Privacy & Information Security Law Blog

On August 16, 2021, the U.S. Securities and Exchange Commission (“SEC”) announced that Pearson plc (“Pearson”), a publicly traded British multinational educational publishing and services company, agreed to pay a $1 million civil penalty in a settlement related to charges that Pearson misled investors about a 2018 data breach resulting in the theft of millions of student records. The SEC’s order found that Pearson made material misstatements and omissions about the data breach in a report furnished to the SEC and in a media statement.

On August 25, 2021, New Mexico Attorney General (“AG”) Hector Balderas sued Rovio Entertainment (“Rovio” or the “Company”), the developer of the popular Angry Birds mobile app games, alleging that the Company violated the federal Children’s Online Privacy Protection Act (“COPPA”) by knowingly collecting data from players under age 13 and sharing it with advertisers. Under COPPA, developers of child-directed apps are required to provide notice to parents of their data collection practices and obtain verifiable parental consent to collect personal information from children under 13.

On August 19, 2021, the UK Information Commissioner’s Office (“ICO”) approved the criteria for three certification schemes, as required under Article 42(5) of the UK General Data Protection Regulation (“UK GDPR”). Certification schemes are one method for organizations to demonstrate compliance with the UK GDPR.

On August 12, 2021, the UK Information Commissioner’s Office (“ICO”) published a call for views on data protection and employment practices. The ICO intends to update its employment practices code and associated guidance, originally produced under the Data Protection Act 1998, which has now been replaced by the UK General Data Protection Regulation (“UK GDPR”) and Data Protection Act 2018 (“DPA 2018”). The ICO is requesting responses from large and small employers, workers, volunteers, trades unions, employment dispute resolution bodies, recruitment agencies, professional and trade bodies, and suppliers of employment technology solutions.

On August 26, 2021, the UK Department of Culture, Media and Sport (“DCMS”) made news by publishing a document indicating its intent to begin making adequacy decisions for UK data transfers to foreign jurisdictions and by announcing its preferred candidate for the position of new UK Information Commissioner.

The Children’s Advertising Review Unit (“CARU”), a part of a part of the Better Business Bureau National Programs (“BBBNP”), released its revised Children’s Advertising Guidelines (the “Guidelines”) earlier this month. The Guidelines, which contain some notable changes, will go into effect in January 2022.

On August 20, 2021, China’s 13^th Standing Committee of the National People’s Congress passed the Personal Information Protection Law (the “PIPL”). As we previously reported, the PIPL is China’s first comprehensive data protection law. It is modeled, in part, on other jurisdictions’ omnibus data protection regimes, including the EU General Data Protection Regulation (“GDPR”). The PIPL will become effective on November 1, 2021. Below are some of the key provisions under the PIPL.

On August 9, 2021, the UK First-Tier Tribunal (General Regulatory Chamber) (“FTT”) reduced a fine imposed by the UK Information Commissioner’s Office (“ICO”) against Doorstep Dispensaree Ltd (“DDL”) from £275,000 to £92,000, a reduction of approximately two thirds. DDL, which supplies medicines to customers and care homes, was fined in December 2019 for failure to comply with the EU General Data Protection Regulation (“GDPR”). The ICO also issued an Enforcement Notice, requiring DDL to take certain actions to bring its processing into compliance.

Laura Liguori of Portolano Cavallo reports that on June 10, 2021, the Italian Data Protection Authority (Garante or “DPA”) adopted a new version of its guidelines for cookies and other tracking mechanisms (the “Guidelines”).

On July 30, 2021, the UK High Court handed down its judgment in the case of Warren v DSG Retail Ltd [2021] EWHC 2168 (QB), determining that the claimant could not seek damages on the basis of misuse of personal information, breach of confidence or common law negligence following a data breach.

On August 2, 2021, the Italian Data Protection Authority (Garante per la protezione dei dati personali, “Garante”) announced that it had levied a €2,500,000 fine on Deliveroo Italy s.r.l. for the unlawful processing of personal data of approximately 8,000 Deliveroo riders, and various infringements of the EU Genera Data Protection Regulation (the “GDPR”).

On July 29, 2021, the Centre for Information Policy Leadership (“CIPL”) at Hunton Andrews Kurth submitted its response to the European Commission’s Consultation on the Draft Artificial Intelligence Act (the “Act”). Feedback received as part of this consultation will feed into discussions with the European Parliament and the European Council as the proposal makes its way through the EU legislative process.

On July 31, 2021, Zoom Video Communications, Inc. (“Zoom” or the “Company”) agreed to pay $85 million to settle a class action suit that alleged the Company violated users’ privacy rights by misleading consumers about encryption security, sharing data through third-party integrations without adequate notice or consent, and failing to protect private meetings from being disturbed by “zoombombings.” Class members would be eligible to receive payment, regardless of whether they paid for a Zoom account.

On July 21, 2021, a bipartisan group of Senators introduced the Cyber Incident Notification Act of 2021 (the “Act”). The Act would require federal government agencies, federal contractors and operators of critical infrastructure to notify the federal government in the event of a cybersecurity incident.

On July 20, 2021, the U.S. Department of Homeland Security’s (“DHS’s”) Transportation Security Administration (“TSA”) announced a new Security Directive (the “Second Directive”) requiring owners and operators of certain critical pipelines transporting hazardous liquids and natural gas to implement specific cybersecurity measures. This Second Directive builds on the TSA’s earlier directive of May 27, 2021, on which we previously reported.

Connecticut recently passed two cybersecurity laws that will become effective on October 1, 2021. The newly passed laws modify Connecticut’s existing breach notification requirements and establish a safe harbor for businesses that create and maintain a written cybersecurity program that complies with applicable state or federal law or industry-recognized security frameworks.

On July 29, 2021, U.S. Representative Rep. Kathy Castor (D-Florida), a member of the House Energy and Commerce Committee, reintroduced the Protecting the Information of our Vulnerable Children and Youth Act (the “Bill”). The Bill would update the Children’s Online Privacy Protection Act (“COPPA”) to, among other requirements: (1) cover teens ages 13-17; (2) expand the categories of information considered to be “personal” (to include physical characteristics, biometric information, health information, education information, contents of messages and calls, browsing and search history, geolocation information, and latent audio or visual recordings); (3) prohibit companies from targeting online advertising to children and teens based on their personal information and behavior; (4) require opt-in consent to process personal information collected from all individuals under age 18; (5) strengthen Federal Trade Commission enforcement of COPPA; (6) provide a private right of action to parents of children and teens; and (7) eliminate the FTC’s recognition of self-regulatory COPPA safe harbor programs.