Mark your calendars for Wednesday, December 13th, at 10 AM Pacific/1 PM Eastern. The Network Advertising Initiative (NAI) is set to host an insightful panel discussing the implications of the California DELETE Act, featuring Kyle Fath, Partner in our Data Privacy, Cybersecurity & Digital Assets group. Alongside Kyle on the panel will be fellow privacy and AdTech experts, Julie Rubash (General Counsel & CPO, Sourcepoint), Rachel Glasser (Chief Privacy Officer, Magnite), Tony Ficarrotta (VP, General Counsel, NAI) and David LeDuc (VP, Public Policy, NAI).

The panel aims to delve into key aspects of the California Delete Act, shedding light on its impact on businesses, compliance strategies and the broader implications for consumer data protection.

Don’t miss out on this opportunity to gain valuable insights on a hot topic from industry experts. Register now to secure your spot and join the discussion on December 13th.

Register for the panel here.

In a decision last week, the Ninth Circuit Court of Appeals affirmed dismissal of a putative class action concerning allegations that Shopify violated various California privacy and unfair competition laws by purportedly concealing its involvement in online consumer transactions.  Briskin v. Shopify, Inc., No. 22-15815, 2023 WL 8225346 (9th Cir. Nov. 28, 2023).  In this ruling of first impression, the Ninth Circuit outlined several “key principles” to govern the assessment of whether personal jurisdiction exists as to online platforms in consumer data collection and retention cases going forward.  Read on to learn more.

Case Background

Plaintiff in Briskin is a California resident who, allegedly while physically present in California, used his iPhone to purchase fitness apparel.  Plaintiff alleged in the Complaint that, unknown to him, the company he purchased clothing from used software and code from Shopify, Inc. to process customer orders and payments.

Shopify is a Canadian corporation with its headquarters in Canada.  It provides participating merchants with a sales platform that enables the processing of online purchases.  As alleged in the Complaint, Shopify obtains, processes, stores, analyzes, and shares the information of consumers who complete transactions on Shopify’s merchant-customers’ websites.  Plaintiff in this case asserted that when he provided his personal information and credit card information for purposes of ordering fitness apparel online, Shopify: (i) “collected this information”; (ii) “installed cookies onto [Plaintiff’s] phone, connected his browser to its network, generated payment forms requiring [Plaintiff] to enter private identifying information, and stored [Plaintiff’s] personal and credit card information for later use and analysis”; (iii) “transmitted [Plaintiff’s] payment information to a second payment processor”; and (iv) “used the customer information it received to create consumer profiles, which Shopify also shared with its merchant and other business partners.”

Plaintiff filed a putative class action in California federal court, asserting that Shopify violated various California privacy and unfair competition laws because it deliberately concealed its involvement in the consumer transactions.  Plaintiff sought to represent a putative class defined as “[a]ll natural persons who, between August 13, 2017 and the present, submitted payment information via Shopify’s software while located in California.”  Shopify and two of its wholly owned subsidiaries (neither of which were headquartered or had their principal place of business in California) were named as defendants.  Defendants moved to dismiss Plaintiff’s claims for lack of personal jurisdiction.

Overview of General vs. Specific Jurisdiction

Federal courts have limited jurisdiction, and generally may not exercise judicial power over defendants that do not reside in the forum.  In any case, the plaintiff bears the burden of establishing personal jurisdiction over a defendant.

