory—Health Care/HIPAA

Health Insurer Agrees to Largest Settlement of a Health Data Breach

On October 15, the U.S. Department of Health and Human Services Office for Civil Rights ("OCR") announced that a health insurance company agreed to pay $16 million and implement a corrective action plan to settle potential violations of the Health Insurance Portability and Accountability Act ("HIPAA") related to a data breach. The company discovered the breach in January 2015 that may have exposed the electronic protected health information of almost 79 million people between December 2, 2014, and January 27, 2015. The settlement represents the largest settlement paid to OCR, more than doubling the previous highest amount of $5.55 million in 2016.

Regulatory—Defense and National Security

Department of Defense Releases Cyber Strategy

On September 18, the Department of Defense ("DoD") released the "2018 Department of Defense Cyber Strategy," which supersedes the 2015 DoD Cyber Strategy. The Strategy focuses on securing sensitive information and accelerating cyber capabilities for countering malicious cyber actors. The DoD plans to build partnerships with private-sector entities to support the Department's cybersecurity activities and reduce malicious cyber activity targeting critical infrastructure.

White House Releases National Cyber Strategy

On September 20, the White House released the "National Cyber Strategy of the United States of America," which outlined how the Administration would protect networks, promote digital economic and domestic innovation, deter malicious cyber activity, and promote an open and secure internet abroad. The Strategy also focuses on ensuring that federal agencies have the necessary legal authorities and resources to combat malicious, transnational cybersecurity activity.

Litigation, Judicial Rulings, and Agency Enforcement Actions

New Mexico Attorney General Sues Technology Companies Over Children's Privacy Concerns

On September 12, New Mexico Attorney General Hector Balderas filed a complaint in the District of New Mexico against technology companies and application developers for alleging designing and marketing applications that illegally track children in violation of the Children's Online Privacy Protection Act. The complaint focuses on online game applications that access the geolocation, demographics, and online activities of children without the knowledge and consent of parents for the purpose of targeted advertising.

Attorneys General Reach $148 Million Settlement with Ride-Sharing Company Over Delay in Data Breach Notification

On September 26, attorneys general from all 50 states and the District of Columbia announced a $148 million settlement with a ride-sharing company to address the company's one-year delay in reporting a data breach. The company learned in November 2016 that hackers had gained access to some personal information of about 57 million riders and drivers, including drivers' license information of approximately 600,000 drivers nationwide, but the company did not notify the affected individuals pursuant to state laws until November 2017. The settlement also requires the company to implement certain data security safeguards, incorporate privacy-by-design into its products, and hire a third-party company to audit its data security practices.

Technology Company Strikes $50 Million Settlement in Data Breach Litigation

On October 22, an email service provider agreed to pay $50 million to settle a class action in the Northern District of California related to a trio of data breaches involving unauthorized access to usernames, passwords, and other private data of up to three billion email user accounts worldwide. The settlement still needs to be approved by the district court. The settlement would require the company to establish a $50 million non-reversionary settlement fund and provide at least two years of credit monitoring and identity theft-protection services for all settlement class members.

Ride-Sharing Company Reaches $4 Million Settlement of TCPA Class Action

On November 6, a proposed consumer class requested that the U.S. District Court for the Western District of Washington preliminarily approve its proposed $3.99 million settlement with a ride-sharing company. The class alleges that the company used an automatic telephone dialing system to send unsolicited commercial texts to individuals in violation of the Telephone Consumer Protection Act ("TCPA"). The settlement class includes all Washington residents who, between June 1, 2012, and the date of preliminary approval, received one or more invitational text messages through the company's "Invite A Friend" program.

Supreme Court to Weigh in on FCC's Interpretation of "Advertisement" Under TCPA

On November 13, the U.S. Supreme Court announced that it would determine whether the Hobbs Act required a district court to accept the FCC's legal interpretation of the TCPA. The FCC maintained that an unsolicited fax sent by a major health information provider regarding offers for a free e-book must have had a commercial goal to be an advertisement under the TCPA. The Supreme Court will consider the standard that lower courts must use to determine "when" and to "what extent" to defer to FCC guidance.

Consumer Reporting Agency Agrees to $22 Million Settlement of Data Breach Class Action

On December 3, a federal court in the Central District of California granted plaintiffs' request for preliminary approval of a proposed $22 million settlement of class action claims against a consumer reporting agency related to a data breach that affected 15 million individuals in the United States. The breach involved unauthorized access to individuals' names, addresses, dates of births, Social Security numbers, and driver's license numbers. The settlement funds will be used to provide two years of credit monitoring services to class members and cash payments for out-of-pocket costs.


Cybersecurity and Infrastructure Security Agency Act of 2018 Becomes Law

On November 16, the Cybersecurity and Infrastructure Security Agency Act of 2018 was signed into law. The law rebrands the Department of Homeland Security's main cybersecurity unit, the National Protection and Programs Directorate as the Cybersecurity and Infrastructure Security Agency ("CISA"). The law gives CISA the responsibility to protect the United States' critical infrastructure from physical and cyber threats and to coordinate with government and private-sector organizations to do so. It establishes three divisions in the new agency: Cybersecurity, Infrastructure Security, and Emergency Communications.


California Enacts Legislation Regulating Security of IoT

On September 28, California Governor Jerry Brown signed legislation making California the first state to expressly regulate the security of connective devices, commonly referred to as IoT devices. The new law aims to protect the security of both IoT devices and any information contained on IoT devices. The law requires a manufacturer that sells or offers to sell a connected device in California to equip the device with reasonable security features. The new law goes into effect on January 1, 2020. For more information, please see our Commentary.

Ohio Amends Data Breach Notification Law

On November 2, Ohio's amended data breach notification law went into effect. The amended law provides companies with a "safe harbor" against tort actions brought under Ohio law alleging a lack of reasonable information security controls. To qualify for the safe harbor, companies must adopt reasonable cybersecurity measures and ensure that the company's cybersecurity measures "reasonably conform" to certain industry-recognized frameworks. Companies also must tailor the scope of their cybersecurity program to the company's size, complexity, and nature of the company's activities, among other requirements.


Canada Launches New Canadian Centre for Cyber Security

On October 1, Canada announced the launch of its new Canadian Centre for Cyber Security. The Centre was created in response to Canada's 2016 Cyber Review, which identified a need for more "focused federal management on cyber security." The Centre's mandate is to "make Canada more resilient to cyber incidents and build a stronger cyber security community" within Canada.

