HFN Technology & Regulation Client Update
June 2017

Dear Clients and Friends,

We are pleased to introduce you to our June edition of the Technology & Regulation Client Update, which includes several industry and regulatory developments in the fields of technology compliance, digital advertising, content and information privacy regulations.

Amongst other things, you can read about:
The recent revamp to Apple's App Store Review Guidelines;
Google's new policies regarding data protection as required by the EU-US Privacy Shield;
Google's plan to start blocking ads contradicting the Coalition for Better Ads' best practices;
The FTC's new COPPA compliance plan for businesses;
YouTube's new policies concerning advertiser-friendly content, which focus on hateful and "incendiary" content; and
The settlement agreement with the largest health insurance company in the US regarding a massive data breach, which included a record payment of $115 million.

Kind regards,
Ariel Yosefi, Partner
Co-Head - Technology & Regulation Department
Herzog Fox & Neeman

If you have an important regulatory or industry compliance update you would like to share with the industry, let us know.

Apple Updated Its App Store Review Guidelines
TOPICS: App Industry Compliance, App Store, In-App Purchase, Ratings, Reviews, Privacy, Binary Options

Apple has recently released an updated version of its App Store Review Guidelines. These guidelines help developers determine which apps will be accepted or rejected following their submission to the App Store. Highlighted below are the key changes in the new guidelines:
Data Collection and Storage: The app's description should allow users to know what types of access (e.g., location, contacts, calendar, etc.)
are requested by the app, and what aspects of the app will not work if the user does not grant permission;
Data Use and Sharing: Developers may not attempt, facilitate, or encourage others to identify users or reconstruct user profiles based on data that has been collected in an "anonymized", "aggregated", or otherwise non-identifiable way;
Binary Options: Apps that facilitate binary options trading are not permitted on the App Store. Developers should instead consider a web app (if such trading is legal under the relevant jurisdiction);
In-App Purchase: Apps may use in-app purchase currencies to enable customers to 'tip' digital content providers in the app;
App Store Reviews: Custom review prompts are not allowed. Developers should use the provided API to prompt users to review their app; this functionality allows customers to provide an App Store rating and review without the inconvenience of leaving the app;
Subscriptions: Developers who offer an auto-renewing subscription must provide ongoing value to the customer, and the subscription period must have a duration of at least seven days and be available across all of the user’s devices; and
Software Requirements: Apps must run on the most current OS. Developers should keep their apps up-to-date and ensure that they phase out any deprecated features, frameworks or technologies that will no longer be supported in future versions of an OS.

It should be noted that Apple has combined the iOS and Mac App Store guidelines into a single document. This change reflects an overall strategy of treating Apple’s platforms on a comprehensive basis.

Google Updated Its YouTube Advertiser-Friendly Content Guidelines
TOPICS: Adtech Industry Compliance, YouTube, Digital Advertising

Following its announcement in March this year to review and strengthen policies for ad-supported content on the YouTube platform (see our previous related Client Update), Google has recently published updated guidelines that include a new focus on hateful and "incendiary" content.

The updated version of the guidelines provides significantly more detail regarding the existing ineligible content types (such as, inter alia, controversial issues and sensitive events, drugs and dangerous products or substances, harmful or dangerous acts, inappropriate language, sexually suggestive content, and violence) as well as content that can be monetized on YouTube and further clarification regarding these guidelines.

Moreover, in its new guidelines, Google added further types of content that are not eligible for advertising on the YouTube platform:
Hateful Content: Content that promotes discrimination or disparages or humiliates an individual or group of people on the basis of the individual's or group's race, ethnicity, or ethnic origin, nationality, religion, disability, age, veteran status, sexual orientation, gender identity, or other characteristic associated with systematic discrimination or marginalization;
Inappropriate Use of Family Entertainment Characters: Content that depicts family entertainment characters engaged in violent, sexual, vile, or otherwise inappropriate behavior, even for comedic or satirical purposes; and
Incendiary and Demeaning Content: Content that is gratuitously incendiary, inflammatory, or demeaning. For instance, video content that uses gratuitously disrespectful language that shames or insults an individual or group.