Consistent with Supreme Court precedent, a court’s power to exercise personal jurisdiction manifests in two basic ways: general or all-purpose jurisdiction, and specific or case-linked jurisdiction.  For a corporation, the paradigm forum for the exercise of general jurisdiction is one in which the corporation is fairly regarded as at home—which encompasses the corporation’s place of incorporation and its principal place of business.  By contrast, specific jurisdiction is narrower.  It covers defendants less intimately connected with a State, but only as to a narrower class of claims.  There are three requirements for a court to exercise specific jurisdiction over a defendant in a litigation.  First, the defendant must have “purposefully availed” itself of “the benefits and protections of the forum’s laws.”  Burger King Corp. v. Rudzewicz, 471 U.S. 462, 475-76 & 482 (1985) (citation omitted).  Generally, this requires “some act by which the defendant purposefully avails itself of the privilege of conducting activities within the forum State.”  Hanson v. Denckla, 357 U.S. 235, 253 (1958).  Second, the plaintiff’s claims “must arise out of or relate to the defendant’s contacts” with the forum.  Ford Motor Co., 141 S. Ct. at 1025.  Third, the court must assess the reasonableness and substantial justice of exercising jurisdiction over the defendant in the particular case.

The Ninth Circuit’s Ruling on Personal Jurisdiction

Plaintiff in this case did not argue that there was general jurisdiction over Shopify or its subsidiaries named as Defendants.  Instead, the issue before the Ninth Circuit was whether the District Court had correctly dismissed the case for lack of specific jurisdiction, i.e., whether Shopify “expressly aimed” its activities at the forum state so as to satisfy the second prong required for the exercise of specific jurisdiction in the litigation.

In addressing this issue, the Court noted that “[f]or specific jurisdiction to exist over Shopify, [Plaintiff’s] claim ‘must be one which arises out of or relates to the defendant’s forum-related activities.’” (citation omitted).  As such, “[t]his is a claim-tailored inquiry that requires [the Court] to examine the plaintiff’s specific injury and its connection to the forum-related activities in question.”  On this basis, the Court held that the central jurisdictional inquiry boiled down to the question of causation, finding that [Plaintiff’s] claims do not “arise out of” Shopify’s broader forum-related activities in the state (its contracts with California merchants, physical Shopify offices, and so on).  Rather, an injury arising “out of a defendant’s forum contacts require[s] ‘but for’ causation, in which ‘a direct nexus exists between a defendant’s contacts with the forum state and the cause of action.’”

As such, the Court determined that “[t]here is no such causal relationship between Shopify’s broader California business contacts and [Plaintiff’s] claims because these contacts did not cause [Plaintiff’s] harm.”  Nor, the Court held, did Plaintiff’s claims “relate to” Shopify’s “broader business activities in California outside of its extraction and retention of [Plaintiff’s] data.”  The Ninth Circuit reasoned that:

[Plaintiff] would have suffered the same injury regardless of whether he purchased items from a California merchant or was physically present in California when he did so.  To the extent [Plaintiff] suggests that Shopify’s broader business actions in California set the wheels in motion for Shopify to eventually inflict privacy-related harm on him in California, such a butterfly effect theory of specific jurisdiction would be far too expansive to satisfy due process.
(emphasis supplied).

Other Principles Set Forth by the Ninth Circuit to Guide Other Cases

The Ninth Circuit framed the core issue presented in this case as a novel one, concerning “whether Shopify, which provides web-based payment processing services to online merchants throughout the nation (and the world), thereby expressly aimed its conduct toward California.”

Because Shopify operates a web-based platform, the Court found (and the parties agreed) that Ninth Circuit personal jurisdiction cases involving interactive websites should govern the jurisdictional inquiry as to Shopify and other litigations involving a broadly accessible back-end web platform.  The Court stated that the core principles governing the personal jurisdiction inquiry were the following:

