Google recently announced that beginning next year it will require Android mobile apps to provide privacy disclosures. These disclosures will live in a new “safety section” in Google Play. The requirements include disclosing:

  • What information the app collects and how information is used;
  • How the app protects information and if it uses encryption;
  • If information is shared and if users have a choice about sharing;
  • If users can request data deletion; and
  • If the disclosures made in the safety section have been verified by an independent third party.


Continue Reading Time to Update Your Privacy Disclosure Creation Checklists? Google Will Add to Mobile Privacy Disclosure Requirements

As of this week, Apple’s requirements for apps to follow its AppTrackingTransparency are now in effect. These requirements went hand-in-hand with the iOS 14.5 launch, and impacts how an app can track users and access their advertising device IDs. In particular, consumer consent is now required if the app collects consumer information and shares it with others “for purposes of tracking across apps and web sites.” Apple has provided developers with specific implementation steps, which will be reviewed when apps are submitted to Apple for approval. As part of the submission, companies need to explain why they want to track users, as required under Apple’s guidelines.
Continue Reading Apple’s App Tracking Transparency Now In Effect

As many who have been tracking CCPA are aware, the law requires training employees who handle consumer inquiries, and ensuring that employees understand how to help consumers exercise their rights. Since most of those rights requests are arriving by web page, email, and phone, it is unlikely that rights requests will slow in the face of COVID-19. Indeed, it is possible that they may increase. Employees will thus still need training, something many companies had anticipated doing in-person.

Coronavirus


Continue Reading Turn On the Camera Part Three: Fulfilling CCPA Training Obligations in the Face of COVID-19

As we get settled into the reality of living with both CCPA and GDPR, companies are looking for new approaches for keeping their privacy houses in order. CCPA reminds us that there is no end to new legislation: proposals are already coming in from states as varied as Nebraska, New Hampshire and Virginia. Similar legislative trends exist around the globe. How can companies be prepared to address this ever shifting legislative landscape? There are a few essential steps privacy officers can take, including (1) aligning the privacy team’s efforts with the underlying corporate mission, (2) having a clear understanding of both the company’s data and its use practices, and (3) having infrastructure in place that will allow for updates to notices and rights.
Continue Reading Getting Prepared for a Decade of Privacy

The ICO first began its examination of Bounty UK Ltd. (a support club for parents) when the ICO was investigating the data brokerage industry generally, of which it viewed Bounty as taking part (given that it shared member information with third parties like Acxiom and Equifax). Here, in reaching its conclusion that the company had violated UK privacy laws, the ICO found the volume of sharing in which Bounty engaged “unprecedented,” and accused the company of both “careless data-sharing” as well as violations of the UK law that pre-dated GDPR (the violation having occurred prior to the law’s May 2018 implementation date). Interestingly, the violation has been described by commentators as a “data breach,” although it did not involve the typical “hacker” scenario that one thinks of when contemplating a breach. Instead, the company collected information and shared it with third parties without appropriate notice and consent.
Continue Reading UK ICO Fines Parenting Club £400,000 Over Breach Involving PII of Mothers and Babies

The settlement between VTech Electronics Ltd. and the FTC in the first Internet-connected toys COPPA case is a reminder for companies looking to enter the connected toys space not to forget this child-focused law.

The FTC complaint alleged that VTech violated the Children’s Online Privacy Protection Act and the FTC’s COPPA Rule because it collected personal information from children without parental consent. According to the FTC, VTech markets and sells various “electronic learning products,” which it targets to 3- to 9-year-olds. Those products have an area similar to an app store, and one of the apps available is called Kid Connect. Kid Connect, the FTC explained, lets children communicate with other users. Although parents did have to sign children up for the interactive features of the VTech products, the FTC had concerns about the compliance of the consent process. Namely, that VTech did not have a way to verify that the person submitting consent was the parent, not the child him or herself. Also of concern for the FTC, and in violation it alleged of COPPA, was not having a link to the privacy policy in all areas of Kid Connect where personal information was collected. And in some instances, like the Kid Connect registration page, the privacy policy link was not sufficiently prominent. Additionally, some of the information required by COPPA to be included in a privacy policy was missing. This included VTech’s address and email address, a full description of what information was being collected from children, and the parent’s right to review/delete children’s personal information.
Continue Reading Connected Toys, COPPA, and What’s Next

The Better Business Bureau’s Online Interest Based Advertising Accountability Program announced that that it will require interest-based video ads to provide notice and choice to viewers as of April 1, 2018, as we reported in our Advertising blog, in compliance with the Digital Advertising Alliance’s self-regulatory principles for interest-based advertising. As providers of interest-based video ad networks and services gear up for the deadline, there are three core areas to think about. First, the basics, are you engaging in interest-based advertising in the serving of your video ads? Now is the time, in advance of the April 1 date, to have these conversations with your business teams. Second, if the answer is yes, how are users being provided with notice? Is the notice compliant with the DAA Principles? For example, is it up-front? Does it direct users to a location where they can get more detailed information about your activities? Third, how are users being provided with choice? For those who engage in other types of interest based advertising, these steps will sound familiar. But expanding the conversation with marketing to video advertising may be new.
Continue Reading How to Prepare Interest-Based Video Ads for the April 1 Deadline

The FTC announced that it has given guidance on when the Children’s Online Privacy Protection Act (COPPA) requires collection of parental consent before collecting voice recordings online from children under 13. The issue arose because, as the FTC noted, voice is beginning to be a “replacement for written words,” especially when conducting searches or instructing digital devices. COPPA requires collecting parental consent before collecting personally identifiable information from children online. The definition of “personal information” under COPPA is broad, and includes audio files. Arguably, then, online operators would need parental consent before children “submitted” audio files, including in the form of conducting verbal searches or giving verbal instructions to their connected device.
Continue Reading FTC Gives COPPA Guidance on Voice Recordings