In addition to the policies and guidelines above, Google has enumerated a few best practices for creating advertiser-friendly content.
Finally, Google clarified that while it remains the case that videos which comply with YouTube's Terms of Service and Community Guidelines can remain on the platform, the advertiser-friendly content guidelines focus on what is specifically eligible for advertising. Accordingly, content that does not comply with AdSense Policies and YouTube's ad-friendly guidelines will not be eligible for advertising.

We would be happy to provide further advice and recommendations concerning the required steps, to ensure compliance with the applicable obligations and their scope.

Google Released New Guidelines on Data Protection
TOPICS: App Industry Compliance, Google Play, Data Protection, Privacy Shield, European Union, United States

Google has recently published new guidelines concerning data protection as required by the EU-US Privacy Shield (in this regard, you can also see our related special Client Update from last year).

According to the new guidelines, developers who access, use, or process personal information made available by Google that directly or indirectly identifies an individual and that originated in the European Union or Switzerland ("EU Personal Information") must:
Comply with all applicable privacy, data security, and data protection laws, directives, regulations, and rules;
Access, use or process EU Personal Information only for purposes that are consistent with the consent obtained from the individual to whom the EU Personal Information relates;
Implement appropriate organizational and technical measures to protect EU Personal Information against loss, misuse, and unauthorized or unlawful access, disclosure, alteration and destruction; and
Provide the same level of protection as is required by the Privacy Shield Principles.

It should be emphasized that developers must monitor their compliance with the above conditions on a regular basis.
Moreover, if, at any time, developers cannot meet these conditions (or if there is a significant risk that they will not be able to meet them), then they must promptly notify Google by email, as well as immediately either cease processing EU Personal Information or take reasonable and appropriate steps to restore an adequate level of protection.

Google Joined the Coalition for Better Ads and Will Block Non-Compliant Ads
TOPICS: Adtech Industry Compliance, Google, Coalition for Better Ads, Chrome, Digital Advertising, Ad Blocking, Whitelisting Ads

Google recently announced that it has joined the Coalition for Better Ads, an industry group dedicated to improving online ads. Earlier this year, the Coalition released the Initial Better Ads Standards for Desktop and Mobile Web, which provide clear, public, data-driven guidance as to how the industry can improve ads for consumers.

In this regard, Google has stated that it planned to support this initiative by, inter alia, providing new tools for publishers.

First, the new Ad Experience Report helps publishers understand how the Better Ads Standards apply to their own websites, by providing screenshots and videos of annoying ad experiences which Google has identified in order to make it easier to find and "fix" the issues. Google's new best practices guide sets out three golden rules for building better experiences:
Be Immediate: People are more likely to engage when ads are loaded quickly and do not slow down content. By applying the Accelerated Mobile Pages ("AMP") framework to advertising, AMP Ads offer a more efficient way to build, serve and measure responsive ads;
Be Immersive: Ad experiences that seamlessly blend with a user's content experience are less likely to annoy them. Native advertising offers the opportunity to deliver ads that fit the form and function of your site's content.
Responsive Native ads can even scale across devices and screens; and
Be Relevant: Programmatic technology allows advertisers and publishers to deliver more relevant ads based on consumers' interests, helping them stay more engaged on your site.

Second, with Funding Choices, which is currently available in beta version in a limited number of countries, publishers can show a customized message to visitors using an ad blocker, inviting them to either enable ads on their site, or pay for a pass that removes all ads on that site through the new Google Contributor. Google's new best practices guide sets out several tips for publishers on crafting the right message for their audience:
Keep it short and to the point;
Speak to your audience in your own voice;
Give visitors multiple opportunities to see your message - they will not necessarily convert the first time;
Be open and honest, not accusatory, and emphasize how ads support your site;
Avoid jargon;
Remind regular visitors of how often they come to your site. One good way to do this is to use an article counter; and
Treat your visitors with respect. The goal is to create a positive browsing experience that keeps them coming back.

