That’s why the evolution of privacy regulations, or rules governing the protection of personal data, has reshaped how marketing teams operate.

According to IAB’s State of Data 2024 report, 82% of organizations say the makeup and structure of their teams have been impacted by legislation and changing data rules.

The default response is typically to focus more resources on legal teams or consultants. In this article, find out why consent management should matter more to marketers and how it can help boost their marketing performance.

Is your compliance tech stack holding your marketing team back?

That’s a problem worth examining.

The tools you use for consent management, generating privacy policies, and monitoring your setup don’t just affect your legal exposure but also your opt-in rates, analytics accuracy, brand trust, and your ability to run campaigns with reliable data. Those are marketing outcomes. And they deserve a marketing approach to what is seen as “compliance tools”.

Most marketing teams didn’t deliberately build their compliance stack. They assembled it piece by piece in response to regulation:
– an outdated privacy policy, drafted by a legal professional once or through an online template,
– a cookie banner and cookie policy when the ePrivacy came into force,
– legal text that hasn’t been updated or optimized with your processes in mind.

This is the patchwork stack, and it creates friction at every turn.

The hidden cost of a fragmented compliance setup

Think about consent rate as a marketing metric, because that’s what it is. Every percentage point of missed opt-in is a user you lose insight into.

On top of that, if you don’t properly comply with industry best practices such as the IAB’s Transparency and Consent Framework, your ability to attribute campaign performance or track conversions is affected. A poorly configured or underperforming consent banner makes that worse, and it’s a problem that sits squarely in the marketing team’s lap.

Lastly, the privacy landscape continues to evolve. With a fragmented stack, each change triggers a manual chain: understand the regulation, assess the impact across tools, update each separately, and verify consistency across environments. That’s time your team isn’t spending on core marketing activities.

Manual coordination between tools means:

• slower response when something changes,
• duplicated work: your marketing team builds a consent flow, your legal team checks it against the policy doc, your development team deploys it, and then the cycle repeats every time a regulation shifts or a new market comes into scope.

Invest in all-in-one compliance tools for your marketing growth

IAB’s research states that one of its four key focus areas for adapting to a privacy-aware ecosystem is to optimize your company technology stack for efficiency by identifying overlapping functionality and evaluating whether tools can be consolidated and simplified.

Meanwhile, Think with Google research on privacy-forward marketing makes the commercial stakes clear: people are willing to share their data when they can see the value and trust the company. Your ability to deliver that experience depends on the tools for managing consent and transparency.

Tanneasha Gordon, Data & Digital Trust Leader at Deloitte, declares for Think with Google:

“Today’s digital privacy landscape offers a tapestry of opportunities and technologies to those willing to adapt […]. Marketing leaders should consider empowering their teams to invest in privacy-first solutions and experiment with technologies […]. Find the right partners, establish processes, and innovate with privacy-preserving technology.“

Reduced complexity as a competitive edge

One connected platform means one configuration, one dashboard, one update when laws change. Your marketing and legal teams share the same source of truth, cutting the back-and-forth that delays launches.

Fewer tools mean fewer failure points and no risk of a touchpoint being out of sync with another.

Reallocate resources into your compliance infrastructure

When privacy is managed in one place, every hour recovered is an hour your team can spend building core marketing activities.

Andreea Mandeal, our Chief Marketing Officer at iubenda, has seen this play out firsthand:

“Speed comes from handling compliance early. Teams that ‘stay agile and fix it later’ almost always end up slowing themselves down with rework, blocked launches, or emergency legal reviews, and that’s coming from experience. When consent, privacy, and compliance are built in from day one, product, marketing, and growth teams can move faster with confidence. You test more, ship more, and scale without hitting invisible walls. Getting it right upfront saves time, money, and rework later.”

The companies adapting fastest are investing in training, not just tools. According to IAB, 63% of organizations are now training staff on first-party data collection, and 54% on privacy compliance and privacy-preserving technology.

Marketing teams that build this literacy internally move faster. Knowing how consent works, which data you can use, and how regulations affect your measurement setup reduces the dependency on legal review cycles. You also get to understand what you can test or improve to get a better consent rate, for instance.

Use compliance tools that offer performance-related features

Regulation isn’t settling down. A platform that handles it well also comes with marketing features most teams overlook. Your banner is a legal obligation, but also a conversion surface.

Compliance tech comes with features that directly impact your performance, for example:

• Consent rate analytics: Track opt-in rates by page, geography, and device. Understand where you’re losing users before they even engage with your content.
• Banner A/B testing: Test copy, layout, and timing to improve opt-in rates. A better-performing banner means a larger measurable audience.
• Geo-targeted consent flows: Serve different banner experiences and languages by region based on local regulations, without rebuilding your setup each time.
• Regulatory updates without the sprint: When laws change, the platform updates. Your team moves on.

Trusted solutions built for the long term

Not all privacy tools are built the same way. When evaluating options, look for signals that a platform is complete and designed for durability, not just current requirements. The platform should:

• stay ahead of where the market is going, not just where it is today. E.g., a provider with IAB’s Transparency and Consent Framework (TCF) is on top of requirements for advertising in Europe and building to stay there,
• cover what marketing teams need to manage in one place, like consent and preferences management or records, related analytics, legal document management like privacy policies or terms. These tools work together, which means updates are consistent and your team manages everything from one dashboard.

For marketing teams that want to move fast, improve opt-ins, and measure in a reliable and privacy-friendly way, the right compliance infrastructure is the foundation.

Consent management is a marketing performance question because the compliance tools that manage data practices and user consent to marketing activities like content personalization or tracking play a key role in your opt-in rate, ad serving, brand trust, or first-party data strategy. These aren’t only compliance outputs but marketing metrics.

See how iubenda’s connected set of digital compliance solutions helps your marketing team move faster as you scale

The post Why your consent management setup is a marketing performance question appeared first on Compliance Solutions for Websites, Apps and Organizations | iubenda.

The report also tells us that, in response, European marketers have made customer retention their primary focus, above new customer acquisition.

Retaining an existing customer costs less than acquiring a new one, and in a period of constrained budgets, doubling down on loyalty makes economic sense.

As displayed on the chart below, 43% of marketers in Europe said customer retention was their top or second priority in 2025.

Apart from focusing on the visible mechanics (loyalty programs, re-engagement campaigns, personalized offers), we think transparency and trust are worth a much closer look to improve retention. Here’s why.

The trust gap is a retention problem

Here’s the uncomfortable truth: only 34% of consumers believe companies are honest about how they use their data (Deloitte, 2023).

When trust is that low, even the best retention strategy has a ceiling. Loyalty programs, personalized emails, exclusive offers: they all depend on people believing your intentions are good.

Transparent data practices close that gap because the way a company handles data is a visible signal of how it respects its customers.

In Europe, this matters more

With strong regulations like the General Data Protection Regulation (GDPR), awareness of data rights is higher in Europe than almost anywhere else.

A consent banner that buries the “reject” option, a privacy policy written in dense legal language, an email list with no real way to update preferences: these experiences reduce engagement and result in less willingness to share information voluntarily.

It’s also worth noting that the same Nielsen report found European marketers to be the only region globally to rank transparency, not accuracy, as their top priority for measurement technology. If you value transparency in the tools you use, it follows to ask whether you’re extending the same standard to the people you’re marketing to.

Where data experiences quietly erode trust

Most marketing teams genuinely care about trust, but compliance often stays on the back burner. Instead, it’s best to bring data process design into your customer experience strategy rather than treating it as a back-office concern.

Some of the most common patterns:

• Pre-ticked boxes: A legal issue in most European markets, and a trust issue. It signals that the default assumption is that customers will agree, rather than that they’re being given a genuine choice.
• No way to adjust preferences: Someone who consented to all marketing communications two years ago may now only want product updates. If the only option is a full unsubscribe, the company loses the contact entirely when a more granular preference would have kept the relationship alive.
• Cookie banners that obscure the reject option: Customers increasingly recognize dark patterns. When the “accept all” button is prominent and the alternative is buried, visitors get frustrated and attribute it to the brand.
• No straightforward way to unsubscribe: When it takes more than a few seconds to find the unsubscribe link, or when the process requires multiple confirmations, customers notice. Sometimes the link isn’t even present. The experience communicates that leaving is inconvenient by design.
• Consent language that explains nothing: When consent language is vague, people can’t make an informed choice, and over time they become more suspicious.

These accumulate into a picture of how a company treats customers, and that picture has a direct effect on retention.

What a more transparent approach looks like

Some easy fixes that can have a great impact on trust:

• Consent banners that offer a genuine choice: Both options equally accessible, with language that explains what’s actually being collected and why. This is the minimum standard under GDPR, but many implementations still fall short in practice.

• A privacy preference center: Rather than a binary opt-in or opt-out, a preference center lets customers decide what they want to receive and how. Someone who reduces their preferences is still a subscriber, on their own terms. That’s a stronger signal of intent than a passive opt-in from years ago. For marketers, it also means having customer lists that are more reliable.
• A privacy policy written to be read: Most companies draft privacy policies to satisfy legal requirements, not to communicate clearly. A policy in plain language, organized visiaully so a non-specialist can find what they’re looking for, functions as evidence of transparency rather than just a legal document.

Why giving people control tends to increase engagement, not reduce it

The “Privacy by design: the benefits of putting people in control” report by Google concludes that:

“There are strong privacy practices that brands can deploy to increase feelings of control, and the most effective combinations have a notable positive impact on more than just feelings of control (…) Our study suggests brands that can offer these experiences will, over time, see a positive snowball effect — people will feel in control, which increases brand trust and boosts brand preference. Brands that neglect privacy risk the opposite scenario.”

Trust is built through the cumulative experience of interactions with your brand:

Let’s admit it, it can sound counterintuitive, but giving people more control doesn’t reduce engagement, quite the opposite.

For example, having a clear preference center refines your audience into people who actually want to hear from you, and that audience converts better. This is essential to keep in mind for your retention strategy.

iubenda: built for global compliance, designed for trust

We built our professional tools around the idea that consent and privacy infrastructure should function as a brand asset, not just a compliance requirement.

In practice, that means:

• Consent banners built to meet legal requirements: Designed to give customers the right information and a genuine, understandable choice.
• Privacy widget: Meaningful control over what users have agreed to, with a straightforward way to adjust those choices at any time. Available as a small icon on all your pages to be paired with your accessibility widget.
• Privacy and Cookie Policy Generator: Clean and readable policies in plain language, updated to reflect changes in the law as they happen.

Inspire more trust in your brand and improve retention

The post European marketers are betting on retention. Privacy could be the edge they’re not using yet. appeared first on Compliance Solutions for Websites, Apps and Organizations | iubenda.

That’s why the European Commission’s “Digital Omnibus” proposal has been getting so much attention. The headlines can be dramatic (“cookie banners are going away”), but the real story is more practical: the Commission is trying to reduce consent fatigue by looking at how consent is usually collected and simplifying the legal requirements around it.

Below is what matters most for publishers, what the proposal promises, what’s still unclear, and why pay-or-ok models are likely to stay central either way.

The EU’s proposal in a nutshell

The Digital Omnibus proposal (published 19 November 2025) is the Commission’s attempt to simplify parts of the EU’s digital and privacy framework. One key shift: cookie-related rules, now part of the ePrivacy Directive, would move into the General Data Protection Regulation (GDPR), so businesses are not struggling to keep up with too many scattered legal requirements.

On cookie consent specifically, the proposal suggests:

• Consent still matters for marketing. Advertising, profiling, cross-site tracking, and most third-party analytics remain “opt-in” scenarios.
• Fewer repeated prompts. The proposal supports clearer banner standards (including making “Reject” as easy and visible as “Accept”) and limiting how often you can re-prompt after a refusal.
• A long-term push toward browser or OS-level choices. A new system was proposed: “machine-readable” consent signals, so a user could set preferences once at the browser level, and websites would need to read and apply them.

A lot of questions arose from the proposal and will probably find their answer in future publications by the European Commission around the topic. In the meantime, the proposal will continue its journey through the EU legislative process.

There will likely still be a series of legal and technical requirements for websites to handle, like informing users of their practices around data and privacy, blocking cookies when no consent is given, etc.

Why cookie consent is crucial for publishers

As a publisher, you sit in a different reality than many other website owners.

Your model is often some mix of ad-funded access, subscriptions (hard paywalls, freemium), or hybrids (memberships, logged-in experiences).

Cookie consent affects all of it, but the pressure point is usually advertising.

• If you can’t collect valid cookie consent where it’s required, you may lose the opportunity to serve ads altogether.
• If consent is partial, you may not be able to serve ads personalized to the user. It’s less probable for users to click.
• If the consent experience is too heavy, takes too much time to load, the user may go through your content before your high-value, above-the-fold ads display. It’s less probable for users to click.

All the above can have a high negative impact on your revenue.
That’s why, as a publisher, you should make sure to curate your cookie consent processes.

Consent processes are so important for you, and yet they’re a strong pain point for your visitors. The reality is that most people don’t want to decide about cookies. They want the article, the video, the recipe.

Repeating that same decision on every new site is a fast track to the frustration that the EU’s proposal targets: fewer repeat prompts, clearer UI expectations, and, eventually, more centralized preference signals.

A special exemption granted to media providers

Here’s the part you probably immediately noticed: a carve-out for “media service providers”.

In the proposal’s logic, if users are given the possibility to broadcast a global “reject tracking” signal from their browser, ad-funded media could take a hit.

In other words, if the user were to deny consent at the browser level to advertising, for instance, media providers would not be able to display ads, which is usually their main source of revenue.

So the proposal suggests that media service providers should not be obliged to respect those globally-transmitted signals (in view of the need to finance media through advertising) and could still ask for consent in the usual way, whether through a traditional banner, a pay-or-ok model, etc.

There’s a tricky nuance here to be aware of: media service providers would not have to respect global consent rejection signals set by users. This, of course, doesn’t mean that they would be exempt from general consent rules like informing users or letting them update their preferences through a banner. Only that the signal mechanism might not be binding the same way for that category.

Some publishing platforms may not be subject to this exemption.

At these early stages of the proposal, there is still some uncertainty around the boundaries and scope of the media service provider definition. Make sure to seek expert advice to understand if you wouldfall within the exemption.

Pay-or-ok model: why it won’t disappear

If you work in media, you already know the trend: pay-or-ok is everywhere. And the user behavior is predictable: “I’ll just consent, because I don’t want to pay.”

When the “free” option is funded by ads and tracking, many readers will choose it.

Paywall? Pay-or-ok? Here’s a quick refresher for those who are new to these terms.

A paywall controls access to content. Users must pay (or subscribe) to read, watch, or listen. In short: Pay to access content.

A pay-or-ok model links access to content directly to consent for tracking. Users can either pay (usually via subscription) or consent to advertising and tracking. Advertising revenue replaces subscription revenue for users who choose “ok.” In short: Pay with money, or pay with data.

We can argue that pay-or-ok doesn’t help reduce consent fatigue. The annoyance of the banner and making a choice is still there. In general, EU privacy discussions keep scrutinizing “consent or pay” models to make sure they are fair (consent is freely given).

Regulators pay attention to whether the user genuinely has a choice, how pricing and alternatives work, and whether pressure is applied.

So even if the Omnibus proposal would give media service providers room not to honor global reject signals, pay-or-ok design will still be under a microscope. The question shifts from “can you show a banner?” to “is the choice fair, clear, and defensible?”

Subject to future clarifications of the media service provider definition, Consent Management Platforms may remain central for publishers as they would still need a reliable and compliant infrastructure to manage cookie release, consent walls, and pay-or-ok logic if it’s not done in-house.

What the proposal means for publishers now

The best you can do now is the following:

• Stay informed and monitor further developments, as this is just a proposal. It’s not law yet.
• Keeping your consent flows, preference handling, and internal documentation practices in check could help reduce future implementation effort.

Existing legal obligations still apply, and you don’t need to change anything because of the headlines. It’s a multi-year transition, and publishers will likely operate in a hybrid world for a long time.

Even if adopted, this won’t be a “flip the switch” moment. The legislative path is long, and clarifications will come in time. Requirements would start to take effect several months after entry into force.

Parts of the proposal have sparked some debate and will have to be addressed. For publishers, the biggest uncertainty is also the most basic: who counts as a “media service provider”?

Early commentary has already pointed out that this carve-out may be challenging to apply in practice and could be open to misuse. The exemption shouldn’t create a blanket legal basis for tracking and other marketing activities.

iubenda is an all-in-one, scalable privacy compliance infrastructure that can help you improve your marketing performance and grow confidently.

Our team works by your side to help optimize your consent rate and processes, to support your revenue growth.

Disclaimer: This article discusses a legislative proposal, not final law. The content reflects iubenda’s interpretation as of February 2026 and should not be relied upon as legal advice. Consult your own legal counsel for guidance specific to your business.

The post What publishers should expect from the EU’s Digital Omnibus proposal appeared first on Compliance Solutions for Websites, Apps and Organizations | iubenda.

On this page, you can find information about which data from the products you use can be exported, in which formats, as well as known restrictions, technical limitations, and details on international governmental access and jurisdiction.

• Dataset: team admin details, activated and installed products, timestamp of the user’s takeout request, email addresses of team members and their roles, payment history and subscription plan details for each website, owner information, site business and service preferences, metadata about Cookie Banner installation (color, positioning, etc.), CS analytics (page views, consent percentage, etc.), custom clauses, CPL, metadata about widget installation, export of Whistleblowing Management Tool requests and related data (text, email, phone number, etc.), export of Data Subject Rights Management Tool data (user consents, etc.), and export of Newsletter Opt-in Booster subscriptions (creation date, subject, source).
• Formats: JSON
• Standards/specs: UTF-8
• Notes: clauses protected by intellectual property rights are non-exportable; the dataset above includes data relating to all products, therefore some of the listed data may apply only to specific products.

Jurisdiction to which the ICT infrastructure deployed for data processing of services is subject: Italy.

To ensure the lawful and secure handling of EU-held non-personal data, we have established the following technical, organisational, and legal safeguards to prevent international governmental access or transfers that would conflict with EU or Member State law:

• Technical measures: cryptography; EU Cloud; EU-only key management; access management with admin access from EEA only; yearly audits; ISO 27001 certification.
• Organisational and legal measures: business continuity and incident management procedures; cloud security procedures; designated legal team to assess any government requests; employees' training; suppliers' qualification and monitoring procedure; data deletion policy; records of requests maintained; notice to customers.

If you would like to know more about the measures in place, please refer to Annex I of the DPA at this link.

The post Data Export Register – Dataset, Formats, Standards, Jurisdiction appeared first on Compliance Solutions for Websites, Apps and Organizations | iubenda.

The European Commission published its Digital Omnibus Regulation proposal on November 19, 2025. For anyone working in digital compliance, this is worth paying attention to.

The proposal aims to simplify and modernize Europe’s regulatory framework by amending several key laws, including the GDPR, ePrivacy Directive, Data Act, NIS2, eIDAS, DORA, and CER.

The text will evolve as it moves through the EU legislative process. But the trajectory is promising, and we’re committed to helping you understand what’s ahead.

Before we dive in, here’s what you need to know: this is a proposal, not law. The text is at an early stage and may change substantially as it moves through the EU legislative process. The principles and obligations outlined aren’t yet in force or enforceable. Until the Regulation is formally adopted, the existing legal framework (including the GDPR and other relevant laws) continues to govern data processing activities.

View timeline: From proposal to law (click to expand)

Cookie consent gets a refresh

The proposal moves the ePrivacy cookie rule into the GDPR as new Article 88a. Consent remains the general rule for storing or reading information on devices, but with important updates.

Here’s what’s changing:

• No-consent exceptions added: A closed list now covers transmission, strictly-necessary cookies, first-party audience measurement for your own services, and security of the service or device.
• One-click accept and reject required: Cookie banners must make both options equally easy to choose.
• Six-month cooling-off period: Sites can’t keep re-asking users after they refuse consent for at least six months, unless something relevant changes in your processing activities.

What’s not changing:

• Consent stays central: You’ll still need consent for advertising, profiling, cross-site tracking, and third-party analytics. The proposal doesn’t weaken these requirements.

Machine-readable preference signals

Article 88b introduces something new: machine-readable preference signals. Think browser settings that communicate consent or objection automatically. Controllers will need to honor these signals, and browser vendors will gradually need to support them.

This could fundamentally change how consent flows across the web, moving some choices upstream to the browser level while maintaining user control.

GDPR updates worth noting

The proposal brings several practical changes to the GDPR:

Personal data and pseudonymization

The definition of personal data is narrowed. The key question becomes whether a given controller or recipient has the means to “reasonably ” identify someone. Just because someone else can identify a person doesn’t automatically make that data personal for everyone.

