On August 24, 2022, California Attorney General Rob Bonta announced a settlement with Sephora for violations of the California Consumer Privacy Act (CCPA). The action places online consumer tracking, analytics and advertising squarely in the regulatory crosshairs. “Sephora, like many online retailers, installs third-party companies’ tracking software on its website and in its app so that these third parties can monitor consumers as they shop,” the AG alleged, “. . . [and] when a company like Sephora utilizes third-party tracking technology without alerting consumers and giving them the opportunity to control their data, they deprive consumers of the ability to limit the proliferation of their data on the web.”
On August 1, 2022, the Court of Justice of the European Union (CJEU) issued an opinion regarding a Lithuanian data protection case that may signal an expansion of interpretation of the definition of sensitive personal data under the EU’s General Data Protection Regulation (GDPR). Specifically, the CJEU found that data indirectly disclosing sexual orientation constitutes sensitive personal data.
At issue was a Lithuanian law that requires the Chief Official Ethics Commission of Lithuania to publish information about the private interests of public officials in an effort to combat corruption. In the facts underlying the case, a Lithuanian official objected to the Chief Official Ethics Commission’s online publication of his private interest information, which included his spouse’s name. The CJEU concluded that the publication of such information was prohibited by the GDPR because it was “liable to disclose indirectly the sexual orientation of a natural person,” a type of special category of personal data generally prohibited from processing under GDPR Article 9 (processing of special categories of personal data) unless certain additional conditions are satisfied such as the data subject’s explicit consent, or that processing is necessary for reasons of substantial public interest.
On November 8, 2021, New York Governor Kathy Hochul signed new workplace privacy legislation (A.430/S.2628) into law. Beginning in May 2022, private employers with a “place of business” in the state of New York will have to inform their employees if the employer “monitors or otherwise intercepts” telephone conversations, e-mail, or internet access or usage “of or by an employee by any electronic device or system.” This legislation does not apply to state or local government employers.