HFN Technology & Regulation Client Update
Dear Clients and Friends,
We are pleased to introduce you to our March edition of the Technology & Regulation Client Update, which includes several notable regulatory and industry developments in the fields of digital advertising, cryptocurrency advertising, data privacy, cybersecurity and technology compliance.
These include the following:
Developments in the Facebook-Cambridge Analytica case, including the FTC investigation and data usage limitation measures announced by Facebook;
Implementation tools and policy changes following the GDPR by Google and IAB;
The new EU Anti Internet Geo-Blocking Regulation;
Google's prohibition on advertising of ICOs, cryptocurrency services and binary options, and FTC enforcement against deceptive cryptocurrency schemes;
GDPR related updates to the UK data protection authority's guidelines on direct marketing and children's personal information; and
PayPal's settlement with the FTC over privacy misrepresentation.
Ariel Yosefi, Partner Co-Head - Technology & Regulation Department Herzog Fox & Neeman
If you have an important regulatory or industry compliance update you would like to share with the industry, let us know
"Cambridge Analytica" Case: Facebook is Under FTC's Investigation; Announced New Measures to Protect Users Data
TOPICS: Personal Data, Facebook, Federal Trade Commission, United States
Following reports that the personal data of 50 million Facebook users was obtained and misused by the British data analytics firm Cambridge Analytica, for the purpose of analyzing and tailoring advertisements during the 2016 US presidential campaign, the Federal Trade Commission ("FTC") has made a statement regarding its concerns about Facebook's privacy practices. In its statement, the FTC confirmed that it has initiated an open, non-public investigation into Facebook's privacy practices.
Earlier, and following the publications, Facebook published its response, in which it declared that in order to prevent future abuse of Facebook's platform and misuse of its users' data, the company will take immediate compliance actions to set a higher privacy standard. These actions include the following:
Review Facebook's platform: Facebook will act to reduce data access by investigating all apps that had access to a large amount of information before the company started to review apps that request certain data in 2014. Facebook will also conduct a full audit of any app with suspicious activity and ban developers who misused personal information from its platform;
Tell people about data misuse: Facebook commits to let its users know in cases where apps have misused their data, as well as when their data might have been accessed. Further, if Facebook removes an app for misusing data, it will publish who used it;
Turn off access for unused apps: In cases where a Facebook user has not used a certain app within three months, Facebook will prevent the app from accessing their information;
Restrict Facebook login data: In the next version of Facebook, the company will limit the data that an app can request without an app review to only name, profile photo and email address. A request for any further information will require Facebook's approval;
Encourage people to manage the apps they use: Facebook will make users' choices about which apps are connected to their accounts, and the scope of permissions granted to each app, more prominent and easier to manage; and
Reward people who find vulnerabilities: Facebook will expand its "bug bounty program" so that users can also report misuse of data by app developers.
Facebook noted that some of these updates are related to new data protection laws coming into effect in the EU, and that the recent events have accelerated Facebook's efforts in protecting private information and making the platform safer.
We would be happy to advise on any questions that may arise from Facebook's new enforcement actions.
Google Introduces Dramatic Changes Concerning User Consent in Preparation to GDPR
TOPICS: Personal Data, App Industry Compliance, Digital Advertising, Google, General Data Protection Regulation, European Union
In preparation for the entry into force of the European General Data Protection Regulation ("GDPR"), Google has announced significant changes to its advertising policies and data sharing practices. The changes announced by Google include the following:
Changes in Google's ad policies - Google has announced that in order to comply with the GDPR consent requirements, and in addition to the update of its EU consent policy that will require publishers to take extra steps in obtaining consent from their users, it will launch a solution to support publishers that want to serve non-personalized ads (which may therefore not require obtaining consent from end users), and plans to publish proposed consent solutions after consulting with relevant industry groups.
