Industry Updates

Google tests way to overcome the ad-targeting gap between mobile web users and mobile app users 

Google is set to begin testing a new method of targeting tablet and smartphone users that connects the separate tracking mechanisms that track what people do on the mobile web and in mobile apps respectively. Until now, advertisers have been forced to treat individual mobile users as two unconnected people. According to the confirmation of Google's spokesman to various media publications, "as an alternative to less transparent methods, we're doing some tests to help businesses run consistent ad campaigns across a device's mobile browser and mobile apps, using existing anonymous identifiers, while enabling people to use the established privacy controls on Android and iOS."

The new mobile ad-targeting method is different than the one which made headlines a year ago, when the company reported to be testing a replacement for the cookie, the primary technology used to track web users from site to site and to aim certain ads at them. The new mobile method is different. Instead Google is taking the cookie dropped in a mobile web browser and connecting it with the mobile app equivalent of a cookie. Once those identifiers are connected, Google will be able to show the same ads to consumers whether they are using a mobile browser or an app, and will be able to recognize consumers who saw one ad in an app and show them a follow-up ad on a mobile site.

TRUSTe and Disconnect launched Visual Privacy Icons to help make Privacy Policy information easier to understand

Additional standardization related to privacy policies has been launched in the industry. Disconnect, a developer of popular consumer privacy software, and TRUSTe, the data privacy management company, announced the launch of Privacy Icons, that assist people to quickly understand how websites handle their data.

According to Disconnect’s announcement, “not many people read privacy policies, butthese are legally important documents that communicate what’s going on with your personal information. Privacy Icons translates these complicated policies into terms people can easily understand, including how their data is collected, shared, and protected by the websites they visit and the services they use.”

The Privacy Icons software shows users a set of icons in the browser for every site they visit and for every search result. The icons are simple visual cues that provide a quick and easy way for users to understand the most important data practices of a given website.

Icons indicating data collection and expected uselocation tracking and data retention are powered by data from the TRUSTe Privacy Policy Database, which includes an in-depth analysis of the privacy policies of thousands of websites around the world. Additional icons indicate whether or not a site (i) is  TRUSTe certified andchildren’s privacy certified, (ii) supports HTTPS by default, (iii) complies with a user’s DoNotTrack (DNT) browser preference, and (iv) is still vulnerable to the Heartbleed bug. Websites can submit requests to be included by visiting this page.

Google Chrome Extensions Quality came into force

Last month (July 22, 2014) Google started to enforce the new change in its Chrome Web Store policy, according to which extensions must have a "single purpose", otherwise they will be blocked.

The company published a set of Frequently Asked Questions to help clarify how the changes will affect in practice the way extensions should be developed and distributed. Google clarified that “single purpose” can refer to one of two aspects of an extension:

  1. An extension can have a single purpose limited to a narrow focus area or subject matter (for example, “news headlines", "weather", "comparison shopping"). If the extension has a narrow focus area or subject matter, then it can offer various functions related to that focus area or subject matter,

or

  1. An extension can have a single purpose limited to a narrow browser function (for example, "new tab page", "tab management", or "browser history"). If the extension is implemented in a single function, then it can offer content or features related to different areas or subjects. 

Google has also clarified that, subject to the rules below, extensions are allowed to make changes to the start page, homepage and new tub as well as to the default search settings:

  • In the case of the start page, the homepage and the new tub settings, if the purpose of an extension is to modify one narrow function of the browser(either the start page, homepage or new tab page, for example), and it does only that, then it would be compliant with the single-purpose policy.
  • Additionally, if the single purpose of an extension is search as the narrow focus areaand nothing more, then it can offer various functions related to search, including changes to default search settings. 
  • Similarly, in the case of search settings, if the only purpose of an extension is to change the default search settings, then it would be compliant with the single purpose policy.  
  • Additionally, if the purpose of an extension is limited to one focus area or subject matter, then it can have various functions related to that one area or subject matter, including changes to start page, homepage and new tab page. 
  • Google also noted that beginning with the July release of Chrome, the only way to programmatically change the homepage, search provider or startup page settings in Chrome on Windows will be via an extension that uses the Settings Override API.