Canada's Mandatory Data Breach Notification Law Goes into Effect

On November 1, Canada's Breach of Security Safeguards Regulations went into effect, implementing the Personal Information Protection and Electronic Documents Act, known as "PIPEDA." The regulations provide the requirements for mandatory data breach notification to affected individuals and the Office of the Privacy Commissioner if a breach poses a real risk of significant harm to individuals. Companies also must maintain a record of every security incident for 24 months. Companies are subject to potential penalties of CAD$100,000 for failure to make notifications or maintain records.

The following Jones Day lawyers contributed to this section: Jeremy Close, Meredith Collier, David Coogan, Jennifer Everett, Levent Hergüner, Jay Johnson, Laura Lim, Christopher Markham, Dan McLoon, Mary Alexander Myers, Kaeley Brown, Mauricio Paez, and Nicole Perry.



Argentinian Agency Sends Personal Data Privacy Bill to Congress

On September 19, the Access to Public Information Agency (Agencia de Acceso a la Información Pública) submitted to Congress a bill to update Argentina's personal data privacy legislation (source document in Spanish). The bill proposed restrictions on the use of personal data and additional mechanisms for companies to safeguard sensitive material, including appointment of a data protection officer and expanded individual rights.


Brazil Observes Council of Europe's Convention 108 Meeting

On October 18, the Council of Europe announced that Brazil joined the Committee of Convention 108 as an observer. Convention 108 requires signatories to take the necessary steps in their domestic legislation to implement the data protection principles of the Convention. Observers are countries that have not yet become members of the Convention.


Chilean Congress Proposes New Computer Crimes Law

On October 25, the Ministry of the Interior and Public Security (Ministerio del Interior y Seguridad Publica) announced that it referred a new Computer Crimes bill to the National Congress (source document in Spanish). The Computer Crimes bill, part of Chile's National Cybersecurity Strategy, would replace the current regulation promulgated in 1993. The bill proposed to create several types of cybercrimes, including unauthorized access, disruption, or damage to a computer, and improve government coordination and response to cyber incidents.

Chile's Financial Stability Central Bank Warns of Cybersecurity Risks

On November 15, Chile's Central Bank (Banco Central de Chile) issued the Financial Stability Report corresponding to the second semester of 2018, which warned about the cybersecurity risks to private financial institutions and the importance of maintaining adequate security systems to prevent data breaches, critical disruptions, and information loss in Chile's financial system (source document in Spanish). No systemic cybersecurity attacks have occurred, although there were some reports of temporary interruptions to bank operations because of attacks on digital platforms.


Colombian Superintendence Joins OECD's Global Consumer Awareness Campaign

On November 13, the Superintendence of Industry and Commerce (Superintendencia de Industria y Comercio) announced its collaboration with the global consumer awareness campaign on product safety organized by the Organization for Economic Co-operation and Development ("OECD") and the European Commission to raise awareness about the risks involved in the free movement of unsafe products over the internet (source document in Spanish).

Costa Rica

Costa Rica Hosts the Ibero-American Meeting of Data Protection

On September 25, the Data Protection Agency (Agencia de Protección de Datos de los Habitantes) announced that Costa Rica will host the sixth edition of the Ibero-American Data Protection Meeting (source document in Spanish). The purpose of the meeting is to address best practices on data protection issues, identify data protection risks, and address changes to data protection laws at a global level.


Convention 108 and its Additional Protocol Enters into Force in Mexico

On October 1, the National Institute of Transparency, Access to Information and Protection of Personal Data (Instituto Nacional de Transparencia, Acceso a la Información y Protección de Datos Personales or "INAI") announced that Convention 108 of the Council of Europe and its Additional Protocol governing cross-border data flows went into effect in Mexico (source document in Spanish). The Convention requires signatories to take the necessary steps in their domestic legislation to apply the data protection principles of the Convention. The INAI announced that complying with the principles of the Convention would strengthen Mexico's business relations with other signatory countries and establish rules to facilitate data transfers.


Panamanian Congress Passes Bill to Protect Personal Data

On October 24, the Panamanian Congress (Asamblea Nacional de Panamá) passed bill No. 665 to safeguard and guarantee citizens' constitutional right to the protection of personal data (source document in Spanish). The bill appoints the Data Transparency and Access to Information Authority (Autoridad Nacional de Transparencia y Acceso a la Información) as the governmental agency with authority to protect personal data in connection with information and communication technologies.


Data Control Unit Issues Guidelines on Data Protection

On October 29, the Regulatory and Personal Data Control Unit (Unidad Reguladora y de Control de Datos Personales) announced the authorization of new guidelines on data protection issues (source document in Spanish). The guidelines provide recommendations for protecting personal data in three areas: (i) use of online cookies; (ii) implementation of Bring Your Own Device policies; and (iii) operation of drones.

The following Jones Day lawyers contributed to this section: Guillermo Larrea, Daniel D'Agostini, and Juan Carlos Quinzaños.


European Court of Justice

European Court of Justice Conducts Hearing on Privacy Case Referred by French Court
On September 11, the Court of Justice of the European Union ("CJEU") conducted a hearing to obtain evidence for a case brought by the French Data Protection Authority ("CNIL") in August 2017 against a U.S. technology company involving the right to be forgotten (source document in French). The CJEU obtained evidence from the technology company, the CNIL, a number of EU countries representatives, and other privacy advocates. The CJEU will have to decide whether the right to be forgotten should apply to all of the domain names used by a search engine worldwide, regardless of the place from where the search was initiated, or whether this right should apply only to searches initiated on domain names associated with the EU Member States where the search was initiated. The CJEU's decision is expected sometime next year.

European Court of Justice Rules on Access to Personal Data in Context of Criminal Investigation
On October 2, the CJEU adopted a judgment in Case C‑207/16 confirming the conditions for public authorities to access personal data retained by providers of electronic communications services to conduct criminal investigations. The CJEU stated that the access by public authorities to identification data (such as first name, last name, or address) of the holder of a SIM card activated for a stolen mobile telephone is not a "serious interference" with the fundamental rights of the persons whose data is concerned. The CJEU stated that such access is justified by the need to prevent, investigate, detect, and prosecute criminal offenses, even if those offenses are not defined as "serious."

European Parliament

Members of European Parliament Issue Resolution Calling for Investigation of Social Media Company
On October 25, members of the European Parliament announced a resolution urging a social media company to allow EU bodies to carry out a full audit to assess data protection and the security of users' personal data. This announcement arises out of alleged misuse of users' personal data on the social media platform by a third party. The members suggested that EU Member States conduct investigations in conjunction with the European Union's Judicial Cooperation Unit, known as Eurojust, whose mission is to promote and strengthen coordination and cooperation among national authorities to combat serious cross-border crime. The members also called for EU Member States to consider implementing rules to prevent political and electoral interference via social media.