  • “First, the fact that a broadly accessible web platform knowingly profits from consumers in the forum state is not sufficient to show that the defendant is expressly aiming its intentional conduct there.” (emphasis supplied).
  • “Second, to establish the ‘something more’ needed to demonstrate express aiming in suits against internet platforms, the plaintiff must allege that the defendant platform has a forum-specific focus.”  In the alternative, “the plaintiff must allege that the defendant is specifically ‘appeal[ing] to … an audience in a particular state’ or ‘actively target[ing]’” the forum state (citations omitted).  The Court explained that what is needed in either instance, however, is “differentiation of the forum state from other locations . . . which permits the conclusion that the defendant’s suit-related conduct ‘create[s] a substantial connection’ with the forum.” (citations omitted).
  • “Third, the specific nature and structure of the defendant’s business matters.”  The Court explained that “how the defendant operates and organizes its web-based platform” and how the defendant interacts with relevant third parties all affect the “something more” analysis.
In ruling that Shopify was not subject to specific jurisdiction for Plaintiff’s claims, the Court cautioned that it was not suggesting “that the extraction and retention of consumer data can never qualify as express aiming” for purposes of establishing specific jurisdiction over a defendant.  The Court noted that because “the nature and structure of a defendant’s business can affect the personal jurisdiction analysis,” personal jurisdiction in all instances depends on a “fact-intensive” assessment.  Therefore, the Court’s ruling in this case was based on an application of these principles to the facts as alleged in Plaintiff’s Complaint.  However, the principles set forth in the decision will undoubtedly guide consumer privacy litigations in the Ninth Circuit going forward, and will be persuasive authority for defendants in other cases.  For more, stay tuned.  Privacy World will be there to keep you in the loop.

On November 30, 2023, the Illinois Supreme Court unanimously held that an exclusion in the Illinois Biometric Information Privacy Act applies to healthcare workers where their biometric information is collected, used, or stored in the course of providing medical services.  The holding is a significant victory for healthcare institutions and clarifies that the applicable exemption, Section 10 of BIPA, does not only apply to hospital patients, but also extends to other circumstances.

Plaintiffs were healthcare workers who used finger scanning authentication devices in the course of providing patient care, including for medication dispensing systems and to gain authorized access to patient materials and medications.  They filed suit against their employer, a hospital, alleging violations of Sections 15(a), (b), and (d) of BIPA.  The defendant hospital filed a motion to dismiss, arguing that the biometric data that it purportedly collected, used, and/or stored was used for internal purposes to restrict access to patients’ protected health information and medication.  The defendant also asserted that because the data at issue was used for health care treatment and operations, it was, therefore, specifically exempt under Section 10 of BIPA.  This provision provides that “[b]iometric identifiers do not include information captured from a patient in a health care setting or information collected, used, or stored for health care treatment, payment, or operations under [HIPAA].”

In this case, an Illinois circuit court ruled that the exemption in Section 10 of BIPA was limited only to patient information.  Defendant timely appealed that ruling.

On appeal, in a case of first impression, the Illinois Supreme Court held that healthcare workers’ use of biometric scanning devices fell within the scope of Section 10’s exemption by the plain language of the statute: “Pursuant to its plain language, [BIPA] excludes from its protections the biometric information of health care workers where that information is collected, used, or stored for health care treatment, payment, or operations, as those functions are defined by HIPAA.”  As such, the Court ruled, using finger scanning devices to access patient medications and provide patient care fell within the scope of “information collected, used, or stored for health care treatment, payment, or operations.”

This ruling is a significant victory for the BIPA defense bar.  However, attorneys should be cautious of reading Mosby too expansively, as the Court cautioned that it did not intend to create a “broad, categorical exclusion of biometric identifiers taken from health care workers.”  It is anticipated that future cases applying the Section 10 exemption will further refine the standard resulting from this decision.  For more, stay tuned; Privacy World will be there to keep you in the loop.

Earlier this fall, the Fourth Circuit vacated the district court’s class certification order in the Marriott data breach MDL because of the potential applicability of a class action waiver defense. See In re Marriott Int’l Consumer Data Security Breach Litig., 78 F.4th 677 (4th Cir. 2023). Our post on this decision can be found here. On remand, the district court took little time to conclude that Marriott had waived the class action waiver in the Choice of Law and Venue provision of the putative class members’ contracts and that regardless “the adhesive provision, buried on the last page of the Terms cannot direct this Court to ignore the provisions of Rule 23 of the Federal Rules of Civil Procedure.”  In re Marriott Int’l Consumer Data Security Breach Litig., 2023 WL 8247865 (D. Md. Nov. 29, 2023). The district court thus reinstated the classes as earlier certified.

