Privacy and Data Security Client Alert | January 2019

Shook, Hardy & Bacon L.L.P.

Shook, Hardy & Bacon L.L.P.

Going Deep on the California Consumer Privacy Act

The California Consumer Privacy Act (CCPA) has been called the beginning of America’s GDPR. As the most comprehensive privacy law in the United States, entities doing business in California need to ensure they are in compliance or risk severe penalties. 


U.S. Supreme Court to Address Standing in Data Privacy Settlement

Following the U.S. Supreme Court’s request, the parties in Frank v. Gaos completed supplement briefing on the question of standing in the case, which stems from an $8.5 million privacy settlement of a class action regarding Google’s alleged unauthorized disclosure of search queries with third parties. The trial court approved the settlement before the Court announced its ruling in Spokeo v. Robins, and the question is now whether merely alleging a statutory violation (without a more concrete injury) is sufficient to provide standing.

Read the full article at Bloomberg Law >>


Data Security Lawsuit Filed by Investors Against Marriott

On December 1, 2018, Marriott investors filed a complaint in the Eastern District of New York alleging that the hotel chain “misled” them about the security of its data storage systems. The lawsuit (and many others that followed) stems from the November 30, 2018, announcement that hackers stole the personal data of 500 million guests from Marriott’s reservation system, beginning as early as 2014.

Read the full article at The New York Times >>


Australia Passes Controversial Encryption Bill

Framing the move as an anti-terrorism measure, the Australian Parliament voted to approve a law that would require technology companies to provide law enforcement and security agencies with access to encrypted communications. It was opposed by civil-rights activists and tech companies as overbroad and vague, and on the basis that it could hurt business because customers would doubt promises to protect encrypted data.

Read the full article at The New York Times >>


D.C. Attorney General Alleges Facebook Fell Short of Duty to Protect User Data

In a lawsuit filed on December 19, 2018, the Washington, D.C., attorney general filed a complaint against Facebook alleging that the company “failed to protect the privacy of its users and deceived them about who had access to their data and how it was used[.]”  The lawsuit stems from the Cambridge Analytica scandal that broke in March 2018; the company obtained the personal data of nearly 87 million individuals around the world without their knowledge and later used that data to target voters in the 2016 U.S. presidential election.

Read the full article at The Washington Post >>


Twelve State Attorneys General File Joint Lawsuit Against Medical Records Companies Over Cybersecurity Practices

On December 4, 2018, in a landmark filing, the attorneys general of Arizona, Arkansas, Florida, Indiana, Iowa, Kansas, Kentucky, Louisiana, Minnesota, Nebraska, North Carolina and Wisconsin jointly alleged in an Indiana federal court that a May 2015 cyberattack on WebHealth, an electronic health record application, resulted in unauthorized access of over 3.9 million records containing personal health information.  The complaint alleges that poor cybersecurity practices led to the breach, which constituted  a “violation of the state consumer protection, data breach, personal information protection laws and federal HIPAA statutes[.]”

Read the full article at SC Media >>


European Commission Releases Report on Second Joint Review of the Privacy Shield Mechanism

The European Commission released its official report on the second U.S. and EU joint review of the Privacy Shield data transfer mechanism on December 20, 2018. The Commission, while noting that the United States has taken many steps over the past year to strengthen the mechanism, stressed that it expects the United States to appoint a permanent ombudsperson to handle national security complaints by February 28, 2019. To date, the position has been filled by a temporary ombudsperson within the U.S. State Department.

Read the EU press release >>


Mercy Health Class Action Dismissed For Lack of Actual Data Breach

The mere possibility that a third party could improperly access personal health information is not enough to confer standing under the U.S. Supreme Court’s 2016 decision in Spokeo v. Robins, an Ohio federal court has found.

Read the full article at Global Data Review >>


Google Faces Fines Under GDPR For Its Location-Tracking Feature

Google is facing complaints filed by consumer groups in seven European countries that follow on the heels of the revelation that the company is able to track a user’s location even when the “Location History” option is turned off.  Fully disabling the function requires users to disable a second “Web and App Activity” setting, which is enabled by default.  The consumer groups claim that Google is using “deceptive practices” to get users to enable both settings and that consent to track the user’s location is not given freely.

Read the full article at The Verge >>


New Dutch Wi-Fi Tracking Guidance Released

The Dutch data protection authority has released guidance limiting the circumstances in which an individual may be tracked through Wi-Fi. Among other requirements, the guidance states that Wi-Fi tracking should only be used in situations where personal data processing is beneficial, e.g., as a safety measure.

Read the International Assocation of Privacy Professionals' article >>


Brazil Adopts Provisional Measure Establishing National Data Protection Authority

On December 27, 2018, outgoing president Michel Temer adopted Provisional Measure No. 869 of 27 December 2018 providing for the creation of a Brazilian data protection authority (called the ANPD based on its Portuguese acronym).

Read the full article at ZDNET >>


Two BIPA Lawsuits Dismissed for Lack of Article III Standing

A federal court dismissed two class actions based on alleged violations of the Illinois Biometric Information Privacy Act (BIPA). The court held that the plaintiffs knew or should have known that their finger-scan information was being collected and therefore lacked standing under Article III. The lawsuits may be refiled in state court, where most BIPA cases are pending, and the Illinois Supreme Court is expected to issue a decision on whether a plaintiff must show more than a technical violation of BIPA to establish standing in state court.

Read the full articles at Gizmodo  and Bloomberg Law >> (subscription required)


California Sues The Weather Company Based on Data Collection Practices

The State of California sued The Weather Company for allegedly misleading users of its app about why their geolocation data was needed. According to the lawsuit, The Weather Company informed users that it collects the data to personalize alerts, but it did not tell users that the information is sold to advertisers.

Read the complaint >>

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Shook, Hardy & Bacon L.L.P. | Attorney Advertising

Written by:

Shook, Hardy & Bacon L.L.P.

Shook, Hardy & Bacon L.L.P. on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide

This website uses cookies to improve user experience, track anonymous site usage, store authorization tokens and permit sharing on social media networks. By continuing to browse this website you accept the use of cookies. Click here to read more about how we use cookies.