France’s DPA flags top alternatives to third-party cookies and highlights rules for appropriate use
France’s CNIL published a news article on alternatives to third-party cookies. It gives background on the “end of third-party cookies”, sets out the rules that apply to the new tracking techniques, and signals a continued special interest in enforcement in this area. Need a little more context? The CNIL includes a short explanation of the difference between first-party and third-party cookies, how third-party cookies are used in advertising, why the end of third-party cookies is being discussed, and which alternatives have developed as the shift away from third-party cookies became imminent. The article closes with a disclaimer-style note that the use of these tracking technologies warrants “SPECIAL ATTENTION FROM THE CNIL”, meaning the CNIL will keep a close eye on businesses using these techniques to make sure they implement them in a compliant manner.
Alternative techniques discussed include:
- Internal (first-party) cookies and digital fingerprinting:
- Internal cookies: a site’s own first-party cookies are used, together with URL calls to an advertiser, to pass information about the site’s visitors to the advertiser rather than having the advertiser set a third-party cookie
- Digital fingerprinting: browser and device characteristics such as screen size and operating system, once combined, can be enough on their own to distinguish users and track them, without any cookie
- Single Sign-On (SSO): an authentication method that lets an individual sign in to a number of sites and services with a single set of credentials. SSO was not developed as a replacement for cookies, but it can be used to build a picture of the user’s navigation across those different sites and services.
- Unique identifiers: users are tracked through hashed deterministic data (for example, a hashed email address shared across sites).
- Ad targeting by cohort: solutions that aim to give advertisers what they currently get from cookies in a less invasive manner, at least in principle. One example is Google’s FLoC.
Rules to follow when using these techniques (don’t forget the ePrivacy Directive, which protects the confidentiality of individuals’ communications and their terminal equipment):
- Consent must be a free and informed choice for the user, regardless of where the information comes from (browser or terminal equipment) or which technique is used
- Ensure users keep control of their data, and think about this from the earliest stages of implementation (privacy by design)
- Do not process sensitive personal data; in particular, make sure the groups targeted cannot lead to indirect discrimination
- Remain responsible for the implementation of these techniques
Norway Data Protection Authority and Norway’s Consumer Agency want to see changes in proposal for new local cookie legislation
Norway’s Data Protection Authority (DPA) and Norway’s Consumer Agency submitted a joint consultation response to the Ministry of Local Government and Modernisation’s proposed new Electronic Communications Act. The Act would govern consent requirements for cookies and similar tracking technologies. The joint response (i) highlights how difficult and time consuming it can be for users to stop this kind of tracking, while the personal data collected through these practices makes up a significant portion of the data collected about Norwegians; (ii) emphasizes that the proposed Act needs to specify consent requirements more clearly; and (iii) requests that the DPA be put in charge of all aspects of regulating the use of cookie technologies.
Sources: IAPP, Datatilsynet, Consultation statement
Lasso-ing $: 850 footballers want to be compensated by data collection firms that have been trading their data over the past six years
These athletes are sending a message to the sports industry that the way data collection firms use and share performance data needs to change. They sent letters to 17 data collection firms stating their belief that their data has been improperly used. Going forward, they want companies using their performance data to pay an annual fee. The footballers argue that this use of their personal information (e.g., height) would not be excused in other industries. No formal legal action has been taken yet.
Ireland’s Data Protection Authority (the Data Protection Commission or DPC) will have an increased budget in 2022
The Irish government will increase the DPC’s budget by 22% in 2022 (an additional EUR 4.1 million), for a total budget of EUR 23.2 million. DPC Commissioner Helen Dixon says this funding is crucial for the DPC’s upcoming increase in enforcement, particularly given its role as EU lead supervisory authority for many of the world’s largest tech companies. The increased budget will allow the DPC to hire 40 new staff focused on investigation, technology, and legal work.