Changes in Google's contract terms - based on Google's classification of its status as a controller or a processor of personal data (as per the different products and their data usage purposes), Google announced that soon it will introduce controller-controller terms for DFP and AdX services for customers who have online terms, that will govern the applicable data processing activities. Further, Google will publish new terms for AdSense and AdMob for customers who have online terms. Google has also notified that in regard to its services of Google Analytics (GA), Attribution, Optimize, Tag Manager or Data Studio, it has already released the data processing terms.
We would be happy to advise on any questions concerning Google's updated policies.
EU Anti Internet Geo-Blocking Regulation is Entering into Force
TOPICS: Consumer Protection, Geo-blocking, European Union
Last month, the European Union enacted the final EU Regulation 2018/302 on addressing unjustified geo-blocking and other forms of discrimination based on customers' nationality, place of residence or place of establishment. This Regulation aims to realize the full potential of the EU internal market as an area without internal frontiers by addressing unjustified geo-blocking. As explained in the Regulation, the discriminatory practice of denying online customers access to online services on geographic grounds constitutes a significant barrier to cross-border trade.
The Regulation contains the following obligations:
Access to online interfaces: A trader shall not use technological measures to block or limit a customer's access to the trader's online interface for reasons related to the customer's nationality, place of residence or place of establishment. In addition, a trader shall not redirect a customer to a different version of the trader's online interface based on the above geo-characteristics;
Access to goods or services: A trader shall not apply different general conditions of access to goods or services for reasons related to the customer's nationality, place of residence or place of establishment in regard to delivery of the goods, electronically supplied services provided by the trader, and physical services within the territory of the trader's Member State. Notwithstanding, traders can still offer different general conditions of access (including sale prices) to different Member States, within a Member State, or to specific groups of customers, as long as it is done on a non-discriminatory basis;
Non-discrimination for reasons related to payment: A trader shall not apply different conditions for a payment transaction for geographical reasons, where the transaction is made through an electronic transaction in a currency that the trader accepts.
The new Regulation will enter into force on 3 December 2018.
We would be happy to advise on the legal and practical implications of the new EU GeoBlocking Regulation.
Google Bans ICO and Bitcoin Advertisements
TOPICS: Adtech Industry Compliance, Cryptocurrency, Initial Coin Offerings, Binary Options, Contracts for Difference, Forex, Google
In continuation of our report from last December on Google's fight against "unwanted ads", Google announced that starting June 2018, it will update its financial services advertising policy to prohibit ads for binary options and synonymous products; as well as cryptocurrencies and related content (including but not limited to initial coin offerings (ICOs), cryptocurrency exchanges, cryptocurrency wallets, and cryptocurrency trading advice).
In this move, Google joins Facebook, which published last month a new policy that prohibits ads promoting cryptocurrencies, ICOs and binary options (see our related update here).
Further, according to the new advertising policy, advertisers offering Contracts for Difference (CFDs), rolling spot forex, and financial spread betting will be required to be certified by Google before they can advertise through AdWords. Certification is only available in certain countries and in order to be certified, advertisers will need to:
Be licensed by the relevant financial services authority in the country or countries they are targeting;
Ensure their ads and landing pages comply with all AdWords policies; and
Comply with relevant legal requirements, including those related to complex speculative financial products.
In addition, the new policy will prohibit the advertising of aggregators and affiliates for CFDs; rolling spot forex; financial spread betting; binary options and synonymous products; and cryptocurrencies and related content.
We would be happy to provide further advice and recommendations concerning the new Google financial services advertising policies.
ICO Updated its Direct Marketing Guidelines following GDPR Requirements
TOPICS: Personal Data, Marketing, General Data Protection Regulation, Information Commissioner's Office, United Kingdom, European Union
The UK's Information Commissioner's Office ("ICO") has updated its Direct Marketing Guidelines following changes stemming from the GDPR.