​Google also clarified the implications of the policy on ad injunctions and stated thatbundling ad injection with some other type of functionality would violate the single purpose policy. Howeverif injecting ads is the single purpose of the extension and the extension is otherwise compliant with Chrome policiesthen it would be acceptable. For example, a “related articles” extension that adds sponsored links to articles related to a page which the user is visiting would be compliant with the single purpose policy because it has a single purpose limited to a narrow function of the browser.

The same goes for toolbars and the compliance of toolbars would depend on the functions of the toolbar. Such extension must adhere to the narrow single purpose of the extension. Broad, multi-purpose toolbars are not allowed.

In the FAQ published by Google, it has been clarified that the previous change in Chrome policies, according to which Chrome extensions must be hosted in the Chrome Web Store, initially applies only to Windows extensions. Likewise, the new Settings Override API will initially be made available only on Chrome for Windows.However, the single-purpose policy will apply to all Chrome extensions.

The FAQ page also includes an appendix with various examples of extensions that comply with the abovementioned guidelines.

Regulatory Developments in the United States

30 U.S. companies are said to be violating EU Private Data Transfer program 

Thirty U.S. companies — including Adobe, AOL and SaaS CRM — have been identified as being in probable violation of the Safe Harbor Agreement between the EU and the U.S., which governs the transatlantic transfer of personal data for commercial purposes.

The complaint was filed with the Federal Trade Commission (the FTC") by the U.S. consumer privacy rights organization, the Center for Digital Democracy ("CDD").

A brief announcement regarding the complaint and a copy of it can be found here.

The companies named in the complaint include companies from the AdTech world, including data brokers, providers of data management platforms and profilers and mobile marketers.

In its announcement, the CDD explained that "the Safe Harbor is based on a voluntary 'self-certification' process, in which companies that promise to provide clear 'notice' (of their data-collection practices and data uses) and 'choice' (giving consumers the opportunity to 'opt out' of practices they did not previously agree to) are then allowed to collect information from European consumers without strictly following the EU’s higher data-protection standards. The EU has itself recognized that the current Safe Harbor regime is inadequate, and has called for its revision".

Further, CDD’s claim with the FTC "calls for an investigation of 30 companies involved in data profiling and online targeting… that allow their corporate clients to analyze their own consumer information and combine it with outside data sources to produce detailed marketing insights…"

According to the CDD, "the Big Data-driven companies in our complaint use Safe Harbor as a shield to further their information-gathering practices without serious scrutinyCompanies are relying on exceedingly brief, vague, or obtuse descriptions of their data collection practices, even though Safe Harbor requires meaningful transparency and candor".

The FTC updated FAQ Guidance on COPPA 

The FTC published a revised Frequently Asked Questions page that provides companies with specific guidance for compliance with the Children’s Online Privacy Protection Act (”COPPA”) and reflects new guidelines (and clarifications) on the varying methods of parental consent. The guidance is available here

Florida’s strict new Data Breach Notification Law came into force 

On July 1, 2014, the Florida Information Protection Act of 2014 (“FIPA”) came into force. FIPA significantly expands the definitions of what constitutes personal information and a data breach and introduces a shortened deadline for providing notice to affected Florida residents, and creates unique document disclosure requirements.

This development is another reason to have appropriate data protection plans in place before a potential breach occurs. In addition, companies that actively collect personal information about Florida residents may need to update their data breach policies and procedures to ensure compliance with FIPA.