What this means: The Commission, working with the European Data Protection Board (EDPB), can adopt criteria for when pseudonymized data no longer counts as personal data for specific entities.

Right of access gets anti-abuse protections

Article 12 is amended so controllers may refuse access requests or charge a reasonable fee where requests are clearly abusive. This covers scenarios like:

• Harassment campaigns
• Speculative compensation claims
• “Pay me and I’ll withdraw the request” schemes

The burden of proof stays with the controller.

Transparency exceptions for low-risk situations

For low-risk, obvious situations (like local craftspeople or small clubs), controllers may rely on a wider exception where there are reasonable grounds to assume people already have the necessary information.

Standardizing DPIAs and breach notifications

The EDPB must propose EU-wide lists of processing that does or doesn’t require a Data Protection Impact Assessment (DPIA), plus a common template and methodology. The same goes for high-risk data breach notifications: a standard template and criteria that the Commission will turn into implementing acts.

Why this matters: This standardization could reduce compliance complexity, especially for organizations operating across multiple EU member states.

AI and personal data

The proposal’s recitals clarify that using personal data to train, test, and validate AI systems can rely on legitimate interest under Article 6(1)(f). The catch: you need a strict balancing test and safeguards in place.

Required safeguards include:

• Transparency about AI training use
• Unconditional right to object
• Privacy-preserving techniques
• Additional protections based on risk level

A narrow derogation is added for incidental special-category data in AI training sets where removal would be disproportionate. In those cases, the data must be strongly protected and not used to infer or disclose sensitive information. The usual Article 9(2) grounds still apply where special-category processing is actually needed.

Other changes to note

Single EU entry point for incident reporting

A single EU entry point is created for cybersecurity and personal data incident reporting. GDPR controllers will use it for breach notifications, cutting duplicate reporting under NIS2, GDPR, eIDAS, DORA, and CER.

The benefit: This consolidation addresses a real pain point for organizations juggling multiple reporting obligations.

Data Act adjustments

The Data Act gets several updates:

• Stronger trade-secret safeguards
• Business-to-government (B2G) data sharing is limited to public emergencies
• Lighter regime for some cloud contracts
• Open Data Directive and Data Governance Act folded into it

The Platform-to-Business Regulation (P2B) is repealed as largely superseded by newer platform rules.

What this means for your business

This proposal points to where EU privacy regulation is going, and it’s a future we welcome.

Greater user control. Streamlined requirements. Standardization that actually helps. These aren’t just policy goals; they’re the foundation of what we’ve been building at iubenda since the beginning.

“The Digital Omnibus is not law, yet. And until it is, GDPR and ePrivacy compliance remains exactly as you know it. What will not change, even under the future regime, is the need for a robust operational layer translating legal requirements into technical enforcement. That’s still your CMP. Global signals and automation don’t replace CMPs; they make them indispensable, because someone still needs to bridge abstract rights and concrete code.”

Giulia Stancampiano, Product Legal Manager Privacy, iubenda

We’re committed to playing an active role as this proposal takes shape, helping ensure it works in practice for businesses and their customers alike.

The legislative process takes time, but we’ll be with you every step of the way, turning regulatory change into clear, actionable guidance.

Frequently asked questions

What is the Digital Omnibus Regulation?

The Digital Omnibus is a proposal from the European Commission that amends and harmonizes multiple EU digital laws, most notably the GDPR and the ePrivacy Directive, to reduce complexity, improve coherence, and modernize outdated provisions.

Is the Digital Omnibus Regulation in force?

No. The Digital Omnibus is still a proposal at an early stage of the EU legislative process. It may be substantially amended before adoption. Until it becomes law, existing regulations like the GDPR continue to apply.

When will the Digital Omnibus become law?

 There’s no fixed timeline.  EU legislative procedures typically take 12–30 months. Once adopted, the Regulation enters into force 20 days after publication. Its new obligations apply in stages (e.g., 6 months for the new cookie rules, 24 months for machine-readable signals).

Does the Digital Omnibus replace the GDPR?

No. The Digital Omnibus amends and updates the GDPR rather than replacing it. It proposes changes to specific articles, such as cookie consent rules and data breach notification procedures.

What changes to cookie consent does the Digital Omnibus propose?

The proposal would require one-click accept and reject options, preventing repeated consent prompts for at least six months after a refusal, and introducing machine-readable preference signals. It also moves the cookie rules into the GDPR (new Article 88a) and clarifies which limited purposes may rely on non-consent exceptions, such as first-party aggregated audience measurement and security.

Will I still need a cookie banner under the Digital Omnibus?

Yes. Consent management systems remain essential for handling user choices, managing proof of consent, and applying preferences correctly. What would change is that some users who set browser-level preferences may not see a banner, as the system would read their existing preference instead. However, media service providers may still request consent even when a global ‘reject’ signal is present.

How does the Digital Omnibus affect AI and personal data?

The proposal clarifies that using personal data to train AI systems can rely on legitimate interest under Article 6(1)(f), provided strict safeguards are in place: transparency, unconditional right to object, and privacy-preserving techniques. It creates a new Article 88c GDPR.

Do I need to do anything right now?

No immediate action is required. Your compliance obligations under GDPR and other existing laws remain unchanged. We recommend staying informed as the proposal evolves, and we’ll keep you updated on any developments that affect your compliance work.

The post Understanding the Digital Omnibus Regulation proposal: what it means for privacy and compliance appeared first on Compliance Solutions for Websites, Apps and Organizations | iubenda.

As an app developer, you must comply with several requirements before publishing your apps and games on the main platforms like Google Play.

The Developer Policy Center is the central hub where Google Play outlines all these rules. It’s divided into sections that you can easily navigate to understand your requirements across various categories.

We’ve put together an overview of these requirements below, with links to the corresponding sections in Google’s policy.

Restricted content

Before submitting an app to Google Play, ensure it complies with content policies and local laws. Restricted content can take many forms, which we have outlined below.

Child endangerment

Google Play’s Child Endangerment policy bans any app that allows child sexual abuse material (CSAM) or enables exploitation, grooming, sextortion, trafficking, or sexualisation of minors.

Apps that target or appeal to children cannot include adult themes like violence, harmful activities, or body-shaming cosmetic features.

Social and dating apps must follow strict child safety standards. They need to:

• Clearly prohibit child sexual abuse and exploitation in their Terms of Service or community guidelines
• Offer in-app reporting mechanisms
• Act quickly to remove CSAM
• Comply with child safety laws
• Appoint a dedicated child safety contact

These rules are designed to protect children and hold developers accountable. Read more about the Child Safety Standards policy here.

Inappropriate content

Google Play’s Inappropriate Content policy bans apps that promote or include:

• Sexual content or explicit material
• Profanity or hate speech
• Gratuitous violence or violent extremism
• Bullying, harassment, or other harmful behavior

Apps cannot:

• Exploit sensitive events like disasters or deaths
• Sell or promote dangerous products such as firearms or explosives
• Sell marijuana, THC products, or unregulated tobacco and alcohol products, especially when targeting or encouraging minors

Some limited exceptions apply to content with educational, documentary, scientific, or artistic (EDSA) value, but it must not be gratuitous or exploitative.

Financial services

Google Play’s Financial Services policy aims to stop deceptive or harmful financial products.

The policy:

• Bans short-term personal loans that must be repaid in 60 days or less
• Bans high-APR loans in the U.S. with an APR of 36% or more
• Requires lenders to provide proof of licensing where needed

Personal loan and earned wage access (EWA) apps must:

• Clearly disclose repayment terms, APR, fees, and privacy practices
• Avoid requesting sensitive permissions like contacts or location

Real-money gambling and illegal activity

Real-money gambling apps like daily fantasy sports and gamified loyalty programs are allowed, but only under strict rules.

Other real-money games or contests involving wagers or real-world prizes are generally not allowed, unless they are part of approved pilot programs.

Gambling apps must:

• Be free to download
• Hold valid licenses in every jurisdiction where they operate
• Prevent underage access
• Display clear responsible gambling information
• Not use Google Play Billing for gambling transactions

Loyalty programs are allowed if they:

• Are tied to real transactions
• Follow fixed, transparent rules
• In non-game apps, disclose odds or selection methods for chance-based rewards

Gambling ads are permitted only if they follow local laws, do not target minors, and meet responsible gambling standards.

User-generated content

User-generated content (UGC) is any content users create and share inside your app that other users can see (including apps that act as browsers/clients for UGC platforms).

Apps with UGC must:

• Require users to accept Terms of Use before creating or uploading UGC
• Clearly define and ban objectionable content and behaviors in their policies
• Have ongoing, effective moderation suited to the type of UGC (with stricter controls for things like DMs, augmented reality, or public feeds)
• Offer in-app tools to report and block content and users, and act on reports
• Include safeguards so monetization does not encourage bad or harmful user behavior

Health content and services

Google Play’s Health Content and Services policy bans apps that expose users to harmful or misleading health information, unsafe medical claims, or unapproved substances.

Health and medical apps must:

• Provide accurate information and clear disclosures
• Include a privacy policy and use permissions responsibly
• Clearly state any required hardware or devices
• If providing regulated or research functions, give proof of approvals, affiliations, or ethics compliance when required

Apps may not:

• Sell prescription drugs without a valid prescription
• Promote unapproved health products
• Spread health misinformation

Blockchain-based content

Blockchain‑based content includes tokenised digital assets stored on a blockchain. Apps that offer these must follow strict rules. In particular:

• Cryptocurrency exchanges and wallets must use certified services and operate in regulated jurisdictions
• Apps must clearly declare any tokenised assets in the Play Console

• Cryptomining on user devices is not allowed
• NFT features must avoid gambling-like mechanics and should enhance gameplay, not act as wagers or purely speculative assets

AI-generated content

AI-generated content is material created by generative AI, such as chatbots or AI-made images and videos.

Apps using AI must:

• Follow all Google Play policies
• Prevent harmful or restricted content, including child exploitation and deceptive behavior
• Provide in-app reporting tools so users can flag offensive content, and use these reports to improve moderation and filters

Intellectual property

Apps and developer accounts may not infringe on others’ intellectual property rights (such as trademark, copyright, patent, trade secret, or other proprietary rights), or encourage users to do so.

Common violations include using:

• Cover art from music albums, video games, or books
• Marketing images from movies, TV shows, or video games
• Photos taken from a public figure’s social media
• Full reproductions or translations of books that are not in the public domain

Other requirements

You’ll find below other sections from Google Play’s policy that might be of interest to you.

Targeting children

Before submitting an app that targets children to the Google Play Store, you are responsible for ensuring your app is appropriate for children and compliant with all relevant laws.

SDKs

Third-party software development kits have several requirements and restrictions. If you include an SDK in your app, you are responsible for ensuring that their third-party code and practices do not cause your app to violate Google Play Developer Program Policies.

Monetization and ads

Google Play supports a variety of monetization strategies to help developers and users, including paid distribution, in-app products, subscriptions, and ad-based models. It requires you to comply with policies on payments, subscriptions, ads, and the Families Ads Program.

Store listing and promotion

Some additional guidelines relate to app promotion, metadata, user reviews and installs, user and content ratings, and news‑related apps.

Main restrictions

Dive deeper and find all details in the Google Play Developer Policy Center and the full Developer Program Policy

The post An overview of Google Play’s requirements and restrictions for app submission appeared first on Compliance Solutions for Websites, Apps and Organizations | iubenda.

Change was in the air. On 19 November 2025, the European Commission presented the Digital Omnibus Regulation proposal. You can think of it as an update of Europe’s privacy rulebook, including laws like the GDPR and ePrivacy Directive, to make them easier to apply without lowering protection for people.

Simplification, but without weakening privacy rights

It’s no secret. Everyone knows today’s cookie banners can be frustrating. Repeatedly clicking on a banner for every new site you visit is not valuable. The Commission wants to change this.

The Digital Omnibus proposal aims to simplify and modernize several key existing privacy laws. The idea is to reduce friction, improve user experience, while keeping strong user rights.

The proposal suggests:

• One-click “accept” and “reject” options at the same level on cookie banners (no multiple layers), and not asking again as long as consent is valid, or for at least six months after a refusal. This reduces repetitive consent requests that build “consent fatigue.”
• Smarter “central cookie management mechanisms”, so users can set their privacy preferences once, in a simple interface. This could mean browser- or OS-level “privacy switches”. A user might choose “reject tracking” or “only essential cookies” once, and websites would read and respect that preference automatically.
• Cookie rules to be moved into the GDPR, and a review of which situations can rely on exceptions (no consent needed), for example for security purposes, or basic, first-party, aggregated audience measurement.

What this means in practice

If you run a website, app, or online campaigns, there’s no need to panic. Quite the opposite. Compliance processes will become simpler for you and your users. Plus, this is still a proposal, not a final law:

• You do not need to change anything yet because of the Digital Omnibus.
• Your current obligations under the GDPR and other laws remain unchanged for now.
• You still need your cookie banner and CMP now and under the new rules, even if they may operate differently.

Realistically, most people won’t adopt browser-level settings immediately.

Over the years, users who have set global preferences may not see a banner at all, except when it needs to be displayed for specific purposes. Others, who haven’t set anything, will interact with banners as usual.

The proposal mentions that if you’re a media service provider, you will not be required to respect global preferences since you rely heavily on advertising to remain financially sustainable.

We recommend staying informed as the proposal moves through the EU legislative process. It’s currently expected to start applying sometime between 2026 and 2027. Here’s the European Commission’s announcement.

iubenda is ready and remains your trusted partner to keep privacy central but simple

At iubenda, we’re all about making compliance simpler for digital professionals. We keep both your business goals and your users’ privacy in mind in everything we do.

Rest assured, as privacy experts, we’re here to handle both the technical and legal details so you don’t have to. We’ll keep supporting you with all aspects of digital compliance, not just cookies.

Stay tuned. We’ll inform you of any updates and help you implement them quickly and confidently.

The post The European Commission’s proposal for new cookie rules: our first look at potential implications appeared first on Compliance Solutions for Websites, Apps and Organizations | iubenda.

On 19 November 2025, the European Commission presented the Digital Omnibus Regulation proposal as part of its wider Digital Package.

By amending cornerstone laws such as the GDPR, the ePrivacy Directive, the Data Act, and the AI Act, the proposal targets practical issues around things like cookies and consent, personal data, and AI. The purpose is clear: simplify and modernize the EU’s digital framework.

At the same time, the proposal has triggered intense public debate. Some view it as a necessary update to keep Europe competitive and reduce friction for users and businesses; others warn against any perceived “rollback” of fundamental rights.

In this context, the voices of those who build and operate digital compliance every day are crucial.

As a Consent Management Platform (CMP), we sit at the intersection of regulation, technology, and user experience. That’s why we are actively contributing to the discussions shaping the Digital Omnibus.

Why the Omnibus matters

The Commission frames the Digital Omnibus as a competitiveness and simplification initiative, intended to cut red tape and give organisations clearer, more coherent obligations across the digital landscape.

For privacy and cookies in particular, the proposal is designed to:

• Limit consent fatigue and limit repetitive, confusing banner requests.
• Reduce compliance costs by simplifying time-consuming and costly legal requirements.
• Align overlapping laws, especially where the GDPR and ePrivacy Directive currently interact in complex ways.
• Provide legal clarity on areas that have proven vague or outdated in practice.

Engaging in discussions with the European Commission

Speaking with a united CMP voice: our joint submission to the Commission

When the Commission opened its call for evidence and public feedback on its initiative, it explicitly invited stakeholders to share concrete ideas for simplifying rules without weakening protection.

As a leading European CMP, we joined forces with other CMP providers to submit a joint response to the Commission. Our goal was to ensure that the practical reality of consent management on the ground is reflected in the future legal framework.

In our joint feedback, we stress a core point:

It must be recognised that online consent goes beyond cookies. CMPs play a key role in obtaining consent for all non-essential treatment of data, for all types of technologies.

We argue that the conversation must move from “cookie banners” to “consent infrastructure”. If the EU goes toward central consent management inside browser mechanisms, it should promote an interoperable model.

Users should be able to choose trusted tools that can communicate seamlessly with browsers and apps to provide a transparent user experience.

European CMPs stand ready to support the Commission in designing practical, future-proof solutions that combine ease of compliance for businesses with genuine control for users, creating a model of European digital trust by design.

Concretely, we recommend that any future rules:

• Require browsers that offer central consent features to expose open APIs that CMPs can use. CMPs will still be needed to determine whether cookies and tracking technologies can be installed, to manage proof of consent, and to apply consent or refusal correctly.
• Protect genuine, granular consent. GDPR consent must remain specific, contextual, and be collected in a transparent way by neutral, independent tools.
• Simplify without centralising power. As reinforced in the Digital Markets Act, simplification must not mean concentrating control of the consent layer in a handful of browsers, which would risk gatekeeper issues.

Bringing real-world insights: our technical contribution

Following our joint feedback, key contributors, including our CPTO and Head of Frontend Engineering, took part in a dedicated roundtable with European Commission policymakers.

Matteo Colucci, our Head of Frontend Engineering, says that “the main purpose of the meeting was to open a dialogue between the European Commission and CMPs”, to ensure that all perspectives were taken into account.

He describes that participants brought hands-on implementation experience into the room, clarifying:

• The essential role of banners and CMPs in enabling users to exercise their rights.
• What really drives consent fatigue and how it could be improved (accessing user preferences across multiple contexts).
• That any new model must keep transparency central and make sure users are aware of and know how to exercise their privacy rights.

The Commission is meeting with a broad range of stakeholders, like advertisers and publishers, and we expect further discussions.

In the words of our CPTO Filippo Barra, “the Commission demonstrated its willingness to leverage industry expertise and collaborate with CMP counterparts.”

The post Inside the Digital Omnibus: our experts’ contributions appeared first on Compliance Solutions for Websites, Apps and Organizations | iubenda.

What is the Digital Omnibus?

The Digital Omnibus proposal is the European Commission’s plan to simplify and modernize several key EU digital laws, including the GDPR and the ePrivacy Directive.

The goal is to reduce friction and improve user experience, without weakening people’s rights.

It touches a wide range of topics: cookies and consent, use of personal data and AI, pseudonymization, and GDPR rights.

A big focus is on fixing today’s consent experience. The Commission knows that constantly clicking through cookie banners on every new site is quite tedious. The Omnibus proposal tries to ease that pain while keeping a robust privacy framework in place.

What practical changes should marketers expect?

The main changes you should be aware of concern cookie banners and consent, as well as how preferences are expressed.

1. Central consent mechanisms and signals

To reduce being prompted with the banner repeatedly, the proposal looks at “central cookie management mechanisms”, such as browser or OS-level privacy settings. Think of a simple switch like:

• “Reject tracking”
• “Only essential cookies”

Users could set this once, and websites would then read and respect that choice automatically via machine-readable signals.

2. Cookie rules moving into the GDPR and clarifying consent exceptions

The rules on storing or accessing information on a user’s device (cookies and similar tech) are expected to be moved into the GDPR and paired with clearer exceptions where no consent is needed. Key examples:

• Strictly necessary cookies, for the transmission of a communication or to provide a service the user explicitly requested.
• First-party, aggregated audience measurement, when you measure your own audience for your own use only, without sharing or selling the data, and without using it for other unrelated purposes.

3. Updated banner rules to reduce consent fatigue

Here’s what The Omnibus suggests:

• When a banner is needed, a single-click “Reject” option must be as visible and easy as “Accept” (this requirement was already commonly enforced at a member-state level).
• You can’t re-ask for consent while it remains valid.
• If a user refuses, you can’t re-prompt them for the same purpose for at least 6 months.

Will cookie banners disappear?

No. The European Commission wants to avoid users being prompted with banners again and again, not to remove consent or banners altogether.

In practice:

• Banners will still be the main way most users give consent, especially those who never touch browser/OS privacy settings. Some users will set global preferences; in those cases, your CMP can read the signal and skip the banner.
• You will still need a Consent Management Platform or equivalent system to enforce whether tracking can run, keep proof of consent, and let users review and update their choices.

What should marketers do now?

No action is needed now. The Digital Omnibus is still a proposal, not a final law. Until it’s adopted and the application dates arrive:

• Your current obligations under the GDPR and ePrivacy remain unchanged.
• You do not need to change your setup because of the Omnibus.

When will the proposal take effect?

The proposal was published on 19 November 2025, but it is not yet law. The text can change substantially at any stage during European Parliament and Council negotiations.

If and when it is adopted, it will apply in stages. Each requirement will apply months after entry into force (from 6 to 48 months).

The Omnibus is intended to be an EU Regulation, meaning it will apply directly and uniformly across all Member States.

