On Thursday, the Digital Advertising Alliance (“DAA”) announced that it will enforce its previously issued “Application of Self-Regulatory Principles to the Mobile Environment” (the “Mobile Guidance”) beginning September 1, 2015.
Although the Mobile Guidance was initially issued in July 2013, enforcement was delayed pending the DAA’s implementation of an effective choice mechanism for the mobile environment. In February 2015, the DAA released two mobile tools for consumers – the “AppChoices” mobile application and the “DAA Consumer Choice Page for Mobile Web.”
The Mobile Guidance clarifies how the existing Self-Regulatory Principles for Online Behavioral Advertising and MultiSite Data (collectively, the “Self-Regulatory Principles”) apply to mobile web sites and applications. In particular the Mobile Guidance addresses:
- privacy notice, enhanced notice, and controls (opt-out mechanism) for data collected from a particular device regarding application use over time and across non- affiliate applications (“Cross-App Data”);
- privacy notice, enhanced notice, and controls (opt-in consent) for data obtained from a device about the physical location of the device that is sufficiently precise to locate a specific individual or device (“Precise Location Data”); and
- transparency and controls (opt-in consent) for calendar, address book, phone/text log, or photo/video data created by a user that is stored on or accessed through a particular device (“Personal Directory Data”).
After September 1, any entity that collects and uses Cross-App Data, Precise Location Data or Personal Directory Data will be required to demonstrate compliance with the Mobile Guidance, or risk being subject to the DAA accountability mechanisms. The Mobile Guidance will be enforced by the Council of Better Business Bureaus (“CBBB”) and the Direct Marketing Association, the same two entities which have had oversight of the Self-Regulatory Principles since 2011. During that period the CBBB has issued 29 Accountability Program decisions regarding advertisers, ad publishers and ad networks.
This client alert was prepared by my colleagues Robert Leonard, Michael Mavrides and Christopher Wells.
On April 23, 2015, Washington State Governor Jay Inslee signed into law a bill strengthening the state’s data breach notification law (amending Wash. Rev. Code §§ 19.255.010 and 42.56.590 and creating a new section). H.B. 1078 makes the following substantial changes to the existing law:
- Under the current law, businesses and agencies that own or license computerized data including personal information about a Washington resident must disclose any breach in the security of the system involving such personal information that is unencrypted. H.B. 1078 expands this requirement to include:
- both computerized and hard copy data that contain personal information that is not “secured;” and
- encrypted information when the person gaining unauthorized access to the data had access to the encryption key or an alternative means of deciphering the “secured” data. The amendment also provides a standard for encryption. Continue Reading
In the largest ever data security enforcement action taken by the Federal Communications Commission (FCC), AT&T agreed to pay $25 million to resolve an investigation into consumer privacy violations at its call centers in Mexico, Colombia, and the Philippines. The FCC announced the settlement on April 8, 2015, stating that phone companies are expected to “zealously guard” their customers’ personal information and encouraging the industry to “look to this agreement as guidance.” Continue Reading
The past few years have seen exponential growth in the use of technology in the classroom, with applications ranging from the increased availability and use of e-books to the displacement of physical classrooms through Massive Open Online Courses (also known as MOOCs). One of the fastest growing segments of the education technology market relates to online educational services and applications, which are designed to track individual student progress and use the data gathered to deliver an individualized learning experience to each user. However, while online educational services and applications hold significant potential, the gathering of massive amounts of data has also sparked fears about what data will be collected, from whom, how it will be used, and whether, if at all, it will be deleted. This fear is especially prevalent when it comes to online educational services and applications targeted at children.
Last week, Australia became the latest country to pass a mandatory data retention law. The Telecommunications (Interception and Access) Amendment (Data Retention) Bill 2015, which amends Australia’s Telecommunications (Interception and Access) Act 1979, requires telecommunications and Internet service providers (ISPs) to store customer metadata for two years. This means that Australian ISPs and telecom providers will have to store data associated with electronic communications, such as the names and addresses of account holders, the names of the recipients of any communications, the time and duration of communications, the location of equipment used to make the communication (such as cell towers), and computers’ IP addresses. Although the law does not require ISPs and telecoms to store the contents of customers’ electronic communications, metadata still can provide a picture of an individual’s identity, interests, and even location, which makes it of great interest to law enforcement and national security agencies seeking to prevent crime and terrorist attacks. Indeed, the law was promoted as a national security measure designed to give law enforcement access to information that could allow them to prevent terrorist attacks, but its opponents have decried it as a means to subject Australians to mass government surveillance.
The US-EU Safe Harbor has been back in the news recently as Germany’s data protection commissioners met at the end of January and expressed impatience at the delay in implementing what many view as necessary reforms to the program. The European Court of Justice also recently heard a challenge to Facebook’s reliance on the Safe Harbor for the transfer of user data in what many see as an important test case; this lawsuit will be the topic of a future blog post. Continue Reading
With the news of the recent cyber-attack and resulting data breach at health insurance giant Anthem Inc., the buzz around data security and privacy is again high. The Anthem breach serves as a reminder to those entities subject to the Health Insurance Portability and Accountability Act (HIPAA) that failing to keep protected health information secure and private can lead to serious consequences. Continue Reading
Data security is big news. And so is the Federal Trade Commission (“FTC”). Put the two together in a crucible of litigation, and it is sure to be a blockbuster. That is what the closely-watched case FTC v. Wyndham, now pending before the Third Circuit Court of Appeals, is shaping up to be.
To compile data for the report, the EU’s Article 29 Data Protection Working Party conducted a sweep of 478 of the most frequently visited websites in the e-commerce, media, and public sectors in eight EU Member States. The sweep targeted websites in these sectors because they likely pose the greatest risk to data protection and privacy for European citizens. The cookie sweep consisted of two stages: (1) a statistical review of cookies used by the websites and their technical properties; and (2) an in-depth manual review of cookie information and consent mechanisms. The study recorded each website’s cookie notification method, the visibility and quality of cookie information provided, and the mechanism offered for users to express consent. Continue Reading
On January 27, 2015 the Federal Trade Commission (the “FTC”) issued a report detailing best practices and recommendations that businesses engaged in the Internet of Things (“IoT”) can follow to protect consumer privacy and security. The IoT refers to the connection of everyday objects to the Internet and the transmission of data between those devices. According to Gartner estimates the IoT services spending will reach $69.5 billion in 2015. The potential benefits of IoT growth include enhanced healthcare through connected medical devices, convenience and cost savings through home automation and improved safety and convenience through connected cars.
By Rochelle Emert and Phillip Caraballo-Garrison
On February 3, 2015, the SEC’s Office of Compliance Inspections and Examinations (“OCIE”) issued a Risk Alert that summarized its findings about cybersecurity preparedness in the securities industry. As part of its Cybersecurity Examination Initiative, the OCIE collected and analyzed information about cybersecurity practices and trends from over 100 registered investment advisers and broker-dealers. Proskauer discussed the OCIE study and its key findings in a client alert located here. With the OCIE stating that it will continue to focus on cybersecurity issues through 2015, registered investment advisers and broker-dealers should evaluate their cybersecurity policies and procedures in consideration of the OCIE findings.