
HL Chronicle of Data Protection

Privacy & Information Security News & Trends

Posted in International/EU Privacy

Spanish DPA on Use of Cookies: Continued Browsing is Consent

On November 8, the Spanish data protection authority (AEPD) published new Guidelines on the Use of Cookies (Guidelines) (Spanish only). The Guidelines have been prepared in collaboration with different organisations in the marketing and online advertising industries (e.g., Adigital, IAB Spain, etc.), and aim to provide some direction on the use of cookies and similar technologies (e.g., local shared objects or flash cookies, web beacons or bugs, fingerprinting techniques, etc.) in compliance with information society services laws and regulations.

Posted in News & Events

Webinar Invitation — California Consumer Privacy Act (CCPA) Update

Mark Brennan

Tim Tobin








With the effective date for the California Consumer Privacy Act (CCPA) fast approaching on January 1, 2020 and the Attorney General’s CCPA rulemaking still pending, covered businesses have important decisions to make in the very near future.

Join us for a webinar discussion with Hogan Lovells Privacy and Cybersecurity partners Mark Brennan and Tim Tobin on how the CCPA changes enacted over the past year and the California Attorney General’s proposed regulations may impact your compliance efforts. This program will expand on Mark and Bret Cohen’s webinar discussion from June 2019 titled Operationalizing the California Consumer Privacy Act – Key Decisions and Compliance Strategies (available here), which discussed the impact of the CCPA, key definitions, how to determine whether businesses are covered, how to account for opt-outs from sales to third parties, the content and timing of CCPA notices, how to apply the CCPA’s exceptions, and more.

Posted in Cybersecurity & Data Breaches

Lessons for In-House Counsel from Cybersecurity’s Front Lines

Recent developments reinforce the urgent need for general counsel and legal departments to deepen their focus on cybersecurity. In today’s environment, any organization can be the target of a cyberattack, regardless of industry, size, or geographic footprint. Indeed, in just the past few years, a variety of cyber adversaries have attacked financial institutions, social media sites, a movie studio, hospital systems, a peer-to-peer ridesharing company, the Democratic National Committee, hotel chains, city governments, educational institutions, telecommunications and energy utilities, prominent retailers, manufacturers, and even the mobile app of a well-known coffee and donut chain.

Lessons for In-House Counsel from Cybersecurity’s Front Lines was written by members of the Hogan Lovells Privacy and Cybersecurity practice Peter M. Marta and Asmaa Awad-Farid for Bloomberg Law.

To read the full article, click here.

Posted in International/EU Privacy

Spanish DPA Publishes Guide for Satisfying PbD Obligation

On October 17, the Spanish data protection authority (AEPD) published the Guide to Privacy by Design (Guide). While Privacy by Design (PbD) first became a legal requirement in the EU with implementation of the General Data Protection Regulation (GDPR), it is a well-known concept among privacy professionals that dates back to the 1990s.

PbD should be construed as “the need to consider privacy and the principles of data protection from the inception of any type of processing.” It is a concept focused on risk management and accountability that aims to incorporate privacy protections throughout the life cycle of systems, services, products, and processes. It involves the application of measures for privacy protection among all business processes and practices associated with personal data.

Posted in News & Events

Now Available: CCPA Draft Regulations – What You Need to Know (Webinar Materials)

Tim Tobin

Melissa Bianchi

Mark Brennan

Bret Cohen

Scott Loughlin












On October 17, 2019, the Hogan Lovells Privacy and Cybersecurity team discussed key elements of the California Attorney General’s proposed regulations implementing certain provisions of the California Consumer Privacy Act (CCPA). (See our coverage of the proposed regulations, here.)

While the proposed regulations may change, including based on public input, they provide valuable signals of how the California Attorney General may ultimately approach a wide array of CCPA requirements.

The Hogan Lovells team discussed the proposed requirements and how they would impact privacy notices, individual rights, financial incentive programs, and contracting strategies. We also discussed steps you can take to develop reasonable and defensible CCPA compliance strategies by January 1, 2020, along with several areas where businesses may want to provide comments to the Attorney General based on practical business realities.


Posted in News & Events

Privacy and Cybersecurity November 2019 Events

Please join us for our November 2019 events.

November 5
Your Body as Data
Mark Brennan will speak on the panel, “Your Body as Data: Facial Recognition, Biometrics, and the Future of Privacy,” at the Columbus School of Law at The Catholic University of America.
Location: Washington, D.C.


November 5
2019 Data Protection Leadership Forum
Eduardo Ustaran will speak during the session, “International Issues,” and will participate in a Q&A Session at the 2019 Data Protection Leadership Forum hosted by Arthur Cox.
Location: Dublin



Posted in Consumer Privacy

IAB Soliciting Comments on Draft Compliance Framework for Programmatic Advertising under the CCPA

On October 22, the Interactive Advertising Bureau (IAB), a media and marketing industry trade group, released for public comment the California Consumer Privacy Act Compliance Framework for Publishers and Technology Companies (Framework) and accompanying technical specifications to implement the Framework. The draft Framework is designed to help Framework participants (including publishers and intermediaries) comply with the California Consumer Privacy Act (CCPA) by: (1) establishing a digital signal that Framework participants can use to communicate consumer requests to opt out of “sales” of personal information associated with digital advertising; and (2) supporting that signal with a standard contract designed to create Service Provider relationships between publishers and advertising companies after a consumer registers an opt-out. The IAB is requesting comments, which can be sent to privacy@iab.com, by November 5, 2019.

Posted in International/EU Privacy

EU-U.S. Privacy Shield Passes Its Third Annual Review

Following the joint press statement from Commissioner Věra Jourová and Secretary of Commerce Wilbur Ross of 13 September, on 23 October 2019 the European Commission published its report on the third annual review of the functioning of the EU-U.S. Privacy Shield. In a nutshell, the report of the third review found that the U.S. continues to provide an adequate level of protection for personal data transferred under the Privacy Shield from the EU to participating companies in the U.S.


On 12 July 2016, the European Commission issued its adequacy decision concerning the Privacy Shield framework for the transfer of personal data from the EU to the U.S. The Privacy Shield formally entered into operation on 1 August 2016 and to date, more than 5,000 companies have been certified and are committed to complying with the data protection requirements. This covers most U.S. for-profit businesses, but excludes a number of banks, financial services companies, telecoms, and other businesses that are not subject to the jurisdiction of the Federal Trade Commission or Department of Transportation.

Posted in Health Privacy/HIPAA

OCR Provides Insight into Enforcement Priorities and Breach Trends


Regulators, industry experts, and researchers provided insight into health privacy and security enforcement trends, emerging threats, and new tools at a recent conference focused on the Health Insurance Portability and Accountability Act (HIPAA) regulatory framework. Moving into 2020, organizations with health data should be aware of:


  • Shifting OCR enforcement priorities;
  • Regulators’ continued attention to key HIPAA compliance activities;
  • The changing threat landscape for health data; and
  • New guidance and frameworks for health data not regulated by HIPAA.


Posted in Health Privacy/HIPAA, International/EU Privacy

Medical Research Council Advises on How to Anonymise Information for Research Purposes

Anonymisation has always been (and still is) a real challenge for those carrying out clinical research. To shed some light on this matter, the Medical Research Council (MRC) – which is part of UK Research and Innovation – has recently published guidance on Identifiability, anonymisation and pseudonymisation (the guidance). Although the guidance itself states that it has been developed with the participation of the Information Commissioner’s Office (ICO), it is not ICO-approved and so institutes and organisations should be cautious when relying on the criteria set out in the guidance.