European Commission

European Commission Publishes Report on Second Annual Review of Functioning of EU-U.S. Privacy Shield

On December 19, the European Commission published its report on the second annual review of the functioning of the EU-U.S. Privacy Shield. The report demonstrates that the United States continues to ensure an adequate level of protection for personal data transferred under the Privacy Shield from the European Union to self-certified companies in the United States. Since the last report, U.S. authorities have taken significant measures to implement the recommendations made by the European Commission and have therefore improved the functioning of the framework. The European Commission, however, is waiting for U.S. authorities to appoint a permanent Ombudsperson by February 28, 2019. The Ombudsperson is an important mechanism under the Privacy Shield to ensure that complaints by data subjects concerning access to personal data by U.S. authorities are properly addressed.

European Data Protection Board

EDPB Adopts 22 Opinions Listing Common Criteria for DPIAs
On September 25, the European Data Protection Board ("EDPB") adopted 22 Opinions listing the common criteria for the types of processing activities that require a data protection impact assessment ("DPIA"). A DPIA is a process to identify and mitigate data protection risks that could affect the rights and freedoms of individuals. The EDPB received lists from the national data protection authorities of 22 EU Member States regarding the types of operations that are likely to result in a high risk to individuals and may trigger a DPIA.

EDPB Adopts Opinion on Proposed e-Evidence Regulation
On September 25, the EDPB adopted an Opinion on the European Commission's proposed e-Evidence regulation of April 2018. The Board determined that the proposed new rules providing for the collection of electronic evidence should sufficiently safeguard the data protection rights of data subjects and be more consistent with EU data protection law.

EDPB Discusses EU-Japan Draft Adequacy Decision
On November 16, the EDPB met for its fourth plenary session and discussed work on the EU-Japan draft adequacy decision. The EDPB reiterated the importance of guaranteeing the continuity and high level of protection for data transfers from the European Union.

EDPB Adopts Draft Guidelines on Territorial Scope of GDPR
On November 16, the EDPB adopted draft Guidelines on the territorial scope of the GDPR and further clarification on the application of the GDPR in various situations, particularly the designation of a representative where the data controller or processor is established outside of the European Union. The Guidelines will be subject to a public consultation.

European Data Protection Supervisor

EDPS Publishes Opinion on Consumer Legislation
On October 5, the European Data Protection Supervisor ("EDPS") issued an Opinion outlining its position on the legislative package titled "A New Deal for Consumers." The package contains the Proposal for a Directive regarding better enforcement and modernization of EU consumer protection rules. It also contains the Proposal for a Directive on representative actions for the protection of the collective interests of consumers.

EDPS Calls for Closer Alignment Between Consumer Law and Data Protection Rules
On October 8, the EDPS released a statement calling for greater cooperation between regulators of Europe's consumer law and data protection rules to prevent legal uncertainty and develop a "big-picture approach" to addressing systemic harms to individuals in digital markets. In particular, the EDPS noted that it is "problematic" for consumers to pay for the supply of digital content or services with their personal data.

ENISA Publishes Annual Security Incidents Report
On October 8, the European Union Agency for Network and Information Security ("ENISA") published its annual report on security incidents for trust services in 2017. Electronic trust services relate to digital signatures, digital certificates, and other mechanisms used to secure electronic transactions. ENISA is required to publish the annual report pursuant to Article 19 of the Electronic Identification, Authentication and Trust Services ("eIDAS") Regulation. This is ENISA's first full-year report since the eIDAS Regulation went into effect.

ENISA Publishes Good Practices for Security of IoT for Smart Manufacturing
On November 19, ENISA published its study on security for IoT in the context of smart manufacturing. This ENISA study addressed the security and privacy challenges related to the evolution of industrial systems and services precipitated by the introduction of IoT innovations. The study discussed good practices to ensure security of IoT in the context of Industry 4.0/Smart Manufacturing, and mapped the relevant security and privacy challenges, threats, risks, and attack scenarios.


Belgium Establishes "Information Security Committee"

On September 10, the official journal published a law establishing the "Information Security Committee" to perform specific tasks regarding processing by public bodies and in the field of social security and health (source documents in French and in Dutch).

Belgium Publishes Law Implementing GDPR

On September 5, the official journal published the Belgian law implementing the GDPR (source documents in French and in Dutch). The Parliament had voted to pass the draft in July. For more information, please see our Alert.

Belgian Data Protection Authority Issues Six-Month Post-GDPR Implementation Status

On November 23, the Belgian Data Protection Authority ("DPA") published a status report on GDPR implementation (source documents in French and in Dutch). According to the report, there have been 317 data breach notifications (versus 13 in 2017), 3,599 information requests (versus 2,145 in 2017), 148 complaints/requests (versus 76 in 2017), 137 opinion requests (versus 44 in 2017), and 3,540 notifications of data protection officers. The report also mentions that the first dawn raids took place, although no file has yet been transmitted to the dispute body.


CNIL Reports on Effective Implementation of GDPR in France and Europe
On September 25, the French Data Protection Authority ("CNIL") published an article reporting progress on GDPR implementation (source document in French). For instance, 24,500 organizations have appointed a Data Protection Officer, as compared to only 5,000 prior to the GDPR. The article also reported that individuals have become more aware of their right to personal data protection since GDPR entered into force. For example, the number of complaints received by the CNIL has increased by 64 percent since May 25, 2018. Finally, the CNIL declared that new regulatory tools will be adopted soon to further encourage the effective implementation of the GDPR.

CNIL Issues Decision on Data Processing That Requires DPIA
On October 11, the CNIL issued Decision No. 2018-327 adopting a list of several types of data processing operations that require the implementation of a DPIA (source document in French). The list includes, for instance, the processing of health data by medical and social entities for patient care, biometric data of persons who are considered "vulnerable" (such as students, elderly persons, and patients), and personal data for the purpose of regularly monitoring employee activity.

CNIL Adopts New Guidelines Regarding DPIAs
On October 11, the CNIL adopted new guidelines on conducting DPIAs under the GDPR (source document in French). The guidelines supplement the requirements set out in Article 35(1) of the GDPR and the list of nine criteria defining high-risk data processing, adopted on October 4, 2017, by the Working Party 29 ("WP29"). In line with the WP29, the CNIL requires a DPIA for any data processing that meets at least two of the nine criteria. However, the CNIL exempts data controllers from conducting a DPIA if they provide a documented explanation that the processing does not create a "high risk." Where applicable, the explanation must include the opinion of the Data Protection Officer.