So this is a multi-year transition, not an overnight change. You’ll have time to adapt, and your digital compliance tool, including iubenda, will guide you through the practical steps.

The post Your questions answered: what the EU Omnibus proposal means for marketers appeared first on Compliance Solutions for Websites, Apps and Organizations | iubenda.

But GDPR compliance is about more than avoiding fines. It’s about building trust with your customers – showing them that their personal data is safe in your hands. In a time when data breaches and privacy scandals can seriously damage a brand’s reputation, being compliant gives you a competitive edge.

What Does GDPR Mean for E-Commerce Businesses?

The GDPR applies to any business that processes personal data of individuals in the EU and that includes nearly every e-commerce shop. Whether you’re running a small online store or managing a large retail platform, if you’re collecting names, email addresses, payment details, or tracking customer behavior through cookies, the regulation affects you.

But what exactly does “processing personal data” mean?

According to the GDPR, personal data is any information that can identify an individual directly or indirectly. This includes obvious identifiers like names and email addresses, but also IP addresses, location data, purchase history, and even behavioral data gathered through analytics tools.

Your responsibilities as a shop owner

As an e-commerce business, you are considered the data controller, meaning you determine the “why” and “how” of processing personal data. That comes with legal responsibilities:

• You must have a lawful basis for every data processing activity, from sending newsletters to handling payments.
  
  
• You need to inform users transparently about what data you collect and why – typically through a clear and accessible privacy policy.
  
  
• You are required to protect that data through technical and organizational measures.
  
  
• And you must enable your customers to exercise their rights, including the right to access, delete, or correct their data.
  
  

Non-compliance can be costly: regulators can impose fines of up to €20 million or 4% of your global annual revenue whichever is higher. But more importantly, failing to comply can undermine customer trust, damage your brand, and cause irreversible harm to your business.

The good news? GDPR compliance is manageable especially if you understand the core principles and build a privacy-first infrastructure.

What does GDPR compliance require in practice?

For e-commerce businesses, GDPR compliance isn’t just about adding a checkbox or updating a privacy policy. It’s about building a transparent, secure, and user-centric data ecosystem across your entire online shop from checkout to backend infrastructure.

Transparency starts with clear communication

Every online shop processes personal data, whether it’s a shipping address, email, or even a behavioral profile for product recommendations. According to the GDPR, you must clearly explain what data you collect, why, and on what legal basis. That information needs to be presented in a privacy policy that’s easy to understand and easy to find.

For example, if you use behavioral analytics to improve your shop, you need to state that explicitly, including who provides the tool (like Google Analytics or Hotjar), whether data is transferred internationally, and how long it’s stored. Tools like Privacy and Cookie Policy Generator make it easier to generate legally accurate, tailored policies that evolve with your tech stack.

Consent is more than a popup

Under GDPR and the ePrivacy Directive, you can’t simply notify users about tracking — you need active, informed consent for non-essential cookies. That includes analytics, A/B testing, marketing pixels, and embedded third-party content.

What does that look like in practice? A compliant cookie banner that doesn’t pre-tick boxes, provides granular choices (e.g., marketing vs. functional), and stores consent logs for audit purposes. It also needs to be revocable at any time, with just one click.

The same applies to email marketing: opt-in must be voluntary and documented. No soft opt-ins. No bundled checkboxes. No tricks.

Only collect what you need

GDPR is built on the idea of data minimization: collect only the personal data necessary for a specific purpose. That means reviewing all data fields on your forms and checkout pages.

Do you really need a customer’s phone number for a downloadable product? Do you store newsletter sign-ups indefinitely, even if a user never confirms?

Limiting data collection reduces your legal risk and increases user trust. It also makes compliance with other GDPR requirements (like data access or erasure) much easier in the long run.

Security isn’t optional

Article 32 of the GDPR requires businesses to implement “appropriate technical and organizational measures” to protect personal data. That’s not just a legal obligation; it’s also essential for brand trust and customer retention.

These measures include:

• Encrypting all data in transit with SSL/TLS certificates,
  
  
• Strong access controls with role-based permissions,
  
  
• Regular updates and patching of your shop system and plugins,
  
  
• Protection against attacks, such as firewalls and malware scanners,
  
  
• Secure backups and recovery strategies in case of data loss.
  
  

The challenge for many businesses is that these technical safeguards often depend on their infrastructure partner.

Empowering your users

Finally, GDPR gives users clear rights, including the right to access their personal data, correct inaccuracies, request deletion, or receive a copy in a portable format. As a shop owner, you must ensure these rights can be exercised easily and efficiently.

This means:

• Establishing internal workflows to process requests within the 30-day GDPR deadline;
• Mapping how data flows through your shop and third-party tools;
• Clearly listing user rights in your privacy policy, ideally with a direct contact form or DPO email address.

Example: If a customer requests deletion of their account, your system should trigger a checklist — remove order history from the frontend, anonymize transactional data where legally required, and confirm completion via email.

These steps not only fulfill your legal obligations but also demonstrate transparency, strengthening user trust and reducing the risk of formal complaints or supervisory intervention.

Why your hosting infrastructure matters more than you think

When we talk about GDPR compliance in e-commerce, most businesses immediately think of cookie banners, privacy policies and email opt-ins. All of that is important, but there’s a deeper layer that’s often overlooked: your technical infrastructure.

GDPR doesn’t just regulate what data you collect, it also regulates how you store, protect, and process that data. And much of that happens on the server level.

A secure online shop starts with the foundation — hosting. According to the GDPR, hosting providers are generally considered processors because they process personal data on behalf of others, regardless of whether they actively access it.

That means:

• You must conclude a data processing agreement (DPA) in accordance with Art. 28 GDPR.
• The provider should host in compliance with GDPR, ideally within the EU.
• Certifications such as ISO 27001 or SOC 2 provide additional security and transparency.

If your server is located outside the EU, if backups aren’t encrypted, or if your shop shares resources with unknown third parties, you may be exposed to compliance risks without realizing it.

That’s why the choice of hosting provider is not just about performance or price, it’s about trust, transparency, and legal accountability.

Questions you should ask:

• Where are the servers physically located?
  
  
• Who has access to customer data and how is it logged?
  
  
• Are security updates handled proactively?
  
  
• Can you get audit logs or proof of data protection measures if needed?
  
  

If your hosting provider can’t answer these questions clearly, it’s time to reconsider.

maxcluster: GDPR-ready infrastructure for e-commerce

For high-performance shops that need legal certainty, maxcluster offers an e-commerce-focused hosting platform. Here’s how they support your GDPR compliance:

• 100% EU hosting: All servers are located in ISO 27001–certified data centers in Germany. No hidden third-country transfers.
  
  
• 24/7 proactive monitoring: Security issues are identified and resolved before they become a problem with real-time alerting and patch management.
  
  
• Differentiated authorization management ensures that only authorized individuals can access specific types of data.

More than 1,500 online shops trust maxcluster to keep their data and their customers’ data secure. Whether you run on Magento, Shopware, WooCommerce or a custom stack, they tailor your infrastructure to meet legal, technical, and business requirements.

Hosting is the foundation of compliance

The most polished privacy policy or elegant cookie banner won’t protect your customers if your server is compromised. True compliance starts with the infrastructure that powers your shop.

Choosing the right hosting provider is one of the most impactful and often overlooked steps toward GDPR compliance. And it’s one of the few that directly supports both your legal duties and your business resilience.

Conclusion

Let’s face it: GDPR compliance isn’t always simple. It requires attention to detail, technical expertise, and ongoing effort. But it’s also a chance to strengthen your business by building trust, reducing risk, and ensuring that your operations are future-proof.

As an e-commerce business, your responsibility goes beyond just installing a cookie banner or copying a privacy policy template. You’re expected to actively protect personal data through secure processes, transparent communication, and reliable infrastructure.

Here’s what you can start doing today:

• Review your privacy policy and data collection workflows
  
  
• Make sure all tools and processors are GDPR-compliant
  
  
• Implement robust data security practices (incl. 2FA, access control, backups)
  
  
• Choose a hosting provider that supports your compliance goals, not just your performance needs
  
  

And if you’re looking for a hosting partner that understands both e-commerce and compliance, maxcluster is here to support you. Our infrastructure is built for high-performing online shops with high standards both technical and legal.

With the right foundation, GDPR isn’t a roadblock. It’s your competitive advantage.

The post GDPR Compliance in E-Commerce: What Online Shops Need to Know appeared first on Compliance Solutions for Websites, Apps and Organizations | iubenda.

Ready? Let’s jump straight into what’s changed.

New plan for our accessibility widget

Our AI-powered accessibility widget now has a Standard Plan, ideal for high-traffic websites or advanced needs like preset accessibility profiles.

• Up to 1 million monthly pageviews
• Preset profiles (vision impairment, ADHD, and more)
• 10% discount with annual payment

See the difference between Lite and Standard

The Standard Plan is available on new subscriptions and coming soon to pre-2023 legacy ones.

Clauses update for mobile apps and e-commerce

Two important updates in our Terms and Conditions Generator:

Mobile apps

A new Google Play clause on child abuse prevention was added for social and dating apps. You can include it in the generator under “Acceptable Use” and “Mobile App”.

E-commerce

The EU’s ODR platform for online shopping disputes was shut down on July 20, 2025. This clause will be fixed the next time you update your Terms and is no longer available for new projects.

Access your dashboard

Coming soon: Custom position and style in our Accessibility Widget

We’re putting the final touches on two major updates coming in the next few weeks:

• Custom positioning & styling. Match the widget’s appearance to your site’s look and feel.

• Enhanced iubenda widgetLet users manage both accessibility and privacy preferences from one place.

Improve your website’s accessibility

Already trusted by 3,200+ users.

In case you’ve missed it

Google is enforcing Consent Mode

Avoid losing data in Google Ads and Analytics with our certified solution.

1-Click WordPress Installation

Install a cookie banner and legal documents on WordPress with one click, no coding required. Read the guide for more details.

1-Click Shopify Installation

Bring iubenda’s cookie banner to your Shopify store in seconds. Just one click, no manual coding. Check our guide for more information.

The post New plan for the Accessibility Widget and updated clauses in our T&C Generator (August-September 2025) appeared first on Compliance Solutions for Websites, Apps and Organizations | iubenda.

1-Click Shopify Installation

Privacy Controls and Cookie Solution

Adding iubenda’s cookie banner to your Shopify store is now easier than ever:

• One click – Connect Shopify in one click.
• Automatic app installation – The system installs our app and embeds all necessary code for you.
• No code – No more multiple code snippets or manual integrations: just configure your cookie banner.

Already installed your cookie banner? No action needed—this update is for new and ongoing installations.

Try 1-Click Shopify Installation

Coming soon: More powerful, customizable accessibility widget

Accessibility Widget

We’re putting the final touches on major updates to Accessibility Widget (formerly Accessibility Solution), your AI-powered tool for making websites more accessible with ease.

Here’s what’s coming in the next few weeks:

• Custom positioning & styling: Match the widget’s appearance to your site’s look and feel.
• Enhanced iubenda widget: Let users manage both accessibility and privacy preferences from one place.

Improve your website’s accessibility

Already trusted by 3,000+ users.

In case you’ve missed it

Control access with teams

We’ve updated our Teams feature, allowing you to create teams to organize your projects and easily move sites between teams.

1-Click WordPress Installation

Install a cookie banner and legal documents on WordPress with one click, no coding required. Try it now or read the guide.

The post 1-Click Shopify Installation, improved Accessibility Widget, and more (July 2025) appeared first on Compliance Solutions for Websites, Apps and Organizations | iubenda.

Server-side tracking is emerging as a more effective solution. Introduced in 2020, it gained popularity over the past years due to higher transparency and the ability to address these problems.

How data loss and privacy regulations affect the performance of marketing campaigns

Browser restrictions, such as ITP in Safari, ad blockers, and privacy regulations, can result in a significant loss of data when running marketing campaigns. In the long run, it can have such consequences:

• Worse targeting and personalization. Highly personalized ad campaigns are becoming more challenging with restricted access to data on user behaviour and interactions with your website.
• Less precise conversion attribution. The restrictions on data tracking affect the accurate measurement of campaign performance and conversion attribution across different channels. Missing attribution data often leads to unassigned traffic in Google Analytics 4. 
• Inefficient campaign optimization. Inaccurate data prevents marketing platforms from optimizing ad campaigns effectively. It results in a decrease in key marketing metrics such as return on ad spend (ROAS) and conversion rates (CR).
• Insufficient marketing budget management. Business owners may waste a lot of money on campaigns that don’t bring the expected results, and the lack of reliable data makes it harder to spot such campaigns and optimize them.

Why server-side tracking is a game-changer for agencies 

To improve data quality and comply with privacy regulations, agencies use server-side tracking. Server-side tracking allows collecting data (user interactions or website events) directly from the user’s device to the server. This tracking method eliminates the need to rely on third-party services, offering more control over the data.

User data is gathered once consent is granted. Data from the website is transmitted to a cloud server, which then forwards it to third-party vendors and analytics platforms. The server acts as an intermediary, serving as a proxy between the website (or other data sources) and external tracking tools.

How server-side tracking works

Server-side tracking provides agencies with accurate information about user behavior. In this way, Farmasave, with the help of Tag Manager Italia, could reduce the gap between backend data and Google Analytics 4, cutting the discrepancy from 20% to just 6%. This improvement raised the accuracy of the data displayed and analyzed in GA4 to 94%.

Agencies can improve campaign cost-efficiency by using server-side tracking. For instance, this tracking method implementation helped increase the conversion rate of Decathlon Italia’s Facebook Ads campaigns while lowering the cost per click.

Consent management configuration on the server side allows tracking user consent more effectively. For example, by optimizing the layout of the cookie banner and configuring server-side tracking, MecShopping was able to double user consent rates from 24% to 50%.

Server-side tracking implementation path 

Implementing server-side tracking includes the following steps:

1. Choose a tag management system. The most versatile and popular is Google Tag Manager (GTM). It provides a wide range of tags, clients, and variables for the server GTM container, making it easier to implement server-side tracking for third-party platforms. With GTM, you get full control over your data.
2. Decide on a hosting platform for a server GTM container. There are a few options. The first platform that comes to mind for GTM users is Google Cloud Platform (GCP). However, the hosting price on platforms like GCP is higher compared to third-party platforms like Stape. In addition, this hosting platform offers other benefits, such as a Demo account to pitch clients, an  Agency account to manage clients’ containers in one place, or built-in Analytics to measure the impact of server-side tracking setup.
3. Configure server-side tracking for the required platform. The configuration process will depend on the platforms your client uses (Meta, Google Ads, GA4, TikTok, etc.). Setting up tracking via a server GTM container requires more effort, but gives full flexibility. You’ll need to create a server container, configure clients and tags, and set up the connection to the web container. For agencies, this type of setup is ideal when you want to standardize tracking across multiple clients or build custom logic tailored to specific use cases. To get the most out of server-side tracking, it’s important to also add a protection layer for tracking scripts. For example, Stape provides additional features like Custom Loader (to increase resistance to ad blockers) and Cookie Keeper (to extend cookie lifetime in browsers like Safari). In combination with a custom tracking domain setup, you can improve data accuracy and conversion attribution for your clients.
4. Set up a server-side consent management. That’s an essential step, as server-side tracking still requires asking for the user’s consent before data collection. One of the most popular server-side Consent Management Platforms is iubenda. It is an easy-to-use platform that prioritizes privacy in its approach to collecting and processing user data. In addition, it is a highly customizable solution, so you can create an appealing design while staying compliant with data regulations.

Conclusion 

Data regulations such as GDPR and CCPA, the rise of ad blockers, and browser restrictions on cookie lifetime change the way the data is collected. Server-side tracking is a solution that lets agencies track data accurately. 

With the proper configuration, clients can get precise data and stay compliant with regulations. Explore how to configure server-side consent management using iubenda and GTM in Stape’s blog post and start benefiting from complete control over the data collection process.

The post How agencies can grow with server-side tracking: drive better ROAS without compromising privacy appeared first on Compliance Solutions for Websites, Apps and Organizations | iubenda.

Make your site more accessible with no extra code needed!

Our AI-powered widget (formerly known as Accessibility Solution), designed to make your website more accessible with just a few clicks, is now Accessibility Widget with a big update!

We’ve simplified the embedding process—now there’s just one script for both the cookie banner and the accessibility widget. That means that making your site more accessible is really easy: If you’re already using our cookie banner, no extra code or code edits are required to install the accessibility widget.

Improve your website’s accessibility

Over 2,200 users have already trusted Accessibility Widget to enhance their website’s accessibility.

In case you’ve missed it

Control access with teams

We’ve updated our Teams feature, and now you can create teams to organize your projects and move sites between teams with ease.

1-Click WordPress installation

Install a cookie banner and legal documents on WordPress with one click, no coding required. Read the guide for more details.

Easy cookie banner setup for Shopify

Adding iubenda’s cookie banner to your Shopify store is now a breeze. Just install our new Shopify app, paste your Privacy Controls and Cookie Solution code, and you’re done. No coding needed! Read the guide for more information.

The post Accessibility Widget upgrade, improved teams, and a brand new Shopify app (June 2025) appeared first on Compliance Solutions for Websites, Apps and Organizations | iubenda.

1. Privacy Sandbox: Allows user targeting by cohort and interest based on browsing data.
2. Substitute Identifiers: Deterministic or probabilistic identifiers.
3. Contextual Targeting: Uses keywords and natural language processing techniques.
4. Cohort Targeting: Creates audience segments.
5. Retail Media: Advertising spaces offered by distributors.
6. First-Party Data Environments: Uses proprietary user data.
7. Paywall Trackers: Paid business models generating additional revenue.

Each model is analyzed based on technical integration, user acceptability, advertiser needs, privacy merits, and economic sustainability.

Emerging Trends and Competitive Dynamics

The study highlights two main trends:

1. Evolution favors players with significant proprietary data, such as distributors and closed environments.
2. Open Internet players will need multiple complementary solutions, leading to technical complexity and interoperability challenges.

The evolution also poses significant competitive challenges. Large platforms define privacy as banning tracking outside their ecosystems, benefit from strong vertical integration, and face interoperability issues with multiple devices.

New Actors and Business Models

New entrants like Internet service providers are emerging, and value will be captured by a wider range of solutions. The researchers do not foresee the end of the open Internet, but increased data-sharing constraints outside closed environments.

Implications for Data Privacy and Market Dynamics

The study concludes that large publishers will be in a better position than smaller ones, who will need to cooperate or merge to reach critical mass and address interoperability issues.

CNIL’s cooperation with the Competition Authority is crucial for monitoring market changes, identifying privacy and competition risks, and developing regulatory synergies. Their joint approach was published in a December 2023 declaration.

Renewed Role of Data

The upcoming changes will not significantly reduce tracking but will renew the role of personal data through new types of data, sharing channels, and synchronization methods. The CNIL will closely monitor compliance with these evolutions, particularly the use of purchase data for advertising purposes.

Market Skepticism Towards “No-Consent” Solutions

The researchers note skepticism towards “no-consent” solutions, which may still involve personal data processing and are less favored by advertisers. These solutions require strong regulatory support to become viable alternatives.

Uncertain Market Choices

The market has not yet settled on clear choices, with multiple emerging solutions still in testing phases. The recent delay in ending third-party cookies in Chrome from July 2024 to January 2025 adds to this uncertainty.

Economic Approach to Reduce Uncertainty

In conclusion, the study shows that current uncertainties are driven by the economic strategies of major digital players and regulatory changes. The consent rule is well-integrated, and the market is exploring various competitive solutions. The CNIL’s plan of action shows that user refusal rates for targeted advertising have stabilized below 40%.

The study provides valuable insights for CNIL’s regulation of targeted advertising, demonstrating its commitment to engaging with market actors to develop appropriate regulatory tools.

The post Online Advertising: CNIL Prepares for Business Model Changes appeared first on Compliance Solutions for Websites, Apps and Organizations | iubenda.

The Charges Against Avast

Back in February, the FTC filed a complaint against UK-based Avast Limited and its Czech subsidiary. The complaint highlighted that Avast collected users’ browsing data through their browser extensions and antivirus software without adequate notice or consumer consent. Despite promising protection from online tracking, Avast failed to inform consumers that it was selling their re-identifiable browsing data to over 100 third parties through its subsidiary, Jumpshot.

Key Provisions of the FTC Order

The finalized FTC order mandates several significant actions by Avast:

1. Cease Data Sales: Avast and its subsidiaries are prohibited from selling, disclosing, or licensing any web browsing data for advertising purposes.
2. Financial Penalty: Avast is required to pay $16.5 million, which is expected to provide redress to affected consumers.
3. Data Deletion: Avast must delete all web browsing information transferred to Jumpshot and any derived products or algorithms.
4. Consumer Consent: The company must obtain explicit consent from consumers before selling or licensing browsing data from non-Avast products.
5. Consumer Notification: Avast is required to notify consumers whose data was sold without consent about the FTC’s actions.
6. Comprehensive Privacy Program: Avast must implement a privacy program that addresses the misconduct identified by the FTC.

