Spoiler Alert: Behavioral advertising companies will find some bad news in the guidance.

The Article 29 Working Party (WP29) advisory group, which will soon become the more transparently-named (and very powerful) European Data Protection Board, is busy drafting and issuing guidance documents to help organizations understand how European data protection authorities will interpret various requirements of the General Data Protection Regulation (GDPR).  WP29 recently issued draft guidance relating to automated decision-making and profiling that will be critical for all organizations that conduct those activities. The draft guidance is open for comments until Nov. 28, 2017.  This post recaps some of the particularly interesting aspects of the draft guidance, which can be found in full here (scroll down to the items just above the “Adopted Guidelines” section).

But first, what counts as automated decision-making under the GDPR?  And what is “profiling”? Continue Reading Key GDPR Guidance on Behavioral Advertising, Profiling and Automated Decision-Making

As we’ve discussed previously, the GDPR significantly limits user consent as a basis for processing personal data.  One interesting question is whether the new rules on consent will kill free apps in Europe.  Free apps typically involve the offer of a service (the app) in exchange for access to personal data (whatever data the app siphons off from my phone, for example, per the terms of use that I probably didn’t bother reading).  Under the GDPR, that may not be a bargain that I, as a consumer, am allowed to make. Continue Reading Will free apps soon be dead in Europe?

If your company has an online presence — or provides marketing or advertising services — you should be registered for the fifth webinar in our 2015 Wednesday Privacy Webinar series:  The Long Reach of COPPA.   Recall the recent FTC settlement agreement with Yelp — clearly a site not targeted at children — that cost the online review company $450,000.


Register online here – NY and CA CLE credit is available.

The Network Advertising Initiative (NAI) has issued guidance for its members on the use of non-cookie technologies for Interest-Based Advertising (IBA) and Ad Delivery and Reporting (ADR) (Guidance). The NAI is a self-regulatory organization for third-party digital advertising companies. Consistent with the NAI Code of Conduct (NAI Code), which was designed based on the Fair Information Practice Principles, the Guidance explains how the NAI Code applies to members’ use of non-cookie technologies for IBA and ADR, sets best practices for members and offers insight into the NAI staff’s review of members using non-cookie technologies for IBA as part of the NAI annual compliance reviews.

We all know what cookies are by now.  So what is IBA and “non-cookie” technology?

Also commonly referred to as online behavioral advertising, IBA is online advertising tailored to consumers’ interests by companies promoting their products or services. It is accomplished by collecting consumer data across multiple web domains owned or operated by different entities, amassing consumer profiles, and then customizing ads based on the consumers’ interests and web usage patterns using cookie-based and non-cookie-based technology. The NAI Code requires notice and choice with respect to IBA and imposes certain restrictions on members’ collection, use and transfer of data used for IBA. For more information about IBA, please click here. The NAI defines non-cookie technology as “mechanisms, other than cookies, used to identify your browser, which can include technologies such as browser cache, locally stored objects (LSO’s), or statistical identifiers… used for many purposes including, but not limited to, ensuring your online banking is secure, preventing online advertising fraud, or to engage in Interest-Based Advertising or Ad Delivery and Reporting”. For more information about non-cookie technology, please see the NAI FAQ’s on Non-Cookie Technologies.

What are the NAI-recommended best practices for members’ use of non-cookie technology for IBA and ADR?

The Guidance sets forth baseline best practices for:

1. Notifying consumers of a member’s use of non-cookie technology and providing transparency:

  • Members using non-cookie technology for IBA and/or ADR must include certain information in their privacy policies regarding their use of the technology and consumer choice with regard to such use, such as (1) a general description of the technology and a disclosure of use of such technology for IBA and/or ADR; (2) a description of and easy access to a user-friendly opt-out mechanism that will allow consumers to halt online behavioral advertising for a particular browser or device, including behavioral advertising based on the use of non-cookie technology; (3) a description of and easy access to a consumer transparency tool; and (4) any required updates to representations made in the privacy policy that browser cookie controls in isolation prevent online behavioral advertising, where such representations would otherwise be erroneous.
  • Members using non-cookie technology for IBA must require websites collecting data for IBA through the non-cookie technology to clearly and conspicuously post a notice disclosing that non-cookie technology may be used by third parties on the site. Members are further required to make a reasonable effort to ensure that such notice is posted on their partners’ websites and that related language currently used by their partners is updated accordingly. Addendum A to the Guidance provides several examples of partner website notices.
  • Members using non-cookie technologies for IBA that cannot be viewed or modified using native browser controls are required to implement a consumer-facing transparency tool which, at a minimum, displays: (1) on both the member’s website and the NAI’s opt-out page, whether data is collected for IBA on a specific browser using non-cookie technology, and the opt-out status for such browser; and (2) on the NAI’s opt-out page only, a disclosure or an icon to inform consumers that the member is using non-cookie technology for IBA and to link back to the member’s website for information about the member’s use of such technology.