CNIL Issues Guidance on Measuring and Aggregating Audience Data
On October 17, the CNIL provided guidance on using devices to measure audiences and track attendance or flows of visitors in public spaces (source document in French). The CNIL explained that such rules do not apply to devices that do not collect personal data. The CNIL provided examples of scenarios for anonymizing and pseudonymizing this data and provided guidance on the need for a DPIA.

CNIL Issues Guidance on DPIAs
On November 6, the CNIL provided further guidance on conducting DPIAs (source document in French). The CNIL mentioned that a DPIA should: (i) precisely describe the data processing; (ii) provide a legal assessment of whether or not such processing is necessary and proportional to the fundamental rights concerned; and (iii) provide an evaluation of the technical risks in terms of data security. The CNIL explained that DPIAs are mandatory when using a type of processing that the CNIL already stated requires a DPIA (see CNIL's Decision n° 2018-327 of October 10, 2018) and whenever the processing meets at least two of the nine criteria mentioned under the G29 Guidelines (see Decision n° 2018-326 of October 10, 2018).

Cigref Publishes New Report on Cybersecurity
In October, the French Association Cigref, a large network of companies and public administration entities, published its latest report on cybersecurity (source document in French). The report provides private companies and public entities with guidelines and information about the security of their information technologies so that companies can identify, assess, and manage the risks of using those technologies. In its report, Cigref explained that cybersecurity issues should be governed internally by a manager, who would be responsible for raising awareness among other managers within the company on the impact that cyberattacks may have on the company's activity and assets.


Data Protection Authority Issues First German Fine under GDPR
On November 21, the Data Protection Authority of Baden-Württemberg issued the first fine under the GDPR in Germany against a social media provider for violating data security requirements (source document in German). The company had notified the authority of a data breach after becoming aware that the personal data of 330,000 users, including email addresses and passwords, had been stolen during a hack. The authority determined that the company violated data security obligations under Article 32 of the GDPR, for example by storing the passwords in clear text. The authority imposed a modest fine of €20,000 and took into account mitigating factors such as the company's willingness to cooperate with the authority.

Bavarian Administrative Court Decides Targeted Advertising Case

On September 26, the Bavarian Administrative Court decided that a social media company's custom audience feature for targeted advertising violated applicable data protection law in the absence of consent from social media users (source document in German). The Bavarian Administrative Court confirmed in its decision an order of the Bavarian Data Protection Authority ("BayLDA") prohibiting a Bavarian online shop from using the custom audience feature (source document in German).

Data Protection Authority Increases GDPR Compliance Audits of Bavarian Companies

On November 7, the BayLDA announced that it increased its auditing activities of Bavarian companies (source document in German). The audits focus on the secure operation of online shops, protection against ransomware in medical practices, compliance with the accountability obligations of large corporations and medium-sized companies, and implementation of information obligations in application procedures.

Data Protection Authority Warns of Scam

On October 2, the State Commissioner for Data Protection in Schleswig-Holstein ("ULD") warned companies of a fax sent by a fake authority going by the name "Datenschutzauskunft-Zentrale" falsely informing companies of a requirement to fill out a form to comply with data protection legal obligations (source document in German). The ULD stated that the "Datenschutzauskunft-Zentrale" is not an official authority.

Data Protection Authority Announces Guide for Website Operators

On October 12, representatives of the BayLDA announced a new book containing a summary of requirements for data protection on websites (source document in German). The document contains guidance and checklists for website operators to comply with the GDPR, as well as the anticipated ePrivacy Regulation.


Italian DPA Issues Opinion on Consent to Fundraising Text Messages
On November 15, the Italian DPA issued an opinion on the use of donor identification data by nonprofit organizations for the purpose of fundraising campaigns via SMS and telephone calls (source document in Italian). According to the DPA, data subjects who made donations to nonprofit organizations via SMS or phone calls may be informed of the outcome of the fundraising campaigns to which they participated. However, if these nonprofit organizations wish to contact the donors for a new campaign, the entities must obtain the donor's consent, which may be given by sending a text message or by pressing a button on the phone when making the donation.

Italian DPA Identifies Types of Processing Subject to DPIA Requirement
On November 15, the Italian DPA published the list of processing activities that require a DPIA (source document in Italian). The list prepared by the Italian DPA includes large-scale evaluation or scoring activities, automatic processing operations with a significant impact on individuals, systematic processing of biometric data and genetic data, and use of IoT and artificial intelligence technologies. Data controllers are also required to carry out a DPIA when at least two of the criteria set forth in the Working Party 29 Guidelines on DPIA are met or whenever the data controller deems that the specific processing requires a DPIA.

The Netherlands

Dutch DPA Provides Status Update on DPO Audits
On October 5, the Dutch DPA ("DDPA") completed its audit of hospitals and health insurers and determined that all 91 hospitals and 33 health insurers have registered a Data Protection Officer ("DPO") (source document in Dutch). On November 20, the DDPA announced that it is auditing 45 banks and 93 insurers on compliance with requirements to appoint a DPO (source document in Dutch). The first review showed that six banks and nine insurers have not registered a DPO with the DDPA.

DDPA Provides Guidance on Consent Requirements Under PSD2 to Payment Service Providers
On October 18, the DDPA issued notice to payment service providers about requirements for access to consumers' personal data under the second Payment Services Directive (source document in Dutch). One of those requirements is that payment service providers need the explicit consent of consumers before gaining access to personal data. The DDPA clarified that "explicit consent" means: the consent request must be separated from other parts of the agreement (for instance, through a pop-up or a separate checkbox in a dialogue screen), consent must be given freely and be unequivocal, informed, and specific. Consumers must be able to refuse or revoke consent without suffering adverse consequences.

DDPA Penalizes Agency for Insufficient Data Security
On October 30, the DDPA published a decision imposing a penalty on the Employee Insurance Agency ("UWV") (a Dutch quasi-governmental organization) for insufficient security of its web portal (source document in Dutch). The portal is used by employers and labor organizations to log employee absences due to illness. The DDPA determined that the UWV failed to maintain sufficient security measures because multifactor security is needed to secure health data.


SDPA Recommends Security Measures for Social Media Users
On October 3, the Spanish Data Protection Agency ("SDPA") issued recommendations to social media users in light of a security breach that could have exposed information of 50 million users (source document in Spanish). Although social media companies as data controllers are responsible for the privacy and security of users' personal data, the SDPA stated that users can also play an active role in the protection of their own personal data. The SDPA recommended that users follow basic security measures, such as managing their security settings, closing their sessions when finished with the site, and re-entering their credentials when they seek to access the site again.

