On March 6, 2024, the New Hampshire Governor signed into law Senate Bill 255 (the “NH Act”), making New Hampshire the 15th state to adopt a comprehensive state privacy law. The NH Act will take effect January 1, 2025. This post explores how the NH Act stacks up against the other comprehensive state privacy

Continue Reading US: New Hampshire Enacts 15th Comprehensive State Privacy Law

Overview

On February 21, 2024, the California Attorney General (CA AG) announced that it had reached a settlement with DoorDash over allegations that the company failed to comply with “sale” requirements under the California Consumer Privacy Act (CCPA) and disclosure requirements under the California Online Privacy Protection Act (CalOPPA). The settlement requires DoorDash to pay

Continue Reading California Attorney General Settles with DoorDash over Alleged Sale of Personal Information

Background

March 2023 saw the launch of the European Data Protection Board’s (EDPB’s) second coordinated enforcement action (CEF 2023), which focused on the designation and position of Data Protection Officers (DPOs). Data Protection Authorities (DPAs) across the EEA have launched coordinated investigations into this topic. In particular

Continue Reading Europe: EDPB coordinated enforcement action identifies areas of improvement to promote the role and recognition of DPOs

After several failed attempts in recent decades to summarize and codify the data protection provisions relating to employees and other workers in a single Employee Data Protection Act, the current government is once again attempting to do so.

Current legal situation in Germany

Currently, employee data protection in Germany is largely determined by case law.

Continue Reading Germany: New legislative procedure for an Employee Data Protection Act

Authors: James Clark and Verena Grentzenberg

The Court of Justice of the European Union (CJEU) has delivered an important judgment on the scope and interpretation of the ‘automated decision-making’ framework under the GDPR.  It is a decision that could have significant implications for service providers who use algorithms to produce automated scores, profiles

Continue Reading EU: Significant new CJEU decision on automated decision-making

On 27 November 2023, the Council formally adopted the final version of the regulation on harmonised rules on fair access to and use of data (“Data Act”), after the European Parliament had adopted the Data Act earlier this month.

Drafted with the objective of fostering innovation and facilitating the sharing of data between

Continue Reading EU: EU formally adopts ‘Data Act’

The European Data Protection Board has published new guidelines (14 November 2023) on the scope of Article 5(3) of the e-Privacy Directive – i.e., the so-called ‘cookie rule’.  

These guidelines apply a maximalist interpretation to the cookie rule, meaning that a wide variety of technologies other than traditional cookies are, in the opinion of the

Continue Reading EU: New EDPB guidelines on the scope of the ‘cookie rule’

Implicit within Delaware law, and now explicit in the SEC Cyber Rules, is the concept of adequate governance. It is not what the FTC just said on a particular topic, the latest guidance from a Data Protection Authority, what the NIST framework provides, or a set of controls in any particular subject area regarding privacy

Continue Reading US: Understanding Governance–A Path for Privacy and Security Governance

We (finally) have more clarity as to the next steps in the long-awaited reform of the Australian Privacy Act.

As we noted back in February this year (see here), the Attorney-General’s Department recommended a number of changes to Australia’s core privacy regime, which saw its last major overhaul in 2014.

The Australian Government

Continue Reading Australia – next stages in the Privacy Act review confirmed