The FTC’s Role in Consumer Protection

The FTC’s decision underscores its commitment to promoting competition and safeguarding consumer privacy. By holding companies accountable for deceptive practices, the FTC ensures that consumers are protected from misleading conduct and that their data privacy is respected.

How iubenda Can Help

In light of this news, it’s crucial for businesses to have transparent and compliant data privacy practices. Iubenda offers comprehensive solutions for privacy and cookie policies, terms and conditions, and internal privacy management. Ensure your business complies with the latest regulations and avoid hefty fines like Avast.

Protect your business and your customers’ data with iubenda’s easy-to-use compliance solutions. Learn more about how iubenda can help you stay compliant.

The post FTC Finalizes Order Against Avast: What This Means for Consumer Privacy appeared first on Compliance Solutions for Websites, Apps and Organizations | iubenda.

This development is distinct from recent legislative efforts aimed at banning TikTok in the United States unless ByteDance divests its ownership. The focus of the FTC’s investigation has been on potential violations of the FTC Act and the Children’s Online Privacy Protection Act (COPPA), which set stringent guidelines for the collection and handling of personal information from children under the age of 13.

In an unusual move, the FTC has publicly acknowledged referring the case to the DOJ, citing a significant public interest in transparency for this particular matter. This case highlights ongoing concerns about data privacy and the protection of minors in the digital age, reflecting the heightened scrutiny of tech companies’ practices regarding user data.

Ensure Compliance and Protect User Privacy with iubenda

This landmark decision by the Dutch Court of Amsterdam emphasizes the critical need for obtaining explicit user consent for cookie placement and adhering to stringent data protection regulations. To safeguard your business and ensure compliance with GDPR, the Telecommunications Act, and other relevant laws, it is essential to have a robust cookie consent solution in place.

iubenda offers comprehensive tools and services designed to help your business navigate the complexities of data privacy laws. From creating legally compliant cookie banners to managing consent records effectively, iubenda simplifies compliance so you can focus on your core activities.

Don’t risk non-compliance. Start using iubenda today to ensure you are always ahead in protecting your users’ privacy and maintaining regulatory compliance.

The post FTC Escalates TikTok Complaint to DOJ Over Alleged Children’s Privacy Violations appeared first on Compliance Solutions for Websites, Apps and Organizations | iubenda.

This decision emphasizes that, according to Article 11.7a of the Telecommunications Act, any placement of cookies requires prior consent from the data subject. This is in alignment with the requirements for processing personal data under the General Data Protection Regulation (GDPR). The ruling was based on evidence showing that, out of 52 websites visited by the plaintiff, 19 placed cookies on the plaintiff’s device either without prior consent or even after consent had been explicitly refused.

Furthermore, the Court clarified that Article 11.7a of the Telecommunications Act applies to any individual or entity that stores or accesses information on a user’s device. This means that even when third parties are involved in placing cookies, the website provider has certain obligations. In this case, the cookies were placed due to agreements between the Defendants and third-party operators. Crucially, the Court found that the Defendants had not taken adequate measures to prevent third parties from placing cookies without user consent.

Consequently, the Court concluded that the Defendants violated both the Telecommunications Act and the GDPR by allowing cookies to be placed on the plaintiff’s device without proper consent. This ruling underscores the importance of obtaining explicit user consent before placing cookies and highlights the responsibilities of website providers in ensuring compliance with data protection regulations.

Protect Your Business and Stay Compliant with iubenda

This landmark ruling by the Dutch Court of Amsterdam highlights the critical importance of obtaining explicit user consent for cookie placement and adhering to data protection regulations. Ensure your website is fully compliant with GDPR, the Telecommunications Act, and other relevant laws by implementing a robust cookie consent solution.

iubenda offers comprehensive tools and services to help your business navigate the complexities of data privacy laws. From creating legally compliant cookie banners to managing consent records, iubenda simplifies compliance so you can focus on what you do best.

Don’t leave your business at risk.

Get started with iubenda today and ensure you’re always one step ahead in protecting your users’ privacy and maintaining regulatory compliance.

The post Dutch Court Ruling: Tech Giants Must Cease Unauthorized Cookie Placement appeared first on Compliance Solutions for Websites, Apps and Organizations | iubenda.

Key Points:

• Pause on AI Training: Meta has decided to halt its plans to use data from EU and UK users to train its AI systems.
• Regulatory Pushback: This decision follows pressure from the Irish Data Protection Commission (DPC) and the UK’s Information Commissioner’s Office (ICO), both expressing concerns over Meta’s plans.
• DPC Statement: The DPC welcomed Meta’s pause and emphasized continued cooperation with other EU data protection authorities to address the issue.

Meta faces significant obstacles in Europe due to stringent GDPR regulations, unlike in the U.S., impacting its ability to use user-generated content for AI training. Last month, Meta began informing users about changes to its privacy policy, intending to use public content on Facebook and Instagram for AI training starting June 26. Privacy activist group NOYB filed 11 complaints, arguing Meta’s actions violated GDPR, particularly regarding opt-in vs. opt-out consent.

Meta claimed that using user data for AI training falls under “legitimate interests,” a GDPR provision, but has faced legal challenges with this argument in the past. Users were notified of changes through standard notifications, which were easy to miss. The process to object to data use involved multiple steps and required users to justify their objection, rather than offering a straightforward opt-out option.

In response to the DPC’s request, Meta stated:

“We’re disappointed by the request from the Irish Data Protection Commission (DPC), our lead regulator, on behalf of the European DPAs, to delay training our large language models (LLMs) using public content shared by adults on Facebook and Instagram — particularly since we incorporated regulatory feedback and the European DPAs have been informed since March. This is a step backwards for European innovation, competition in AI development and further delays bringing the benefits of AI to people in Europe.”

The ICO stressed the importance of maintaining public trust in privacy rights when using generative AI and committed to ongoing monitoring of major AI developers, including Meta. This pause on AI training using European user data is a significant move in response to regulatory scrutiny, highlighting the ongoing tension between innovation and data privacy.

Meta’s pause is part of a broader context where companies are eager to use vast amounts of data to train AI systems. Other companies like Reddit and Google are also navigating similar regulatory landscapes. Meta plans to continue discussions with the DPC and ICO to find a compliant approach to using user data for AI training in Europe.

The post Meta Pauses AI Training Plans Using European User Data Due to Regulatory Pressure appeared first on Compliance Solutions for Websites, Apps and Organizations | iubenda.

Web development tools and frameworks are software packages or libraries that assist developers in creating, testing, and deploying websites and web applications. They offer pre-written code, templates, and functionalities, streamlining the development process and improving user experience.

These tools save time and effort by providing pre-made solutions for common tasks, ensuring consistency across projects, and optimizing performance and cross-browser compatibility. This blog explores the various types of web development tools and frameworks, their key features, and their benefits for developers and businesses.

What Is a Web Development Framework?

A web development framework is a set of tools, libraries, and best practices designed to streamline the development process for web applications. These frameworks, often following specific architectural patterns, offer ready-to-use components, enabling faster and more consistent application creation.

Web development frameworks typically include features such as:

1. Code libraries: Pre-written code snippets that developers can use to perform common tasks without writing them from scratch.
2. Architectural patterns: Frameworks often follow specific architectural patterns, such as Model-View-Controller (MVC) or Model-View-ViewModel (MVVM), to help organize code and separate concerns.
3. Utilities and tools: Frameworks provide a set of tools and utilities to automate tasks, handle common functionalities like routing and authentication, and optimize performance.
4. Security features: Many frameworks come with built-in security features to help developers protect their applications from common web security threats.
5. Community support: Frameworks often have active communities of developers who contribute to the framework, offer support, and share resources and best practices.

Developers can benefit from increased productivity, code reusability, and maintainability. Frameworks also help ensure consistency across projects. It enables faster development cycles and provides a standardized way of building web applications.

Popular web development frameworks include Angular, React, Vue.js for front-end development, and Django, Ruby on Rails, and Laravel for back-end development. These frameworks have gained popularity due to their robust features, scalability, and community support, making them go-to choices for developers building modern web applications.

Understanding Web Development Tools

Web development tools are software applications that aid developers in creating, testing, and maintaining websites, offering various functionalities to streamline the development process and boost productivity.

Popular web development tools and their functionalities

• Code Editors: Tools like Visual Studio Code, Sublime Text, and Atom provide features like syntax highlighting, code completion, and debugging capabilities.
• Version Control Systems: Git is a widely used version control system that helps developers track changes in their codebase, collaborate with team members, and manage different versions of their projects.
• Package Managers: npm for Node.js and Yarn are package managers that simplify the process of installing, updating, and managing dependencies in web projects.
• Browser Developer Tools: Built-in tools in web browsers like Chrome DevTools and Firefox Developer Tools allow developers to inspect and debug web pages, test performance, and optimize code.
• CSS Preprocessors: Tools like Sass and Less enable developers to write CSS more efficiently by using features like variables, mixins, and nesting.
• Task Runners: Tools like Gulp and Grunt automate repetitive tasks such as minification, compilation, and optimization of code.
• Testing Tools: Frameworks like Jest, Mocha, and Selenium help developers write and run tests to ensure the functionality and quality of their code.

How web development tools streamline the development process

• Automation: Tools automate repetitive tasks, reducing manual effort and saving time.
• Code Quality: Tools help maintain code quality by providing error checking, code formatting, and best practice recommendations.
• Collaboration: Version control systems and collaboration tools facilitate teamwork and enable developers to work together seamlessly.
• Quality Assurance and Testing: Development tools offer debugging capabilities, testing frameworks, and performance analysis tools to identify and fix issues quickly. Testing tools and code analysis features improve code quality and help catch bugs early in the development cycle.
• Efficiency: By providing templates, snippets, and shortcuts, web development tools increase efficiency and enable developers to work more productively.
• Consistency: Tools help maintain consistency in coding standards, project structure, and best practices.
• Productivity: By streamlining workflows and providing helpful features, tools boost developer productivity and creativity.
• Collaboration: Version control systems and collaboration tools facilitate teamwork and enable smooth communication among team members.

Incorporating the optimized themes can streamline the development process, improve the visual appeal and functionality of your web projects, and ultimately contribute to a better user experience and increased conversions. Continuous learning, adaptation, and the strategic use of tools are essential for staying competitive, delivering high-quality web solutions, and achieving success in the dynamic field of web development.

Different types of web development frameworks and their characteristics

There are several types of web development frameworks, each designed to cater to different needs and preferences of developers. Here are some common types of web development frameworks along with their characteristics:

1. Full-Stack Frameworks:

Characteristics:

• Full-stack frameworks provide tools and libraries for both the front-end (client-side) and back-end (server-side) development.
• They typically include features like routing, templating, database integration, authentication, and more.
• Full-stack frameworks aim to provide an all-in-one solution for building web applications, making it easier for developers to work on both ends of the application.

Examples:

• Django (Python)
• Ruby on Rails (Ruby)
• Laravel (PHP)
• ASP.NET (C#)

2. Front-End Frameworks:

Characteristics:

• Front-end frameworks are focused on the client-side development of web applications, including user interface (UI) design and interactivity.
• They provide pre-built components, styling libraries, and tools for creating responsive and interactive user interfaces.
• Front-end frameworks often follow component-based architectures and promote reusability of UI elements.

Examples:

• React.js
• Angular
• Vue.js
• Svelte

3. Back-End Frameworks:

Characteristics:

• Back-end frameworks are designed for server-side development, handling tasks such as routing, data processing, authentication, and interacting with databases.
• They provide tools for building APIs, handling business logic, and managing server-side operations.
• Back-end frameworks often follow architectural patterns like MVC (Model-View-Controller) for organizing code.

Examples:

• Express.js (Node.js)
• Flask (Python)
• Spring Boot (Java)
• Django REST framework (Python)

4. Microframeworks:

Characteristics:

• Microframeworks are lightweight frameworks with minimal features, focusing on simplicity and flexibility.
• They are suitable for building small to medium-sized applications that do not require the complexity of full-stack frameworks.
• Microframeworks allow developers to pick and choose the components they need for their projects.

Examples:

• Sinatra (Ruby)
• Slim (PHP)

5. Real-Time Frameworks:

Characteristics:

• Real-time frameworks enable the development of applications that require real-time data updates and communication between clients and servers.
• They often include features like WebSockets, event-driven architecture, and pub/sub mechanisms for handling real-time interactions.
• Real-time frameworks are commonly used for chat applications, online gaming, collaborative tools, and live dashboards.

Examples:

• Socket.io (Node.js)
• Meteor.js
• SignalR (ASP.NET)

Each type of web development framework has its own set of characteristics and use cases. Developers can choose a framework based on the specific requirements of their project, their familiarity with the technology stack, and the level of customization and control they need for their web applications.

Comparison of Top Web Development Tools and Frameworks

When comparing top web development tools and frameworks, it’s important to consider factors such as ease of use, performance, scalability, community support, and suitability for specific project requirements. Below is a detailed comparison of some leading tools and frameworks, along with their pros and cons for various web development projects:

1. React.js:

Pros:

• Virtual DOM for efficient updates
• Component-based architecture for reusability
• Strong community support and ecosystem

Cons:

• Steep learning curve for beginners
• Requires additional libraries for state management (e.g., Redux)

2. Angular:

Pros:

• Full-featured framework with built-in tools
• Two-way data binding for real-time updates
• Dependency injection for modular development

Cons:

• Complex and opinionated structure
• Steeper learning curve compared to other frameworks

3. Vue.js:

Pros:

• Lightweight framework with easy integration
• Simple syntax and gentle learning curve
• Two-way data binding and virtual DOM

Cons:

• Smaller ecosystem compared to React and Angular
• Limited corporate backing compared to Angular

4. Node.js:

Pros:

• Server-side JavaScript runtime for building scalable applications
• Non-blocking I/O for high performance
• Large package ecosystem with npm

Cons:

• Single-threaded nature can limit CPU-bound tasks
• Requires careful handling of callback functions for asynchronous operations

5. Visual Studio Code (VS Code):

Pros:

• Lightweight and feature-rich code editor
• Extensive customization through extensions
• Built-in Git integration and debugging tools

Cons:

• Can be resource-intensive for larger projects
• Some features may require configuration for optimal use

Best Practices for Using Web Development Tools and Frameworks

Using web development tools and frameworks effectively requires following best practices to ensure efficient development, maintainable code, and successful project outcomes. Here are some best practices for utilizing web development tools and frameworks:

Understand the Tool or Framework:

Take the time to learn the ins and outs of the tool or framework you are using. Understand its core concepts, features, and best practices to leverage its full potential.

Follow Coding Standards:

Adhere to coding standards and guidelines recommended by the tool or framework’s documentation. Consistent coding practices improve code readability and maintainability.

Optimize Performance:

Implement performance optimization techniques provided by the tool or framework to ensure fast loading times and optimal user experience.

Use Version Control:

Utilize version control systems like Git to track changes, collaborate with team members, and revert to previous versions if needed. Follow branching strategies for efficient development workflows.

Modularize Code:

Break down your code into modular components to promote reusability, maintainability, and scalability. Follow best practices like component-based architecture for front-end frameworks.

Handle Errors Gracefully:

Implement error handling mechanisms to provide informative error messages and gracefully handle unexpected situations. Use tools like error boundaries in React.js to catch errors.

Security Considerations:

Follow security best practices to protect your application from common vulnerabilities like cross-site scripting (XSS) and SQL injection. Sanitize user inputs and use secure authentication mechanisms.

Testing and Quality Assurance:

Write unit tests, integration tests, and end-to-end tests to ensure code quality and functionality. Use testing frameworks and tools to automate testing processes.

Optimize for Accessibility:

Ensure your web application is accessible to users with disabilities by following accessibility guidelines like WCAG (Web Content Accessibility Guidelines). Use semantic HTML and ARIA attributes.

Monitor Performance:

Monitor your application’s performance using tools like Lighthouse, Chrome DevTools, or performance monitoring services. Identify bottlenecks and optimize performance accordingly.

Continuous Learning and Improvement:

Stay updated with the latest trends, updates, and best practices in web development. Attend conferences, workshops, and online courses to enhance your skills and knowledge.

Documentation:

Document your code, project structure, and configurations to facilitate collaboration, onboarding new team members, and future maintenance. Use tools like JSDoc for documenting JavaScript code.

By following these best practices, developers can effectively utilize web development tools and frameworks to build high-quality, efficient, and maintainable web applications. Consistent application of these practices throughout the development process can lead to successful project outcomes and improved developer productivity.

Boost Your Coding Skills with These Essential Web Development Tools

Mastering web development tools and frameworks is crucial for creating efficient, scalable, and high-performing web applications. Developers should adhere to coding standards, optimize performance, handle errors gracefully, and prioritize security and accessibility.

Continuous learning and adaptation are vital for success in the tech industry. Integrating tools like the Debutify theme for Shopify can optimize user experience, increase conversions, and streamline the development process. By combining technical expertise with a commitment to continuous growth, developers can create innovative web solutions and drive business success.

The post The Ultimate Guide to Choosing the Right Web Development Framework for Your Project appeared first on Compliance Solutions for Websites, Apps and Organizations | iubenda.

• Children’s Online Privacy Protection Act (COPPA);
• Health Insurance Portability and Accountability Act (HIPAA);
• Data Privacy and Security Act;
• Identify Theft Enforcement and Protection Act;
• Data Broker Law;
• Biometric Identifier Act; and
• Deceptive Trade Practices Act, will be the primary focus of the data privacy team.

Any entity abusing or exploiting Texans’ sensitive data will be met with the full force of the law.

said Attorney General Paxton.

Stay compliant with iubenda
Learn more about there Texas Data Privacy and security act here.

The TDPSA isn’t the only US privacy law you need to care about — there are others that are already being enforced

The post Data Pri­va­cy and Secu­ri­ty Ini­tia­tive to Pro­tect Tex­ans’ Sen­si­tive Data  appeared first on Compliance Solutions for Websites, Apps and Organizations | iubenda.

In recent years, the threat of cyberattacks on online shops has dramatically increased. Businesses of all sizes have become targets for hackers who steal sensitive customer data and can cause significant financial damage. Online security is one of the most critical issues that you should not only consider, but must address. Not every company can afford a specialist for this topic. Nevertheless, there are numerous ways in which you can ensure the security of your online shop and adequately protect it from hacker attacks.

Almost weekly, hacker attacks occur around the world, and even large companies are not always protected from such attacks. A notable example of a hacker attack on online shops is the incident at Thalia in 2022. Thalia, a popular online bookseller, fell victim to a cyberattack in which hackers used a brute-force attack to gain access to thousands of customer accounts.

What is a brute-force-attack?

In a brute-force attack, an attacker attempts to gain access to a system or account by systematically trying every possible password combination until the correct password is found. The attacker uses automated programs or scripts to try a large number of passwords in a short period of time. This type of attack is particularly effective against weak passwords, as the attacker can simply try all possible combinations until the right one is found. The more complex and longer a password is, the longer it usually takes to be cracked by a brute-force attack.

Brute-force attacks can be conducted in various ways, such as on websites, email accounts, and encrypted data. It is a widespread and dangerous method through which hackers gain access to sensitive information.

What is a magecart-attack?

Another significant phenomenon is the so-called Magecart attacks. Magecart is a group of hackers that specializes in inserting malicious code into the payment forms of online shops. Such attacks have already stolen data from millions of customers, leading to substantial financial losses for the affected companies.

The security of your online shop is not just about protecting sensitive customer data; it is also a crucial factor in maintaining your customers’ trust and thereby the success of your business. A successful hacker attack can not only lead to financial losses, but can also profoundly shake the confidence of your customers and damage your reputation.

Moreover, many countries have legal obligations to adhere to data protection regulations and to securely store personal data. Violating these regulations can result in hefty fines and jeopardize the survival of your business.

How can I enhance the security of my online shop?

