A U.S. Federal Court dismissed the New Mexico Attorney General’s lawsuit against Google that alleged the technology company failed to obtain proper parental consent to collect personal information from students who use its educational products.  The Court ruled that Google’s practice of relying on schools as an intermediary or agent to obtain parental consent is consistent with the Children’s Online Privacy Protection Act (COPPA), the federal law that protects children’s personal data. Technology companies can use schools to give notice and to obtain parental consent regardless ..read more

The European Data Protection Board (“EDPB”) plans to release further guidance in the coming months on specific steps that companies can take to export personal data from the European Economic Area to locations in the United States following a major shakeup in the law earlier this year.  Although the EDPB issued only initial FAQs shortly after the change, EDPB Chair Andrea Jelinek said on September 23, 2020, “I’m quite sure that the companies should not wait until they are advised differently, because the Court told the companies in its decision, in this ruling, that it’s u ..read more

The Federal Trade Commission (“FTC”) settled charges with Age of Learning—the operator of ABCmouse, a digital learning program for children—that the company: (1) failed to disclose material auto-renewal terms, (2) did not obtain consumers’ express consent to recurring subscription charges, and (3) misrepresented its cancellation policies and procedures in failing to provide a simple cancellation mechanism. The FTC alleged these practices were not only unfair and misleading, but that they also violated the Restore Online Shoppers Confidence Act (“ROSCA”). As a result of the settlemen ..read more

While not outright eliminating the Swiss-U.S. Privacy Shield, the Swiss Data Protection Authority, the Federal Data Protection and Information Commissioner (FDPIC), announced in a position paper on September 8, 2020 that he no longer considers the Swiss-U.S. Privacy Shield adequate for the transfer of personal data from Switzerland to the U.S.  The Commissioner’s position paper follows an annual assessment of the Swiss-U.S. Privacy Shield regime and echoes a recent ruling on data protection by the Court of Justice of the European Union (CJEU) in the case kno ..read more

Today, Apple confirmed that it will delay the launch of its iOS 14 AppTrackingTransparency feature until early next year. However, Apple still intends to release iOS 14 this fall, along with its new privacy “nutrition labels” and other privacy features.  AppTrackingTransparency Framework Delayed The AppTrackingTransparency framework seeks to give users more control over whether advertisers can track users and their devices across websites, apps, and offline properties. When enabled, the feature will require advertisers to obtain user consent before being able to track a device acros ..read more

This article was originally published in the IAPP Daily Dashboard on August 19, 2020. By invalidating the EU-U.S. Privacy Shield but not rejecting wholesale the use of standard contractual clauses to transfer data to the U.S., the Court of Justice of the European Union in “Schrems II” left open the possibility that such transfers could continue. However, it emphasized that exporters and importers may need to adopt additional safeguards when using SCCs to ensure an adequate level of protection for personal data transferred to the U.S. Until now, commentators have seemed unsure as to what those ..read more

We are seeking candidates for our 2021-2022 Fellowship Program. The program presents a unique opportunity to work with and learn from some of the most experienced privacy and data security lawyers representing the biggest names in technology, and it’s a great place to start your career, just ask former Fellows: “ZwillGen was a fantastic place to dive into some of the most interesting tech and privacy legal issues. I learned a ton working with some of the best and most fun lawyers I know.” —Brett Weinstein, former ZwillGen Fellow “Complex and intriguing work and the real cherry on top is the ..read more

On July 22, 2020, the Federal Trade Commission (“FTC”) issued revised FAQs regarding the Children’s Online Privacy Protection Act and the FTC Rule issued thereunder (together “COPPA”). The COPPA FAQs provide practical guidance to help operators of commercial websites and online services determine if COPPA applies to them and how to comply. The FTC explained that the revisions are largely consistent with and serve to consolidate and streamline the FTC’s existing COPPA-related guidance, such as that contained in its settlements and other policy documents. Although the new FAQs ge ..read more

On July 9, 2020, the Italian Data Protection Authority (“Garante”) issued a 16.7 million euro fine against Wind Tre S.p.A., an Italian telecom operator, for a number of unlawful data processing activities related to direct marketing under the General Data Protection Regulation (“GPDR”). Following an extensive investigation and several complaints, the Garante found Wind Tre sent unsolicited marketing messages to numerous users via text, telephone, e-mail, fax, and automated calls, and, in many cases, the messages continued even after the data subjects had withdrawn their consent or e ..read more

Today the Court of Justice of the European Union (“CJEU”) ruled that: The EU-U.S. Privacy Shield framework (“Privacy Shield”) is no longer a valid mechanism for exportation of personal data from the European Economic Area (“EEA”) to the United States. This is primarily because, in the CJEU’s view, the Privacy Shield fails to remedy two problems with aspects of the legal framework for U.S. intelligence collection: (i) U.S. law gives U.S. authorities the right to collect personal data about non-U.S. persons without sufficient safeguards and (ii) such individuals have no effective man ..read more