Photo of Dhara Shah*

Dhara Shah is an law clerk in the Intellectual Practice Group in the firm's Chicago office.

Connecticut just joined California, Colorado, Utah, and Virginia in passing a comprehensive privacy law. The Connecticut Data Privacy Act (CTDPA) goes into effect July 1, 2023, the same time as Colorado’s very similar law. Companies preparing for these new laws (Virginia goes into effect January 1, 2023 and Utah December 31, 2023) will want to keep in mind the following five things about this fifth general US state privacy law.
Continue Reading Connecticut Fifth State to Pass a Comprehensive Privacy Law

The California AG recently issued an opinion interpreting the scope of information that should be provided to consumers in an access request. In responding to access requests, companies must provide a list of all personal information that it has about that consumer. The AG opinion clarifies that inferences a company draws from personal information should be included in such a response.
Continue Reading In First CCPA “Opinion”, California AG Clarifies Scope of Access Requests

The Belgian Data Protection Authority (APD) recently released a draft decision imposing a €250,000 fine ($285,000) on the provider of a consent mechanism that operates within a real-time ad bidding program. The ad bidding program, OpenRTB, allows advertisers to place online ads through an automated online auction of available ad space. Thousands of advertisers can bid on space in real time, through a fairly complex process involving many different entities (a schematic of the process was included by the ADP in its decision on page 9). The case first arose in 2019, and after several interim decisions the ADP has now held in this draft decision, among other things, a two month deadline for IAB Europe to present a remediation plan to the ADP. The case was one with cross-Europe impact, and thus the ADP’s decision has been sent to its European counterparts for feedback.

Continue Reading Interactive Advertising Bureau of Europe Fined By Belgian DPA for GDPR Violation

The Colorado AG recently issued guidance on practices companies should consider to safeguard consumer data. This guidance was issued in response to companies asking what “reasonable” security means. While noting that the standard is a flexible one and calls for case-by-case determinations, the AG highlighted activities it will weigh when making a decision on whether companies are acting reasonably to safeguard information.
Continue Reading Colorado AG Issues Guidance on Data Security Best Practices

The European Commission recently adopted an adequacy decision regarding the Republic of Korea’s data protection laws. As a result of this decision, personal data can freely flow between the EEA and South Korea without the need for additional transfer mechanisms.

Continue Reading European Commission Adopts Korean Adequacy Decision

Virginia edges closer to its privacy law January 2023 implementation. A new working group report gives some insight on implementation focus. The working group is tasked with giving advice on implementing the Virginia Consumer Data Protection Act. It held a series of meetings with companies and other stakeholders throughout the year. This current report summarizes “points of emphasis” from those meetings.  Those included that law be interpreted strictly. For example, sunseting companies “right to cure” after two years. Another point raised was whether to let the attorney general seek actual damages based on harm.

Continue Reading Virginia Privacy Law Continues to Progress Towards 2023 Implementation

Google Play’s “data safety form” is now live. Developers can now submit the form for early review and feedback. Starting in April 2022, Google will require this label and a privacy policy for all new and existing apps. This is similar to Apple. Before, only apps that collected personal and sensitive user data needed to share a privacy policy in Google’s store.

Continue Reading Google’s Privacy “Data Safety” Form Is Now Available