Keller and Heckman has submitted comments to the European Data Protection Board (EDPB) in the context of a public consultation on its draft guidelines 2/2023 on the Technical Scope of Art. 5(3) of the ePrivacy Directive, on behalf of various organisations that wished to contribute in a meaningful manner without drawing attention to their identity.
data security
Why every company with digital activities should comment on the EDPB’s new ePrivacy guidelines

So much for tackling consent fatigue. The short version: If unchanged, the new EDPB guidelines on what is known as the “cookie” rule would extend that rule to cover nearly every communication over the Internet and any use of software on a computer. Your business is probably more impacted than you might think, and it…
Contract as Legal Ground? New CJEU Ruling Creates Risks Re Personalisation


What kinds of processing are necessary for the performance or conclusion of a contract?
This is one of the questions the Court of Justice of the European Union (CJEU) was asked to examine in case C-252/21 between Meta Platforms and the German Federal Cartel Office, in which it delivered a judgment on July 4th…
Soon Higher GDPR Fines in Belgium? Court Decision Paves Way for Public Fining Methodology

Until now, fines by the Belgian Data Protection Authority (BDPA) had, compared to those in neighbouring countries (France, Luxembourg, and the Netherlands), appeared on the low side in absolute numbers.
Last year we carried out an analysis of over 300 fines related to (alleged) infringements of the General Data Protection Regulation (GDPR), including the top 250…
NetChoice Challenges Constitutionality of California Age-Appropriate Design Code Act


When the California legislature passed the California Age-Appropriate Design Code Act (CAADCA or Act) AB 2273 in September of this year, it generated considerable controversy. Companies, trade associations, and even some non-governmental organizations questioned whether the law’s broad reach was not just counterproductive and likely to invade consumer privacy, but preempted by federal law and…
EU Cyber Resilience Act: Cybersecurity Obligations for Connectable Hardware and Software Products Including IoT

The Internet of Things (IoT) segment has grown, and with it have come many examples of vulnerable products, from babycams whose feeds could be viewed by strangers online to hackable implantable cardiac devices. There are also infamous examples of botnets (i.e., clusters of hacked devices) featuring millions of IoT devices with one common trait: weak…
FTC Issues Advance Notice of Proposed Rulemaking on Commercial Surveillance and Data Security


At a press conference on August 11, 2022, the Federal Trade Commission (FTC or Commission) announced an Advance Notice of Proposed Rulemaking (ANPR), which was published, along with a fact sheet, to explore potential new rules governing what the FTC characterizes as prevalent “commercial surveillance” and “lax data security practices.” The FTC issued the…
Sheila Millar Authors “The Right to Repair: Implications for Consumer Product Safety and Data Security” for Inhouse Defense Quarterly

Keller and Heckman partner Sheila Millar wrote the Inhouse Defense Quarterly article, “The Right to Repair: Implications for Consumer Product Safety and Data Security.” The article examines the potential effects of President Biden’s July 9, 2021, executive order that aims to expand consumers’ “right to repair.” Advocates of the right to repair, including the Federal…
FTC and D-Link Settle Data Security Dispute


After protracted litigation, the Federal Trade Commission (FTC) entered into a proposed settlement with computer software manufacturer D-Link over charges that the company misrepresented the security of its wireless routers and Internet-connected cameras and failed to take reasonable software testing and remediation measures to protect the devices.
As we previously reported, part of the…
UK ICO Proposes GDPR Fines for British Airways and Marriott Data Breaches


Earlier this week, the UK Information Commissioner’s Office (ICO) announced its intent to fine British Airways £183,390 million ($230 million) and its intent to fine Marriott International more than £99 million ($123 million) for violations of the General Data Protection Regulation (GDPR) arising out of data breaches. The ICO investigated the breaches as the lead…