You have various options to enhance the security of your online shop. Some measures you can implement on your own, while others should be handled by your hosting provider. It is always advisable to discuss with your current host about ways to improve security and ensure that you are always up-to-date. Your checklist to protect your online shop:

1. SSL certificate
   Ensure that your online shop uses a valid SSL certificate to establish a secure and encrypted connection between the customer’s browser and your server. An SSL certificate (Secure Sockets Layer) is a digital certificate that encrypts and authenticates the security of a website. It serves to create a secure connection between the user’s browser and the server hosting the website. Essentially, an SSL certificate encrypts sensitive data transmitted between the user’s browser and the server, meaning that even if a hacker intercepts the data traffic, the information cannot be easily read or understood. SSL certificates are primarily used for e-commerce websites, online banking, social networks, and other sites where the transfer of sensitive information such as personal data, credit card details, or passwords is required. Additionally, an SSL certificate indicates to website visitors that the site is legitimate and their data is securely transmitted. You can obtain an SSL certificate from various certificate authorities (CAs) offered by most web hosting providers. Some web hosting providers also offer free SSL certificates, while others provide paid options with advanced features and security levels. It is crucial to ensure that the SSL certificate is issued by a trusted certification authority to guarantee the security and authenticity of your website.
   
   2. Regularly updates
   Keep your e-commerce platform and all used plugins or extensions up to date to close known security vulnerabilities.
   

• Regularly visit the official website of your e-commerce platform (such as Shopware, Magento, WordPress, etc.) to look for new plugins or extensions. Many platforms have a marketplace or library where developers publish their extensions.

Sign up for newsletters or notifications on your e-commerce platform’s website. Often, platforms regularly send updates and announcements about new plugins or extensions via email.

3. Strong passwords
Use strong, unique passwords for all administrator accounts and access points to your shop, and enable two-factor authentication if possible. A strong password should meet several criteria to ensure the security of your online shop:

• Length: A strong password should be at least 12 characters long. The longer the password, the more difficult it is for an attacker to crack it.
• Complexity: A strong password should include a mix of uppercase letters, lowercase letters, numbers, and special characters. Use a variety of characters to make the password more complex.
• Uniqueness: Never use the same password for multiple accounts or websites. Instead, use a unique password for each administrator account and every access point to your shop.
• Avoid dictionary words: Do not use easily guessable words or phrases, as they are susceptible to dictionary attacks. Instead, you can use a passphrase composed of a random combination of words to increase security. An example of a strong password could be: “Tr0tz!Gehe1mSe1n@”. This password meets all the above criteria as it is long, includes a mix of uppercase letters, lowercase letters, numbers, and special characters, is unique, and does not use easily guessable dictionary words.

In addition to using a strong password, it is advisable to enable two-factor authentication when possible. Two-factor authentication adds an extra layer of security by requiring a second verification step in addition to the password, such as a one-time password sent to your mobile phone.

4. Firewall and Security software

Install a firewall and reliable security software to protect your shop from malicious attacks. There are various firewall and security software solutions available for the e-commerce sector that can help safeguard your online shop from malicious attacks. Here are some popular options:

• Web Application Firewall (WAF):
  This type of firewall is specifically designed to protect web applications by filtering and monitoring HTTP traffic between a web application and the Internet. It helps defend against attacks such as SQL injection, cross-site scripting, and file inclusion.
• Antivirus and Antimalware Software:
  Comprehensive antivirus and antimalware solutions are essential for detecting and removing malicious software that could compromise your system. These tools provide real-time protection against a wide range of threats.
• Intrusion Detection and Prevention Systems (IDPS):
  These systems monitor network traffic for suspicious activity and block potential threats. They are crucial for identifying and responding to unauthorized attempts to access or manipulate your network.
• Security Information and Event Management (SIEM):
  SIEM systems provide real-time analysis of security alerts generated by applications and network hardware. They help in detecting, analyzing, and responding to security incidents and threats.
  
  Implementing these security measures can significantly enhance the protection of your online shop against a variety of cyber threats.

5. Review Payment Processing

Ensure that the payment processing in your shop complies with applicable security standards and is regularly monitored. The Payment Card Industry Data Security Standard (PCI DSS) typically sets the security standards for payment processing in your online shop. This standard was developed to protect sensitive credit card data and ensure that it is properly processed and stored. To ensure your payment processing meets the current security standards, you can take the following steps:

• Consult the official PCI DSS website:
  The official website of the PCI Security Standards Council provides comprehensive information about PCI DSS and the requirements for secure payment processing. Here, you can find detailed information about individual requirements and the corresponding controls.
• Contact your payment provider:
  Your payment provider should be able to provide information about the security standards applicable to the payment methods they support. They can also help you verify whether your payment processing meets these standards and whether adjustments are necessary.
• Hire a security service provider:
  You can also engage an external security service provider to conduct a comprehensive security audit of your payment processing and provide recommendations for improvements. These service providers often specialize in complying with security standards like PCI DSS and can offer valuable insights.
  

By following these steps, you can ensure that your payment processing is secure and compliant with the latest security standards, thus safeguarding your customers’ data and your business’s reputation.

6. Penetration Tests and Audits
Regularly conduct penetration tests and security audits to identify and address potential vulnerabilities in your shop. Penetration tests and security audits are essential tools for detecting security gaps and weaknesses in an online shop or other IT infrastructure. Here is an explanation of what they are and why they are important:

• Penetration Testing (also known as Ethical Hacking or Pen Tests):
  Penetration testing involves controlled attacks on a computer system or application conducted by authorized security experts. The goal of a penetration test is to assess a system’s security measures by applying various attack techniques that a potential attacker might use. This process reveals vulnerabilities and security flaws that could allow an attacker to penetrate the system or compromise sensitive data.
  
• Security Audits:
  Security audits are systematic reviews of a company’s security policies, procedures, and controls. They are performed to ensure that a company’s security measures are appropriately implemented and effective. Security audits can be conducted internally or externally and often involve a comprehensive review of security policies, access controls, network configurations, software patches, and more.
  

These practices are crucial for maintaining the integrity and security of your online operations, helping to protect both your business and your customers from potential cyber threats.

Our conclusion

The security of your online shop is not something to be taken lightly. With the increasing threat of cyberattacks, it’s essential to stay vigilant and proactive in safeguarding your business and your customers’ data. From implementing SSL certificates to regularly updating your e-commerce platform and using strong passwords, there are numerous steps you can take to enhance security. Additionally, measures such as installing firewalls, using reliable security software, reviewing payment processing standards, and conducting penetration tests and audits are crucial for identifying and addressing potential vulnerabilities. 

By taking these proactive steps and staying informed about the latest security practices, you can help ensure that your online shop remains secure and protected against cyber threats, providing peace of mind for both you and your customers. Remember, when it comes to online security, it’s always better to be proactive than reactive. For a comprehensive approach, consider companies like maxcluster, which offer robust solutions to address security issues efficiently. Security is a paramount focus for maxcluster, which interacts with over 1,500 customer online shops daily. They design and operate flexible, reliable, and high-performance Managed Web Clusters tailored for online shops with 24/7/365 support.

The post Security for online shops appeared first on Compliance Solutions for Websites, Apps and Organizations | iubenda.

So, what is the cost of cybercrime to your business? Is it something you need to lose sleep over? 

The answer is yes. Cyberattacks come at a huge price, both financial and reputational, and they can even put you out of business.

In this post, we’ll examine exactly how cyberattacks affect organizations, the true cost of cybercrime, and how you can avoid it.

Why is cybercrime a threat to businesses?

Cybercrime, data breaches and unsecure documents can pose a serious threat to businesses. Hackers who infiltrate your systems might steal money from the company. They might install ransomware, preventing you from accessing your own files and threatening to delete them unless you pay a ransom.

Cybercriminals could steal your intellectual property or financial records and make these available to your rivals. If confidential data about customers or employees is breached, your reputation will be damaged. You could face a hefty fine, plus the cost of compensating those affected.

Reputational damage leads to lost custom and a drop in revenue. On top of that, you’ll have to pay for system repairs or data recovery and invest in additional security measures. Your business insurance premiums may skyrocket after an attack.

But how much does a cyberattack cost an organization in dollars? The average cost of a data breach has risen to $4.45 million, and the estimated cost of cybercrime worldwide is expected to reach $13.82 trillion in 2028.

While you may think large organizations are most at risk from cybercrime, smaller businesses are often more vulnerable too as they may not have invested in robust protection, making them an easy target for hackers. The cost of cybercrime to businesses

Let’s take a closer look at the effects of cybercrime. 

Malware and network outages reduce employee productivity

If malware infiltrates your system or a network outage is caused, it will massively disrupt your operations. Should employees be unable to use essential applications, access important documents, or communicate with customers, their productivity will be severely impacted.

In the worst-case scenario, you’ll be paying staff to sit around while waiting for systems to be restored—you might even have to close the business briefly. Meanwhile, you’re missing out on potential sales.

Free-to-use image sourced from Unsplash

Cyberattacks can damage a company’s reputation

As we mentioned, cybercriminals often gain access to sensitive customer data—including names, addresses, and payment card details—and use it for nefarious purposes. Your clients could become understandably upset if their data is compromised, especially if it leads to financial losses or identity theft.

Even if personal data isn’t affected, a breach will change existing and potential customers’ opinions of your brand. If you can’t keep your business safe, why should they trust you with their money or information? You may also have to hike your prices to recoup costs.

Lax cybersecurity may lead to employee turnover

Employee records and payment information are also vulnerable. In the event of a data breach, HR records can be compromised, exposing sensitive employee data. Such breaches may lead to a loss of trust among current employees, potentially causing them to leave. Additionally, potential applicants might be deterred from applying.

It’s important to ensure the security of systems, like HR software, and maintain staff confidence in their privacy. It’s also crucial to train staff in cybersecurity so that they become confident in using your systems safely—for everyone’s peace of mind.

Customer notification costs after data breaches

If the worst does happen and customer data is compromised, you need to send a data breach notification to the affected parties as quickly as possible. Don’t delay or attempt to cover up the breach—many countries (including the European Union and all 50 US states) have strict laws governing customer notification.

Customer notification costs are one of the hidden costs of cybercrime. Addressing each impacted customer demands considerable time and effort, particularly as they often seek detailed information. Additionally, once the breach becomes public, it may damage the company’s reputation.

Substantial fines for data protection law violations

Most countries now have laws and regulations around data protection, such as GDPR and CPRA, and industry-specific standards, such as HIPAA for healthcare and GLBA for financial institutions. These hold organizations accountable for the protection of customer data. Penalties for non-compliance range from civil penalties to criminal prosecution.

In many cases, the fine will depend on the damage caused by a data breach. In 2021, Amazon fell foul of GDPR law and received a €746 million ($877 million) fine from officials in Luxembourg.

Free-to-use image sourced from Pixabay

Possible litigation costs for victims seeking redress

If their personal data has been stolen, customers may take legal action against your company. You could end up facing multiple lawsuits and have to pay attorney fees as well as compensation. And the cost can be eye-watering.

In 2021, T-Mobile faced a class action lawsuit following a data breach that affected around 77 million people. The business was told to pay a total of $350 million to fund claims, legal fees, and costs. The same year, Capital One agreed to pay $190 million to settle a class-action lawsuit over a data breach affecting 100 million people.

How to avoid cybercrime attacks

Here are some tips for preventing or at least lessening the impact of cybercrime.

Secure networks and devices by keeping software up to date

Any internet-connected network or device is at risk of cybercrime, while hackers often exploit vulnerabilities in older software. It’s vital to run the latest versions of systems and software, as the vendors will have installed security updates and patches.

A penetration test can reveal potential vulnerabilities in your system that could put you at risk. You also need to make sure you have adequate firewalls and technology to hide and secure your Wi-Fi networks. A secure VPN (virtual private network) offers further protection. 

Train employees on cybersecurity best practices

Human error often plays a part in cybercrime, so train all your employees to be cyber-safe and to recognize the signs of a potential attack. For example:

• not reusing or sharing passwords;
• not clicking on suspect emails;
• not using unsecured Wi-Fi networks in public places; and 
• reporting any unusual activity.

It’s important that training is ongoing to reflect new software or systems and the latest cyber threats. Support teams should know how to help customers stay safe and how to respond to a breach. Let your staff know that security is everyone’s responsibility.

Free-to-use image sourced from Pixabay

Write a cybersecurity policy for your business

To help employees stay safe, create a cybersecurity policy for your business and review it regularly as new threats emerge. This is a set of procedures, rules, and best practices and should cover potential risks, legal requirements, and consequences for non-compliance. Make the policy accessible to all employees and to the public—this demonstrates your commitment to data protection.

You should allocate part of your budget to training, upgrading any systems, and creating a robust cybersecurity policy. The long-term savings will far outweigh the initial cost. You can use expense management software to allocate and track this spending. Expense management software will also help you track and categorize expenses related to a cyber incident, allowing for a clear understanding of the financial impact.

Backup data regularly to recover from cyberattacks or data loss

Your business can’t function without essential data, so make sure it’s backed up regularly and that it can be restored. This means you can recover quickly in the event of an attack, and you’re less likely to be blackmailed with ransomware. Most cloud storage solutions provide automatic backups.

You should identify your essential data for priority backup and consider storing the backups in a separate location—such as tThe cCloud. This not only protects you against cybercrime but against data loss from natural disasters or human error.

Develop a cyber attack response plan

Sadly, the odds of suffering a cyberattack are high— that’s why it’s always best to have a response plan in place. This should clearly outline what you’ll do in the event of a breach, including how to contain it, who to report it to, and how you’ll contact customers and stakeholders.

It’s worth developing a version of the plan for each department and leaving some wriggle room in your budget to cover at least some of the costs if the worst happens.

Protect your business with preventative measures

The cost of cybercrime is high: financial consequences can include stolen money, loss of revenue, fines for breaching regulations, and even lawsuits against your company. It takes time and money to get your business back on track, from recovering data to recovering your reputation.

Taking preventative action is the best way to avoid attacks and minimize damage if they do occur. For example, backup your data, train your employees, and make sure you can remotely lock or wipe company devices if they’re lost or stolen.

Cyber threats are constantly evolving, so make sure you review your security policy regularly, always keep software updated, and be aware of the latest risks.

The post The Cost of Cybercrime to Businesses (And How to Avoid It) appeared first on Compliance Solutions for Websites, Apps and Organizations | iubenda.

Key Concerns

Three primary areas are being examined by the investigation:

1. Risk Assessment and Mitigation: The Commission is interested in learning if Meta is evaluating and mitigating risks resulting from Facebook and Instagram’s design in accordance with DSA regulations. These designs could exploit the inexperience of youngsters, encouraging “rabbit-hole” consequences or addictive behavior. In order to respect children’s rights and safeguard their physical and emotional well-being, this action is essential.
2. Age-Verification Tools: They are examining the effectiveness, fairness, and balance of Meta’s age-verification tools. These resources are essential for shielding children from objectionable material.
3. 3. Measures for Privacy and Security: The Commission is also evaluating whether Meta satisfies DSA requirements for protecting the safety, security, and privacy of minors. Examining the default privacy settings and the operation of recommendation systems are part of this.

Potential Rule Breaches

If the concerns are confirmed, Meta might be found violating several DSA articles:

• Article 28: Online protection of minors
• Article 34: Risk assessment
• Article 35: Mitigation of risks

Next Steps

The European Commission will now conduct a thorough inquiry with an emphasis on obtaining proof. This could entail conducting interviews, making more information requests, or performing inspections.

As the investigation progresses and the Commission works to guarantee that minors are protected in the digital world, stay tuned for future developments.

For more detailed information, you can read the official press release here.

The post European Commission Probes Meta for Potential Digital Services Act Violations appeared first on Compliance Solutions for Websites, Apps and Organizations | iubenda.

IAB Reacts:

IAB Europe has expressed significant objections.

They believe that rather than reducing legal uncertainties, this verdict may potentially make them more so, which would have an impact on a greater percentage of the digital economy in addition to major platforms. People may find it more challenging to access a variety of free internet resources and information as a result.

Significant portions of the EDPB report are devoted to what IAB Europe views as excessively “abstract assumptions” on personalised advertising. It presents this advertising approach as essentially at odds with the fairness and data minimization requirements of the GDPR.

The criticism centres on the idea that the “consent or pay” paradigm turns data protection rights into a luxury that is exclusively accessible to the wealthy.

IAB Europe considers that this interpretation misrepresents the fundamental principles of GDPR, which tightly controls data processing to safeguard user privacy regardless of the nature of the underlying economic transactions.

The Third Option

In order to gain valid consent, the EDPB has suggested a third option: providing services free of behavioural advertising.

IAB Europe emphasises that the GDPR, which attempts to strike a balance between data protection rights and the freedom to conduct business, does not support requiring companies to operate at a loss.

Up next:

In order to guarantee that any future guidelines on the “Consent or Pay” model are produced with a thorough knowledge of all stakeholders’ concerns and the commercial realities they confront, IAB Europe is pushing for a public consultation.

As time goes on, it will become increasingly evident that a balanced strategy is required to protect both the right to privacy of individuals and the capacity of businesses to survive and thrive.

The post IABs take on EDPB’s Opinion on “Consent or Pay” Models appeared first on Compliance Solutions for Websites, Apps and Organizations | iubenda.

A Four-Step Method for Protecting Data

Each of the four primary pillars of the plan addresses a crucial aspect of data protection:

1. Improving Harmonization and Encouraging Compliance: This pillar seeks to harmonize data security procedures within the European Union, facilitating regulatory compliance for organizations.
2. Strengthening the Implementation of Data Protection regulations and Promoting Effective Cooperation among EU Member States: Here, the emphasis is on bolstering the enforcement of data protection regulations.
3. Protecting Data Protection in the Developing Digital and Cross-Regulatory Environment: This pillar addresses the difficulties brought up by emerging technologies and the points where multiple regulatory frameworks converge.
4. Contributing to the Global Data Protection Dialogue: Through international collaboration and discourse, the EDPB hopes to have an impact on global data protection standards and practices.

A Revisited Perspective

The new plan, as stressed by EDPB Chair Anu Talus, intends to realign the organization’s vision to better address present and future data protection requirements in a changing digital environment. The plan, which establishes a single course for the near future, is the result of collaboration between all EU data protection authorities (DPAs).

Looking ahead

Over the next four years, the EDPB will focus on developing practical, understandable guidelines to encourage adherence to data protection rules. It will also produce materials aimed at a broader audience to improve awareness of these matters. The board will build on the fundamental Vienna Statement and pursue initiatives like coordinated enforcement operations while maintaining enforcement cooperation as a top priority.

The strategy’s interplay with newly emerging digital regulations, like the Digital Services Act (DSA) and the Digital Markets Act (DMA), which have consequences for privacy and data protection, is a major new focus. In order to more fully incorporate data protection into the overall regulatory architecture, the EDPB seeks to strengthen partnerships with other regulatory bodies.

In order to safeguard privacy rights despite swift technological advancement, the EDPB’s strategic plan offers a strong data protection strategy that is capable of navigating the intricacies of the digital age.

The post The EDPB’s Strategic Vision for Data Protection 2024-2027 appeared first on Compliance Solutions for Websites, Apps and Organizations | iubenda.

Online booking systems, used widely across sectors such as beauty and wellness, sports and fitness, healthcare, and events management, are particularly sensitive due to the vast amounts of personal data they collect and process. From names and contact details to payment information and personal preferences, each data point collected is subject to GDPR’s stringent regulations. The challenge for businesses is twofold: ensuring full compliance to avoid hefty fines and, equally importantly, fostering an environment where users feel confident their data is handled securely and respectfully.

This article aims to clarify GDPR compliance for online booking platforms, outlining best practices that ensure both privacy and security. Whether you’re a small business owner, a freelancer managing your appointments, or part of a larger enterprise, the insights provided here will guide you towards not only meeting legal obligations but also enhancing your service through firm data protection measures. Let’s look into the essentials of GDPR compliance, offering practical advice and actionable tips to secure your booking systems against breaches and build a stronger, trust-based relationship with your users.

Understanding GDPR in the Context of Online Booking

The General Data Protection Regulation (GDPR), implemented on May 25, 2018, fundamentally altered how personal data is handled across all sectors. For online booking platforms, which rely heavily on the collection, processing, and storage of personal information, comprehending and adhering to GDPR principles is non-negotiable. At its core, GDPR demands the safeguarding of personal data and the preservation of individuals’ rights regarding their information.

Grasping how GDPR applies to a business or organization is a critical initial step, important for ensuring transparency and accountability towards users. Utilizing online booking software for your services involves various activities that fall under GDPR’s broad definition of “processing,” which includes collecting, recording, storing, using, and disclosing data by transmission, among other actions.

Such activities must be grounded on lawful bases as outlined in GDPR, which include consent, contractual obligations, legal obligations, vital interests, public interests, and legitimate interests. This foundational understanding ensures that the operations not only comply with the regulation but also respect the privacy and rights of individuals.

In addition to adhering to the lawful grounds for data processing, integrating key GDPR practices into business operations becomes essential. Data must be processed lawfully and transparently. After fulfilling the purpose for processing, the data should be deleted, highlighting the principle of data minimization. Moreover, it’s critical to ensure data accuracy, protect it against unauthorized access, and empower individuals to exercise their rights over their data.

