California Federal Court Grants Summary Judgment on Most Claims in Data Privacy Case
A California federal judge has largely granted summary judgment in a data privacy lawsuit against Yodlee, Inc., finding that two of the five plaintiffs lacked Article III standing for all remaining claims and that the three other plaintiffs lacked Article III standing for—and failed to create genuine disputes of fact
EDPB highlights the importance of cooperation between data protection and competition authorities
On 16 January 2025, the European Data Protection Board (“EDPB”) published a position paper, as it had announced last year, on the “interplay between data protection and competition law” (“Position Paper”).
In this blogpost, we outline the EDPB’s position on cooperation between EU data protection authorities (“DPAs”) and competition authorities (“CAs”) in the context of certain key issues at the intersection of data protection and competition law.
Key takeaways
- In the interest of coherent regulatory outcomes, the EDPB advocates for increased cooperation between DPAs and CAs.
- The Position Paper offers practical suggestions to that end, such as fostering closer personal relationships, mutual understanding, and a shared sense of purpose, as well as more structured mechanisms for regulatory cooperation.
- The EDPB is mindful of the Digital Markets Act’s (“DMA”) significance in addressing data protection and competition law risks.
Summary of the Position Paper
The EDPB first outlines certain overlaps between data protection and competition law (e.g., data serving as a parameter of competition). The EDPB argues that as both legal regimes seek to protect individuals and their choices, albeit in different ways, “strengthening the link” between data protection and competition law can “contribute to the protection of individuals and the well-being of consumers”.
The EDPB takes the view that closer cooperation between DPAs and CAs would therefore benefit individuals (and businesses) by improving the consistency and effectiveness of regulatory actions. Moreover, the EDPB emphasises that, based on the EU principle of “sincere cooperation” between regulatory authorities and pursuant to the European Court of Justice’s ruling in Meta v Bundeskartellamt (2023), cooperation between DPAs and CAs would be “in some cases, mandatory and not optional”.
Pennsylvania Court Dismisses A Trio of Defendants in Website Wiretapping Suit Challenging Email Marketing Program
A Pennsylvania court recently dismissed a wiretapping complaint filed against a trio of defendants for lack of Article III standing, lack of personal jurisdiction, and failure to state a claim in Ingrao v. Addshoppers, Inc., 2024 WL 4892514 (E.D. Pa. Nov. 25, 2024).
The two plaintiffs in this case…
New York Adopts Amendment to the State Data Breach Notification Law
On December 24, 2024, New York Governor Kathy Hochul signed into law an amendment to New York General Business Law § 899-aa modifying the state’s data breach notification requirements. The amended law, which is effective immediately, imposes new requirements businesses must follow when providing notifications following a data breach…
State Attorneys General Issue Guidance On Privacy & Artificial Intelligence
Attorneys General in Oregon and Connecticut issued guidance over the holiday interpreting their authority under their state comprehensive privacy statutes and related authorities. Specifically, the Oregon Attorney General’s guidance focuses on laws relevant for artificial intelligence (“AI”), and the Connecticut Attorney General’s guidance focuses on opt-out preference signals that go…
Long-Awaited POPIA Guidance on Direct Marketing Published by South Africa’s Information Regulator
The Information Regulator recently published its Guidance Note on Direct Marketing (“Guidance Note”), providing clarity on how personal information can be lawfully processed under the Protection of Personal Information Act (“POPIA”). The Guidance Note offers actionable steps for organizations to align their marketing practices with these principles, fostering responsible marketing that complies with both the letter and spirit of the law.
In this blog, we briefly examine POPIA’s rules on direct marketing, and some of the key highlights from the Guidance Note.
How Direct Marketing is Regulated under POPIA
POPIA regulates direct marketing by establishing strict conditions for the lawful processing of personal information. It requires “responsible parties” (more commonly known as ‘controllers’) to ensure that personal data is collected and used transparently, fairly, and only for a specific, legitimate purpose.
For direct marketing:
- Consent is the default requirement for unsolicited electronic communications (e.g., emails, SMSs, and automated calls). Section 69 of POPIA explicitly prohibits such communications unless the data subject has given prior consent or is an existing customer under specific conditions.
- Legitimate interests may only serve as a justification for non-electronic direct marketing (e.g., postal mail or in-person promotions) under section 11, provided the responsible party conducts a legitimate interest assessment and complies with all conditions for lawful processing.
These rules emphasize data subjects’ control over their personal information, highlighting the importance of consent and the right to object.
Court Holds CIPA’s Pen Register Provision Does Not Impose Liability for “What Makes the Internet Possible.”
Websites cannot load without the transmission of an IP address, which tells websites where to deliver the webpages displayed on a user’s browser. Yet a number of lawsuits have started challenging this routine transmission of IP addresses under a lesser-known provision of the California Invasion of Privacy Act (“CIPA”) that…
Health Privacy Developments to Watch in 2025
2024 was an incredibly busy year for health privacy. As the year draws to a close and we look ahead to 2025, we share several areas that we are watching in the coming year, which we expect to be similarly busy with federal- and state-level activity:
- Proposed Updates to the
Illinois Federal Court Rules BIPA Single-Violation Amendment Applies Retroactively
In a new post on the Inside Class Actions blog, our colleagues discuss a new Illinois federal court decision, Gregg v. Cent. Transp. LLC, 2024 WL 4766297, at *3 (N.D. Ill. Nov. 13, 2024), which holds that the state’s recent amendment to its Biometric Information Privacy Act capping…
Tech Policy in a Second Trump Administration: AI Promotion and Further Decoupling from China
Technology companies will be in for a bumpy ride in the second Trump Administration. President-elect Trump has promised to adopt policies that will accelerate the United States’ technological decoupling from China. However, he will likely take a more hands-off approach to regulating artificial intelligence and reverse several Biden Administration policies related to AI and other emerging technologies.