HFN Technology & Regulation Client Update November 2017 Dear Clients and Friends, We are pleased to introduce you to our November edition of the Technology & Regulation Client Update, which includes several important regulatory and industry developments in the fields of data privacy, technology compliance, content and digital advertising. These include the following: Google Chrome’s update will automatically prevent webpages from redirects; The French Data Protection Authority’s new Compliance Pack on connected vehicles; The Securities and Exchange Commission’s warning to celebrities endorsing virtual currencies; Updates to Google AdWords’ Misrepresentation Policy; and The Electronic Frontier Foundation’s practical implementation guide for its “Do No Track Policy”. Kind regards, Ariel Yosefi, Partner Co-Head - Technology & Regulation Department Herzog Fox & Neeman If you have an important regulatory or industry compliance update you would like to share with the industry, please let us know. Google Chrome Will Automatically Prevent Webpages from Redirects TOPICS: App Industry Compliance, Unwanted Ads, Google Safe Browsing, Google Chrome In our pervious updates, we reported on Google's ongoing efforts to fight unwanted ads, such as Google's research regarding ad injections ,Google's limitations on changing Chrome settings, Google Chrome’s features for blocking and muting auto play video ads and Google adding new “Unwanted Software Cleanup” Features in Chrome. This month, Google announced that its browser, Chrome, will soon automatically prevent webpages from unexpectedly navigating to a new page. According to Google, frustrating and unwanted redirects, when a website suddenly loads a new page in order to force its visitors to view ads is often due to third-party content embedded in the original page which is invariably not intended by the page's author. Google will also prevent a different type of redirects, in the case where clicking on a new link not only opens a new tab but also causes the original page to navigate to a different, unintended webpage. Such unwanted redirections in the main tab will be blocked and Chrome will show a notification, regarding the blocking, in an info-bar. These steps will be introduced as part of Chrome versions 64 and 65. Additionally, in early 2018, stricter policies will be introduced by Google when the Chrome's pop-up blocker will begin to target more sophisticated website techniques in hiding redirects, such as play buttons that actually send users to a new page, transparent overlays on websites that result in numerous pop-ups appearing, redirect buttons disguised as download links or new tabs when a user clicks anywhere on the page. We would be happy to advise on any questions that may arise regarding Google’s updated policies. Publication by the French Data Protection Authority of a Compliance Pack on Connected Vehicles TOPICS: Connected Vehicles; the French Data Protection Authority, EU General Data Protection Regulation, France, European Union The French Data Protection Authority (“CNIL”) published its compliance pack on connected vehicles (the “Pack”). The Pack was developed by CNIL in consultation with 21 stakeholders from the automotive, insurance and telecoms industries, as well as public authorities. The Pack applies to connected vehicles for private use only (not to Intelligent Transport Systems) and provides guidance to data controllers on how to integrate data protection by design and by default into their production pipeline, enabling data subjects to have effective control over their data. Data controllers must adhere to the Pack, both in accordance with the current French legislation as well as the upcoming EU General Data Protection Regulation (the “GDPR”). The CNIL distinguishes between three scenarios for processing personal data: o “IN -> IN” scenario: the data collected in the vehicle remains in that vehicle and is not transmitted with a service provider (e.g., an eco-driving solution that processes data directly in the vehicle to display eco-driving tips in real time on the vehicle’s dashboard). o “IN -> OUT” scenario: the data collected in the vehicle is shared outside of the vehicle for the purposes of providing a specific service to the individual (e.g. "Pay as you drive” contract with an insurance company). o “IN -> OUT -> IN” scenario: the data collected in the vehicle is shared outside of the vehicle in order to trigger an automatic action by the vehicle (e.g., dynamic “Information on traffic” with the calculation of a new route following a car incident on the road). Within the Pack, CNIL analyzes the above scenarios and provides recommendations that include, inter alia, the data processing purposes, the legal bases which controllers can rely upon, categories of data that can be collected, required retention period, recipients of the data and use of processors, content of the notice to data subjects and the applicable rights of data subjects with respect to the processing. We would be happy to provide further advice and recommendations concerning the compliance Pack and its implications. For further details and recommendations published regarding the