Equally important, and in alignment with the feedback, is the incorporation of GDPR’s core principles into the very fabric of your business decisions and overall approach. These principles include data minimization, purpose limitation, storage limitation, accuracy, integrity, and confidentiality (security). By embedding these principles at the center of your operations, you establish a strong framework for GDPR compliance, ensuring that your online booking platform not only meets legal requirements but also ensures the privacy and security of user data.

The Significance of GDPR Compliance

Compliance with GDPR is not merely about avoiding penalties, which can reach up to €20 million or 4% of the annual global turnover, whichever is higher. Beyond these financial risks, non-compliance can damage a brand’s reputation, trustworthiness, and customer loyalty. In contrast, businesses that demonstrate a commitment to data protection can enhance their market position, building stronger relationships with customers who value privacy and security.

A GDPR-compliant online booking platform reassures users that their data is handled with the utmost care, leading to increased customer confidence and potentially, a competitive advantage. Moreover, compliance encourages businesses to adopt best practices in data management and cybersecurity, leading to operational improvements and efficiencies.

Best Practices for GDPR Compliance

1. Data Minimisation and Purpose Limitation

Only collect data that is strictly necessary for the booking process, and be clear about why you’re collecting it. This approach not only aligns with GDPR’s principle of data minimization but also simplifies data management and security.

2. Securing Data Transfers and Storage

Use encryption and secure connections (such as SSL/TLS) for transmitting personal data. Ensure that stored data is protected against breaches with robust cybersecurity measures, including regular security audits and access controls.

3. User Consent and Transparency

Obtain explicit consent from users before collecting their data, clearly explaining how it will be used. Provide easily accessible privacy policies that detail data handling practices, and ensure users can easily withdraw consent if they choose.

4. Data Subject Rights

Facilitate users’ rights to access, correct, delete, or port their data. Implementing straightforward mechanisms for users to exercise these rights not only complies with GDPR but also empowers users and builds trust.

5. Regular Compliance Audits

Regularly review and update data protection practices to ensure ongoing compliance with GDPR. This includes conducting impact assessments for new technologies or processes that handle personal data.

GDPR-Compliant Booking Solutions: Identifying the Ideal Platform

Selecting a GDPR-compliant booking platform is a crucial decision for businesses that aim to ensure data privacy and security. A suitable solution not only mitigates legal risks but also plays a critical role in enhancing user trust. Here are the key features that define a GDPR-compliant booking solution, ending with an excellent example of one such platform:

Key Features of a Compliant Platform

• Comprehensive Data Protection: The ideal platform employs end-to-end encryption, secure data storage, and regular security assessments to safeguard user data against breaches.
• Transparent Data Processing: It should offer clear, accessible privacy policies and consent forms, making it easy for users to understand and manage their data preferences.
• User Rights Support: A compliant platform provides mechanisms for users to access, rectify, or delete their personal information, in line with GDPR’s emphasis on individual rights.
• Ongoing Compliance Efforts: True compliance is an ongoing process, necessitating regular updates and audits to align with evolving legal and technological landscapes.

SimplyBook.me’s Commitment to GDPR-Compliant Booking

Within the domain of GDPR-compliant booking solutions, SimplyBook.me stands out as a prime example of best practices and user-centric design. It covers all the essential features listed above, setting a high standard for data privacy and security. SimplyBook.me goes beyond simple compliance, embedding privacy by design into the fabric of its operations. Its transparent handling of user data, combined with vigorous security measures and an intense commitment to user rights, demonstrates what businesses should seek in a GDPR-compliant booking platform. SimplyBook.me’s approach not only adheres to regulatory requirements but also heightens the user experience, fostering trust and loyalty among its clientele.

Implementing GDPR-Friendly Features in Booking Systems

Incorporating privacy by design into the development and operation of online booking platforms is essential. This approach ensures that privacy is considered at every stage of product development, making features such as clear consent forms, data minimization strategies, and secure data processing foundational elements rather than afterthoughts. From the initial design phase, these platforms must prioritize the security and privacy of user data, employing encryption, secure access protocols, and regular security audits to safeguard information against unauthorized access or breaches.

Moreover, empowering users with dashboard controls to manage their data and preferences is a crucial step toward enhancing transparency and user control. This not only aligns with GDPR’s requirements but also fosters a relationship of trust between the service provider and the user. Such dashboards should be intuitive, providing users with clear options to view, modify, or delete their personal information, and to manage how it’s used. By allowing users to easily control their privacy settings and understand how their data is processed, online booking platforms can demonstrate their commitment to data protection and user autonomy.

Implementing these practices requires a united effort from the initial design phase through to the daily operations of the platform. It involves continuous monitoring and updating of privacy practices to address emerging security threats and changes in regulatory requirements. Ultimately, integrating privacy by design not only ensures compliance with stringent data protection laws like GDPR but also positions a platform as a trustworthy and user-friendly service in the competitive online booking industry.

Conclusion

Adhering to GDPR is imperative for online booking platforms, not just to avoid legal repercussions but to foster a trusted environment for users. By implementing the best practices outlined above, businesses can ensure compliance, enhance data security, and build a competitive edge through demonstrated commitment to user privacy. As we move forward in an increasingly data-driven world, embracing these principles is not just beneficial but essential for long-term success and customer loyalty.

This is provided for informational purposes only and does not constitute legal advice. You should seek appropriate legal advice and assistance to ensure compliance with the GDPR or other privacy laws for your business operations.

The post GDPR Compliance in Online Booking: Best Practices for Enhanced Privacy and Security appeared first on Compliance Solutions for Websites, Apps and Organizations | iubenda.

There was a clear majority in favour of the plan, with 329 MEPs voting in favour, 213 voting against, and 79 abstaining. This resounding show of support demonstrates a strong commitment to bolstering the enforcement mechanisms of the GDPRᅳregulations that, since their inception, have established a global standard for data protection.

A notable aspect of these recently enacted policies is the enhanced collaboration between national data protection authorities (DPAs). This attempts to remove the bureaucratic roadblocks that have previously prevented enforcement by streamlining the frequently intricate and slow process of cross-border inquiries and dispute settlements.

The revisions appear to be fairly promising in terms of transparency and justice for complainants. They promise that everyone will receive the same treatment and have the right to a hearing before any unfavourable decisions are made, regardless of where they register a complaint. With the exception of some internal conversations, the procedure will also be more open and knowledgeable, and all participants will have access to a joint case file.

A further crucial step forward is to set certain timeframes for procedures. The European Parliament has now established a two-week complaint acknowledgment window and a three-week lead authority determination period for cross-border issues. In addition, a nine-month deadline for providing draft decisions has been established, which will greatly accelerate the enforcement procedure.

Any settlement requires the express consent of all parties, guaranteeing that any agreement is acceptable to all sides. Crucially, these settlements do not preclude DPAs from starting independent investigations, preserving the delicate equilibrium between negotiated outcomes and regulatory supervision.

The updated rules also uphold parties’ rights to legal recourse in the event that they are unhappy with DPAs’ performance—or lack thereof—or with the delays in case resolution. This focus on efficient remedies is essential for upholding accountability and guaranteeing that complaints are handled promptly and equitably.

After the European elections in June, the newly elected Parliament will soon take over responsibility for these regulations while they continue to be refined and negotiated in the committee. This change demonstrates the EU’s continued dedication to upholding strict data privacy regulations.

MEP Sergey Lagodinsky effectively encapsulated the situation when he stated that this legislative amendment reinforces the EU’s core right to data privacy while simultaneously making the legal environment more understandable for both individuals and corporations. This resolute move by the Parliament represents a significant advancement in the GDPR’s development and may have an impact on international norms governing the enforcement of data protection.

The post European Parliament Strengthens GDPR Enforcement appeared first on Compliance Solutions for Websites, Apps and Organizations | iubenda.

For businesses that are already navigating the compliance landscape of other non-California privacy laws, the KCDPA does not heap on significant additional requirements. This new law is scheduled to become active starting January 1, 2026.

Scope and Application

The KCDPA casts a net over entities that engage in business within Kentucky or that target Kentucky residents with their products or services. A business falls under the purview of this law if it either handles the personal data of more than 100,000 consumers or manages the data of at least 25,000 consumers while deriving over half of its gross revenue from selling that data. These thresholds mirror those found in privacy legislation in several other states including Indiana, Iowa, Utah, and Virginia. It is noteworthy that the KCDPA excludes individuals acting in a commercial or employment context from its ambit.

Exemptions Worth Noting

In line with other state laws, the KCDPA includes exemptions for certain entities and data types. These exemptions encompass entities covered by HIPAA, non-profit organizations, educational institutions, and financial and data institutions that fall under the Gramm-Leach-Bliley Act. Additionally, data governed by the Fair Credit Reporting Act and certain types of non-profit activities, such as those aimed at combating insurance fraud or aiding first responders during catastrophic events, are also exempt.

One unique feature of the Kentucky law is its treatment of non-profit organizations, which specifically excludes political organizations from the exemption—a notable deviation from Virginia’s approach.

Definitional Clarity

The definition of “biometric data” under the KCDPA is notably consumer-centric, excluding general photographs, video, or audio recordings unless they are processed specifically to identify an individual. This definition also carves out exceptions for data collected, used, or stored for health care treatment, payment, or operations under HIPAA.

Regarding the “sale” of personal data, the KCDPA adopts a business-friendly stance by limiting the definition to the exchange of personal data for monetary compensation, thus excluding transactions involving other forms of consideration.

Enforcement and Compliance

The Kentucky Attorney General’s office is tasked with enforcing the KCDPA. There is no provision for private rights of action; however, businesses found in violation have a 30-day window to rectify the issue before facing a potential fine of $7,500 per incident.

Key Dates

• January 1, 2026: The law takes effect.
• June 1, 2026: Data protection assessment requirements kick in for processing activities that commence on or after this date.

Governor Beshear’s enactment of the KCDPA marks a critical moment for privacy regulation in Kentucky, reflecting a broader movement towards heightened consumer data protection across the United States. This legislation not only aligns Kentucky with national trends but also provides both businesses and consumers with clearer rules of engagement in the digital age.

The post Kentucky: The New Consumer Data Protection Act Sets a New Standard for Privacy Legislation appeared first on Compliance Solutions for Websites, Apps and Organizations | iubenda.

ICO Expands Global Reach in Data Protection with Global CAPE Membership

The Information Commissioner’s Office (ICO), the UK’s guardian of data privacy, has taken a significant step in international collaboration by joining the Global Cooperation Arrangement for Privacy Enforcement (Global CAPE). This development marks a crucial milestone in the ICO’s efforts to strengthen global data protection and privacy enforcement.

The ICO’s partnership with Global CAPE is set to streamline international cooperation in the realm of data privacy. Traditionally, cross-border collaborations on data protection required establishing individual agreements with each country. However, with the new membership, the ICO can now engage more efficiently in investigative and information-sharing activities with fellow member countries.

A Unified Front in Data Privacy

Global CAPE membership encompasses a broad spectrum of nations, including the United States, Australia, Canada, Mexico, Japan, South Korea, the Philippines, Singapore, and Chinese Taipei. This diverse alliance underscores the universal importance of data protection and the collective effort to safeguard personal information across borders.

UK Information Commissioner John Edwards highlighted the significance of this union, stating that the ICO’s involvement with Global CAPE strengthens its international ties, facilitating a cooperative approach to addressing global data privacy challenges. This is especially pertinent as personal data increasingly transcends national boundaries, necessitating robust, collaborative solutions to protect privacy on a global scale.

Global CAPE and APEC CBPR: Complementary Forces

Global CAPE is not an isolated initiative but rather complements the Asian Pacific Economic Cooperation Cross-border Privacy Rules (APEC CBPR) system. While APEC CBPR fosters cooperation and assistance in privacy and data security investigations within the Asia Pacific region, Global CAPE extends this collaborative spirit to countries outside this geographic area.

This expanded network through Global CAPE signifies a more inclusive and comprehensive approach to international data protection, enhancing the capabilities of its members, including the ICO, to tackle privacy issues that transcend geographical boundaries.

In summary, the ICO’s membership in Global CAPE represents a strategic move towards global collaboration in data privacy and protection. It underscores a shared commitment to developing and implementing effective privacy safeguards that cater to the interconnected nature of today’s digital world.

The post ICO Expands Global Reach in Data Protection with Global CAPE Membership appeared first on Compliance Solutions for Websites, Apps and Organizations | iubenda.

• Default Privacy and Geolocation Settings: To mitigate risks, children’s profiles should automatically be set to private, and geolocation services turned off. This approach aims to shield children from potential dangers, including misuse of their location data.
• Advertising and Profiling: There is a call to minimize the profiling of children for targeted advertising. This practice often leads to unauthorized data collection and can manipulate children’s online experiences, sometimes even encouraging unintended financial expenditures.
• Recommender Systems: There is a concern about how personal information, like search history and behavioral profiles, is used in creating content feeds. These systems can inadvertently lead to exposure to harmful content and may contribute to excessive screen time.
• Protecting Young Users: Special attention is given to children under 13, who legally cannot consent to their data being used. Online services need to ensure proper consent mechanisms, often requiring parental involvement, and implement age verification processes.

Further, the ICO plans to collaborate with other UK and international regulators, aiming to elevate global data protection standards. Edwards highlights the necessity of global cooperation to prevent online harms to children, as he engages with international stakeholders at the IAPP Global Privacy Summit 2024 and meetings with tech giants.

The ICO’s focused approach, as articulated by John Edwards, underscores a robust strategy to integrate children’s privacy into the digital framework, ensuring a safer online environment for the younger generation.

The post ICO Unveils New Strategies to Enhance Online Privacy for Children appeared first on Compliance Solutions for Websites, Apps and Organizations | iubenda.

The story took a significant turn this Tuesday when the D.C. Circuit Court of Appeals issued an order that was less than favorable for Meta. The court rejected Meta’s request to put a pause on an FTC administrative hearing that could lead to the imposition of stricter regulations on how the company uses data from users under 18. This hearing is part of a broader effort to modify the terms of a 2020 settlement between Meta and the FTC, a settlement that came in the wake of the Cambridge Analytica scandal and other data privacy concerns.

Meta’s pushback against the FTC’s move was grounded in the argument that the proposed in-house hearing would cause the company irreparable harm. However, the appellate court was unconvinced, stating that Meta had not met the stringent standards required for an injunction. The judges highlighted that any outcomes from the FTC proceedings could be appealed in a federal court, underscoring that the “expense and annoyance of litigation” did not amount to irreparable injury.

This legal skirmish is not just about the procedural nuances of federal regulatory actions; it’s about the evolving landscape of digital privacy, especially concerning younger users. In a 2020 agreement, hammered out after allegations that Meta allowed undue access to users’ data by entities like Cambridge Analytica, the company had committed to paying $5 billion, enhancing its privacy oversight, and securing an independent assessment of its privacy practices.

But in light of alleged “gaps and weaknesses” in its privacy program, the FTC last May proposed adding new terms to this settlement, specifically to prevent Meta from using minors’ data for ad targeting and to impose stricter conditions on launching new products or services.

Meta sued the FTC by claiming that only the judge who allowed the settlement to take place could rule on its changes—an argument that was dismissed by both the judge and, currently, the appeals’ board.

However, the Meta’s official spokesperson has contradicted this by saying that the company intends to continue its fight against the so called “FTC’s baseless and unlawful action”. Meta argues that the allegations that the company’s privacy program is nonexistent are unsubstantiated and that Meta will invest in privacy protections.

What happens between the Meta and the FTC is more than a legal battle; it’s a reflection of the broader societal challenges concerning privacy in the digital era, respectful data usage, and supporting the weak users against possible exploitations. With the unfolding of the case we will be able to tell whether it will set a new trend in the discourse around digital rights and responsibilities, mostly in the way of protecting young people’s privacy on-line.

The post The Battle Over Teens’ Privacy Between Meta and the FTC appeared first on Compliance Solutions for Websites, Apps and Organizations | iubenda.

The Commission has issued formal requests for information to eight of the largest digital platforms and search engines, including Bing and Google Search. They all full under the classification of Very Large Online Search Engines (VLOSEs), and Facebook, Instagram, Snapchat, TikTok, YouTube, and X (under the classification of Very Large Online Platforms, or VLOPs). This gesture demonstrates the EU’s ambition to be responsive to the changing AI field, especially the growing dominance of AI generative technologies.

The Commission’s concerns are related to the potential of generative AI turning into negative force that can harm society. The Commission intends to require specific information from these platforms and search engines concerning the strategies used to prevent the risks such as AI generated hallucinations, spread of the deepfakes virus and manipulation of AI services that can mislead voters. These risks concern particular areas, and those areas are the integrity the electoral processes, the dissemination of illegal content, the protection of fundamental rights, gender-based violence, the well-being of minors, mental health, data privacy, consumer protection, and intellectual property rights.

The request for information covers both the dissemination and creation of content by generative AI technologies, pointing to the broad scope of the Commission’s concerns. The informed companies have to correspond to all requests on electoral protection by April 5, 2024, the deadline for all the other inquiries is April 26, 2024.

With this action by the Commission, there is no anticipation of front-loading of further regulatory or enforcement matters but acts as a preliminary measure. However, the feedback of the respondents is of the utmost importance in devising the next moves of the Commission. The Commission is also included by Article 74 (2) of the DSA to fine data controllers over misrepresentation, lack of information, or incorrect details they give to the Commission. Similarly, the non-compliance with the required performance targets within the set deadlines could lead to the imposition of periodic penalty payments.


The topic of generative AI and its possible risks has also been mentioned in the Commission’s draft guidelines on the integrity of electoral processes. The guidelines aim at assisting VLOPs and VLOSEs in acquiring the best practices and examples of mitigation measures to deal with election-related risks, including the ones involving the generative AI technologies.

This move by the European Commission demonstrates that it is a growing global realization that AI requires regulation and monitoring during its development and usage. This will guarantee that the Commission deals with a key issue that can give rise to public opinion and may spread misinformation and influence the democratic process. The responses of these platforms and search engines would serve as the indicators of how generative AI risks could be managed and whether additional actions are needed to create a safe, fair, and transparent atmosphere for all users.

The post EU Commission Probes Major Tech Giants on Generative AI Risks Under Digital Services Act appeared first on Compliance Solutions for Websites, Apps and Organizations | iubenda.

Embracing Change with Microsoft Advertising

As the digital landscape evolves, Microsoft Advertising is leading the charge towards a more privacy-centric approach to advertising. Recognizing the importance of user privacy and the need for sustainable advertising practices, we are actively engaging in industry efforts to maintain the balance between privacy and digital advertising efficacy. This includes our early adoption of and support for the Privacy Sandbox APIs introduced by Google Chrome, aimed at enhancing web privacy while keeping digital advertising viable.

The Privacy Sandbox Initiative

The Privacy Sandbox represents a crucial step towards a more private web, though its acceptance and effectiveness across the ad tech industry are still under scrutiny. Despite the challenges, Microsoft Advertising is committed to integrating these new standards, minimizing disruption for our partners, and contributing to a privacy-aware advertising ecosystem.

The Microsoft Edge Ad Selection API: Balancing Privacy and Performance

A standout innovation in our privacy-first advertising arsenal is the Ad Selection API in Microsoft Edge. This tool is designed to deliver relevant advertising without relying on third-party cookies, striking a delicate balance between respecting user privacy and maintaining advertising effectiveness.

Advantages of the Ad Selection API:

• Privacy-Centric Design: The API is built on privacy-first principles such as K-anonymity and differential privacy, ensuring user data is protected and privacy is maintained.
• Efficient and Secure Processing: By utilizing Trusted Execution Environments (TEEs), the Ad Selection API offers a secure and efficient method for data processing, reducing latency and simplifying the transition to new advertising paradigms for ad tech companies.
• Fostering Industry Collaboration: Our commitment to an open and collaborative approach is evident in our efforts to refine the Ad Selection API through partnerships with industry bodies like the IAB Tech Lab and Prebid, aiming to strengthen the digital advertising ecosystem.

Looking Forward: Microsoft Advertising’s Vision

Microsoft’s mission to empower every individual and organization to achieve more extends to our efforts in digital advertising. We are steadfast in our dedication to user privacy and are working tirelessly to develop solutions that redefine targeted advertising in a world moving away from traditional tracking mechanisms. By collaborating with the industry, we aim to innovate in the realms of user privacy and digital advertising, setting new standards for the future.

The post Microsoft: Privacy-Focused Digital Advertising appeared first on Compliance Solutions for Websites, Apps and Organizations | iubenda.