Continue Reading District Court Quickly Reinstates Class Certification in Marriott Data Breach Litigation

In case you missed it, below are recent posts from Privacy World covering the latest developments on data privacy, security and innovation. Please reach out to the authors if you are interested in additional information.

FCC Acts to Protect Consumer Data by Strengthening Customer Proprietary Network Information and Number Porting Rules | Privacy World

Considering DPF Certification? It May be Worth Considering APEC Certifications, Too | Privacy World

Privacy Challenges for Digital Advertising, Particularly in Europe | Privacy World

The Online Safety Act: Does this present a difficult balancing act for online service providers? | Privacy World

Simplified Sanction Procedure Used by the CNIL To Sanction Geolocation and Video Surveillance of Employees in France | Privacy World

The Federal Communications Commission (“FCC”) has adopted rules to address two fraudulent practices that “bad actors use to take control of consumers’ cell phone accounts and wreak havoc on people’s financial and digital lives without ever gaining physical control of the consumer’s phone.”

In its recent Report and Order and Further Notice of Proposed Rulemaking released November 16, 2023, the Commission first addressed the practice where bad actors are able to swap a consumer’s subscriber identity module (“SIM”) card to a wireless device associated with a different SIM (i.e., SIM card swap fraud).  The agency also acted on wireless number porting fraud, where bad actors impersonate a customer and convince the provider to port the real customer’s telephone number to a new wireless provider and a device that the bad actor controls (i.e., port-out fraud).

Continue Reading FCC Acts to Protect Consumer Data by Strengthening Customer Proprietary Network Information and Number Porting Rules

Compliance with data protection laws is an issue of increasing complexity for most organizations these days. New laws and regulations are cropping up with increasing frequency, making companies’ compliance challenges more complicated all the time. As a result, many companies are seeking ways to simplify their compliance strategy while demonstrating compliance to individuals, clients, customers and regulators.

Since the EU-US and Swiss-US Data Privacy Frameworks (DPF) and the UK Extension to the EU-U.S. DPF were approved earlier this year, some international organizations are considering DPF certification to show compliance with the requirements of European and UK law. Such organizations may also want to consider certification to the Asia Pacific Economic Cooperation (APEC), Cross-Border Privacy Rules (CBPR) and the Privacy Recognition for Processors (PRP). The CBPR and PRP are voluntary frameworks under which companies can apply for certification.

Compared to the DPF, which is bilateral between the EU and U.S. (see our FAQs here), the CBPR (and its forthcoming successor, the Global CBPR) have a wider geographical reach that can facilitate more multilateral transborder data flows. However, certification to CBPR and PRP can be used not only as a cross-border data transfer mechanism, but also as a comprehensive domestic privacy compliance and accountability program.

In this blog post, we will outline the benefits of certification, and factors to consider in determining whether CBPR and PRP certifications are appropriate for your organization.

What Are the CBPR and PRP?

The CBPR and PRP are data protection frameworks which were adopted by participating APEC economies.

A CBPR or PRP certified company in a relevant participating economy can transfer personal data to either: (a) a recipient within the same group of companies; or (b) an external third party, even if that recipient is neither CBPR nor PRP certified and regardless of whether that recipient is based in a participating economy.

The CBPR certification is for data controllers (i.e., companies that control the processing of personal data). Conversely, the PRP certification is for data processors (i.e., companies that process personal data on behalf of controllers). The PRP is designed to help processors demonstrate their ability to assist controllers in complying with relevant data privacy obligations. The PRP also helps controllers identify qualified and accountable data processors. If a company is a controller under certain circumstances and a processor under others, that company may choose to become both CBPR and PRP certified.