Some of the key amendments made in the updated guidelines are as follows:
Consent
The definition of consent: While the key elements defining consent remain unchanged, the GDPR made it clear that the indication must be unambiguous and involve a clear affirmative action. The GDPR also contains specific provisions on keeping records of consent, clarity and prominence of consent requests, the right to withdraw consent, and avoiding making consent a condition of a contract;
Implied consent: The GDPR requires that consent be given by an affirmative act. However, "implied" consent is still lawful under the GDPR in some circumstances, particularly in more informal offline situations. In addition, the GDPR bans the practice of bundling consent as a condition of service unless it is necessary for that service;
Opt-in and opt-out boxes: Pre-ticked opt-in boxes are not sufficient for consent under the GDPR. The GDPR does not specifically ban opt-out boxes, but as they are materially similar to pre-ticked boxes, the ICO sees them as unlikely to comply with the GDPR;
Indirect (third-party) consent: Any third-party controllers who will rely on the consent must be named; listing categories of organizations will not suffice for valid third-party consent under the GDPR;
Withdrawing consent: Under the GDPR there is an obligation to notify users of their right to withdraw consent to direct marketing;
Proof of consent: The ability to demonstrate that each individual has consented to the processing of their data for the specific purpose is required;
Marketing calls and marketing text and emails
The right to opt out: The GDPR gives individuals the right to object to the processing of their personal data for the purposes of direct marketing at any time, through an easy procedure;
Business-to-business text and emails: Where these involve processing an individual's personal data, the individual has a right to object to this processing at any time;
Lead generation and marketing lists
Generating leads: Under the GDPR, lead generators are required to be able to prove that valid consent was obtained;
Selling a marketing list: Any third-party controllers who will be relying on consent must be named. Under the GDPR there must be proof of an individual's consent to processing their data for that purpose;
Buying a marketing list: When buying a "consented" marketing list, the consent request must have identified the buyer specifically;
In-house marketing lists: The GDPR requires keeping detailed records that demonstrate what the individual has consented to; and
Suppression: A controller can hold a suppression list which contains just enough information to ensure that individuals' right to object is respected, as long as the list is held for compliance rather than for direct marketing purposes.
We would be happy to provide further advice and recommendations concerning the new ICO Direct Marketing Guidelines.
Promoters of Deceptive Cryptocurrency Schemes were Shut Down
TOPICS: Online Marketing, Cryptocurrencies, Deceptive Financial Scheme, Federal Trade Commission, United States
A federal court in Florida decided to halt the activities of four individuals who were acting individually and in concert to promote a series of deceptive moneymaking schemes involving cryptocurrencies.
In a complaint filed by the FTC, the FTC alleged that the defendants promoted chain referral schemes known as Bitcoin Funding Team and My7Network. Using websites, YouTube videos, social media and conference calls, the defendants promised big rewards for a small payment of bitcoin or Litecoin.
The FTC alleged that the structure of the schemes ensured that few would benefit, while in fact the majority of participants would fail to recoup their initial investments. Participants could only generate revenue by recruiting new participants and convincing them to also pay cryptocurrency.
In its complaint, the FTC charged that the defendants violated the FTC Act's prohibition against deceptive acts by misrepresenting the chain referral schemes as bona fide moneymaking opportunities and by falsely claiming that participants could earn substantial income by participating in the three schemes.
As requested by the FTC, the court has also issued a temporary restraining order and frozen the defendants' assets pending trial.
ICO Updated its GDPR Guidance to Address Children's Personal Information
TOPICS: Children Personal Data, General Data Protection Regulation, Information Commissioner's Office, United Kingdom, European Union
The UK ICO's Guide to the GDPR has been updated to include additional, child-specific considerations from its detailed Guidance on Children and the GDPR, the public consultation for which ended on February 28.
