Welcome to Last Week in Privacy! Each week, OneTrust’s in-house privacy experts will give you the top international privacy industry highlights from last week.

  1. The French data protection authority (the “CNIL”) has adopted new guidelines on cookies and other online trackers as part of its 2019-2020 action plan on targeted advertising. In particular, the CNIL noted that the Guidelines aim to harmonize future regulations at the European level and that it had repealed the former guidelines on cookies adopted in 2013 which did not comply with the GDPR. In addition, the CNIL highlighted that the Guidelines will be followed by a new recommendation which will specify technical requirements for obtaining consent. Moreover, CNIL outlined that operators must continue to allow access to services even in cases of refusal to consent, as well as providing a method to withdraw consent that is easy to access and use
  2. The European Data Protection Supervisor published its list of the kinds of processing operations that require a data protection impact assessment to be performed under the GDPR. In particular, the Decision provides criteria for controllers in EU institutions to assess whether their processing requires a DPIA. Furthermore, the Decision outlines that controllers in EU institutions, when assessing whether their planned processing operations require a DPIA, shall conduct a threshold assessment in accordance with Annex 1 of the Decision, which lists the criteria requiring a DPIA, such as the systematic and extensive evaluation of personal aspects or scoring, including profiling, automated decision making with legal or similar effect, and systematic monitoring.
  3. The U.S. Federal Trade Commission announced that Equifax has agreed to pay at least $575 million and potentially up to $700 million as part of a proposed settlement with the FTC, the Consumer Financial Protection Bureau, and 50 US states and territories which allege that Equifax’s failure to take reasonable steps to secure its network led to a 2017 data breach that affected the names, dates of birth, social security numbers, physical addresses and other personal information of approximately 147 million people. The FTC highlighted that as part of the proposed settlement, Equifax will be required to implement a comprehensive information security program, requiring the company to take several measures including designating an employee to oversee the program, and will be required to obtain third-party assessments of its security program every two years.
  4. The FTC also finalized a settlement that includes a multimillion-dollar fine with Google as part of findings that Google inadequately protected children who used YouTube. The FTC, which voted along party lines to approve the settlement, also found that Google improperly collected data in breach of the Children’s Online Privacy Protection Act. The amount of the fine has not been disclosed, and the Department of Justice is currently reviewing the details of the settlement.

That’s all for now. Thanks again for watching Last Week in Privacy, helping you to prepare for this week in privacy. See you next time.