The right of access is pivotal within data protection legislation. It allows individuals to verify the accuracy and legality of how their personal data is processed, potentially enabling the exercise of other data protection rights, such as rectification and erasure. The importance of this right cannot be overstated, as it lies at the heart of data protection, reflecting its frequent exercise and the numerous complaints DPAs receive about its implementation.

Recognizing its critical role, the EDPB chose the right of access for its third Coordinated Enforcement Framework (CEF) action during its October 2023 plenary. This decision underscores the Board’s commitment to ensuring that individuals can effectively exercise their data protection rights.

In preparation for this initiative, the EDPB adopted Guidelines on data subject rights – Right of access in 2023. These guidelines are designed to help organizations comply with the GDPR’s requirements when responding to data access requests from individuals. They also aim to ensure that requests for access to personal data are handled appropriately, respecting the individual’s rights and the organization’s legal obligations.

The enforcement of the right of access will be carried out through a multi-faceted approach:

• Distributing questionnaires to organizations for fact-finding purposes or to determine the need for a formal investigation.
• Initiating formal investigations where necessary.
• Following up on ongoing formal investigations.

The data that is collected from those actions will lead to determining the supervision and enforcement strategies of DPAs. Such joint work is expected to provide a comprehensive overview of the extent of compliance of the right of access, which will be beneficial for the targeted interventions at the EU level. As its complementary action, the EDPB is going to make up a study that will outline the final results of this coordinated approach, demonstrating its high efficiency.

The post The European Data Protection Board’s 2024 Initiative appeared first on Compliance Solutions for Websites, Apps and Organizations | iubenda.

Key Focus Areas of the Investigation

The EU’s inquiry into TikTok centers on several critical issues:

• Mitigating Systemic Risks: The investigation will examine if TikTok has taken necessary steps to lessen systemic risks posed by its algorithmic systems. These include concerns over fostering behavioral addictions and leading users down “rabbit holes,” where they lose sense of time and neglect other responsibilities.
• Protection of Minors: A significant part of the probe is dedicated to evaluating the measures TikTok has implemented to guarantee minors’ privacy, safety, and security. This includes scrutinizing the default privacy settings provided for young users.
• Advertising Transparency: The European Commission is assessing TikTok’s efforts to maintain a transparent and accessible repository for its advertisements.
• Platform Transparency: The overall transparency of TikTok’s platform is under review, including how it manages and discloses information to its users.

TikTok had previously submitted a risk assessment analysis to the European Commission in September 2023, which led to further queries from the Commission regarding illegal content, the protection of minors, and data access issues in the following months.

Understanding the Digital Services Act (DSA)

The DSA, which came into effect on October 27, 2022, represents the EU’s ambition to regulate online platforms, aiming to create a safer digital environment. The act mandates online platforms to address illegal content, uphold users’ fundamental rights, and prevent the spread of misinformation. Non-compliance could result in fines up to 6% of a company’s global turnover.

Under the DSA, platforms are categorized based on their size and impact, with specific compliance deadlines set for each category. TikTok, having declared 135.9 million monthly active users in the EU as of April 25, 2023, falls into the category of Very Large Online Platforms (VLOPs), which had to comply with the DSA by August 31, 2023.

What’s Next for TikTok?

The formal proceedings against TikTok will be managed by Digital Services Coordinators or other competent authorities within EU Member States. This process enables the European Commission to potentially enforce interim measures or make non-compliance decisions. Although there is no set deadline for concluding these proceedings under the DSA, the Commission has the authority to extend the investigation as needed, including conducting interviews, inspections, or sending additional requests for information.

This investigation into TikTok follows a previous probe under the DSA into the social media company X, highlighting the EU’s commitment to enforcing its digital regulations rigorously. As the proceedings unfold, TikTok may need to make commitments to demonstrate its compliance with the DSA, showcasing the EU’s proactive stance in ensuring a safer and more transparent online environment for its citizens.

The post The EU’s New Inquiry into TikTok: Child Safety, Privacy, and Advertising Under Scrutiny appeared first on Compliance Solutions for Websites, Apps and Organizations | iubenda.

The Role of the European AI Office

The European AI Office is at the forefront of the EU’s efforts to navigate the complex landscape of AI, ensuring that it is developed and used in a manner that is safe, ethical, and respects fundamental rights.

With the ambitious goal of establishing a unified European AI governance system, the office supports the implementation of the AI Act, a groundbreaking legal framework designed to safeguard individuals’ health, safety, and rights while providing legal certainty for businesses across the 27 Member States.

Key Responsibilities

• Implementing the AI Act: The AI Office assists governance bodies of Member States with rulemaking for general-purpose AI models and a consistent AI Act implementation across EU.
• Promoting Trustworthy AI: This office leverages its close cooperation with a broad spectrum of stakeholders, including scientists, business representatives, civil society and open source developers to promote the development of AI that is both innovative and trustworthy at the same time.
• Fostering International Cooperation: The EU’s office will be pivotal in this regard, helping to build a strong EU voice in AI policy globally by developing a coherent and efficient international AI governance regime.

Tasks and Initiatives

The European AI Office is tasked with a variety of crucial functions to support the EU’s vision for AI:The European AI Office is tasked with a variety of crucial functions to support the EU’s vision for AI:

• Support for the AI Act: The office takes a comprehensive approach that involves creating assessment tools and methodologies, making codes of conduct and looking into possible violations. This way the AI Act will be effectively carried out and enforced.
• Development of Trustworthy AI: The office will be instrumental in developing policies that ensure the socioeconomic advantages of AI in Europe at both EU and regional levels by stimulating a climate of innovation and confidence.
• International Collaboration: Its objective is to build up the EU as a benchmark in the world AI framework, which will drive cooperation and governance on AI globally in order to harmonize the approach to this technology.

Collaboration and Engagement

The success of the European AI Office relies on its ability to collaborate with a wide array of partners:The success of the European AI Office relies on its ability to collaborate with a wide array of partners:

• Support for the AI Act: From developing evaluation tools and methodologies to drawing up codes of practice and investigating possible infringements, the office ensures the effective implementation and enforcement of the AI Act.
• Development of Trustworthy AI: The office is key to advancing policies that maximize the societal and economic benefits of AI across the EU, supporting an ecosystem of innovation and trust.
• International Collaboration: It aims to establish the EU as a reference point in the global AI landscape, fostering cooperation and governance on AI to achieve a worldwide approach to the technology.

Collaboration and Engagement

The success of the European AI Office relies on its ability to collaborate with a wide array of partners:

• Institutional Cooperation: Working closely with entities like the European Artificial Intelligence Board and the European Centre for Algorithmic Transparency, the office ensures a coordinated approach to AI governance.
• Engagement with Experts and Stakeholders: Through dedicated forums and advisory groups, the office gathers insights from various sectors to inform its strategies and initiatives.
• The AI Pact and European AI Alliance: These initiatives encourage businesses and other stakeholders to engage with the Commission, sharing best practices and preparing for the AI Act’s implementation.

Looking Ahead

With plans to recruit talent across policy, technical, legal, and administrative roles, the European AI Office is poised to expand its capabilities and impact. External experts and stakeholders will also have opportunities to contribute to its mission, ensuring that the EU remains at the cutting edge of trustworthy AI development.

For those interested in staying informed about the European AI Office’s work or exploring job opportunities, further information can be found by reaching out to the provided contact details. This initiative not only underscores the EU’s commitment to ethical AI but also invites collaboration and innovation from across the globe, setting a standard for how technology should be governed in the public interest.

The post The European AI Office: Leading the Way in Trustworthy AI Development appeared first on Compliance Solutions for Websites, Apps and Organizations | iubenda.

UK-based Avast Limited along with its subsidiary in the Czech Republic began to suffer what can be possibly described as a ‘Data Leak’ scandal, whereby their browsing information was collected through browser extensions and antivirus software. Whether this data collection orchestrated was violating trust or without the consent of customers, it still happened without the permission of customers and companies. Yet, connection to the user limited ‘Avast’ to grab and sell the user’s personal information to the third parties. But more so, the company did not inform its users that this information could and would later be sold to other websites with their browsing activity being precisely identifiable.

While the consumer protection agencies spoke of aspirations, the Federal Trade Commission, whose mission included enforcing laws to protect users from false and misleading marketing practices, underscored the gap between rhetoric and realities. However, Samuel Levine, the head of the FTC’s Bureau of Consumer Protection, strongly rebuked Avast’s “surveillance tactics”; due to this, illegal activities like the breaching of consumers’ privacy were carried out to a large extent.

The FTC’s complaint demonstrates that since 2014, Avast has been accessing sensitive information of users through its software that include data on their financial status, political viewpoints, and health concerns, just to mention a few issues. Jumpsight collected the data, which was then sold to over a hundred third parties. It was done under Avast’s subsidiary, Jumpshot, rebranded as Avast Analytics Company.

Despite Avast arguing that the data gathered is anonymized before being sold, this did not prove to be adequate protection for the consumers’ data. The information sold contained personal details that could re-identify the users, and was not only aggregated and anonymized as promised by the company.

The settlement includes several critical stipulations:

• Prohibition on Selling Browsing Data: Avast is now barred from selling or licensing browsing data from its branded products for advertising purposes.
• Affirmative Express Consent: Avast must obtain explicit consent from consumers before selling or licensing browsing data from non-Avast products.
• Data and Model Deletion: All web browsing information transferred to Jumpshot, along with any derived products or algorithms, must be deleted.
• Consumer Notification: Avast is required to inform consumers whose data was sold without their consent about the FTC’s actions.
• Privacy Program Implementation: A comprehensive privacy program addressing the misconduct must be established by Avast.

This settlement, unanimously voted on by the FTC commissioners, underscores the importance of digital privacy and the need for transparency in how companies handle consumer data. It serves as a stark reminder of the potential consequences of betraying consumer trust and the importance of adhering to privacy laws and regulations.

The FTC’s actions against Avast highlight a commitment to protecting consumer privacy and ensuring companies are held accountable for their promises. As digital privacy becomes increasingly paramount, this case marks a significant step in the ongoing effort to safeguard consumers’ online data.

The post Avast’s $16.5 Million Settlement: A Lesson in Privacy Protection appeared first on Compliance Solutions for Websites, Apps and Organizations | iubenda.

This examination, however, is part of the EU’s grand effort in regulating online platforms, with the DSA being a crucial measure in the regulation strategy of the Union in managing online content and services. However, the DSA came into being, and the latter has set a number of strict requirements against large online platforms like TikTok, mainly on the issues of algorithmic transparency and the systemic management.

Enforcement of the DSA will incur penalties reaching up to 6% of annual revenue for global corporations. The Commission was collecting information about TikTok commodity within the investigation period and focusing on areas such as child safety and misinformation. Prior, TikTok changed its procedures with respect to the multiple queries asked by the regional bodies which inquired about the security & privacy of children.

Along with the probe, the Commission is trying its best to increase its requests for information from TikTok that can include interviews and inspections as well. The durability of the investigation will rely on several factors, which include the complexity of the case and level of cooperation TikTok provides to the Commission.

The TikTok company stated on multiple occasions that the safety of its young users and its close collaboration with the Commission is its priority, as it has already implemented measures for this purpose. The verification will review TikTok’s performance in DSA, including its measures for protecting the minors and ensuring the transparency of its advertising. The main objective of the EU, is to make sure that TikTok applies the necessary measures to protect minors’ privacy, safety and security, as well as to provide direct access to advertising info in order to ensure transparency.

The EU’s actions reflect its prioritization of online user safety and the proper regulation of platforms that have significant reach among children and teenagers. This investigation into TikTok follows a similar probe into X (formerly Twitter), underscoring the EU’s commitment to enforcing the DSA and protecting online users.

The post EU Launches Investigation into TikTok for Digital Services Act Compliance: Focus on Youth Safety and Transparency appeared first on Compliance Solutions for Websites, Apps and Organizations | iubenda.

Key findings and what is expected in future steps:

1. Standstill on Cookie Deprecation: Google is now committed to canceling third-party cookies, but only after CMA’s questions are answered. When these issues are dealt with and solved, Google will have the right to implement its plan, which could be as early as the second half of 2024.
2. Testing Phase Insights: At present, CMA is in the examining stage of data to accumulate further evidence on Privacy Sandbox tool’s likely effects. Such a stage is paramount for reviewing the overall impact of these instruments on competition, and it shall shape the CMA’s position as the test period ends.
3. Compliance and Cooperation: Commencing from October through December 2023, Google has been found to be in compliance with the commitments by engaging collaboratively with the CMA with a view to addressing the specified issues. Though, the authority states that Google must put in place additional measures to comprehensively remedy competition concerns.
4. Ongoing Engagement: The CMA aims to timely cooperate with Google in Q1 2024 to eliminate competition problems that were identified. This would mean that the Privacy Sandbox do own advertising services not give a preference to Google, and also to clarify long-term governance arrangements for the Sandbox.
5. Open for Feedback: The CMA welcomes the comments from interested people till 27th February 2024. This feedback will act as a main basis for the discussions with Google and will help set up future development of digital advertising in a way that makes the market competitive.

Implications and Next Steps

CMA’s report brings to fore the delicate balance between the two important issues of boosting user privacy and creating a level playing field for the digital advertising industry. While Google is trying to sort out the CMA’s claims, it highly likely that the result of this evaluation will set a benchmark for how such privacy-centric initiatives are assessed globally from the competition perspective.

A wide range of stakeholders in the digital advertising environment are following the scenario closely as the decisions will be made in the next few months may tilt the rules and redefine the engagement in the online advertising, and any change could affect millions of business and consumers across globe.

These changes will undoubtedly continue while we wait for the next developments. Media, regulatory bodies, and advertisers have to collaborate so that the technological progress achieved does not result in loss of positive environment for business.

The post UK regulators stop Google’s plan to remove cookies due to competition concerns. appeared first on Compliance Solutions for Websites, Apps and Organizations | iubenda.

Background and Introduction

In May 2022, the European Commission posted new regulations that will tackle online child sexual abuse.This proposal consists of the commitments for service providers to search, remove, and report child sexual abuse material (CSAM) as well as grooming activities, and a central EU agency to overwatch and cooperate. While endorsing the stand of the EDPB and EDPS that the online child sexual abuse deserves to be fought against, the data protection agreements between the Member States are criticized for the infringement of privacy and data protection rights in case the said proposal is put in effect.

Key Concerns and Recommendations

The EDPB acknowledged that the European Parliament proposed some changes in the original plan, that are aimed at excluding the encrypted communications from the detection orders. However, the Board highlighted several unresolved issues:However, the Board highlighted several unresolved issues:

• 1. Indiscriminate Monitoring: The new directives are not directly responding to the concerns of the EDPB connected with the massive and indiscriminate interception of private correspondence. It highlights the fact that measures should be more precise (so that they do not offend the rights of the people).
• 2. Detection Orders for New CSAM: The EPDP has reservation about issuing orders to use technologies for detecting new CSAM based on these systems’ error rates. Besides this, such actions could cause the accusers of the innocent people and may also constitute privacy issues.
• 3. Ambiguity and Legal Uncertainty: The text described in the Parliament is confusing, for instance, there is more information on the recovery orders regulations. The EDPB stresses the point that the detecting moments must be clearer and have unambiguous definitions in order to ensure that the efforts are really targeted at those possibly involved in the production or dissemination of CSAM and will not affect anyone suspected of the activities.
• 4. Risk to Encryption: The EDPB reinforces the fact that the end-to-end encryption is one of the most vital methods for securing the privacy of communications. Measures to weaken encryption could devastate digital services.

Call to the Public

Despite the welcomed improvement from the European Parliament’s position, the EDPB asks the legislators to look into the concerns that still persist in a more comprehensive manner. The Board underlines the importance of creating an implementable text, which is concrete, unambiguous and fully respectful of fundamental rights, like privacy, data protection, and the rights of children and vulnerable persons.

The EDPB’s statement points out how delicate this balance is when protecting the children from exploitation online and safeguarding the fundamental rights of privacy and data protection. With the legislative process still ongoing, the need is to make sure the rules are made which hold the balance between individual rights and freedom on the one hand and address the problem at hand efficiently on the other.

The post The European Data Protection Board’s Stance on the Proposal to Combat Child Sexual Abuse Online appeared first on Compliance Solutions for Websites, Apps and Organizations | iubenda.

Update: IAB Tech Lab Highlights Advertising Industry Challenges with Google’s Prefers Adoption

The Latest IAB Tech Lab report highlighted a number of issues that the advertising industry might come upon with integration of Google’s Privacy Sandbox. The report particularly highlights issues relating to year-on-year reviews, brand safety settings, ad-load measurements running on-browser and a commercial perspective as most crucial areas to oversee.

Specifically, this in-depth analysis by the IAB Tech Lab that draws attention to the complexities and pitfalls advertisers may encounter when they adapt to the privacy-centric solutions that Google Privacy Sandbox proposes is the main objective of this study. These worries highlight the importance of balanced method which meets needs of both advertisers and users, ensuring privacy and same time achieving required goals.

After the publication of such report, the IAB Tech Lab commences its period of public comments and solicits expression of views by key players in the ecosystem up to March 22nd. Open to public comment, this is the first step toward building a rich and meaningful collaboration to better tackle the identified shortcomings so that the evolving advertising ecosystem brings social good to all the stakeholders, be they consumers, advertisers, or platforms.

The CMA’s Stance on Privacy Sandbox

The CMA’s involvement came to a head when it ordered Google to halt its efforts to eliminate third-party cookies until the tech giant addressed multiple competition-related issues. The authority’s concerns were clear: Google must not develop its Privacy Sandbox proposals in ways that would unfairly reinforce its market dominance, particularly in advertising services. This directive underscored the delicate balance between enhancing user privacy and maintaining a competitive digital advertising market.

Latest Developments: Q4 2023 Report

As we approached the end of 2023, the CMA released an update on Google’s compliance with its commitments regarding the Privacy Sandbox. This update was crucial, given the looming deadline for the deprecation of third-party cookies in the second half of 2024. Google has begun testing ‘Tracking Protection’ on a small fraction of Chrome users worldwide, signaling a significant step towards this goal.

The Q4 2023 report highlighted the progress Google has made and identified areas where further attention is needed. Feedback from the broader industry has been instrumental in shaping the report’s findings, reflecting a collaborative effort to address potential concerns. Stakeholders were encouraged to share their views, further fostering an open dialogue around the Privacy Sandbox’s development.

CMA’s Findings and Future Directions

The CMA acknowledged Google’s compliance with its commitments during the last quarter of 2023 but emphasized the need for continued progress. The authority is keen to resolve outstanding competition concerns, particularly those related to the design of Privacy Sandbox tools and ensuring they do not unfairly favor Google’s own advertising services.

Looking ahead to the first quarter of 2024, the CMA plans to work closely with Google to address these concerns. The focus will be on resolving any remaining issues and clarifying long-term governance arrangements for the Privacy Sandbox. The CMA’s proactive approach highlights its commitment to fostering a competitive and privacy-respecting digital advertising ecosystem.

The evolving narrative around Google’s Privacy Sandbox and the CMA’s regulatory oversight exemplifies the complexities of balancing privacy advancements with competitive fairness. As the industry moves towards a cookie-less future, the collaboration between regulatory bodies, tech giants, and stakeholders will be pivotal in shaping an internet that respects user privacy without compromising on the dynamism of digital competition. The CMA’s efforts to engage with Google and the broader community underscore the importance of transparency and cooperation in navigating these uncharted waters.

The post Google’s Privacy Sandbox and the UK’s Quest for Competitive Fairness appeared first on Compliance Solutions for Websites, Apps and Organizations | iubenda.

• rich insights;
• established best practices; and
• actionable examples aimed at enhancing the caliber of digital ad campaigns.

The 2024 edition builds on the foundation laid by its predecessor, introduced in September 2021, by incorporating additional elements of quality with a pronounced emphasis on sustainability. True to its comprehensive nature, the guide continues to address key issues such as viewability, brand safety, ad fraud, creativity in campaign design, user experience, and privacy concerns—elements critical to the integrity and effectiveness of digital advertising.

In celebration of this significant update, IAB Europe is set to host an insightful webinar on 7th March at 12:00 CET. This event promises to bring together the brilliant minds behind the guide, including seasoned experts from the Brand Advertising Committee. They will explore the guide’s pivotal role in the digital advertising landscape, offering a deeper understanding of what defines quality in this context and how it can be consistently achieved. Webinar attendees will be treated to expert opinions on the importance of quality and will learn how to effectively implement the best practices outlined in the guide.

Helen Mussard, the Chief Marketing Officer at IAB Europe, shared her enthusiasm for the guide’s release, stating:

Quality in digital advertising is not the sole responsibility of any single entity but a collective commitment from all stakeholders within the ecosystem.