GDPR, see our update on How to prepare to the new EU General Data Protection Regulation, as well as our recent GDPR Compliance Playbook. Securities and Exchange Commission Warns Celebrities on Endorsing Virtual Currency TOPICS: Digital Advertising, Influencer Marketing, Virtual Currencies, the Securities and Exchange Commission, United States Influencer marketing is challenged with a growing tide of compliance and regulatory scrutiny led by regulators across the world, as well as the leading internet platforms. In our previous updates we reported regarding the Federal Trade Commission’s educational letters and 21 warning letters, sent to social media influencers whose posts on Instagram might have violated the Commission’s Endorsement Guides. Added to this regulatory trend is a warning issued by the Securities and Exchange Commission ("SEC"). Earlier this month, the SEC issued a warning to celebrities who are endorsing new virtual currencies by encouraging the public to purchase stocks and other investments. These endorsements may be unlawful if they do not disclose the nature, source, and amount of any compensation paid, directly or indirectly, by the company in exchange for the endorsement. The SEC warning states that the celebrities could be violating a multiple number of laws, including antifraud regulations and rules that govern investment brokers. Celebrities who have been warned were issuing the digital currencies through initial coin offerings (ICOs). This warning follows a wave of enforcement brought by the SEC earlier this year when the SEC filed civil fraud actions against 27 companies for the fraudulent promotion of stocks. Additionally, more than 250 articles were published, allegedly without proper disclosures regarding compensation received by the companies they were promoting. Seventeen parties have agreed to settlements with penalties ranging from US$2.2 million to US$3 million based on the severity and frequency of the actions. According to the SEC’s warning, in the future, celebrities may face action for violations of the antitouting and anti-fraud provisions of the Federal securities laws, namely participating in an unregistered offer and sale of securities, if they do not disclose the nature, source, and amount of compensation paid, directly or indirectly, by the company in exchange for the endorsement. These actions demonstrate the importance of adhering to the new developed regulatory requirements in the influence marketing sphere. You can read more about the key issues in our special client update titled "Influencer Marketing: Rules of Engagement". Google Updates its Misrepresentation Policy TOPICS: Adtech Industry Compliance, Advertising Policies, Google Google has updated its Misrepresentation Policy in order to clarify its position on ads that mislead or trick the user into interacting with them. The goal of the misrepresentation policy is to not allow ads or destinations that intend to deceive users by excluding relevant information or giving misleading information about products, services, or businesses. As part of the update, Google has expanded the scope of what is not allowed under "ads depicting features that do not work" and as such, it now includes: close buttons, text input boxes, multiple choice options. Additionally, image ads that show "Download" and "Install" buttons are no longer allowed on Google’s advertising network. Release by the Electronic Frontier Foundation of its Implementation Guide for “Do No Track Policy” TOPICS: Privacy, Do No Track Policy, Electronic Frontier Foundation The Electronic Frontier Foundation ("EFF") has released the implementation guide for its “Do Not Track” ("DNT") policy. The guide provides detailed information on how to apply the DNT policy in practice. EFF's approach in this policy is to achieve a balance between the protection of users’ privacy and the ability of websites to deliver the functionality which users want. DNT policy implements this by the following means: o Excluding the use of unique identifiers for cross-site tracking; o Limiting the retention period of log data to ten days. The short retention period gives sites the time they need for debugging and security purposes, and to generate aggregate statistical data; and o As an exception – the DNT policy allows the site to retain any data necessary to complete the transaction when the user's interactions with the site necessitate collecting more information, such as in the case of posting comments, making a purchase, or clicking on an ad. The guide also identifies potential pitfalls of websites that do not intentionally create the potential leakage of users’ data by integrating third-party content and relying on third-party services, such as content delivery networks or analytics. The guide catalogs providers of compliant services. EFF believes that knowledge achieves a difference between willing tracking and non-consensual tracking. Accordingly, users should be able to choose whether they are prepared to renounce their privacy in exchange for using a site or a particular feature. We will be happy to advise on any questions regarding the implementation guide and the DNT policy.