Spanish Authorities Offer Recommendations to Promote Safe Online Shopping
On November 19, the SDPA, the General Directorate of Commercial Policy and Competitiveness, and the Directorate General of Consumer Affairs made recommendations to encourage safe online shopping (source document in Spanish). They advised that consumers use official or trusted pages, use robust passwords, avoid the use of public Wi-Fi networks, close sessions after completing purchases, use one credit card exclusively for online payments, and review website privacy policies, among other recommendations. The authorities also advised consumers who purchase connected toys for minors to check the types of data the toy collects, consider who and what the toy will be used for, and assess privacy configuration options.

Spanish Senate Approves New Data Protection Law and Guarantee of Digital Rights
On November 21, the Spanish Senate approved the Organic Law on Data Protection and Guarantee of Digital Rights and published it in the Official Spanish Gazette on December 6 (source document in Spanish). The law is designed to complement the GDPR. It also introduces new privacy rights in a digital environment, including the right to universal access to the internet, right to privacy with use of digital devices in the workplace, and right to privacy from video surveillance at work.

United Kingdom

ICO Fines Companies for Telemarketing Violations
On October 31, the Information Commissioner's Office ("ICO") announced fines of £220,000 against two companies that made 600,000 nuisance calls to individuals who opted out of telemarketing calls by registering with the Telephone Preference Service. The ICO stated that the fines are meant to deter marketing companies from violating consumers' privacy by contacting them without valid consent.

ICO Issues Maximum Fine Against Social Media Company
On October 31, the ICO announced that it issued the maximum fine possible under the Data Protection Act 1998 against a social media company for serious data protection violations. The ICO determined that between 2007 and 2014, the social media company allowed application developers to use personal information without sufficiently clear and informed consent. It also found that the company lacked adequate data security measures, which allowed third parties to harvest the personal information of 87 million individuals worldwide, including one million users in the United Kingdom.

The following Jones Day lawyers contributed to this section: Laurent De Muyter, Undine von Diemar, Olivier Haas, Jörg Hladjk, Bastiaan Kout, Jonathon Little, Martin Lotz, Hatziri Minaudier, Selma Olthof, Audrey Paquet, Sara Rizzon, Irene Robledo, Elizabeth Robertson, and Rhys Thomas.


Hong Kong

Privacy Commissioner Initiates Investigation into Hacking of Social Media Accounts

On September 29, the Privacy Commissioner for Personal Data ("Privacy Commissioner") initiated a compliance review to investigate the hacking of social media user accounts (source document in Chinese). The Privacy Commissioner emphasized that social media platforms should implement effective security measures to protect personal data of users from unauthorized or accidental access, processing, or use of personal data. The Privacy Commissioner suggested steps that social media users can take to protect their personal data, including changing passwords to social media accounts, activating two-factor authentication for account login, and checking privacy settings.

Privacy Commissioner Releases Report Regarding Ethical Processing of Personal Data

On October 24, the Privacy Commissioner released a report on the ethical and fair processing of personal data at the 40th International Conference of Data Protection and Privacy Commissioners held in Brussels, Belgium. In particular, the report addresses the processing of personal data through advanced technologies, such as artificial intelligence and machine learning, and seeks to balance the interests of all stakeholders.

Privacy Commissioner Announces Investigation of Airline Data Breach

On November 9, the Privacy Commissioner announced that it would initiate a compliance investigation of a data breach against an airline carrier pursuant to section 38(b) of the Personal Data Privacy Ordinance ("PDPO"). The Privacy Commissioner previously expressed concern that the breach might have compromised the personal data of local and foreign citizens, including names, dates of birth, passport numbers, Hong Kong Identity Card numbers, and credit card numbers. The Privacy Commissioner will examine the company's security measures to safeguard its customers' personal data and its data retention policies and practices.

Privacy Commissioner Announces Periodic Review of Data Protection Law

On November 14, the Privacy Commissioner issued a statement to inform the public it will review data protection issues as part of its statutory obligation to periodically review the PDPO. The Privacy Commissioner will focus on issues of recent importance, including mandatory breach notification requirements, sanctions for noncompliance, and regulation of data processors.


Personal Information Protection Commission Issues Guidance to Social Media Company

On October 22, the Personal Information Protection Commission of Japan announced that it provided guidance to a social media company to address the Commission's concerns about recent data breaches (source document in Japanese). The guidance includes a request for the company to report to the Commission regarding notice to data subjects and measures to prevent future breaches, among other requests.


PDPC Announces Rule Prohibiting Collection of National Identification Numbers

On November 13, Singapore's Personal Data Protection Commission ("PDPC") announced that organizations are not allowed to collect National Identity Registration Card ("NRIC") numbers or other national identification numbers, unless it is required by law or necessary to verify an individual's identity. This rule goes into effect on September 1, 2019.

PDPC Fines Financial Company for Website Security Vulnerabilities

On December 13, the PDPC imposed a $30,000 penalty on a financial company for failing to make reasonable security arrangements to prevent the unauthorized disclosure of personal data. The website that individuals used to register for an account contained a vulnerability that exposed the personal data of other users, including customer identification numbers, national identification numbers, and bank account numbers.

People's Republic of China

Ministry Releases Regulation Regarding Cybersecurity Inspections

On September 15, China's Ministry of Public Security released the Regulation on the Internet Security Supervision and Inspection by Public Security Organs, which became effective on November 1 (source document in Chinese). The Regulation sets forth detailed procedures describing how Public Security Bureaus conduct cybersecurity inspections of companies that provide internet services or network-using entities in China. Public Security Bureaus have a wide range of power and discretion to inspect internet service providers, such as physically entering the companies' premises, reviewing and copying materials related to internet security, and inspecting the companies by remote access. Public Security Bureaus may authorize cybersecurity service providers to conduct the inspections.

Cyberspace Administration Releases Draft Regulation on Blockchain Information Services

On October 19, the Cyberspace Administration of China released the draft Regulation on Blockchain Information Services (source document in Chinese). The draft Regulation was available for public consultation until November 2. It would require blockchain service providers to register certain information with the Cyberspace Administration of China, including the types of services provided, scope of application, and server address. Before launching any new products, applications, or functions, the providers must undergo a security assessment with the Cyberspace Administration. The draft Regulation also would require users of blockchain services to provide their ID card number and mobile phone number for identity verification. Providers may refuse blockchain services to users who refuse to disclose their real identity and may restrict or close accounts of users who have violated the Regulation or blockchain services agreement.