Some key provisions of FIPA are:

  • There is a general requirement to take "reasonable measures" to protect and secure personal information and to dispose of records (whether in paper or in electronic form) containing personal information once the records are "no longer to be retained."
  • The definition of a "breach" has been expanded from an "unlawful and unauthorized acquisition" of personal information to the "unauthorized access" of personal information. As such, Florida has become one of a few U.S. states where mere access to personal information without authorization, as opposed to actual theft, can trigger the breach notification requirement.However, according to FIPA, notice to affected individuals will not be required if, after appropriate investigation and consultation with relevant enforcement agencies, the affected company determines that the breach is unlikely to cause identity theft or other financial harm. Notice of such determination must be made to the Florida Department of Legal Affairs (“the Department”) within 30 days.
  • The definition of "personal information" has been expanded to include not only a name in combination with a social security number, driver's license number, financial account number, credit or debit card number, or similar identification number, but also to include the following new elements: (1) a username or email address in combination with a password or security question with an answer that would permit access to online accounts and (2) a name in combination with a passport number, health insurance policy number, or other health information or conditions. (Encrypted information is expressly excluded from this definition.)
  • The deadline to provide notice to individuals affected by a data breach has been shortened to 30 days. A 15-day extension of the 30-day deadline may be obtained from the Department upon a showing of good cause. Moreover, as with the previous statute replaced by FIPA, the notice may be delayed at the request of law enforcement agencies so as not to interfere with a criminal investigation.
  • In the case of a breach that affects more than 500 Florida residents, notice of the breach must be provided to the Department within 30 days.
  • Third-party agents that maintain systems containing personal information are required to notify the relevant data owners of a data breach within 10 days. If notice of a breach is sent to more than 1,000 Florida residents, then consumer credit reporting agencies must also be notified of the breach.
  • FIPA treats violations as unfair or deceptive trade practices under Florida law and sets forth civil penalties up to $500,000. 

Regulatory Developments in the Europe

Italy imposed new rules on Google over profiling the commercial behavior of Italian users

On July 10, 2014, the Italian Data Protection Authority issued a resolution ordering Google to comply with Italian privacy law in order to process personal data aimed at profiling its Italian end-users and their personality, analyzing consumption and commercial behavior.

Under the resolution, Google is required to implement specific rules referring to the privacy policy, consent and data retention:

  • Regarding prior information, Google is required to provide its end-users with a privacy policy that gives its end-users complete and transparent information regarding the use of their personal dataexplaining that their data is used and analyzed in order to profile their commercial behavior and is collectedby means of cookies and other identifiers for profiling such as fingerprinting.  
  • In addition, in order to use data of its end users for profiling and commercial advertising, Google is required to obtain the prior and informed consent even from authenticated users, such as users of Gmail service, and to ensure its users can exercise the right to object to the processing of their personal data where it is carried out for the purpose of sending advertising materials or direct selling or for the performance of market or commercial communication surveys.
  • Ultimately, Google is required to delete the data of end users, which have a Google account on request within a maximum period of two months if their data is stored in active systems or within a period of 6 months if their data is stored in back-up systems

Google must implement the resolution within 18 months from the date of notification of the resolution and must submit to the Italian Data Protection Authority its new standard of privacy policy and privacy protocol by September 30, 2014. 

EU to conduct review of Big Data potential within existing legal boundaries

The European Article 29 Working Party (a committee made up of representatives from EU privacy regulators) confirmed in a letter sent to the White House that the Working Party “intends to carry out its own assessment of the development of big data on the basis of the EU legal framework.”

The letter was sent in response to a report published in the U.S. in May on big data opportunities and privacy implications. The report recommended that Congress enact national data breach legislation, extend privacy protections to non-U.S. citizens, update the Electronic Communications Privacy Act and provide greater protections for student privacy. However, the report did not call for specific legislation to regulate Big Data. In the letter, the EU Article 29 Working Party stated that the U.S. report had identified a number of areas in which big data can work in practice, such as to improve health services, which are also relevant to ongoing debate within the EU.

According to the letter, the Working Party believes that a number of guidelines which it has issued in recent months on aspects of data protection law, including in relation to anonymisation techniques, purpose limitation and legitimate interest, are also "consistent with the analysis of some privacy concerns which are identified in the [US] report". The Working Party would cooperate with counterparts in the US on the actions needed to harness the potential of big data whilst ensuring "that EU as well as U.S. concerns are duly taken into consideration".