2. User control:

  • Members engaging in IBA are required to provide an opt-out mechanism, available both on the member’s website and through the NAI’s opt-out page, that ensures that data collected using the non-cookie technology is not used for IBA after a consumer has opted out of such use of their data. The opt-out must cover the browser on which the choice is expressed. After a consumer has exercised the opt-out choice, and while the consumer remains opted out, a member may continue to collect data using non-cookie technology only for non-IBA purposes, and any such data may not be used for IBA at any time, regardless of future opt-out status and the technology used.
  • Under the Guidance, NAI members will be required to offer a centralized consumer opt out of non-cookie technologies through the NAI’s new opt-out tool once it is published to the NAI opt-out page. According to the NAI, this new tool will inform consumers when NAI members use non-cookie technologies for IBA as well as offer a redesigned opt-out experience.

3. User limitations:

  • Members making a material change to their IBA data collection and use policies and practices are required to obtain opt-in consent before applying such change to data collected prior to the change; until opt-in consent is obtained or in its absence, any data collected prior to the change will continue to be governed by the data collection and use policies in effect when the information was collected.

4. Accountability:

  • Members using non-cookie technology for IBA that do not allow the NAI to conduct reasonable technical oversight will be required to develop a process with the NAI staff whereby the NAI compliance team will be able to conduct reasonable, external oversight and monitoring (e.g., access to a member’s API).
  • A member’s opt-out inspection service must provide the NAI: (1) a methodology to determine if changes to an ad interest profile have been made post the applicable consumer’s opt-out where such changes would be updated through the use of the non-cookie technology, and (2) some other methodology that provides adequate information to permit the NAI compliance staff to assess and ensure the member’s compliance with the NAI Code and the Guidance. Members are required to attest that their business practices are compliant with each aspect of the NAI Code.

The Guidance makes it very clear that “before a member may use non-cookie technology for IBA, the member must ensure that the requirements set forth in the Guidance have been adequately satisfied.” Although the Guidance is effective as of its publication on May 18, NAI members will have a grace period to implement policies and procedures to comply with the Guidance. Members that want to use non-cookie technologies for IBA and ADR during this time may do so, but only in accordance with the requirements set forth in the Guidance. However, since the current NAI opt-out tool does not indicate when members use non-cookie technologies for IBA, the requirement to use the NAI’s opt-out tool will become effective after the NAI completes testing and integrating the new tool into its central industry opt-out page.

It’s Monday morning — do you know your privacy/security status?

Here are a few bits and bytes to start your week.

SEC to Registered Investment Advisers and Broker-Dealers:  It’s Your Turn to Pay Attention to Cybersecurity

The Division of Investment Management of the Securities & Exchange Commission (SEC) has weighed in on cybersecurity of registered investment companies (“funds”) and registered investment advisers (“advisers”) as an important issue because both funds and advisers increasingly use technology to conduct their business activities, and need to protect confidential and sensitive information related to these activities from third parties.  That information includes information concerning fund investors and advisory clients.   We’ve summarized key points from the recently-issued Guidance.