The guidance aims to provide detailed practical guidance for UK organisations that process children's personal data under the GDPR. The ICO defines a child as anyone under the age of 18 and, in some circumstances, anyone under 13. The guidance contains some new guidelines for complying with the GDPR, which include the following:
When offering online services directly to children under the age of 13, verification that consent was provided by the holder of parental responsibility for that child is needed;
An obligation to write clear privacy notices in plain language, so that children will be able to understand what will happen to their personal data and which rights they have;
When using children's data for the purpose of marketing, marketing targeted directly at or featuring children must not contain anything that is likely to result in their physical, mental or moral harm;
In most circumstances, it is forbidden to make decisions about children based solely on automated processing if those decisions might have a legal effect on them. Where children are profiled, they must be provided with clear information about the use of their personal data; and
If an individual wishes to erase personal data that they provided as a child without fully understanding the implications of doing so, erasure will be considered "necessary" to protect the rights of the child. Therefore, the right to erasure appears to prevail over other rights, such as freedom of expression.
We would be happy to provide further advice and recommendations concerning the ICO's guidelines and their scope. For further details and recommendations published by us on the GDPR, see our update on How to prepare to the new EU General Data Protection Regulation, as well as our GDPR Compliance Playbook.
PayPal Settles FTC Charges regarding Privacy Misrepresentation
TOPICS: Privacy, Data Security, Gramm-Leach-Bliley Act, Federal Trade Commission, United States
The FTC has announced a settlement with PayPal with respect to allegations that it was misleading its customers about its privacy practices in its peer-to-peer service Venmo.
In its complaint, the FTC alleges that Venmo misrepresented the extent of privacy of the consumers' transactions. While Venmo offered its consumers the option of limiting who can view their transactions, some information regarding their transactions was displayed on Venmo's social news feed, whether consumers chose to limit it or not.
The FTC also alleged that until at least March 2015, Venmo misrepresented the extent of security it provided to consumer financial accounts. Even though the company claimed that it used "bank-grade security systems", the FTC found that Venmo did not have any written security program. The company also failed to notify consumers that their password or email address had been changed or that a new device had been added to their account, a practice which allowed hackers to quietly hijack accounts and withdraw thousands of dollars.
Through these practices, the FTC found that Venmo violated the Gramm-Leach-Bliley Act's Safeguards Rule, which requires financial institutions to implement safeguards to protect the security, confidentiality and integrity of customer information, and the related Privacy Rule, which requires financial institutions to deliver privacy notices to customers.
According to the settlement, Venmo is required to make specific disclosures about its transaction and privacy practices, and it will be subject to third-party compliance assessments for the next 10 years.
IAB Europe Launched Transparency and Consent Framework Draft
TOPICS: Digital Advertising, Personal Data, Consent, General Data Protection Regulation, The Interactive Advertising Bureau
The Interactive Advertising Bureau ("IAB") Europe published a draft of its GDPR Transparency & Consent Framework ("Framework") for public comments. The Framework is a cross-industry effort that aims to help publishers, technology vendors, agencies and advertisers meet the GDPR requirements of transparency, user choice and consent where necessary. It includes technical specifications that will allow companies and consumers to have greater control over the parties who access and process consumers' personal data in the EU. The final version of the Framework is expected to be released in mid-April, following consultation with the industry.
The Framework is the product of a working group which includes parties from the online advertising industry, from both the demand and supply side of the online advertising ecosystem. Their key task was to suggest guidance and solutions on the requirements of the GDPR.
The Framework draft consists of two documents:
Cookie and vendor list format: This document covers the specifications regarding how consent information is stored as a third-party cookie and what kind of information is stored. The proposed consent solution involves a cookie that is stored as a third-party cookie in the user's browser after the interaction between an end user and the Consent Manager Provider UI. This cookie includes the data needed to know which vendors and purposes the user gave consent for. Moreover, the Framework states that a third-party cookie can't be a long-term solution, so Consent Manager Providers should work towards standardizing a more future-looking server-side consent retrieval mechanism; and
We will be happy to assist with understanding the new Framework and with its practical implementation.