Who Are the Participating Economies of the CBPR and the PRP?

Currently, there are nine members of the CBPR system, namely:

  • The US
  • Australia
  • Canada
  • Japan
  • Korea
  • Mexico
  • The Philippines
  • Singapore
  • Taiwan/Chinese Taipei

Of these nine, the CBPR has already been fully implemented and operationalized in:

  • The US
  • Japan
  • Korea
  • Singapore

The remaining five members are in varying stages of implementation/operationalization. Other countries that have indicated they will be joining the CBPR in due course include Chile, Indonesia, Malaysia, the UK and Vietnam.

Currently, there are two members of the PRP system, namely:

  • The US
  • Singapore

What is the Process for Getting Certified?

An applicant company must apply to a recognized accountability agent, which is an external independent certification body appointed within the relevant APEC participating economy in which the company is primarily based/located. The applicant company can select an accountability agent from a list of accountability agents appointed by the relevant participating economy.

The procedure for applying for certification begins with the applicant company contacting an accountability agent from the agents approved by the participating economy. Typically, some basic information will be requested and then the applicant company will be contacted by a representative from that accountability agent. Next, the applicant company will undergo a comprehensive assessment by the accountability agent, based on the specified program requirements/assessment criteria discussed below.

Accountability agents are responsible for receiving an applicant company’s intake documentation, verifying its compliance with the requirements of the CBPR or PRP (as the case may be) and, where appropriate, assisting the applicant in modifying its policies and practices to meet the requirements of the CBPR or PRP (as the case may be). The accountability agent will certify those applicants that are deemed to have met the minimum criteria for participation, and will be responsible for monitoring their compliance with the CBPR or PRP (as the case may be), based on such criteria.

What Are the Criteria by Which Applicant Companies Will be Assessed?

Each of the CBPR and PRP contains its own set of program requirements, which are based on the following nine Privacy Principles set forth in the 2005 APEC Privacy Framework:

  • Preventing harm
  • Notice
  • Collection limitation
  • Uses of personal information
  • Choice
  • Integrity of personal information
  • Security safeguards
  • Access and correction
  • Accountability

The program requirements and assessment criteria for the CBPR can be found here, and for the PRP here. The CBPR and PRP program requirements assist the accountability agents in reviewing the practices adopted by an applicant company for compliance. They also ensure that the process is conducted consistently throughout all participating economies of the CBPR or PRP systems.

What are the Legal Implications of Becoming Certified?

Once a company becomes CBPR or PRP certified, it must comply with the CBPR or PRP requirements, which are imposed on it as enforceable obligations. The certification becomes legally enforceable by the privacy enforcement authority in the participating economy in which the company is based. For instance, if the company is based in the US, then the authority is the US Federal Trade Commission.

A certified company must implement complaint and redress mechanisms to address and respond to any individual complaints concerning potential violations. Such complaint and redress mechanisms must accord with the APEC CBPR and PRP dispute resolution procedure rules. The key features of such dispute resolution procedure (Procedure) are as follows. The accountability agent will be the dispute resolution provider that administers the Procedure for any complaints alleging that a certified company has failed to comply with the PRP program requirements. For a complaint to be eligible for resolution under the Procedure, it must:

  • Be made against a certified company
  • Allege that the certified company failed to comply with program requirements in relation to the complainant’s personal data
  • Include information to support the complainant’s allegations
  • Follow a good faith effort by the complainant to resolve the complaint directly with the certified company
  • Not have been previously resolved by the same dispute resolution procedure, or court action, arbitration or other form of dispute settlement
  • Not currently be the subject of litigation or other adjudicatory process (unless both the complainant and certified company agree otherwise)

Upon initial contact by a potential complainant, the accountability agent will:

  • Seek information about the complaint to determine its eligibility for resolution under the Procedure
  • Verify the identity of the complainant

