The Federal Trade Commission’s (FTC) recently announced settlement with background check provider SecurTest, Inc. shows the agency remains vigilant regarding businesses’ claims that they comply with the EU-U.S. Privacy Shield Framework (Privacy Shield). Privacy Shield provides U.S. businesses with a legally recognized mechanism for receiving personal data in the United States from the EU. In its complaint against SecurTest, the FTC alleges that for several months SecurTest falsely claimed on its website that it complied with Privacy Shield when in fact it had not self-certified its Privacy Shield compliance with the U.S. Department of Commerce. The terms of the FTC’s decision and order prohibit SecurTest from misrepresenting its Privacy Shield compliance status and require it to submit to compliance monitoring and recordkeeping requirements.

Along with announcing its settlement with SecurTest, the FTC noted that, rather than beginning enforcement proceedings, it has issued a number of warning letters to businesses over similar alleged inaccurate statements about compliance with cross-border privacy and data security transfer programs like Privacy Shield:

This month, the Privacy Shield Program posted answers to Frequently Asked Questions. The Privacy Shield provides a mechanism to comply with data protection requirements when transferring personal data from the European Union to the United States in support of transatlantic commerce.

The general guidance addresses topics such as the continued status of the Privacy

In 2007, Google bought online ad network DoubleClick, which uses cookies to collect and store data about Google users from their browsing history, to best place clients’ ads. This past June, Google revised its privacy policy to state that users’ activities on other sites tracked by DoubleClick “may be associated with [their] personal information.”  This

California Attorney General Kamala Harris is enlisting new enforcers in her efforts to get companies to comply with the state’s privacy policy requirements: members of the public.

On October 14, Harris released an online form enabling consumers to report websites, mobile applications, and other online services that are violating the California Online Privacy Protection Act

The High Court in Bangura v Loughborough University [2016] EWHC 1503 (QB) ruled on 19 May that Loughborough University acted lawfully under the Data Protection Act 1998 (“DPA”) in supplying Leicestershire Police with the registration form of a student suspected of sexual assault and rape. In contravention of the university’s data protection policy, the registration form

In recent years, a number of German courts have had to decide whether the operator of a website that contains a contact form is obliged to provide visitors with a privacy policy that informs them about the type, scope and purposes of the collection and use of personal data.

Whether a breach of the underlying statutory information duties triggers a competitor’s right to seek an injunction against the website operator is highly disputed among German courts.

Judgment of Higher Regional Court Cologne of 11 March 2016

Under Section 13(1) of the German Telemedia Act (Telemediengesetz – TMG), a service provider is obliged to inform the user at the beginning of the use of the service about the type, scope and purpose of the collection and use of personal data in a generally understandable manner, if such information has not already been given.

This post was also written by Joshua B. Marker and Tyler M. Layton.

In a significant victory, Delta Airlines’ demurrer to the enforcement action filed by the state of California was sustained without leave to amend. We previously wrote about the case here. California alleged that Delta’s mobile application was in violation of CalOPPA

Pursuant to their joint decision of 26 February 2013 to take action to penalize Google Inc. for refusing to revise its global privacy policy, six of the European Working Party 29 regulators, led by the French CNIL, have now jointly started to act in their respective jurisdictions and according to their national laws against

This post was also written by Frederick Lah.

A California state assemblyman proposed legislation this week attempting to require that online privacy policies be no more than 100 words. The legislation would also require that the privacy policy “be written in clear and concise language, be written at no greater than an 8th grade reading