Ireland: Irish Data Protection Commission endorses Facebook’s approach to data protection
The Irish Data Protection Commission (DPC) issued a draft decision against Facebook, with a proposed fine of EUR 36 million, because Facebook’s terms of service did not include sufficient information to satisfy GDPR transparency requirements. Facebook’s position is that it relies on the “performance of a contract” legal basis for processing personal information under the GDPR, by including specifics about its data processing activities in its legal terms.
Privacy advocates such as Max Schrems (also the complainant in this matter) see Facebook’s approach as an obvious attempt to create a loophole and bypass GDPR requirements, effectively switching from “consent” to “contract” when the GDPR took effect. Schrems is concerned that, without regulator intervention, allowing Facebook to take this position opens the door for any company to write its data processing into a contract to avoid obtaining consent from data subjects. While the Irish DPC is the lead supervisory authority for Facebook, the GDPR includes mechanisms for other EU DPAs to act if they believe the DPC’s action is insufficient.
In this case, the draft decision is expected to reach the European Data Protection Board (EDPB). If it does, the EDPB will review the draft decision and members could overrule the DPC.
California: Agenda published for the next public meeting of the California Privacy Protection Agency
The next public meeting will be on October 18, 2021. The agenda for the meeting includes:
- Introduction of newly appointed Executive Director of the CPPA, Ashkan Soltani
- Updates from the following subcommittees: Start-up and Administration, Rulemaking Process, New CPRA Rules, Update of CCPA Rules, Public Awareness, and Guidance
China announces draft regulations for the use of algorithmic recommendation technology
The draft regulations are called the Internet Information Service Algorithmic Recommendation Management Provisions. They consist of 30 articles setting out rules for the use of such algorithms online, addressing search filtering, personalized recommendations, user rights, and more. They were released following the passage of China’s Personal Information Protection Law (PIPL) and will apply alongside the PIPL and three other Chinese privacy and security laws (the Cybersecurity Law, the Data Security Law, and the Internet Information Services Management Rules). It is not yet known whether updated drafts should be expected or when these regulations would take effect. The Cyberspace Administration of China is tasked with supervision, management, and enforcement. The IAPP has reviewed the scope and purpose of these new regulations in depth for readers who want more detail.
Alexa, appeal that fine
Amazon filed an appeal with the Luxembourg Administrative Tribunal challenging the ~$865 million fine issued in July. Amazon argues that there was no data breach or similar exposure that would justify the penalty.
FTC primed to discuss internet service providers’ privacy practices
In 2019, the Federal Trade Commission issued orders to seven internet service providers (AT&T, AT&T Mobility, Comcast Cable Communications, Google Fiber, T-Mobile U.S., Verizon Communications, and Cellco Partnership) to examine their privacy practices. Specifically, the FTC sought to learn what types of data are collected, whether any data is shared, how customers can access, correct, and delete their data, what internal policies govern handling of the data, and whether the data is aggregated, anonymized, or de-identified. The FTC ultimately examined six of those major ISPs and three of their advertising affiliates. On October 21, the FTC will hold an open meeting to present the findings of those investigations.
Cytrio raises $3.5 million in seed funding, launches SaaS privacy rights management platform for mid-market companies.
Sources: IAPP, TechCrunch
Further reading from this week:
- Study: Consumers are taking a more active role in protecting their privacy (IAPP)
- Apple CEO Tim Cook focuses on privacy, education and advocacy during Silicon Slope Visit (IAPP, SLTrib)
- Study: Marketers plan dream-tech, 39% of consumers on board (IAPP, ZDNet)
- Canada: Bill 64 on modernizing Quebec’s privacy law – Why it matters and how to prepare (Dentons)
- More on Quebec’s Bill 64 (IAPP)
- European Union: Digital Services Act, Digital Markets Act updates – Members of the European Parliament are a long way from a common position on the proposals (IAPP, Financial Times, Politico)
- United Kingdom: UK ICO publishes second draft chapter on privacy-preserving practices (IAPP, ICO)
- United States: U.S. Senators’ open door to a private right of action in federal privacy law (IAPP, Brookings.edu)