On January 21, 2019, the CNIL (the French data protection authority) issued a fine of €50 million to Google under the General Data Protection Regulation (the “GDPR”) for its failure to (1) provide notice in an easily accessible form, using clear language, when users configured their Android mobile device, and (2) obtain users’ consent to process personal data for ad personalization purposes. The CNIL’s enforcement action and resulting fine arose out of actions filed by two not-for-profit associations, None of Your Business and La Quadrature du Net. The fine was the first significant fine imposed by the CNIL under the GDPR and remains one of the highest fines to date. In determining the amount of the fine, the CNIL considered the fact that the violations related to essential principles under the GDPR (transparency and consent), the violations were continuing, the importance of the Android operating system in France, and the fact that the privacy notice presented to users covered a number of processing operations. Google appealed the decision. READ MORE
Shannon K. Yavorsky is a leading authority on U.S. and European data privacy and security issues. She is uniquely qualified in California, England and Wales and Ireland, bringing a deep understanding of the increasingly complex global privacy and data security regulatory landscape.
Shannon routinely advises clients on a broad range of U.S. and European data privacy and cybersecurity issues. She advises on emerging issues surrounding the California Consumer Privacy Act (CCPA), General Data Protection Regulation (GDPR) and the e-Privacy Directive. Shannon helps clients undertake comprehensive privacy and cybersecurity assessments worldwide, evaluate privacy and security risks in corporate transactions, and draft and negotiate contracts concerning data-related vendors and arrangements. She also advises and represents clients on cross-border data transfers, data breaches and developing global privacy compliance programs. She has significant experience with model contract clauses, privacy policies, website terms and conditions, data processing agreements, and self-certifying to the EU-U.S. and Swiss-U.S. Privacy Shield Frameworks.
In addition to the GDPR and CCPA, Shannon advises on an array of privacy and security laws and regulations, including the FCRA, ECPA, TCPA, HIPAA, CAN-SPAM, GLBA, state breach notification laws, and self-regulatory frameworks, including those covering online advertising and payment card processing.
Shannon’s clients are multinational clients across diverse industry sectors, with an emphasis on technology, financial services, retail, staffing, advertising, healthcare, and automotive.
Posts by: Shannon Yavorsky
On May 4, 2020, Californians for Consumer Privacy announced that it submitted over 900,000 signatures to qualify the California Privacy Rights Act of 2020 (“CPRA”) for California’s November 2020 ballot. With the California Consumer Privacy Act of 2018 (“CCPA”) set to become enforceable on July 1, 2020, this new ballot initiative has left many wondering what the CPRA is and whether the CPRA will become law. We explore these questions further below.
On March 11, 2020, the California Attorney General, Xavier Becerra, (“California AG”) released a second set of modifications to the proposed regulations pursuant to the California Consumer Privacy Act of 2018 (“CCPA”). These recent modifications reflect some minor changes and clarifications from the first set of modifications to the proposed regulations (published on February 10, 2020).
On March 10, Orrick lawyers Shannon Yavorsky, Rebecca Harlow, Brett Cooper and Julie Totten recorded a discussion about COVID-19 operational issues associated with managing employees and businesses, including covering the topic of cyber vulnerability. The conversation shares insights into how COVID-19 is creating increased cybersecurity and privacy risks as companies prepare for the spread of the virus and are forced to adapt to a new way of doing business. This video is a segment from a one-hour CLE program entitled “The Early Legal Impact of COVID-19.” To view our video and the full length CLE click here. READ MORE
The European Data Protection Board (EDPB) and a number of European data protection supervisory authorities have recently issued guidance on processing personal data, including special categories of personal data (i.e., health data), in connection with COVID-19. While the General Data Protection Regulation (“GDPR”) generally harmonizes data protection laws across Europe, E.U. Member States may derogate from the law in certain circumstances, including in matters of “public interest.” It is therefore critical for companies to keep abreast of the latest guidance issued by supervisory authorities in jurisdictions relevant to their businesses to ensure they comply with any local law guidance. READ MORE