On March 7, 2024, the Court of Justice of the European Union issued its judgment in the case of IAB Europe (Case C‑604/22). In this judgment, the CJEU assessed the role of IAB Europe in the processing operations associated with its Transparency and Consent Framework and further developed CJEU case law on the concept of personal data under the GDPR.
Penalty
College Board Agrees to Settle with the New York Attorney General Over Student Data Privacy
New York Attorney General Letitia James and New York State Education Department Commissioner Betty A. Rosa recently announced that College Board has agreed to settle charges in connection with allegations that it violated New York Education Law § 2-d, New York’s student privacy law. …
HHS Targets Small Behavioral Health Clinic for HIPAA Violations Following Ransomware Investigation
On February 21, 2024, the U.S. Department of Health and Human Services’ Office for Civil Rights entered into a resolution agreement and corrective action plan with Green Ridge Behavioral Health LLC. This marks the second such settlement with a HIPAA-regulated entity for violations that were discovered following a ransomware attack, according to HHS. …
FTC Announces $16.5 Million Settlement Against UK Service Provider and Ban from Selling Browsing Data for Advertising Purposes
On February 22, 2024, the Federal Trade Commission announced a settlement order against Avast Limited requiring the company to pay $16.5 million and prohibiting the company from selling or licensing any web browsing data for advertising purposes.
ICO Orders Companies to Cease Using Facial Recognition Technology and Fingerprint Scanning to Monitor Attendance
On February 23, 2024, the UK Information Commissioner’s Office reported that it had ordered public service providers Serco Leisure, Serco Jersey and associated community leisure trusts to stop using facial recognition technology and fingerprint scanning to monitor employee attendance.
Second CCPA Enforcement Action Settlement Announced by California AG
On February 21, 2024, the California Attorney General announced that it had reached a settlement resolving an enforcement action under the California Consumer Privacy Act (“CCPA”) and the California Online Privacy Protection Act (“CalOPPA”) brought against online food delivery company DoorDash, Inc. (the “Company”). This is the AG’s second CCPA enforcement settlement, following the agency’s settlement with Sephora.
NYDFS Issues $8 Million Fine Against Virtual Currency Company
On January 12, 2024, the New York State Department of Financial Services (“NYDFS”) announced a consent order with virtual currency company Genesis Global Trading, Inc. (“Genesis”) for “significant” failings in Genesis’ Anti-Money Laundering and cybersecurity compliance frameworks. According to the NYDFS, Genesis’ failure to comply with the NYDFS’ virtual currency and cybersecurity regulations left the company vulnerable to cybersecurity risks and related unlawful activity.
CJEU Rules on Processing of Sensitive Data and Compensation Under the GDPR
On December 21, 2023, the Court of Justice of the European Union (“CJEU”) issued its judgment in the case of Krankenversicherung Nordrhein (C-667/21) in which it clarified, among other things, the rules for processing special categories of personal data (hereafter “sensitive personal data”) under Article 9 of the EU General Data Protection Regulation (“GDPR”) and the nature of the compensation owed for damages under Article 82 of the GDPR.
European Parliament Agrees on Position on the AI Act
On June 14, 2023, the European Parliament approved its negotiating mandate regarding the EU’s Proposal for a Regulation laying down harmonized rules on Artificial Intelligence, and the vote in the Parliament means that EU institutions may now start trilogue negotiations. …
Irish Data Protection Commission Fines Meta €265 Million for Privacy Violations
On November 25, 2022, Ireland’s Data Protection Commission released a decision fining Meta Platforms, Inc. €265 million for a 2019 data leak involving the personal information of approximately 533 million Facebook users worldwide.