The accountability agent will determine whether the complaint is eligible and will notify the complainant of its decision. The accountability agent will then issue a written decision to the parties after receipt of all information provided by the parties. The decision will state whether, and why, corrective action is or is not necessary and if it is, specify a commercially reasonable time frame for such action to be implemented. If the accountability agent determines that changes to the certified company’s privacy policies or practices are necessary to correct any non-compliance with the PRP program requirements, the certified company must submit a statement to the accountability agent indicating whether, and how, it will comply with the decision. The accountability agent will notify the parties once the required changes have been made and close the case. If no further action is required, it will notify the parties accordingly and close the case. The accountability agent is also entitled to suspend or withdraw certifications for non-compliant companies. It can also, in its sole discretion, report any non-compliance to the US Federal Trade Commission or other appropriate government agency.

Do Certifications Need to be Renewed?

As with the DPF, a CBPR or PRP certified company needs to renew its certification annually and is subject to a re-certification process every year. To get its CBPR or PRP certification renewed, the company must update and complete the intake questionnaire to reflect any changes since the initial certification. If there has been a material change, the accountability agent will perform a review process and issue an audit report with its findings on the company’s level of compliance with the program requirements. This report will also highlight areas of non-compliance, the rectifications that need to be made, and the timeframe within which they must be made to obtain re-certification. Once all requirements are in compliance, a final report will be issued to the company, and the company will be re-certified.

What are the Implications of being CBPR / PRP Certified on Enforcement?

Nothing in the CBPR or PRP systems changes the allocation of responsibility, including in the controller-processor relationship, under applicable national data privacy laws. Under the accountability principle in the APEC Framework and the CBPR system, controllers continue to be responsible for the activities that data processors perform on their behalf, and they will remain so even when contracting with a PRP-recognized processor. Accordingly, processor activities remain subject to enforcement through enforcement against the controllers. This means that CBPR-certified controllers must apply due diligence in selecting their processors and engage in appropriate oversight of their processors, regardless of whether the processors are PRP-recognized. Note that there is no requirement that a CBPR-certified controller engage a PRP-recognized processor to perform information processing in order to comply with the accountability principle in the APEC Framework and the CBPR system.

How Can CBPR or PRP Certification Benefit My Organization?

The CBPR and PRP can function as comprehensive privacy compliance and accountability programs and are widely recognized globally as a way to validate robust data protection practices.

As indicated above, the CBPR and PRP can be used as an international transfer mechanism to enable permissible personal data transfers from a participating economy to any other country. However, the CBPR and PRP go beyond just facilitating cross-border transfers and are also comprehensive privacy frameworks that can help organizations demonstrate compliance with generally recognized privacy principles and privacy laws in participating jurisdictions.

For processors, PRP certification can help demonstrate robust data protection practices to clients. Objective third-party verification of compliance by an accountability agent is helpful for this purpose.

Additionally, with the myriad privacy requirements organizations are obligated to follow, CBPR or PRP certification will help an organization establish a data protection baseline which can be adjusted where necessary to satisfy unique jurisdictional requirements. Accordingly, CBPR and PRP certifications can be used to establish a good general data protection standard. This standard can subsequently be developed and refined as your organization grows and matures.

What is the Global Cross-Border Privacy Rules (Global CBPR) Forum and How is it Related to the APEC CBPR and PRP?

The Global CBPR Forum was established in 2022 and builds on the APEC CBPR system as a framework that supports the effective protection and flow of data internationally. The Global CBPR Forum intends to establish an international certification system based on the APEC CBPR and PRP, but the system will be independently administered and separate from the APEC Systems.

There will be consultations with accountability agents and companies certified under the APEC CBPR and PRP to formally transition operations to the Global CBPR Forum. Any pre-existing accountability agents will be provided with at least 30 days’ notice. For companies that are already certified or interested in becoming APEC CBPR or PRP certified, these certifications will continue to be provided through APEC-approved accountability agents until further notice. All APEC CBPR or PRP certified companies, as well as their approved accountability agents, will automatically be recognized in the new Global CBPR Forum based on the same terms that they are recognized within the APEC CBPR and PRP Systems.

