Weekly Privacy News Update – Episode 04


France’s DPA flagged top alternatives to third-party cookies and highlights rules for appropriate use

France’s CNIL published a news article discussing alternatives to third-party cookies, providing background regarding the “end of third party cookies”, rules for using new tracking techniques, and indicating a continued special interest in enforcement in this area. Need a little more context? The CNIL includes a  short explanation of the difference between first-party and third-party cookies, the use of third-party cookies in advertising, why we are talking about the end of third-party cookies, and what alternatives have developed as the shift away from third-party cookies became eminent. CNIL includes a disclaimer style note at the end of the article that the use of these tracking technologies warrant “SPECIAL ATTENTION FROM THE CNIL” – indicating that CNIL will keep a close eye on businesses using these techniques to make sure they implement such techniques in a compliant manner.

Alternative techniques discussed include:

  • Internal cookies and digital fingerprinting:
    • Internal cookies: URL calls to an advertiser via a site’s internal cookies (rather than third party cookies) to obtain information about visitors to the site
    • Digital fingerprinting: browser and device information like screen size and operating system alone can make it possible to distinguish between users and track them
  • Single Sign-On (SSO): A method of authentication used to allow an individual to sign in to a number of sites and services with a single set of credentials. Even though the use of SSO was not developed as a means of replacing cookies, it can be used to create a picture of the user’s navigation between those different sites and services.
  • Unique identifiers: Tracks users through the use of hashed deterministic data.
  • Ad targeting by cohort: Solutions that aim to reproduce what advertisers currently gain from cookies in a less invasive manner, in principle. One example of this is Google’s FLoC.

Rules to follow when using these techniques: Don’t forget the ePrivacy Directive (protects communications of individuals – private communications and terminal equipment)

  • Must ensure consent is a free and informed choice for the user no matter where the information comes from or technique used (browser v. terminal)
  • Ensure users keep control of their data, and think about this from the earliest stages of implementation (think privacy-by-design)
  • Do not process sensitive personal data, and in particular, ensure groups targeted do not lead to indirect discrimination.
  • Remain responsible for the implementation of these techniques

Source: CNIL

Norway Data Protection Authority and Norway’s Consumer Agency want to see changes in proposal for new local cookie legislation

Norway’s Data Protection Authority (DPA) and Norway’s Consumer Agency submitted a joining consultation response to the Ministry of Local Government and Modernization’s proposed new Electronic Communications Act. The Act would govern consent requirements for cookies and similar tracking technologies. The joint consultation (i) highlights how difficult and/or time consuming it can be for users to stop this kind of tracking, and at the same time, the personal data collected from these practices makes up a significant portion of the data collected by Norwegians; (ii) emphasizes that the proposed Act needs to more clearly specify consent requirements; and (iii) requests the DPA be in charge of all aspects of regulating the use of cookie technologies

Sources: IAPP, Datatilsynet, Consultation statement

Lasso-ing $: 850 footballers want to be compensated by data collection firms that have been trading their data over the past six years

These athletes are sending a message to the sports industry that the way data collection firms use and share performance data needs to change. They sent letters to 17 data collection firms, expressing their belief that their data was improperly used. Going forward, they want to require companies using their performance data to pay an annual fee. The footballers argue that the use of their personal information (e.g., height) would not be excused in other industries. No formal legal action has been taken, yet.

Sources: IAPP, BBC

Ireland’s Data Protection Authority (the Data Protection Commission or DPC) will have an increased budget in 2022

The Irish government will be increasing the DPC’s budget by 22% in 2022 (an additional EUR 4.1) for a total budget of EUR 23.2. DPC Commissioner Helen Dixon indicates this funding is crucial for upcoming increased enforcement by the DPC, particularly in the context of the DPC’s role as the EU lead supervisory authority for many of the world’s largest tech companies. The increased budget will allow the DPC to hire 40 new staff focused on investigation, technology, and legal.