Furthermore, Google has enumerated the following five steps to engage with people who block ads:
Remove negative ad experiences from your site;
Learn why people use ad blockers on your site;
Plan your strategy using whitelist requests, article counters or paywalls;
Design your whitelist request messaging around your audience; and
Monitor how people respond to your strategy.

Finally, Google stated that it planned to have its browser Chrome stop showing ads (including those owned or served by Google) on websites that are not compliant with the Better Ads Standards, commencing in early 2018.

The FTC Updated Its COPPA Compliance Plan for Business
TOPICS: Children's Privacy, Security, Consumer Protection, Federal Trade Commission, United States

The US Federal Trade Commission ("FTC") has recently released an update to its guidance for businesses, titled "Children's Online Privacy Protection Rule: A Six-Step Compliance Plan for Your Business", about complying with the Children's Online Privacy Protection Rule ("COPPA"), in order to reflect developments in the marketplace – for instance, the introduction of internet-connected toys as well as other devices for children.

Highlights of the notable changes in the FTC’s updated guidance are as follows:
New Business Models: As technologies advance, companies have new ways of collecting data, some of which might affect their obligations under COPPA (for instance: voice-activated devices that collect personal information);
New Products Covered by COPPA: COPPA can apply to the increasing list of connected devices which make up the Internet of Things (in addition to its application to websites and mobile apps). This includes connected toys as well as other products designed for children which collect personal information (e.g., voice recordings or geolocation data); and
New Methods for Obtaining Parental Consent: Obtaining parents’ permission before gathering personal information online from children under 13 has always been a significant component of COPPA. The new guidance discusses two newly-approved methods for obtaining parental consent – first, asking knowledge-based authentication questions; second, using facial recognition to obtain a match with a verified photo ID.

We would be happy to provide further advice and recommendations concerning the required steps, to ensure compliance with the applicable obligations and their scope.

Anthem Agreed to Pay Record $115 Million to Settle U.S.
Lawsuits Over Data Breach
TOPICS: Healthcare Data Breach, Cyber Security, Insurance, Health Insurance Portability and Accountability Act, District Court, Department of Insurance, California, United States

Anthem, Inc., the largest US health insurance company, has recently agreed to pay a record $115 million to settle a class-action lawsuit stemming from a 2015 data breach in which the personal information (including names, birthdays, Social Security numbers, addresses, email addresses and employment and income information) of nearly 80 million employees and current and former members was compromised. The settlement must still be approved by a US District Court in San Jose, California.

A report from the California Department of Insurance found that the initial breach occurred in February 2014 after an employee opened a phishing email containing malicious content. The cyber attacker was likely acting on behalf of a foreign government. The report also concluded that the company had taken reasonable measures prior to the data breach to protect its data and employed a remediation plan resulting in a rapid and effective response to the breach once it was discovered.

As part of the settlement, the health insurer agreed to provide people affected by the data breach with two years of credit monitoring (in addition to the two years of credit monitoring they already received), as well as to give cash compensation for individuals who already enrolled in credit monitoring. The company also agreed to cover the out-of-pocket costs victims have incurred due to the data breach. Additionally, the company agreed to allocate funds for cyber security improvements, including modifying its current cyber security systems. According to a statement by the company, it did not admit to any wrongdoing or any harm to individuals as a result of the cyber attack.

This substantial settlement emphasizes the necessity for constant vigilance over corporate IT systems, especially in those sectors which maintain data subject to the Health Insurance Portability and Accountability Act (HIPAA). Given the recent increased focus on enforcement, as well as the potential legal liability for non-compliance (on this regulatory focus, please see, inter alia, our April 2017 Client Update and January 2017 Client Update), companies must treat data security as among their highest priorities.