On June 28, 2019, the French Data Protection Authority (CNIL) released its 2019-2020 action plan on ad targeting (action plan);1 among other things, the CNIL announced that it will issue new cookie guidance later this month and that, once the guidance is published, companies will have a 12-month grace period to come into compliance.

Background

When the General Data Protection Regulation (GDPR) became effective on May 25, 2018, it imposed stricter conditions for obtaining valid consent to process personal data. In short, consent must be freely given, specific, informed, and unambiguous. Individuals must also be able to withdraw their consent at any time. The European Data Protection Board (EDPB) issued guidelines to further clarify the “do’s and don’ts” for obtaining valid consent (consent guidelines), including that scrolling down or swiping through a website is not enough to obtain valid consent. Rather, consent must be obtained via a clear and affirmative action, such as clicking on an “I agree” button.Continue Reading The CNIL Announces Its 2019-2020 Action Plan on Ad Targeting

On June 20, 2019, the UK’s Data Protection Authority (ICO) published a report on adtech and real-time bidding. The report highlights the main problems faced by the industry when applying the General Data Protection Regulation’s (GDPR’s) stringent requirements, and calls for further engagement on these issues by the different adtech players in the space.

Background

When the GDPR became effective on May 25, 2018, it imposed new and strict obligations on companies processing personal data. In the UK, the Privacy and Electronic Communications Regulations (PECR), which implements the EU e-Privacy Directive and will soon be replaced by the e-Privacy Regulation, complements the GDPR requirements. Both the GDPR and PECR govern how data is collected and further processed in the online advertising industry, including requiring notice and a legal basis for processing. The PECR specifically applies to the use of cookies and similar technologies and sets out the rules for consent to use these technologies.Continue Reading The ICO Publishes Its Stance on Adtech and Real-Time Bidding

In July 2018, the French data protection authority (the CNIL) issued two public formal notices against two marketing platform providers—

Teemo1 and Fidzup2—for failing to obtain valid consent under the General Data Protection Regulaton (GDPR) for the use of location data for profiling and targeted advertising.3 The CNIL gave the two French companies three months to change their practices to comply with EU data protection law. On October 3, 2018, the CNIL closed the matter against Teemo,4 as it considered that its updated practices now comply with the GDPR.5 The actions provide an indicator as to how Data Protection Authorities (DPAs) may approach enforcement under the GDPR.
Continue Reading France: CNIL Issues Formal Notices Against Two Marketing Platforms for Lack of Valid Consent for the Processing of Location Data

ThinkstockPhotos-178868654The Federal Trade Commission (FTC) recently approved a new method for website operators and mobile application developers (“operators”) to obtain parental consent to collect personal information from children.1 Under this new method, which is the first to use biometric identifiers to verify that a parent is providing consent for a child, the FTC will permit operators to use facial recognition technology to compare an image of the person providing consent with an image of verified photo identification, such as a drivers’ license or passport. If the two images match, the user is verified and can provide consent for the child to use the website or mobile application.
Continue Reading FTC Approves Facial Recognition as Method of Obtaining Parental Consent to Collect Children’s Information

ThinkstockPhotos-503916682-webOn July 10, 2015, the Federal Communications Commission (FCC) released its long-anticipated Declaratory Ruling and Order1 addressing twenty-one petitions and requests seeking clarification of, and relief from, various provisions of the Telephone Consumer Protection Act (TCPA) and the FCC’s implementing regulations.2 The order provides some much-needed clarity in certain areas, but commentators have generally concluded that the order has broadened the reach of the TCPA and inserted uncertainty in other areas, making calling or texting consumers an increasingly risky business practice.
Continue Reading FCC Issues Omnibus TCPA Declaratory Ruling and Order Addressing Numerous Issues Regarding Calling and Texting Consumers

On January 15, 2014, the Federal Trade Commission (FTC) announced that Apple, Inc. had agreed to pay a minimum of $32.5 million in full refunds to consumers to settle allegations that the company was billing customers for purchases that children made from the company’s App Store without parental consent.1 According to the FTC, since at least 2011, thousands of children had unwittingly racked up significant App Store charges without their parents’ knowledge because the company’s billing procedures allowed users to incur unlimited in-app charges for a 15-minute window after downloading new software onto a device.2
Continue Reading Apple Agrees to Refund at Least $32.5 Million to Settle FTC Complaint Alleging That It Charged Kids’ In-App Purchases Without Parental Consent