Cookies are the subject of much discussion in data regulation. If you visited a website that complies with the European General Data Protection Regulation (GDPR), you have seen the usual cookies popup. Maybe you wondered why this is necessary. At a basic level, the use of cookies is regulated by GDPR and the California Consumer Privacy Act (“CCPA”), and concerned site owners. Conventional knowledge (and in many cases practice) is that cookies should be disclosed—and that non-essential cookies, particularly those involved in advertising, require consent.

What exactly are cookies?

The “what” is known. The “why” is rarely discussed. The term “cookies” has its roots in magic cookies—identification tokens – in UNIX. Web cookies made their appearance in 1994 with Netscape Navigator 0.9 beta—in other words, the beta of the first commercialized web browser. This technology, which was once patented(!) involves data that is placed on a user’s computer in response to a user action. That information can then be read by the site later. It was first designed for use in shopping carts—so that a commercial website would not have to create an ID and store shopping selections unless and until a user decided to buy. Cookies were recognized by Internet Explorer 2 by 1995, they hit the media in 1996 in the Financial Times, and in the same year, the Federal Trade Commission began public hearings on them. Just as they have always been a part of the internet landscape, so have they been controversial. 
Continue Reading

Congress’ 2,000-page Omnibus Spending Bill slipped in a trap for the unwary: a radical expansion of the reach of the Stored Communications Act, 18 USC §§ 2701-2712. The “Clarifying Overseas Use of Data Act,” aptly shorthanded as the CLOUD Act, successfully mooted the issue presented in the United States v. Microsoft Corp. case recently dismissed by the United States Supreme Court by instituting a new framework for cross-border discovery in criminal actions. Under the previous version of the Stored Communications Act (SCA), it was necessary to have a Mutual Legal Assistance Treaty (MLAT), essentially a treaty negotiated by a foreign nation and ratified by the Senate. The CLOUD Act, passed on March 23, 2018, allows authorities to bypass MLATs and gives law enforcement the ability to directly compel production of materials by a party storing its data abroad, as well as allowing foreign governments to access data stored in the U.S. 
Continue Reading

In 2017, the Cayman Islands passed the Data Protection Law (“DPL”), which reads much like the upcoming European Union General Data Protection Regulation (“GDPR”) that goes into effect Mary 25, 2018. The DPL applies to entities falling within the definition of “data controller” who are established in the Islands or who process data in the Islands. The DPL divides data into two categories, personal data and sensitive data. Certain information is exempt from the application of the DPL, such as data processed in connection with a corporate finance service.[1] The DPL gives individuals the right to access their information, object to processing, and the right to request their information be corrected or erased.


Continue Reading