Chinese Authorities Release Regulation Governing Internet Information Service Providers

On November 15, the Cyberspace Administration of China and the Public Security Bureau jointly released the Regulation of Security Evaluation for Internet Information Service Providers ("IISP") that impact public opinion or social mobilization (source document in Chinese). The Regulation is designed to supervise and guide IISPs to fulfill the obligation of safety management, maintain online information security and order stability, and prevent the spread of rumors and false information. A new IISP must voluntarily conduct security evaluations before going online.

The following Jones Day lawyers contributed to this section: Michiru Takahashi, Sharon Yiu, and Grace Zhang.


OAIC Examines Privacy Protection Proposals for Digital Platforms

On December 10, the Office of the Australian Information Commissioner ("OAIC") announced that it is examining proposals in a preliminary report issued by the Australian Competition and Consumer Commission ("ACCC") to strengthen privacy protections for individuals on digital platforms. The preliminary report addresses concerns regarding the collection of consumer data and targeted advertising. The OAIC will issue its response to the ACCC's proposals in February.

The following Jones Day lawyers contributed to this section: Adam Salter and Samantha Sisomphou.


Current Developments in Global Data Privacy and Security, Ethics & Compliance Certificate Program, SMU Dedman School of Law, Dallas, Texas (February 2019). Jones Day Speaker: Jay Johnson

Data Privacy—A Discussion of Law and Policy, Federalist Society, Notre Dame Law School, South Bend, Indiana (February 2019). Jones Day Speaker: Jay Johnson

Handling a Cybersecurity Investigation: An Interactive Tabletop Exercise Led by a Regulator, a Lawyer, and a Security Expert, Utilities & Energy Compliance & Ethics Conference, SCCE, Houston, Texas (February 2019). Jones Day Speaker: Jay Johnson

Privacy by Design and Privacy by Default—on the Ground, IAPP Data Protection Intensive France 2019, Paris, France (February 2019). Jones Day Speaker: Olivier Haas

Threat & Vulnerability Management, CISO Executive Network, Dallas, Texas (January 2019). Jones Day Speaker: Jay Johnson

Blockchain Technology, Security, and Privacy, ABA Science and Technology Section, Webinar (January 2019). Jones Day Speaker: Jay Johnson

2018 Privacy & Data Security Recap, Association of Corporate Counsel, Minneapolis, Minnesota (December 2018). Jones Day Speaker: Rick Martinez

International Data Breach Notification: How to Get it Right, Roundtable Topic Discussion, IAPP Europe Data Protection Congress 2018, Brussels, Belgium (November 2018). Jones Day Speaker: Jörg Hladjk

The EU General Data Protection Regulation, Lecture at the Jones Day Course at Beijing University, Beijing, China (November 2018). Jones Day Speaker: Undine von Diemar

GDPR Training for members of China National Enterprise Compliance Committee (CNECC), Beijing, China (November 2018). Jones Day Speaker: Undine von Diemar

The Relevance and Context of GDPR for Players, FIFPro (International Federation of Professional Footballers)—Division Europe, General Assembly, Rome, Italy (November 2018). Jones Day Speaker: Jörg Hladjk

New Enforcement Powers: What DPAs Can Learn From Competition Law Practice, IAPP Europe Data Protection Congress, Brussels, Belgium (November 2018). Jones Day Speaker: Laurent De Muyter

Privacy and Security for Lawyers: Legal and Ethical Guidelines for Managing Evolving Risks, Houston Association of Women Lawyers, Houston, Texas (November 2018). Jones Day Speaker: Nicole Perry

Identity and Access Management, CISO Executive Network, Washington, D.C. (November 2018). Jones Day Speaker: Jennifer Everett

Identity and Access Management, CISO Executive Network, Dallas, Texas (November 2018). Jones Day Speaker: Jay Johnson

Recent California Privacy Regulations, CISO Executive Network, Houston, Texas (November 2018). Jones Day Speaker: Nicole Perry

Pizza & Privacy, American Constitution Society, SMU Dedman School of Law, Dallas, Texas (November 2018). Jones Day Speaker: Jay Johnson

Data Protection and Open Banking: Experiences and Expectations, Brussels, Belgium (October 2018). Jones Day Speaker: Jörg Hladjk

GDPR and Latin America at the 33rd Annual Financial Cybersecurity Conference, Miami, Florida (October 2018). Jones Day Speakers: Rick Martinez and Jennifer Everett

Cybersecurity and the Impact on SEC Filings and Compliance, Dallas Bar Association Securities Law Section, Dallas, Texas (October 2018). Jones Day Speaker: Jay Johnson

General Data Protection Regulation "GDPR": Seeking or Supplying Information to or from the EU or EEA After May 25, 2018. Eastern District of Texas 2018 Bench Bar Conference, Plano, Texas (October 2018). Jones Day Speaker: Jay Johnson

Data-Centric Security, CISO Executive Network, Dallas, Texas (October 2018). Jones Day Speaker: Jay Johnson

Data-Centric Security, CISO Executive Network, Houston, Texas (October 2018). Jones Day Speaker: Nicole Perry

Privacy Law, Guest Lecturer at Internet Law Class, University of Houston Law Center, Houston, Texas (October 2018). Jones Day Speaker: Nicole Perry

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Jones Day | Attorney Advertising

Written by:

Jones Day

Jones Day on:

Readers' Choice 2017
Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide

JD Supra Privacy Policy

Updated: May 25, 2018:

JD Supra is a legal publishing service that connects experts and their content with broader audiences of professionals, journalists and associations.

This Privacy Policy describes how JD Supra, LLC ("JD Supra" or "we," "us," or "our") collects, uses and shares personal data collected from visitors to our website (located at (our "Website") who view only publicly-available content as well as subscribers to our services (such as our email digests or author tools)(our "Services"). By using our Website and registering for one of our Services, you are agreeing to the terms of this Privacy Policy.

Please note that if you subscribe to one of our Services, you can make choices about how we collect, use and share your information through our Privacy Center under the "My Account" dashboard (available if you are logged into your JD Supra account).

Collection of Information

Registration Information. When you register with JD Supra for our Website and Services, either as an author or as a subscriber, you will be asked to provide identifying information to create your JD Supra account ("Registration Data"), such as your:

  • Email
  • First Name
  • Last Name
  • Company Name
  • Company Industry
  • Title
  • Country

Other Information: We also collect other information you may voluntarily provide. This may include content you provide for publication. We may also receive your communications with others through our Website and Services (such as contacting an author through our Website) or communications directly with us (such as through email, feedback or other forms or social media). If you are a subscribed user, we will also collect your user preferences, such as the types of articles you would like to read.

