Increased Scrutiny on Notice and Choice for Use of AD Profiling, Especially Using Mobile Location Data

Are you an app publisher or do you advertise via mobile apps or obtain marketing data that originates from them? If so, you need to be aware that regulators and consumer protection authorities are taking action against companies with regard to the notice and choice, or lack thereof, they are providing to consumers for the collection of their precise location data on mobile devices. The Digital Advertising Alliance (DAA) recently held a presentation (DAA Presentation) which highlighted what transparency and choice consumers should be provided in connection with the collection of such location data. Among the speakers was Jon Brescia, Director of Adjudications and Technology of the Advertising Self-Regulatory Council (ASRC) Online Interest-Based Advertising Accountability Program (OIBAAP), which enforces the DAA’s self-regulatory principles. For one, the DAA requires that consumers be provided enhanced notice of location awareness for advertising purposes during the process of downloading the mobile application (pre-install), at the time the application is opened, or at the time such data is collected and in the application’s settings or any privacy policy. Based on conversations we have had with the OIBAAP, and suggestions made during the DAA Presentation, enhanced notice can be provided either in the precise location data permission box of the mobile application or in a pop-up that appears immediately before the permission box is displayed. This is consistent with the position taken by the Los Angeles city attorney in a lawsuit regarding a commercial mobile application discussed below. Companies should evaluate the adequacy of the notice and choice they are providing to consumers and supplement their practices where necessary to meet self-regulatory best practices and avoid becoming the subject of an enforcement action or a lawsuit.

Washington Privacy Act Clears Senate

On March 6, SB 5376, the Washington Privacy Act, passed the Washington Senate in an overwhelming 46-1 vote (with two members excused). Prior to its passage, the Senate adopted important revisions and clarifications that would provide important relief for businesses from some of the more onerous provisions of the legislation. As we reported in our blog post discussing the recently introduced legislation, the Washington Privacy Act anticipates that businesses will accord consumers certain GDPR-style rights and conduct risk assessments to weigh the potential privacy and security implications of data-processing activities. The revised legislation places important limitations and clarifications on the envisioned requirements of both consumer rights and risk assessments. In short, data processed for “business purposes” will be exempt from deletion, and such processing activities are presumptively permissible. Importantly, the legislation as amended still does not permit a private right of action, and still requires the attorney general to provide notice of alleged noncompliance and give businesses an opportunity to cure before bringing an enforcement action.

EU Regulators Increase Focus on Cookie Practices

"EU flags fly in a row in front of the European Commission building in Brussels, Belgium"In the absence of cookies-related guidance and enforcement by regulators against ordinary website publishers and operators, many e-commerce sites, online publishers and other website operators have taken a “wait and see” approach with respect to implementing GDPR-compliant cookies consent procedures. Recent cookies-related regulatory guidance, however, from the Dutch data protection authority, Autoriteit Persoonsgegevens (“Dutch DPA”), and the Bavarian data protection authority, Bayerisches Landesamt für Datenschutzaufsicht (“BayLDA”) sends a clear signal that companies should be taking a new approach with respect to cookies in 2019. In a previous post here, we discussed the UK Information Commissioner Office’s warning to the Washington Post for its practice of allowing free access to certain articles only if users consented to tracking cookies. Continue Reading

FTC Launches a New Task Force Dedicated to Monitoring the Tech Industry for Anti-Competitive Practices

The Federal Trade Commission announced the creation of a new task force that is dedicated to monitoring competition in the U.S. technology industry. This Technology Task Force will coordinate and consult with 17 staff attorneys throughout the FTC who have experience in complex product and service markets, including the markets for online advertising, social networking, mobile operating systems and apps, and platform businesses. In addition to examining industry practices and conducting law enforcement investigations, these staff attorneys will be charged with investigating “technology-related sectors of the economy.” This mandate is intentionally overbroad and designed to grant wide-ranging authority to examine industry behavior, including the review of both prospective mergers and consummated technology mergers.

Cybersecurity Firms Issue Annual Threat Reports

CrowdStrike, FireEye and IBM Security recently released their annual threat reports. These reports contain a wealth of information on recent trends in cybersecurity attacks and recommendations on the preventive measures companies can take to protect themselves. As attackers’ tactics, techniques and procedures continue to evolve, and as the attack surface of organizations continues to grow, it is increasingly important that companies stay up to date on these matters.

