Developing a privacy compliance program is an essential, if often daunting, compliance step for organizations of all sizes, and across all industries. InfoLawGroup partner Justine Young Gottshall and her co-author recently updated their an in-depth practice note on this topic. The updated version is published by Practical Law and available here.
On Friday, October 14, 2016, Attorney General Kamala D. Harris announced the launch of a new tool for consumers to report alleged violations of the California Online Privacy Protection Act (CalOPPA). CalOPPA requires companies doing business in California (even if operating from outside of California) to post compliant privacy policies and abide by the promises in those policies. The press release announcing the launch of the new tool mentions a specific focus on the “internet of things” as well as how companies are sharing information they collect about users. The tool allows consumers to fill out an online form and submit it to the AG’s office.
A new study from the Future of Privacy Forum is cited in the press release. The study calls out that while a significant percentage of mobile apps now have privacy policies, health and fitness apps that collect sensitive PII are less likely to have privacy policies than others. The study also found that apps are not properly disclosing their information sharing practices. The AG (in coordination with research conducted by Carnegie Mellon University) is reviewing a number of apps in the Google Play store for legal compliance.
We should all expect new enforcement actions coming from the CA AG’s Office in the near term.
Join Justine Young Gottshall for the 2016 Privacy + Security Forum at the George Washington University Marvin Center. Ms. Gottshall will speak on Tuesday, October 25th on the panel entitled The Internet’s Digital Advertising Architecture: From Cookies to Addressable TV and the privacy issues in between. For more information, visit https://privacyandsecurityforum.com/.
Partner Justine Young Gottshall was interviewed regarding key issues for mobile apps in the Cybersecurity Law Report on August 3, 2016 (note that subscription or registration for a free trial required to access full article).
Just five months after the Federal Trade Commission (“FTC”) released its Native Ads Policy Statement, the National Advertising Division of the Better Business Bureau (“NAD”) has followed suit and issued a decision in its investigation of Joyous Inc.’s (“Joyous”) native advertising practices (NAD Case #5956, 05/19/16).
In its routine monitoring, the NAD explored the formatting and placement of Joyous ads in the Style Watch section of the online version of People Magazine, as well as claims about the efficacy of its products. While Joyous discontinued the efficacy claims at issue, the NAD conducted a complete analysis of the native advertising content on People.com.
InfoLawGroup announces that it has formalized its Privacy in M&A practice group, which brings together its experienced attorneys to work closely with clients on the privacy and security issues that can arise when purchasing, investing in, or merging with another entity. While we have been addressing these issues for some time and across related practice areas, we believe a more formalized practice group will allow us to better serve our clients. This is an area growing in importance, as data is increasingly a significant asset for the selling and acquiring companies. For more information, please contact Justine Young Gottshall or Mark Paulding.
The British electorate has voted to leave the European Union, rejecting the pleas of all major political parties and most business, media, and legal experts across the political spectrum. Prime Minister Cameron announced that he will resign in October and that his successor will then work out the details of withdrawal from the EU.
What does this mean for US-based multinationals and other global companies that do business in Europe, often from a base in the UK? Specifically, what is the impact on handling information across the English Channel and across the Atlantic?
The FTC announced today that it reached a settlement with mobile ad network InMobi. InMobi offers a software-development kit (SDK) that its third-party app-developer customers can integrate into their mobile applications. The SDK allows InMobi to target advertisements to app users based on data collected and allows the app developer to thereby better monetize its advertising inventory.
The FTC alleged that – after representing to its developer customers that it would collect location information only after an app user opted into such collection – InMobi broadly collected location data from all app users, even those who denied an app’s request to collect such data. Notably, the FTC did not allege that InMobi simply ignored a user’s decision and accessed device location data anyway. Instead, the FTC alleged that InMobi built a mechanism whereby it could effectively sidestep the consumer’s choice and determine his or her location through means other than direct access to device location data.
Four years in the making, the European Union’s General Data Protection Regulation (GDPR) obtained its final legislative approval on April 14, and the final text was published in the Official Journal yesterday. It will be enforced after a two-year transition, beginning on May 25, 2018, replacing the national laws and regulations based on the venerable 1995 EU Data Protection Directive and reaching companies that target EU consumers from outside the EU.
While the GDPR largely retains the principles and terminology of the 1995 Directive, it also adds some new principles with uncertain consequences, such as a stricter concept of consent, a requirement for data portability, and a “right to be forgotten.” At the same time, if offers hope for a greater level of uniformity across Europe, which multinational enterprises may welcome, as well as relief from registration burdens that have persisted in many countries (although this is offset by a new obligation to notify security breaches).