Sources: IAPP, DPC

Ireland: Irish Data Protection Commission endorses Facebook’s approach to data protection

Irish Data Protection Committee (DPC) issued a draft decision against Facebook, with a proposed fine of EUR 36 million because Facebook’s terms of service did not include sufficient information needed to satisfy GDPR transparency requirements. Facebook takes the position it relies on the “performance of a contract” legal basis for processing personal information under GDPR by including specifics about their data processing activities in its legal terms.

Privacy advocates like Max Schrems (also the complainant in this matter) find Facebook’s approach an attempt to bypass GDPR requirements an obvious attempt to create a loophole, effectively switching from “consent” to “contract” when GDPR went into effect. Schrems is concerned that without regulator intervention, allowing Facebook to take this position opens the door for any company to write about the processing of data into a contract to avoid obtaining consent from data subjects. While the Irish DPC is the lead supervisory authority for Facebook, the GDPR includes mechanisms for EU DPAs to take action if they believe the DPC’s action is insufficient

In this case, the draft decision is expected to reach the European Data Protection Board (EDPB). If it does, the EDPB will review the draft decision and members could overrule the DPC.

Sources: Euractiv, IAPP, NOYB

California: Next public meeting for the California Privacy Protection Agency agenda published

The next public meeting will be on October 18, 2021. The agenda for the meeting includes:

    • Introduction of newly appointed Executive Director of the CPPA, Ashkan Soltani
    • Updates from the following subcommittees: Start-up and Administration, Rulemaking Process, New CPRA Rules, Update of CCPA Rules, Public Awareness, and Guidance

Sources: IAPP, CPPA, Agendas

China announces draft regulations for the use of algorithmic recommendation technology

The draft regulations are called the Internet Information Service Algorithmic Recommendation Management Provisions. They consist of a series of 30 articles, which set out rules for use of such algorithms online and address things like search filtering, personalized recommendations, user rights, and more. They were released following the passage of China’s Personal Information Privacy Law (PIPL) and will apply to PIPL along with three other Chinese privacy & security laws (the Cybersecurity Law, the Data Security Law, and the Internet Information Services Management Rules). Right now we do not know if we should expect updated drafts or when these regulations would go into effect. The Cybersecurity Agency of China is tasked with supervision, management, and enforcement. The IAPP reviewed the scope and purpose of these new regulations in great depth, click the link below to read more if interested!

Source: IAPP

Alexa, appeal that fine

Amazon filed the appeal at the Luxembourg Administrative Tribunal challenging the ~$865 Million fine issued in July. Amazon is arguing there was no data breach or other similar exposure that would justify the penalty.

Sources: IAPP, Bloomberg

FTC primed to discuss internet service provider’s privacy practices

In 2019, the Federal Trade Commission issued orders to seven internet service providers to look into their privacy practices (AT&T, AT&T Mobility, Comcast Cable Communications, Google Fiber, T-Mobile U.S., Verizon Communications, and Cellco Partnership). Specifically, the FTC sought to learn more about the type of data collected, if any data is shared, how customers can access, correct, and delete their data, internal policies for the handling of the data, and whether the data is aggregated, anonymized or de-identified. The FTC ultimately looked into six of those major ISPs and three of their advertising affiliates. On October 21, the FTC will hold an open meeting to present on the findings of those investigations.

Sources: IAPP, FTC

Privacy Tech

Cytrio raises $3.5 million in seed funding, launches SaaS privacy rights management platform for mid-market companies.

Sources: IAPP, TechCrunch

Further reading from this week:

Masha Komnenic CIPP/E, CIPM, CIPT, FIP
More about the author

Written by Masha Komnenic CIPP/E, CIPM, CIPT, FIP

Masha is an Information Security and Data Privacy Specialist and a Certified Data Protection Officer. She has been a Data Protection Officer for the past six years, helping small and medium-sized enterprises achieve legal compliance. She has also been a privacy compliance mentor to many international business accelerators. She specializes in implementing, monitoring, and auditing business compliance with privacy regulations (HIPAA, PIPEDA, ePrivacy Directive, GDPR, CCPA, POPIA, LGPD). Masha studied Law at Belgrade University, and she passed the Bar examination in 2016. More about the author

Related Articles

Explore more resources