On January 14, 2021, the European Data Protection Board (“EDPB”) adopted Guidelines 01/2021 on Examples Regarding Data Breach Notification (“Guidelines”). The Guidelines complement prior guidelines issued by the Article 29 Working Party in October 2017, namely the Guidelines on Personal Data Breach Notification under Regulation 2016/679 (“GDPR”), WP 250. The Guidelines are not yet final, pending a public comment period that concludes on March 7, 2021. While the final version, informed by public comments, may vary slightly, it is not likely to change drastically from the current version, which draws on the experiences of European national supervisory authorities in responding to data breach notifications since the GDPR became effective.



On July 24, 2019, the FTC announced a $5 billion settlement with Facebook to address Facebook’s alleged violations of the FTC Act and its 2012 consent order with the FTC. The settlement comes as no surprise to the privacy community – Facebook has been closely scrutinized by the public and regulators since the Cambridge Analytica data incident in March 2018 and indicated to investors earlier this year that it anticipated a fine from the FTC between $3 and $5 billion.

We have read the complaint, settlement, and press releases issued by the FTC and Facebook, and provide our thoughts below on what it means for business.

Once upon a time, Larry Page said “you can’t have privacy without security.” California clearly agrees and may test the sincerity of Mr. Page and other tech leaders innovating in the field of connected devices with new legislation signed by Governor Brown in September.

With the ink barely dry on the infamous California Consumer Privacy Act (the CCPA)—a first-of-its-kind data privacy bill in the United States—Brown signed a new Internet of Things cybersecurity bill into law, SB 327. Perhaps not so coincidentally, both laws will take effect on January 1, 2020, marking a substantial compliance deadline for technology companies big and small.

