Data Security

Subscribe to Data Security

One of the next big items in Europe will be the expansion of “ePrivacy,” (which, among other things, regulates the use of cookies on websites). While the ePrivacy reform is still being worked on by EU lawmakers, one of the items the ePrivacy Regulation is expected to update is the use of “cookie walls.” Recently, the Austrian and UK data protection authorities (DPAs) issued enforcement actions involving the use of cookie walls, albeit with different findings and conclusions.

Cookie Walls

A cookie wall blocks individuals from accessing a website unless they first accept the use of cookies and similar technologies. The practice of using cookie walls is not prohibited under the current ePrivacy Directive.

However, the European Data Protection Board (EDPB), the successor to the Article 29 Working Party, has issued a non-binding opinion that the use of cookie walls should be prohibited under new EU ePrivacy rules. The EDPB argues that cookie walls run contrary to the General Data Protection Regulation (GDPR): “In order for consent to be freely given as required by the GDPR, access to services and functionalities must not be made conditional on the consent of a user to the processing of personal data or the processing of information related to or processed by the terminal equipment of end-users, meaning that cookie walls should be explicitly prohibited.”


Continue Reading

As close observers of the implications of privacy law on companies’ data collection, usage and disclosure practices, we at Socially Aware were among the many tech-law enthusiasts anticipating the U.S. Supreme Court’s recent decision in Carpenter v. United States, in which the Court held that the government must obtain a warrant to acquire customer location information maintained by cellular service providers, at least where that information covers a period of a week or more.

Authored by Chief Justice John Roberts, the 5-4 opinion immediately enshrines greater protections for certain forms of location data assembled by third parties. It also represents the Court’s growing discomfort with the so-called “third-party doctrine”—a line of cases holding that a person does not have a reasonable expectation of privacy in records that he or she voluntarily discloses to a third party. In the longer run, there will likely be further litigation over whether the same logic should extend Fourth Amendment protections to other types of sensitive information in the hands of third parties as courts grapple with applying these principles in the digital age.

Background

Anytime a cell phone uses its network, it must connect to the network through a “cell site.” Whenever cell sites make a connection, they create and record Cell Site Location Information (CSLI). Cell phones may create hundreds of data points in a normal day, and providers collect and store CSLI to spot weak coverage areas and perform other business functions.
Continue Reading

Companies that offer services, whether online or offline, to consumers on a subscription or other automatic renewal basis should be aware that such offers are heavily regulated at both the federal and state levels. A recent amendment to Section 17602 of California’s Business and Professions Code provides a good opportunity for businesses that make subscription offers to review their practices. As of July 1, 2018, the obligations under California law will expand in two ways that may require businesses to update those practices.

The first change relates to the information that businesses must provide to consumers regarding the terms of a subscription offer. The current law already requires a business to provide certain information about the renewal process—such as the amount of the recurring charges, the length of the renewal period, and the cancellation policy—both before the consumer accepts the agreement, and afterwards in an acknowledgement. The amendment provides that, as of July 1, 2018, if the offer includes any free trial or gift component, the information provided to consumers must also include a “clear and conspicuous explanation of the price that will be charged after the trial ends or the manner in which the subscription or purchasing agreement pricing will change upon conclusion of the trial.”
Continue Reading

After British police unsuccessfully tried to get the blogging platform WordPress.com to remove offensive and threatening posts, the deputy leader of the UK’s Labour Party vowed to urge changes that would make the country’s laws less tolerant of online abuse.

As bipartisan U.S. legislation to prevent the appearance of foreign-entity-funded political ads on social media

With much fanfare, the Federal Trade Commission (FTC) continues to take actions relating to so-called “social media influencers” who allegedly fail to disclose material connections to the products or brands they endorse. Recurring enforcement actions and guidance—and the FTC’s ongoing promotion of its own efforts, such as through Twitter chats—make it clear that the FTC believes that its message has still not been heard by all of the players in this advertising ecosystem, including influencers themselves.

In short, any endorsements in any medium where the endorser has a material connection of any kind to the endorsed advertiser must be disclosed.

The most recent developments include an enforcement action against a company—and two of its officers—in connection with endorsements of the company made by the officers in YouTube videos and in social media.  Before turning to this case, however, we provide a brief overview of how the FTC has gotten here.
Continue Reading

Recent challenges to the Federal Trade Commission’s (FTC) authority to police data security practices have criticized the agency’s failure to provide adequate guidance to companies.

In other words, the criticism goes, businesses do not know what they need to do to avoid a charge that their data security programs fall short of the law’s requirements.

A series of blog posts that the FTC began on July 21, 2017, titled “Stick with Security,” follows promises from acting Chair Maureen Ohlhausen to provide more transparency about practices that contribute to reasonable data security. Some of the posts provide insight into specific data security practices that businesses should take, while others merely suggest what, in general, the FTC sees as essential to a comprehensive data security program.
Continue Reading

As Socially Aware readers know, privacy and data security issues are among the most critical legal issues confronting companies that do business online. With ransomware attacks and hacking incidents on the rise, and with privacy and data security laws becoming increasingly burdensome, companies are spending more time and resources than ever before addressing privacy and

On June 22, 2017, the German Parliament passed a bill that, among other things, awards extensive surveillance powers to law enforcement authorities. The new law, once in force, will allow law enforcement to covertly install software on end user devices allowing the interception of ongoing communications via Internet services such as WhatsApp or Skype. These new measures may be used for investigating a wide array of crimes (the “Catalog Crimes”), which are classified as “severe” but range from murder to sports betting fraud to everything in between.

Today, the German Federal Criminal Police Office (BKA) is only allowed to engage in similar activities to prevent international terrorism. All other law enforcement authorities are only allowed to intercept regular text messages and listen to phone conversations in cases of Catalog Crimes. However, these investigators are currently fighting a losing battle against end-to-end encrypted Internet services. With respect to such services, the current legal framework only allows for access via the respective telecom operators. These operators, however, can only provide law enforcement with the encrypted communications streams. By introducing the new law, the German government now aims to prevent “legal vacuums” allegedly resulting from this surveillance gap.
Continue Reading

Live Webinar: June 6, 2017 at 12:00 PM (ET) / 9:00 AM (PT)

The May 2018 compliance deadline for the EU’s new General Data Protection Regulation (GDPR) is fast approaching and—with non-compliance penalties of up to €20 million or 4% of annual global turnover at stake—you cannot afford to miss the deadline.

Please join Socially

In the most recent edition of his CyberSide Chat series, Socially Aware contributor Andy Serwin discusses ransomware attacks, including:

  • the reasons why ransomware attacks are becoming more common;
  • the types of ransomware attacks companies should prepare to address; and
  • the strategies that companies can employ to help guard against, and to help mitigate the damage