The end of the Brexit transition period on 31 December 2020 means the UK now has full autonomy over its data protection policies. As of 1 January 2021 the UK is recognised as a ‘third country’ under EU General Data Protection Regulation (GDPR) rules. The EU-UK Trade and Cooperation Agreement, which is an agreement in principle between the EU and UK, does not yet include a provision for the vast flow of personal data being transferred between the two jurisdictions. The transfer of personal data will be subject to a separate adequacy decision from the EU due in early 2021. This separate adequacy decision will determine whether the EU will allow the ongoing free flow of data from EU/EEA countries to the UK. If an adequacy decision is not granted, then organizations who transfer personal data from the EU/EEA to the UK will have to take additional steps to ensure data being transferred is provided equivalent protections to those under the EEA. The UK has already determined that it considers all EEA/ EU states to be adequate which means that personal data flows from the UK to the EU/EEA will remain unaffected.

Continue Reading The Status of EU–UK Data Flows Following Brexit

In Part II of this series, California-based Ali Baiardo, and London-based Alice O’Donovan, continue their comparison of the GDPR and California privacy law. To view Part I in the series, click here.

NEW DATA PROTECTION PRINCIPLES AND OBLIGATIONS ON BUSINESSES

a. Key data protection principles

The GDPR revolves around seven key data protection principles:

  1. Lawfulness, fairness and transparency;
  2. Purpose limitation;
  3. Data minimisation;
  4. Accuracy;
  5. Storage limitation;
  6. Integrity and confidentiality (security); and
  7. Accountability


Continue Reading California Privacy Rights Act: A Move Closer to GDPR? Part II

A major consumer privacy law is likely this legislative session in Florida that stands to jeopardize not only technology companies, but financial services, healthcare entities, and thousands of small and medium-sized businesses that rely on digital marketing and advertising to conduct business.

Florida legislators are generally pro-business, but this year could be an exception. Talks

The recently-passed California Privacy Rights Act (CPRA) augments and supplements California’s existing privacy law, the California Consumer Privacy Act (CCPA).  We are sure many practitioners are wondering how it stacks up with the European Union’s General Data Protection Regulation (GDPR). See below for Part I of our two part series comparing the CPRA and the GDPR (and see Part II here).

HOW DOES THE CPRA CHANGE THE CCPA?

The CPRA makes several significant changes to the CCPA:

  • It introduces the concept of “sensitive personal data”;
  • It introduces new obligations on businesses, and GDPR-style “principles”;
  • It introduces new rights for consumers; and
  • It creates a new supervisory authority for data protection and privacy in California — the California Privacy Protection Agency.

These changes are very significant – but do they represent a move closer to GDPR, or a move away?


Continue Reading California Privacy Rights Act: A Move Closer to GDPR? Part I

The November 2020 election left a lot of questions.  Among them, companies doing business in California are now asking about compliance with yet another California data privacy law, this time the California Privacy Rights and Enforcement Act of 2020 (the “CPRA”).  This article gives an overview addressing the what, when, and how of the CPRA.  (We won’t hazard a guess as to the why—we leave that to the backers of the new law.)

What is the CPRA?

The CPRA builds on the California Consumer Privacy Act of 2018 (the “CCPA”) in a number of key ways.  It includes: new consumer rights, new requirements for businesses, and a number of other miscellaneous changes.  Some parts of the CCPA will remain in effect, and others are rephrased or clarified.  We provide below a high-level overview of topics we believe businesses should be thinking about now as they look ahead to building-out their CPRA compliance programs.


Continue Reading You’re CCPA Compliant. So Now What? Top Tips for Companies Looking Ahead to the Recently-Passed CPRA

FRENEMIES Podcast logo

The third season in Frenemies has been released — watch these episodes.

  • The One Where California Falls in Love With Privacy: The California Consumer Privacy Act in 10 Minutes (featuring Bethany Lukitsch and Justin Yedor)
  • The One Where “Sale” Doesn’t Mean What You Think: What Is a Sale and Why Does it Matter? (featuring Ali

FRENEMIES Podcast logoThere’s tension in this relationship. Marketing and the legal department know they need each other, but that doesn’t mean they always understand each other.

Marketers are out-of-the-box thinkers whose ideas engage customers and drive company revenue. Lawyers help the business stay in business by avoiding unnecessary risk, which sometimes requires them to say “no” to the marketing team’s ideas. It’s no wonder the departments are often frenemies, supporting the same organizational goals, but sometimes pushing back on each other.

In the interests of peace, love and understanding, McGuireWoods’ IP and privacy teams present “Frenemies,” a series of short videos covering legal considerations in advertising. We hope these episodes help marketing and legal departments understand each other, work together, issue-spot, and maybe go from being frenemies to friends. Registration is not required and after release, each season will be available for binge watching from your office or your couch.


Continue Reading Frenemies Video Series – Season 1: Marketers and Lawyers Learn to Speak the Same Language

On October 13. 2020, White Castle System, Inc. petitioned the United States Court of Appeals for the Seventh Circuit for permission to seek an interlocutory appeal pursuant to 28 U.S.C. § 1292(b).  This petition arises out of the United States District Court for the Northern District of Illinois’ opinion on White Castle’s motion for judgment on the pleadings issued on August 7, 2020.  The matter hinged on whether repeated collection of the same biometric information from an employee without prior consent constituted separate violations of the Illinois Biometric Information Privacy Act (BIPA).

Summary of District Court’s Cothron v. White Castle Opinion

In the district court’s opinion, Judge Tharp held that “[a] party violates Section 15(b) [of the BIPA] when it collects, captures, or otherwise obtains a person’s biometric information without prior informed consent.”  Judge Tharp continued, “[t]his is true the first time an entity scans a fingerprint or otherwise collects biometric information, but it is no less true with each subsequent scan or collection.”  Similarly, Judge Tharp held that BIPA requires that dissemination of information without consent, even if to the same third party as previously disseminated, is an additional violation of the BIPA.


Continue Reading Does Continued Collection of The Same Biometric Information Increase BIPA Violations? The Seventh Circuit (or Illinois Supreme Court) Has An Opportunity to Clear the Air

On October 12, 2020, the California Attorney General provided public notice of a new Proposed Third Set of Modifications to the Regulations under the California Consumer Privacy Act (the “CCPA”).  You will be forgiven if you assumed that “final approval” of the existing Regulations back in August meant the Regulations were final—or at least we hope so because we made the same assumption.

Since August, however, it appears the AG was working behind the scenes to resurrect previously withdrawn Sections 999.306(b)(2) (covering offline notice of opt-out if a business substantially interacts with consumers offline); 999.315(c) (minimum standards for opt-out requests); and 999.326(c) (specific requirements for authorized agents).  The AG describes the newly proposed rules as follows:


Continue Reading Spooky: Presumed-Dead CCPA Regulations Come Back to Life