The Guidance recommends a number of measures that funds and advisers may wish to consider in addressing cybersecurity risk, including:

  • Conduct a periodic assessment of:
    • the nature, sensitivity and location of information that the firm collects, processes and/or stores, and the technology systems it uses;
    • internal and external cybersecurity threats to and vulnerabilities of the firm’s information and technology systems;
    • security controls and processes currently in place; and
    • the impact should the information or technology systems become compromised; and
    • the effectiveness of the governance structure for the management of cybersecurity risk.
  • Create a strategy that is designed to prevent, detect and respond to cybersecurity threats; such a strategy could include:
    • controlling access to:
      • various systems and data via management of user credentials;
      • authentication and authorization methods;
      • firewalls and/or perimeter defenses;
      • sensitive information and network resources;
      • network segregation;
      • system hardening; and
      • data encryption.
    • protecting against the loss or exfiltration of sensitive data by:
      • restricting the use of removable storage media; and
      • deploying software that monitors technology systems for:
        • unauthorized intrusions;
        • loss or exfiltration of sensitive data; or
        • other unusual events.
    • data backup and retrieval; and
    • the development of an incident response plan; routine testing of strategies could also enhance the effectiveness of any strategy.
  • Implement the strategy through:
    • written policies and procedures; and
    • training that:
      • provides guidance to officers and employees concerning applicable threats and measures to prevent, detect and respond to such threats; and
      • monitors compliance with cybersecurity policies and procedures.

Most of this should not be a surprise to any business dealing with sensitive financial information these days, but a recent SEC cybersecurity sweep examination by the SEC’s Office of Compliance Inspections and Examinations (OCIE) found that 88 percent of the broker-dealers (BDs) and 74 percent of the registered investment advisers (RIAs) they visited experienced cyber-attacks directly or indirectly through vendors.


Penn State University Confirms Cyberattack Originated in China

If you’re studying at Penn State’s College of Engineering, you will not have access to the Internet for a while. The University said last week that of two recent cyber attacks at the College, at least one was carried out by a “threat actor” based in China. Penn State was alerted to a breach by the FBI in November and has been investigating since – during that time, a 2012 breach was also discovered. The 2012 breach apparently originated in China, and compromised servers containing information on about 18,000 people.

For more:  Cyberattack on Penn State University


Digital Advertising Alliance to Enforce Mobile App Principles

Starting September 1, the Digital Advertising Alliance (DAA) will begin to enforce its Application of Self-Regulatory Principles to the Mobile Environment.   The DAA issued the mobile principles back in July of 2013 (see our post here), but delayed enforcement while the DAA implemented a choice mechanism for the mobile environment.  Mobile tools for consumers were released in February:  App Choices and the Consumer Choice Page for Mobile Web.

The Guidance addresses mobile-specific issues such as privacy notices, enhanced notices and opt-out mechanisms for data collected from a particular device regarding app use over time and cross-app data; privacy notices, enhanced notices and opt-in consent for geolocation data; and transparency and controls — including opt-in consent — for calendar, address books, photo/video data, etc. created by a user that is stored on or accessed through a particular device.

After September 1, any entity that collects and uses any of this type of data will be required to demonstrate compliance with the Guidance or risk being subject to the DAA’s accountability mechanism.



Don’t forget to register for the next in our Privacy Wednesday Webinar series:  The Long Reach of COPPA.   Webinar is eligible for NY and CA CLE credit — register here.

Facebook does it.  Google does it.  It’s everywhere in the mobile ad ecosystem.  And your smartphone does it more often than you know, according to a study released on Monday by Carnegie Mellon.

Now, Federal authorities have turned their attention to cross-device and cross-service tracking of consumers over the last several days and weeks. Speaking at a Federal Communications Bar Association and American Bar Association joint event on March 25, Federal Communications Commission Enforcement Bureau Chief Travis LeBlanc expressed his privacy concerns with Triple-Play providers of Internet, video, and voice services aggregating customer data collected from across all three services. This came just a day after reports that Google would be testing a new model for television advertising in markets where it sells both Google Fiber Internet and television service. Also on March 24, the House Commerce, Manufacturing and Trade Subcommittee held a hearing on the Internet of Things that included questions about how personal information could be protected when collected and shared by connected devices. Continue Reading Cross-Device Tracking: The New World

When small and mid-size companies start expanding their apps or web presence into Europe, they need to start thinking about EU data protection laws.  It’s tempting to take a look at what one or two of the “big guys” do about EU data protection compliance and think that whatever  the big guys do in Europe must be good enough.  But the ongoing saga between Google and the EU’s data protection authorities shows that this approach shouldn’t be adopted uncritically.