Information from third parties (such as, from your employer or LinkedIn): We may also receive information about you from third party sources. For example, your employer may provide your information to us, such as in connection with an article submitted by your employer for publication. If you choose to use LinkedIn to subscribe to our Website and Services, we also collect information related to your LinkedIn account and profile.

Your interactions with our Website and Services: As is true of most websites, we gather certain information automatically. This information includes IP addresses, browser type, Internet service provider (ISP), referring/exit pages, operating system, date/time stamp and clickstream data. We use this information to analyze trends, to administer the Website and our Services, to improve the content and performance of our Website and Services, and to track users' movements around the site. We may also link this automatically-collected data to personal information, for example, to inform authors about who has read their articles. Some of this data is collected through information sent by your web browser. We also use cookies and other tracking technologies to collect this information. To learn more about cookies and other tracking technologies that JD Supra may use on our Website and Services please see our "Cookies Guide" page.

How do we use this information?

We use the information and data we collect principally in order to provide our Website and Services. More specifically, we may use your personal information to:

  • Operate our Website and Services and publish content;
  • Distribute content to you in accordance with your preferences as well as to provide other notifications to you (for example, updates about our policies and terms);
  • Measure readership and usage of the Website and Services;
  • Communicate with you regarding your questions and requests;
  • Authenticate users and to provide for the safety and security of our Website and Services;
  • Conduct research and similar activities to improve our Website and Services; and
  • Comply with our legal and regulatory responsibilities and to enforce our rights.

How is your information shared?

  • Content and other public information (such as an author profile) is shared on our Website and Services, including via email digests and social media feeds, and is accessible to the general public.
  • If you choose to use our Website and Services to communicate directly with a company or individual, such communication may be shared accordingly.
  • Readership information is provided to publishing law firms and authors of content to give them insight into their readership and to help them to improve their content.
  • Our Website may offer you the opportunity to share information through our Website, such as through Facebook's "Like" or Twitter's "Tweet" button. We offer this functionality to help generate interest in our Website and content and to permit you to recommend content to your contacts. You should be aware that sharing through such functionality may result in information being collected by the applicable social media network and possibly being made publicly available (for example, through a search engine). Any such information collection would be subject to such third party social media network's privacy policy.
  • Your information may also be shared to parties who support our business, such as professional advisors as well as web-hosting providers, analytics providers and other information technology providers.
  • Any court, governmental authority, law enforcement agency or other third party where we believe disclosure is necessary to comply with a legal or regulatory obligation, or otherwise to protect our rights, the rights of any third party or individuals' personal safety, or to detect, prevent, or otherwise address fraud, security or safety issues.
  • To our affiliated entities and in connection with the sale, assignment or other transfer of our company or our business.

How We Protect Your Information

JD Supra takes reasonable and appropriate precautions to insure that user information is protected from loss, misuse and unauthorized access, disclosure, alteration and destruction. We restrict access to user information to those individuals who reasonably need access to perform their job functions, such as our third party email service, customer service personnel and technical staff. You should keep in mind that no Internet transmission is ever 100% secure or error-free. Where you use log-in credentials (usernames, passwords) on our Website, please remember that it is your responsibility to safeguard them. If you believe that your log-in credentials have been compromised, please contact us at

Children's Information

Our Website and Services are not directed at children under the age of 16 and we do not knowingly collect personal information from children under the age of 16 through our Website and/or Services. If you have reason to believe that a child under the age of 16 has provided personal information to us, please contact us, and we will endeavor to delete that information from our databases.

Links to Other Websites

Our Website and Services may contain links to other websites. The operators of such other websites may collect information about you, including through cookies or other technologies. If you are using our Website or Services and click a link to another site, you will leave our Website and this Policy will not apply to your use of and activity on those other sites. We encourage you to read the legal notices posted on those sites, including their privacy policies. We are not responsible for the data collection and use practices of such other sites. This Policy applies solely to the information collected in connection with your use of our Website and Services and does not apply to any practices conducted offline or in connection with any other websites.

Information for EU and Swiss Residents

JD Supra's principal place of business is in the United States. By subscribing to our website, you expressly consent to your information being processed in the United States.

  • Our Legal Basis for Processing: Generally, we rely on our legitimate interests in order to process your personal information. For example, we rely on this legal ground if we use your personal information to manage your Registration Data and administer our relationship with you; to deliver our Website and Services; understand and improve our Website and Services; report reader analytics to our authors; to personalize your experience on our Website and Services; and where necessary to protect or defend our or another's rights or property, or to detect, prevent, or otherwise address fraud, security, safety or privacy issues. Please see Article 6(1)(f) of the E.U. General Data Protection Regulation ("GDPR") In addition, there may be other situations where other grounds for processing may exist, such as where processing is a result of legal requirements (GDPR Article 6(1)(c)) or for reasons of public interest (GDPR Article 6(1)(e)). Please see the "Your Rights" section of this Privacy Policy immediately below for more information about how you may request that we limit or refrain from processing your personal information.
  • Your Rights
    • Right of Access/Portability: You can ask to review details about the information we hold about you and how that information has been used and disclosed. Note that we may request to verify your identification before fulfilling your request. You can also request that your personal information is provided to you in a commonly used electronic format so that you can share it with other organizations.
    • Right to Correct Information: You may ask that we make corrections to any information we hold, if you believe such correction to be necessary.
    • Right to Restrict Our Processing or Erasure of Information: You also have the right in certain circumstances to ask us to restrict processing of your personal information or to erase your personal information. Where you have consented to our use of your personal information, you can withdraw your consent at any time.

You can make a request to exercise any of these rights by emailing us at or by writing to us at:

Privacy Officer
JD Supra, LLC
10 Liberty Ship Way, Suite 300
Sausalito, California 94965

You can also manage your profile and subscriptions through our Privacy Center under the "My Account" dashboard.

We will make all practical efforts to respect your wishes. There may be times, however, where we are not able to fulfill your request, for example, if applicable law prohibits our compliance. Please note that JD Supra does not use "automatic decision making" or "profiling" as those terms are defined in the GDPR.

