Data protection authorities across Europe have recently imposed significant fines on companies for violations of data protection laws. We bring to your attention decisions related to breaches of direct marketing and profiling below.
A telecommunications company fined €50 million by the French Supervisory Authority
On 23 January 2025, the French Supervisory Authority (CNIL) fined a
On August 18, 2023, the Fourth Circuit decertified approximately 20 million putative class action claims arising out of a 2018 data breach involving Marriott Hotels. See here. The Fourth Circuit reversed the district court’s certification and required it to consider in the first instance whether all of the putative plaintiffs waived their claims by signing class action waivers when they registered to be part of the Starwood Preferred Guest Program (“SPG”). The SPG waiver specifically stated that “Any disputes arising out of or related to the SPG Program or the[] SPG Program Terms will be handled individually without any class action ….”Continue Reading Fourth Circuit Decision Highlights Class Action Waivers for Data Breaches are Alive and Well
Meta-owned Instagram has been fined €405 million by the Irish Data Protection Commission (DPC) for violations of the EU General Data Protection Regulation (GDPR), following a two year investigation into how the social media platform handles children’s data. This is the largest fine imposed by the DPC to date. Below, we highlight some of the key issues arising in the case.Continue Reading Irish DPC fines Instagram a record €405 million
On March 15, 2022, the Federal Trade Commission (“FTC”) issued a proposed settlement with online custom merchandise platform CafePress in connection with the company’s alleged: (1) failure to implement reasonable security measures to secure consumers’ Personal Information; and (2) attempt to cover up a significant 2019 data breach. The proposed settlement would require CafePress to implement a comprehensive data security program and pay $500,000 in redress to victims of the data breaches. The FTC’s Complaint alleges that CafePress misrepresented its security practices and unfairly failed to implement reasonable security measures to protect the Personal Information of consumers and merchants stored on the company’s systems. Although similar in content to previous FTC orders, the current order addresses a myriad of unique provisions and provides a glimpse into the FTC’s future enforcement of cybersecurity issues.Continue Reading CafePress FTC settlement signals future approach to enforcement actions
Following a consultation in January 2021, the European Data Protection Board (EDPB) has published its finalised guidelines on examples of personal data breaches and whether they are notifiable. These guidelines supplement previous guidance on personal data breach notification: the Opinion on Personal Data Breach Notification (Opinion 03/2014) and the general Guidelines on Personal Data Breach Notification under the GDPR (WP 250), both issued by the EDPB’s predecessor, the Article 29 Working Party.
The new guidelines offer welcome clarification on when notifications are required given that some data protection authorities and commentators have acknowledged over-reporting.
In this article we recap on the key takeaways from the finalised guidelines, focussing on key changes made since the January 2021 consultation, and exploring the challenges of managing data breach notifications in multiple jurisdictions.Continue Reading New guidelines on personal data breach notifications
On 7 September 2021, the High Court granted a defendant’s application for summary judgment in a claim for compensation brought by three data subjects resulting from a data breach suffered by the defendant, on the basis that the breach was ‘trivial’ (here).
The case
The case related to a single email (with attachments) sent by the defendant, a firm of solicitors. The defendant, who represents a school to whom the claimants, a set of parents, owed outstanding school fees, had been instructed to write to the claimants with a demand for payment. The email consisted of a letter and a copy of the statement of account.
Due to one letter difference in one of the email addresses, the correspondence was sent to an unintended recipient. The unintended recipient responded promptly, indicating that they thought the email was not intended for them. The defendant then responded promptly, asking the unintended recipient to delete the email, which they agreed to do. The recipient was unknown to the claimants personally.
The email contained the claimants’ names, address and the amount of school fees owed, as well as reference to proposed legal action, but it did not contain any financial information in the form of bank or card details, or information about the income or financial position of the claimants.
The claim brought by the claimants was for, amongst other things, compensation for non-material damage (i.e., distress) under article 82 of the General Data Protection Regulation ((EU) 2016/679) (GDPR) and section 169 of the Data Protection Act 2018. This was based on (i) the claimants having suffered “lost sleep”, (ii) the breach having “made them feel ill” and (iii) extensive time having been spent by the claimants dealing with the issue.Continue Reading ‘Trivial’ data breach claim dismissed by High Court
On March 31, 2021, the Texas legislature passed House Bill 3746 (HB 3746), an update to the state’s breach notification statute. HB 3746 is expected to be signed into law by the Texas governor and become effective on September 1, 2021. The bill makes two primary changes to Texas’ current breach notification statute.
First, the updated breach notification statute will require the Texas attorney general’s office to begin posting on its website “a listing of the notifications” it receives when a breach affects at least 250 Texas residents. The amended statute does not describe what “listing” must be posted; however, the statute prohibits the posting of “any information that may compromise a [business’] data system’s security,” or anything that includes sensitive personal information or is considered confidential under the law.
Unlike similar posting requirements under the laws of other states (California, Massachusetts, etc.), the Texas law provides for a take-down for what might be considered good behavior. If the business does not notify the Texas AG of an additional data breach within the subsequent twelve months, the online posting for that business is to be taken down. In addition, the Texas statute only contemplates publication of one breach – the most recent one. The one-year time period for the listing restarts when each new listing is posted.
Continue Reading Texas legislature updates state data breach notification law to provide for online posting of certain data breaches
In a recent Q&A with Colorado Attorney General (AG) Phil Weiser, the first term AG discusses how he makes data privacy and cybersecurity accessible and interesting to his Colorado constituents. AG Weiser also explains the role of Colorado’s interdisciplinary Data Privacy and Security Impact Team and how its implementation has benefitted the state. Lastly, AG
Vermont’s Security Breach Notice Act is noteworthy because it has the United States’ shortest deadline for providing preliminary notice of a “security breach” to the state’s attorney general. The deadline is 14 days from discovery of a security breach. Security incident response teams commonly consider the Vermont law early in the response process to determine whether an organization will be required to provide breach notifications to affected Vermont residents and the state attorney general. On July 1, 2020, the Vermont law will be expanded to cover more types of incidents, which may cause organizations to pay even more attention to the Vermont notice deadline. The amendments also provide instructions on how organizations should provide notice in the event that online account credentials are breached.
Continue Reading Amendments to Vermont’s Security Breach Notice Act to become effective July 1
On March 26, 2020, amendments to Washington, D.C.’s data breach notification law were enacted in bill number B23-0215. Put briefly, the amendments impose various prevention, response, and mitigation obligations on businesses regarding data breaches that affect D.C. residents. Below is a summary of the key changes of which businesses should be aware.
Continue Reading Amendments to D.C.’s data breach law create new data security and breach notification obligations for businesses