Week of August 23, 2021

–

Want to receive these weekly privacy recaps in your inbox? Sign up for our privacy newsletter, A Little Privacy, Please.

EUROPE

uK announces plans for data law “SHAKE-UP”

UK Digital Secretary Oliver Dowden announced plans to develop a “world-leading data policy” that departs from GDPR in the wake of Brexit, including:
• Prioritizing “data adequacy” partnerships with the U.S., Australia, South Korea, Singapore, Dubai and Colombia
• Naming John Edwards, New Zealand’s serving Privacy Commissioner as the preferred new Information Commissioner
• Reforming data laws “so that they’re based on common sense, not box-ticking”

The UK government said it will launch a consultation on changes in the coming weeks. An EU spokesperson reportedly responded to the announcement by warning that it could rescind the UK’s adequacy standing with the EU if there is “justified urgency” threatening EU citizens as a result of the changes departing too far from the EU’s GDPR.

OUR TAKE

It’s too soon to say how this will affect the digital advertising industry. If the intention is to adjust privacy laws to have a more meaningful impact on both consumers and businesses, the resulting changes could lead to more responsible data practices and streamlined innovation. On the other hand, new requirements that don’t contemplate practical application in the digital marketing ecosystem could have the negative effect of creating further complexity for businesses — not to mention confusing, inconsistent experiences for consumers. 

MALTA GUIDANCE ON COOKIE CONSENT

The Malta Information and Data Protection Commissioner released a Guidance Note on Cookies Consent Requirements for compliance with the ePrivacy Directive and GDPR.

The Guidance lays out a non-exhaustive list of non-compliant practices, including “cookie walls” that require users to “accept all cookies” in order to access the site; pre-ticked boxes; and consent triggered by scrolling or swiping (as opposed to clicking a button). 

OUR TAKE

Malta’s guidance is consistent with guidance we’ve seen from other data protection authorities (e.g., the CNIL in France), highlighting the GDPR’s definition of consent as “freely given” and an “unambiguous indication of the data subject’s wishes” in the context of the ePrivacy Directive. 

ICO enforcement of the UK Children’s Code

In anticipation of the UK Age Appropriate Design Code (commonly referred to as the Children’s code) coming into force September 2, the ICO announced its intention to be proactive in requiring organizations to tell them how their services are in line with the code, reminding of the ICO’s powers to investigate or audit organizations “should the circumstances require”. The ICO highlighted “inappropriate adverts” as a use of children’s data (among others) that they’ve identified as potentially causing harm to children, particularly in social media, video and music streaming and video gaming sectors. 

OUR TAKE

The UK Age Appropriate Design Code is paving the way for a focus on children’s privacy that we’re already starting to see in other parts of the world. As the ICO mentions, the Children’s code has influenced legislation in the United States and Ireland, as well as fundamental policy changes from major tech companies like Google and Facebook. 

IAB Europe vendor enforcement

IAB Europe announced a new TCF Vendor Compliance Program to identify and enforce against non-compliant vendors registered with the TCF, starting September 1. The enforcement program includes a 28-day cure period for initial violations and a suspension policy for vendors that fail to cure identified breaches or that are notified of more than 3 breaches in a 12-month period. IAB Europe has had a similar compliance program for registered CMPs in place since 2019.

OUR TAKE

The new program is likely welcomed by TCF participants who take the TCF Policies seriously and rely on other participants to ensure consistent data practices across the digital advertising ecosystem. 

UNITED STATES

COPPA claims against Angry Birds developer

New Mexico Attorney General Balderas filed a federal lawsuit against Rovio Entertainment, developer of the Angry Birds game, alleging violations of the federal Children’s Online Privacy Protection Act (COPPA) and New Mexico’s Unfair Practices Act (UPA) for collecting personal information from children and transferring it to third-party ad networks through SDKs. 

OUR TAKE

AG Balderas has been aggressively focusing on children’s privacy over the last couple of years, having previously filed a complaint against the Tiny Labs app developer and several associated ad networks (see story below) and having filed and then appealed a lawsuit against Google regarding its collection of personal data through its educational tools. Balderas also joined 43 other states Attorneys General in a letter this past May urging Facebook to abandon its plans to create a version of Instagram for Children. 

Google’s children’s privacy settlement

Google reportedly settled claims by New Mexico’s Attorney General that its mobile ad platform, AdMob, knowingly facilitated collection of data through apps aimed at children in violation of UPA and COPPA (see above story). The terms of the settlement are undisclosed. 

OUR TAKE 

Similar claims against MobPub, Inmobi and AppLovin were dismissed last year based on insufficient evidence that the companies knew the apps were aimed at children. Although COPPA applies strict liability (regardless of knowledge) to apps or websites directed to children that collect personal information without parental consent, a third-party service (like an ad network or SDK) that collects personal information from an app or website is not in violation of COPPA unless it has actual knowledge that the app or website is directed to children. 

The district court held last year that communications between the Ad Network SDKs and their servers containing persistent identifiers, the app developer name, and the app title were insufficient to establish actual knowledge, even with app names like “Fun Kid Racing”, because the communication was an automated transmission of data signals, “not the communication of comprehensible information from which a sentient being might ascertain the child-directed content” of the apps. 

However, unlike the other Ad Network defendants, Google allegedly reviewed the content of the apps in question on multiple occasions, including when they were submitted and accepted into Google’s Designed for Families program on Google Play, which required that participating apps “be relevant for children under the age of 13”. The court held that these reviews gave Google “a first-hand awareness or understanding of the child-directed nature of those apps”, which the court held to be sufficient to allege actual knowledge that the apps were directed to children. 

Want more of the privacy highlights that matter to adtech and martech? Sign up for our privacy newsletter, A Little Privacy, Please.

A Little Privacy, Please weekly recaps are provided for general, informational purposes only, do not constitute legal advice, and should not be relied upon for legal decision-making. Please consult an attorney to determine how legal updates may impact you or your business.