California Sets Forth Further Legislation Imposing New Obligations on Companies

Over the past few weeks, California Republican lawmakers have introduced a new package of legislation called “Your Data, Your Way,” which would expand and strengthen consumer privacy rights beyond what is required by the new California Consumer Privacy Act (CCPA). The “Your Data, Your Way” package is comprised of bills that would impose new obligations on businesses, including providing consumers greater control over the use of their data, limiting companies’ storage and use of certain types of data, and notifying consumers within three days of discovering a data breach. The package consists of the following five bills:

AB 288 – Social Media Privacy:

Coined the “Own Your Own Data Act,” this bill proposes to require a social media company (defined as a company that provides electronic services or accounts, or electronic content, including, but not limited to, videos, still photographs, blogs, video blogs, podcasts, instant and text messages, email, online services or accounts, or internet website profiles or locations) to:

    • Provide users that close their accounts the option to have the users’ personally identifiable information permanently removed from the company’s database and records and excluded from sale.
    • Honor such a request within a reasonable time.

The bill would provide for actual damages, and in the case of willful violations, punitive damages, as well as reasonable attorney’s fees for the prevailing party. Injunctive relief is also available to aggrieved consumers.

BakerHostetler Comments On CCPA Rule Making For Clients

The California attorney general (AG) has kicked off its process of promulgating regulations to interpret and implement California’s sweeping new privacy law. After a series of public hearings across the state, which we covered here and here, the AG closed the initial public comment period on March 8. Our clients have mostly sought to convey their comments through their respective trade organizations. About a dozen of our clients asked us to supplement those efforts with a set of aggregate comments, which we filed and are available here. Our U.S. Consumer Privacy and the CCPA attorneys follow CCPA and other state and federal privacy legislative and regulatory developments. Learn more, here. Legislation is pending in approximately 15 states and at the federal level. For more information contact the author.

Beware the Ides of March – Is Your NYDFS Cybersecurity Compliance in Order?

March is now here and with it the Cybersecurity Regulation of the New York Department of Financial Services (NYDFS) is now in full force and effect, including requirements relating to Third Party Service Providers[1] (e.g., vendors, suppliers, agents). To comply with the regulation, banks, insurance companies, and other financial institutions and individuals who are, or should be, licensed with NYDFS (Covered Entities) were required to address substantial data security compliance requirements over the past two years (detailed in our February 2017 and July 2017 posts). The March 1 deadline marked the end of the last transitional period for the regulation, and perhaps a new period marked by its enforcement.

Trojan Malware Reclaims the Top Spot as the Greatest Cyber Threat to the Healthcare Sector

Cybersecurity threats continued to plague the healthcare sector in 2018. Healthcare organizations notified twice as many individuals under HIPAA and other notification statutes in 2018 as compared with 2017. According to a new report from Malwarebytes Labs, 2019 State of Malware Report, trojan malware was the greatest threat to the healthcare sector in 2018.[1] Specifically, trojans Emotet and Trickbot, originally used in banking incidents, were labeled the most common malware strains, while hijackers, rootkits and riskware rounded out the top threats to the sector.


States Propose to Expand Child Privacy and Ad Laws

It is the 25th anniversary of the federal Children’s Online Privacy Protection Act (COPPA), which has served us well, but states are looking to expand privacy protection for minors. Several years ago California expanded its Online Privacy Protection Act to give minors the right to remove content they have posted on social media and certain other websites and to limit advertising of age-restricted products to them. Now Connecticut proposes to do the same with GA 6601. Last year California’s new consumer privacy law restricted the sale of personal information of California residents under 16 years of age except with express opt-in consent (which must be exercised by the parent of children under 13). Now a California bill, AB 1665, proposes to limit websites and mobile apps from publishing a minor’s name, picture, or any reasonably identifiable information about the minor on a social media service (not defined), where the publisher is paid by a third party to do so, absent parental consent, which consent cannot be a condition of using the service. It is not clear what use cases the bill intends to address, but presumably paid publication of “likes” of brands would be covered. For more information on these laws and bills join the author at the CARU conference on March 6 in Los Angeles.