Presently, the Global CBPR counts the US, Canada, Mexico, Japan, South Korea, the Philippines, Singapore, Chinese Taipei and Australia as members, with the UK granted associate status in July 2023. With its broad geographical footprint and expanding take-up, the Global CBPR has the potential to facilitate more multilateral cross-border transfer arrangements over a wider region, compared to the bilateral approach adopted by the EU, for instance. For more information on the upcoming Global CBPR Forum, see:


With the increasingly global nature of business and increasingly complex data protection compliance obligations, certifications like the CBPR and PRP can be helpful tools to ensure that your organization is equipped to satisfy those requirements.

Companies that certify to CBPR and PRP can use such certifications to demonstrate commitment to data protection principles. As a result, such certifications can help to distinguish your organization in an increasingly competitive market. Additionally, certifications like CBPR and PRP can help to demonstrate good faith efforts to comply with applicable data protection requirements. Showing good faith efforts is often a crucial defense against regulatory enforcement actions. Compliance with robust data protection standards can also help companies defend against allegations of failure to implement adequate data protection controls.

To this end, individuals who are unsatisfied with the way a company handles its data protection obligations are given the opportunity to settle the matter under the CBPR and PRP’s independent redress mechanism. Disputes resolved pursuant to the independent redress mechanism are less likely to be elevated to the relevant data protection authority or to result in a lawsuit.

Should you require assistance or support, please contact the authors of this blog post or your relationship partner at our firm.

Disclaimer: While every effort has been made to ensure that the information contained in this article is accurate, neither its authors nor our firm accepts responsibility for any errors or omissions. The content of this article is for general information only and is not intended to constitute or be relied upon as legal advice.

In case you missed it, below are recent posts from Privacy World covering the latest developments on data privacy, security and innovation. Please reach out to the authors if you are interested in additional information.

Privacy Challenges for Digital Advertising, Particularly in Europe

The Online Safety Act: Does this present a difficult balancing act for online service providers?

Simplified Sanction Procedure Used by the CNIL To Sanction Geolocation and Video Surveillance of Employees in France

Scott Warren and Kristin Bryan to Speak at the Society for the Policing of Cyberspace (POLCYB) Conference

Two Significant AI Announcements:  Spooky for AI Developers?

Last Chance to Register for In-Person CLE: The Important Role Legal Plays in an Era of Growing Data Risks: Key Findings From the 2023 ACC CLO Report

Cyber and AI talks in Tokyo

Join us for a Roundtable: Preparing for the EU Artificial Intelligence Act – Brussels

UPDATED BLOGPOST: Online Safety in Digital Markets Needs a Joined-Up Approach with Competition Law in the UK

FTC Amends GLBA Safeguards Rule to Require Reporting of Certain Data Breaches

Unclear on AI Contracting in the EU – the European Commission Is Pleased to Help

Today at a panel before the International Association of Privacy Professionals (“IAPP”) – Europe Data Protection Congress in Brussels, leading European Union (“EU”) data protection authority commissioners cast doubt on the notion that there could ever be a lawful basis for targeted advertising based on behavioral profiling, referred to often as interest-based advertising (“IBA”).

Continue Reading Privacy Challenges for Digital Advertising, Particularly in Europe
The Online Safety Act (“OSA”) aims to make the internet a safer place, protecting adults and children from illegal and harmful content by making online service providers such as social media companies more accountable for content published on their sites[1]. Despite the positive intentions, the OSA may have unintended consequences. In particular, service providers will face the difficult task of balancing the duty to protect users from illegal and harmful content against the duty to protect freedom of expression.

The OSA became law on 26 October 2023.

Continue Reading The Online Safety Act: Does this present a difficult balancing act for online service providers?