In the latest Google EU privacy development, Google has signed an undertaking (binding commitment) with the UK’s data protection office (the ICO) to make a number of changes to its privacy policy.  Google has been in dialogue with EU data protection offices both at the country level and through the Article 29 Working Party since Google adopted a unified privacy policy across its products and businesses in 2012.  While the ICO has recognized that Google has made progress since 2012, the ICO has recently determined that “further improvements” are needed.  Google has agreed to a number of specific requirements, including:

  • Making it easier for users to find information about Google’s privacy policy.
  • Describing its data processing activities more clearly in its privacy policy, including clarifying the types of information that it processes, the purposes, and how users can exercise their rights.
  • Providing “clear, unambiguous and comprehensive information” regarding its data processing, including an “exhaustive list of the types of data . . . and purposes.”
  • Providing more information about its use of anonymous identifiers (a next-generation tracking/behavioral profiling technology that’s being developed and may eventually replace cookies).
  • Educating its employees better concerning notice and consent requirements.
  • Making sure that users are equally protected regardless of what device they are using (mobile phones, tablets, desktops, and any new devices that are invented).

Google has committed to putting these changes into effect by June 30, 2015.  In the meantime, Google’s undertaking provides a useful spotlight on the areas of EU data protection compliance that the ICO (and other data protection offices) think require significant attention.

There is another retail data breach to talk about in this Privacy Monday post – privacy & security bits and bytes to start your week.

Supermarket Chain Reports Data Breach

Minnesota-based food retailer Supervalu Inc. has reported a breach of its point-of-sale (POS) system, apparently by hackers. A press release on the corporate website describes the incident as a “criminal intrusion” and says that it “may have” resulted in the theft of credit or debit card numbers. According to Supervalu, there is no evidence that data were stolen, and it has not had any reports of misuse of any such data. Affected stores are reported by the company to be operated under the Cub Foods, Farm Fresh, Hornbacher’s, Shop ‘n Save and Shoppers Food & Pharmacy banners, as well as other stand-alone liquor stores and franchised stores. The complete list is at the company’s Consumer Security Advisory on its website.

Continue Reading Privacy Monday – August 18, 2014

Written by Adam Veness

The United States Senate Permanent Subcommittee on Investigations recently released a report outlining six findings concerning online advertising risks to consumers’ personal information and four recommendations on how to protect consumers from these hidden hazards.


1) Consumers risk exposure to malware through everyday activity.  Consumers can incur malware attacks by simply visiting even a mainstream website and without taking any action such as clicking an advertisement.  The complexity of online advertising makes it impossible for consumers to avoid advertising malware attacks or identify the source of the malware exposure and determine whether the ad network or host website could have prevented the attack.

2) The complexity of current online advertising practices impedes industry accountability for malware attacks. The online advertising industry has grown in complexity to the point that each party can conceivably disclaim responsibility when malware is delivered to a user’s computer through an advertisement. Because online advertisements often travel through many layers of intermediaries before appearing in a user’s browser, the ad networks themselves rarely deliver the actual advertisement from their own servers, and the owners of the host website visited by a user often do not know what advertisements will be shown on their site.

3) Self-regulatory bodies alone have not been adequate to ensure consumer security online.  Self-regulatory codes of conduct in online advertising do not fully address consumer security from malware.  Interestingly, self-regulatory efforts in online security to date have been dependent on online ad networks for funding and viability, which creates a potential conflict of interest in their dual roles as industry advocates and standard-setting bodies.

4) Visits to mainstream websites can expose consumers to hundreds of unknown and potentially dangerous third parties.  Even visiting a mainstream website exposes consumers to hundreds of third parties, and each of those third parties may be capable of collecting information on the consumer and may be a potential source of malware.

5) Consumer safeguards are currently inadequate to protect against online advertising abuses, including malware, invasive cookies, and inappropriate data collection.  Self-regulatory codes do not significantly address online advertising security and data collection protections are often limited in scope and underutilized.  Current FTC safeguards are insufficient to protect consumers from online advertising abuses, and cybercriminals are constantly finding new ways to evade existing security methods.

6) Current systems may not create sufficient incentives for online advertising participants to prevent consumer abuses.  Due to the difficulty in determining responsibility for malware attacks and inappropriate data collection through online advertisements, online advertising participants may not be fully incentivized to establish effective consumer safeguards against abuses. Continue Reading How Online Advertisers May Steal Your Personal Information: Recommendations for Protecting Consumers