  • Timeframe for retaining your personal information: We will retain your personal information in a form that identifies you only for as long as it serves the purpose(s) for which it was initially collected as stated in this Privacy Policy, or subsequently authorized. We may continue processing your personal information for longer periods, but only for the time and to the extent such processing reasonably serves the purposes of archiving in the public interest, journalism, literature and art, scientific or historical research and statistical analysis, and subject to the protection of this Privacy Policy. For example, if you are an author, your personal information may continue to be published in connection with your article indefinitely. When we have no ongoing legitimate business need to process your personal information, we will either delete or anonymize it, or, if this is not possible (for example, because your personal information has been stored in backup archives), then we will securely store your personal information and isolate it from any further processing until deletion is possible.
  • Onward Transfer to Third Parties: As noted in the "How We Share Your Data" Section above, JD Supra may share your information with third parties. When JD Supra discloses your personal information to third parties, we have ensured that such third parties have either certified under the EU-U.S. or Swiss Privacy Shield Framework and will process all personal data received from EU member states/Switzerland in reliance on the applicable Privacy Shield Framework or that they have been subjected to strict contractual provisions in their contract with us to guarantee an adequate level of data protection for your data.

California Privacy Rights

Pursuant to Section 1798.83 of the California Civil Code, our customers who are California residents have the right to request certain information regarding our disclosure of personal information to third parties for their direct marketing purposes.

You can make a request for this information by emailing us at or by writing to us at:

Privacy Officer
JD Supra, LLC
10 Liberty Ship Way, Suite 300
Sausalito, California 94965

Some browsers have incorporated a Do Not Track (DNT) feature. These features, when turned on, send a signal that you prefer that the website you are visiting not collect and use data regarding your online searching and browsing activities. As there is not yet a common understanding on how to interpret the DNT signal, we currently do not respond to DNT signals on our site.

Access/Correct/Update/Delete Personal Information

For non-EU/Swiss residents, if you would like to know what personal information we have about you, you can send an e-mail to We will be in contact with you (by mail or otherwise) to verify your identity and provide you the information you request. We will respond within 30 days to your request for access to your personal information. In some cases, we may not be able to remove your personal information, in which case we will let you know if we are unable to do so and why. If you would like to correct or update your personal information, you can manage your profile and subscriptions through our Privacy Center under the "My Account" dashboard. If you would like to delete your account or remove your information from our Website and Services, send an e-mail to

Changes in Our Privacy Policy

We reserve the right to change this Privacy Policy at any time. Please refer to the date at the top of this page to determine when this Policy was last revised. Any changes to our Privacy Policy will become effective upon posting of the revised policy on the Website. By continuing to use our Website and Services following such changes, you will be deemed to have agreed to such changes.

Contacting JD Supra

If you have any questions about this Privacy Policy, the practices of this site, your dealings with our Website or Services, or if you would like to change any of the information you have provided to us, please contact us at:

JD Supra Cookie Guide

As with many websites, JD Supra's website (located at (our "Website") and our services (such as our email article digests)(our "Services") use a standard technology called a "cookie" and other similar technologies (such as, pixels and web beacons), which are small data files that are transferred to your computer when you use our Website and Services. These technologies automatically identify your browser whenever you interact with our Website and Services.

How We Use Cookies and Other Tracking Technologies

We use cookies and other tracking technologies to:

  1. Improve the user experience on our Website and Services;
  2. Store the authorization token that users receive when they login to the private areas of our Website. This token is specific to a user's login session and requires a valid username and password to obtain. It is required to access the user's profile information, subscriptions, and analytics;
  3. Track anonymous site usage; and
  4. Permit connectivity with social media networks to permit content sharing.

There are different types of cookies and other technologies used our Website, notably:

  • "Session cookies" - These cookies only last as long as your online session, and disappear from your computer or device when you close your browser (like Internet Explorer, Google Chrome or Safari).
  • "Persistent cookies" - These cookies stay on your computer or device after your browser has been closed and last for a time specified in the cookie. We use persistent cookies when we need to know who you are for more than one browsing session. For example, we use them to remember your preferences for the next time you visit.
  • "Web Beacons/Pixels" - Some of our web pages and emails may also contain small electronic images known as web beacons, clear GIFs or single-pixel GIFs. These images are placed on a web page or email and typically work in conjunction with cookies to collect data. We use these images to identify our users and user behavior, such as counting the number of users who have visited a web page or acted upon one of our email digests.

JD Supra Cookies. We place our own cookies on your computer to track certain information about you while you are using our Website and Services. For example, we place a session cookie on your computer each time you visit our Website. We use these cookies to allow you to log-in to your subscriber account. In addition, through these cookies we are able to collect information about how you use the Website, including what browser you may be using, your IP address, and the URL address you came from upon visiting our Website and the URL you next visit (even if those URLs are not on our Website). We also utilize email web beacons to monitor whether our emails are being delivered and read. We also use these tools to help deliver reader analytics to our authors to give them insight into their readership and help them to improve their content, so that it is most useful for our users.

Analytics/Performance Cookies. JD Supra also uses the following analytic tools to help us analyze the performance of our Website and Services as well as how visitors use our Website and Services:

  • HubSpot - For more information about HubSpot cookies, please visit
  • New Relic - For more information on New Relic cookies, please visit
  • Google Analytics - For more information on Google Analytics cookies, visit To opt-out of being tracked by Google Analytics across all websites visit This will allow you to download and install a Google Analytics cookie-free web browser.

Facebook, Twitter and other Social Network Cookies. Our content pages allow you to share content appearing on our Website and Services to your social media accounts through the "Like," "Tweet," or similar buttons displayed on such pages. To accomplish this Service, we embed code that such third party social networks provide and that we do not control. These buttons know that you are logged in to your social network account and therefore such social networks could also know that you are viewing the JD Supra Website.

Controlling and Deleting Cookies

If you would like to change how a browser uses cookies, including blocking or deleting cookies from the JD Supra Website and Services you can do so by changing the settings in your web browser. To control cookies, most browsers allow you to either accept or reject all cookies, only accept certain types of cookies, or prompt you every time a site wishes to save a cookie. It's also easy to delete cookies that are already saved on your device by a browser.

The processes for controlling and deleting cookies vary depending on which browser you use. To find out how to do so with a particular browser, you can use your browser's "Help" function or alternatively, you can visit which explains, step-by-step, how to control and delete cookies in most browsers.

Updates to This Policy

We may update this cookie policy and our Privacy Policy from time-to-time, particularly as technology changes. You can always check this page for the latest version. We may also notify you of changes to our privacy policy by email.

Contacting JD Supra

If you have any questions about how we use cookies and other tracking technologies, please contact us at:

- hide

This website uses cookies to improve user experience, track anonymous site usage, store authorization tokens and permit sharing on social media networks. By continuing to browse this website you accept the use of cookies. Click here to read more about how we use cookies.