She further highlighted the updated guide’s alignment with the latest industry practices and standards, particularly its focus on sustainability—a testament to the industry’s evolving priorities. Mussard extends an invitation to industry professionals to join the upcoming webinar and contribute to the critical dialogue on the future of quality in digital advertising.

This initiative by IAB Europe not only sets a new benchmark for quality in digital advertising but also underscores the sector’s growing consciousness towards sustainable practices. By guiding stakeholders through the intricate landscape of digital advertising with a keen focus on quality and sustainability, IAB Europe is paving the way for a more responsible and effective industry.

For further details on the “Guide to Quality” and information on how to participate in the upcoming webinar, industry professionals are encouraged to connect with IAB Europe.

The move by IAB Europe to update its Guide to Quality, with an added emphasis on sustainability, represents a significant step towards a more accountable and high-quality digital advertising ecosystem. By fostering a dialogue on these critical issues and providing actionable guidance, IAB Europe is leading the industry towards a brighter, more sustainable future.

The post IAB Europe’s New Guide Embraces Quality and Sustainability appeared first on Compliance Solutions for Websites, Apps and Organizations | iubenda.

The focus of this year’s sweep?

Ensuring compliance with the California Consumer Privacy Act (CCPA), a pioneering law designed to give consumers greater control over their personal data. Specifically, Attorney General Bonta is honing in on the CCPA’s opt-out requirements, which allow consumers to instruct businesses not to sell or share their personal information.

So, what exactly does the CCPA entail? At its core, the law grants California consumers the right to know how businesses collect, share, and disclose their personal information. For businesses subject to the CCPA, this means fulfilling certain obligations, such as responding to consumer requests and providing clear notices about their privacy practices.

One key aspect of the CCPA is the right to opt out. This provision mandates that businesses offering personal data for sale or targeted advertising must give consumers an easy way to opt out of such practices. For example, if you’re using a SmartTV, you should be able to navigate to the settings menu in a streaming app and enable the “Do Not Sell My Personal Information” option with minimal hassle. Additionally, this choice should apply across different devices if you’re logged into your account.

Attorney General Bonta is unwavering in his commitment to enforcing the CCPA, the nation’s toughest data privacy law. In a recent settlement with Sephora, allegations were resolved concerning the company’s failure to disclose its sale of consumers’ personal information and its mishandling of opt-out requests—a clear violation of the CCPA.

As consumers, it’s crucial that we educate ourselves about our rights under the CCPA and take action to protect our privacy. To learn more about the CCPA, visit the official website at www.oag.ca.gov/ccpa. If you suspect a violation of the CCPA, you can file a complaint directly with the Attorney General’s office at www.oag.ca.gov/report.

In an era where our personal data is more valuable than ever, it’s essential that we remain vigilant and hold businesses accountable for safeguarding our privacy. With initiatives like the investigative sweep targeting streaming services, California is leading the charge in championing consumer rights in the digital age.

The post California Attorney General Cracks Down on Streaming Services appeared first on Compliance Solutions for Websites, Apps and Organizations | iubenda.

Snapchat, known for its popular messaging service, has diverged from NetChoice, a trade association that has previously expressed opposition to KOSA. The bill is designed to ensure that social media platforms actively work to prevent children from accessing harmful content, such as material related to eating disorders or suicide.

This development comes as Snapchat’s CEO prepares to testify in a Senate Judiciary Committee hearing alongside executives from Meta, Discord, TikTok, and the company formerly known as Twitter. The hearing is expected to address concerns about the platforms’ alleged inadequacies in removing content that promotes the sexual abuse of children.

Senators Richard Blumenthal and Marsha Blackburn, who are co-sponsors of KOSA, have welcomed Snapchat’s support. They emphasize the importance of making social media safer for children and acknowledge that such measures are long overdue. Despite Snapchat’s endorsement, other major platforms like TikTok, Discord, and Meta have yet to publicly support KOSA. Meta, while not directly supporting KOSA, has taken steps to block content related to suicide and eating disorders from young users’ feeds on Instagram and Facebook.

The push for children’s online safety has gained momentum, with many states stepping in to enact laws in the absence of federal legislation. Tech companies are increasingly acknowledging the need for enhanced safety measures, as demonstrated by Snapchat’s alignment with KOSA’s objectives and the expansion of its in-app parental controls.
The upcoming Senate Judiciary hearing is anticipated to be a pivotal moment for online child safety discussions. It will be Snapchat CEO Evan Spiegel’s first congressional appearance, where he is expected to face challenging questions, particularly regarding the alleged use of Snapchat for the sale of illicit drugs.

This move by Snapchat could potentially inspire other tech companies to reconsider their positions on online child safety. As the debate continues, the future of the Kids Online Safety Act and its potential impact on social media platforms and their young users remains a topic of keen interest.

The post Snapchat Paves the Way for Child Safety Online appeared first on Compliance Solutions for Websites, Apps and Organizations | iubenda.

For the Tech-Savvy: Developer-Focused Changes

If you’re a developer, these updates are especially thrilling. Apple is introducing over 600 new APIs, expanded app analytics, and functionality for alternative browser engines. But that’s not all – you now have more freedom with app payments and distribution methods for iOS apps. These tools offer a fresh landscape for creativity and innovation in app development.

For the Everyday User: Enhanced Controls and Protections

As a user, you’ll experience new controls and disclosures designed to beef up your privacy and security. Apple acknowledges that while these changes open doors to new possibilities, they also bring potential risks like malware, fraud, and other threats. To counter this, Apple is introducing several protective measures, such as Notarization for iOS apps, authorization requirements for marketplace developers, and clear disclosures on alternative payment methods.

What’s New in iOS 17.4?

Come March 2024, iOS 17.4 will be available in the 27 EU countries, packed with these new features. Developers, get ready to explore these changes on the Apple Developer Support page and test them out in the iOS 17.4 beta.

A Closer Look at the iOS Updates

• Alternative App Distribution: Developers can now offer iOS apps through different app marketplaces, thanks to new APIs and tools.
• Alternative Browser Engines: Wave goodbye to the WebKit-only world. Now, developers can use different browser engines for their apps.
• Interoperability Requests: Got a unique idea that requires specific iPhone features? Apple’s got you covered with a new request form.
• NFC Technology and Contactless Payments: New APIs will enable developers to integrate NFC technology in banking and wallet apps.

Safari’s New Choice Screen

With iOS 17.4, EU users will be greeted with a choice screen to select their default browser, enhancing user autonomy but potentially interrupting the seamless Apple experience.

App Store Overhaul

For developers, new payment processing options are on the horizon. Plus, EU users will see informative labels and disclosures about app transactions. However, it’s important to note that alternative payment methods will limit Apple’s ability to assist with refunds or fraud issues.

New Business Terms for EU Apps

Developers have the flexibility to choose between Apple’s existing terms or the new DMA-compliant terms, which offer reduced commission rates and new fee structures. This change aims to balance compliance with the DMA while maintaining value creation for developers.

What Does This Mean for You?

These updates mark a significant shift in Apple’s approach to app distribution and payments in the EU. While they aim to enhance user choice and developer freedom, they also come with new challenges and risks. It’s essential to stay informed and cautious, especially when venturing outside the trusted App Store environment.

Stay tuned for more detailed resources from Apple in March, and get ready to navigate these exciting changes!

The post Major Updates Coming to iOS, Safari, and the App Store in the EU appeared first on Compliance Solutions for Websites, Apps and Organizations | iubenda.

Choose How Your Facebook and Instagram Data is Shared

Have you linked your Instagram and Facebook accounts? Now, you get to decide whether to keep this connection or manage them separately. This choice gives you the freedom to control the flow of information between these platforms. Whether you want to keep them linked for a seamless experience or prefer keeping things separate for more privacy, the choice is yours!

Messenger Goes Solo

For those who love Messenger but want to keep it separate from Facebook, there’s good news too! You can now opt for a standalone Messenger account. This means you can enjoy all the core features like messaging, chat, and voice/video calls, without any ties to your Facebook account. A win-win for privacy and connectivity!

Tailor Your Facebook Marketplace Experience

When it comes to Facebook Marketplace, you now have options. Enjoy a personalized marketplace experience connected to your Facebook profile or choose an anonymized version. In the latter, your interactions with buyers and sellers will be through email, not Messenger, offering more privacy.

Gaming Without Facebook Ties

Gamers, you’re not left out! Meta offers you the choice to link your Facebook info for an enhanced gaming experience with features like multiplayer, in-game purchases, and personalized recommendations. Prefer to game without Facebook? You can choose that too!

Ad-Free Subscription Option

European users can opt for a subscription to enjoy Facebook and Instagram without ads. This ensures that your information is not used for targeted advertising.

Embracing the Digital Markets Act

These changes are a response to the evolving digital landscape and the implementation of the Digital Markets Act. To understand how this legislation has influenced Meta’s decision and for a deeper insight into the DMA, check out this comprehensive guide by iubenda: Understanding the Digital Markets Act.

In summary, Meta’s new policy changes are a significant step towards giving users more control over their data, aligning with the EU’s commitment to digital privacy and user autonomy.

So, European friends, get ready to take control of your social media experience like never before!

The post Big News for Social Media Users in Europe: Meta’s New Policy Change appeared first on Compliance Solutions for Websites, Apps and Organizations | iubenda.

The Core of the Concern

IAB Europe believes the current draft report might not live up to the original goal of harmonizing procedural rules for GDPR. This could lead to an inconsistent and unfair process for handling GDPR cross-border complaints across different organizations. In a detailed letter, IAB Europe outlined six major recommendations to address these concerns.

Their focus?

To maintain the administrative nature of cross-border complaints, respect the GDPR governance model, encourage early resolution, ensure confidentiality of business information, harmonize the defendant’s right to be heard, and establish flexible time limits for the defendant’s views.

Key Recommendations for MEPs

• Administrative Nature of Complaints: IAB Europe stresses the need to keep cross-border complaints administrative, avoiding a shift towards an adversarial process.
• GDPR Governance Model Respect: The draft report gives new powers to the EDPB (European Data Protection Board), conflicting with the GDPR’s original framework. IAB Europe urges this to be reconsidered.
• Harmonizing Defendant Rights: There’s ambiguity in how defendants’ rights are addressed in the draft. IAB Europe calls for clarity and uniformity across Europe.
• Effective Exercise of Defendant Rights: The group advises against strict deadlines for defendants to express their views, especially in complex cases.
• Confidentiality of Business Information: IAB Europe is concerned about the deletion of measures to protect confidential information, highlighting the risk of media leaks and their impact on the integrity of the procedure.
• Enabling Early Resolution: The draft report, according to IAB Europe, introduces barriers to amicable settlements in non-contentious cases, which could strain resources on less urgent matters.

The Way Forward

IAB Europe’s call to action is clear: MEPs should take these arguments into account for a harmonized, fair, and efficient GDPR procedural rule framework in cross-border cases. This is not just about maintaining the balance in the digital landscape, but also about ensuring a predictable and just resolution process for both organizations and consumers.

In conclusion, while welcoming the transparency and opportunities for early resolution of complaints, IAB Europe’s concerns highlight the need for a careful balancing act in the GDPR procedural regulation. The goal? To maintain an efficient, fair, and harmonious GDPR process across Europe.

The post IAB Europe Raises Concerns Over GDPR Procedural Regulation Draft Report appeared first on Compliance Solutions for Websites, Apps and Organizations | iubenda.

TikTok’s Troubles:

A Cautionary Tale The biggest headline of the year was TikTok’s whopping £12.7 million fine. This penalty was levied for violating data protection laws, including the unlawful use of children’s personal data. The ICO estimated that around 1.4 million children under the age of 13 in the UK were using the video-sharing app in 2020, raising serious concerns about child safety online.

Marketing Missteps:

A Costly Affair, The ICO’s crackdown didn’t stop with social media giants. Three marketing firms faced a combined £310,000 fine for making over 480,000 unsolicited marketing calls and sending 107 million spam emails. Two energy firms were fined £250,000 for targeting people and businesses on the UK’s ‘do not call’ register with unlawful marketing calls. In addition, a business support consultancy and an appliance service company faced hefty fines for sending unconsented text messages and making unsolicited marketing calls.

The Half-Year Haul:

Unwanted Communications Cost Companies £800k The latter half of 2023 saw 10 companies being fined a total of more than £800,000. Their offenses? Sending nearly 5 million unwanted text messages, over 39 million spam emails, and making almost 2 million nuisance phone calls.

Expert Insights:

Charlotte Riley Weighs In Charlotte Riley, the director of information security at CSS Assure, commented on the significance of these fines. “The actions taken by the ICO in 2023 underline the gravity of data misuse. This isn’t just about breaking laws; it’s about eroding consumer trust,” she said. Riley also highlighted the importance of appropriate data handling, especially for sensitive groups like children, as illustrated by TikTok’s case.

A Message to All Businesses

The ICO’s actions send a clear signal: respect for individual privacy and adherence to data protection laws are non-negotiable. This is not just a warning for big players like TikTok but also for small and medium-sized enterprises. The fines imposed for invasive marketing practices show the impact and consequences of disrespecting privacy preferences and bombarding people with unwanted communications.

As we navigate an increasingly digital world, these developments serve as a crucial reminder of the importance of responsible data management. Businesses, big or small, must prioritize data ethics to maintain consumer trust and comply with legal standards.

The post Businesses Beware: ICO’s Record £14.3m in Fines for Data Misuse in 2023 appeared first on Compliance Solutions for Websites, Apps and Organizations | iubenda.

The Intersection of Data, AI, and Business

In the fast-paced world of Artificial Intelligence (AI), data is the lifeblood that drives innovation and progress. However, not all companies have the resources to develop their own AI models. This is where “model-as-a-service” companies step in, offering a unique solution. They develop and host AI models, like large language models (LLMs), and provide access to businesses through user interfaces or APIs. These models are incredibly useful for various sectors like online retail, hospitality, banking, etc., particularly for enhancing customer service through chatbots.

The Insatiable Data Hunger: Balancing Innovation with Privacy

While model-as-a-service companies continuously seek more data to refine or create new models, this pursuit can clash with ethical responsibilities. The constant ingestion of additional data raises significant privacy concerns. There’s a danger that these companies might inadvertently infringe on user privacy or misuse sensitive business information. This issue becomes more acute as customers often share confidential data while interacting with these AI models.

Legal Implications: The FTC’s Stance

The Federal Trade Commission (FTC) plays a crucial role in ensuring that these companies adhere to privacy commitments. Any failure to respect user and customer privacy, including misuse of customer data for undisclosed purposes such as training models, can attract legal consequences. The FTC has historically mandated companies to delete any products, including AI models, developed using unlawfully obtained data. Thus, model-as-a-service companies must be vigilant in their data practices to avoid FTC enforcement actions.

Beyond Privacy: The Spectrum of Legal Obligations

These companies must honor commitments to customers, made through any medium – be it promotional materials, terms of service, or online marketplaces. Misleading customers, failing to protect their data, or using it for purposes like ad targeting without explicit consent can lead to FTC action. Additionally, omissions in disclosing how customer data is used are equally significant. The FTC has penalized companies for failing to disclose critical information affecting customer decisions, such as the selective use of facial recognition technology.

Competition and Fair Play

Misrepresentations or misuse of data in AI model training and deployment not only pose privacy risks but also affect market competition. These deceptive practices can distort fair competition, trapping customers with false promises or giving dishonest businesses an unfair advantage. Model-as-a-service companies appropriating significant business information may also breach laws against unfair competition.

No Exemptions: The Legal Framework

In essence, there is no special exemption for AI in the realm of law. Model-as-a-service companies, like all firms, must transparently and honestly communicate how they collect and use data. Deceiving customers, whether through direct statements or omissions, could constitute a legal violation.

In conclusion, while model-as-a-service companies offer valuable services in AI development, they must navigate a complex landscape of data ethics, privacy concerns, and legal obligations. Balancing innovation with responsibility is key to their success and legal compliance.

The post Understanding the Risks and Responsibilities of Model-as-a-Service Companies in AI Development appeared first on Compliance Solutions for Websites, Apps and Organizations | iubenda.

The enhancement includes three key areas: expanding local storage and processing to encompass all personal data, providing comprehensive transparency resources, and deploying EU-based technology for additional protection. These improvements represent a significant step in data residency and control for European customers, with Microsoft leading the way as the first large-scale cloud provider to offer such a level of data residency.

Furthermore, Microsoft’s initiative is not just about compliance, but also about pioneering in the field of cloud sovereignty. With over 8,000 global experts and advanced cybersecurity measures, Microsoft ensures that data transfers outside the EU are limited and used strictly for essential cybersecurity purposes. This move reinforces the company’s reputation for providing world-class security while adhering to European standards and values.

The next phase of this initiative will further transform data processing and storage capabilities, particularly regarding technical support interactions. Microsoft is developing solutions to ensure that support data remains within the EU, with secure methods for any necessary temporary data transfer.

Microsoft’s efforts go beyond mere compliance with European regulations. They represent a deep commitment to providing trusted, region-specific cloud services. This approach not only respects European values but also leverages the full power of the public cloud, setting a new industry standard in data sovereignty and cloud services.

For a more detailed insight into this significant development, you can read the full article on Microsoft’s website.

The post Microsoft Ensuring European Data Stays Within the EU Cloud Boundary appeared first on Compliance Solutions for Websites, Apps and Organizations | iubenda.

Convenience at a Glance

Facebook presents the “Link History” as a handy repository for your browsing activity. The idea is to save all the links in one place, making it easier for users to revisit them. A pop-up in the app encourages users to enable this feature, emphasizing its usefulness in keeping track of online activities.

The Catch: Data for Ads

However, there’s a significant catch. Once enabled, “Link History” contributes to Facebook’s targeted advertising strategy. The company openly states that enabling this feature allows them to use your browsing data to enhance ad personalization across Meta platforms. This aspect raises the question of whether the convenience offered is just a facade for more intensive data harvesting.

Opt-Out, But Be Proactive

Users can opt out of “Link History,” but it requires proactive action. The default setting in the pop-up is to have the feature turned on, subtly nudging users towards acceptance. For those concerned about their privacy, a careful examination of the app’s settings is necessary to disable this feature.

Data Deletion Promises

Facebook assures that if you decide to turn off “Link History,” the data collected will be deleted within 90 days. However, this assurance does little to alleviate the immediate privacy concerns.

Not a Global Feature Yet

It’s important to note that “Link History” isn’t available everywhere. Facebook mentions that the rollout will happen globally over time, but for now, it’s limited to certain regions.

A Step Towards Transparency or a Privacy Mirage?

While “Link History” does provide some level of visibility and control over a specific aspect of Facebook’s data collection, it’s not entirely a win for privacy. This feature is part of a broader data tracking practice that Facebook has been engaged in for over a decade. It’s essentially a formal request for permission to continue what they’ve been doing all along. Additionally, the way it’s presented and the default settings could give users a false sense of privacy and control.

In conclusion, Facebook’s “Link History” is a double-edged sword. It offers the convenience of saving links in one place but at the cost of contributing to Facebook’s vast data collection used for targeted advertising. It represents a step towards transparency, yet it also raises significant privacy concerns. Users should be aware of these implications and take proactive steps if they choose to opt out of this feature.

The post Facebook’s New “Link History” Feature: A Blend of Convenience and Surveillance? appeared first on Compliance Solutions for Websites, Apps and Organizations | iubenda.

The AI powerhouse has been in the spotlight for how ChatGPT processes personal data, sparking investigations by data protection authorities in countries like Italy and Poland. To address these concerns, OpenAI is shifting its service provision in the European Economic Area (EEA) and Switzerland to its Irish entity, OpenAI Ireland Limited.

This change, effective from February 15, 2024, positions OpenAI Ireland Limited as the primary data controller for users in the EEA and Switzerland. This strategic move leverages the GDPR’s one-stop-shop mechanism, allowing OpenAI to streamline privacy oversight and potentially reduce the complexities of dealing with multiple data protection authorities across Europe.

However, this isn’t just a simple paperwork exercise. OpenAI must demonstrate that its Dublin-based entity has substantial influence over data-related decisions, ensuring meaningful privacy checks on its U.S. parent company. This requirement is vital for obtaining the coveted “main establishment” status under the GDPR.

OpenAI’s engagement with the Irish Data Protection Commission (DPC) and other EU data protection authorities is a clear indication of its commitment to comply with European data protection standards. This step could lead to the Irish DPC becoming the lead supervisory authority for OpenAI, joining other tech giants like Apple, Google, Meta, and TikTok, who have also established their EU bases in Dublin.

The DPC, however, faces criticism for its handling of big tech companies, often being seen as slow and lenient. This backdrop makes OpenAI’s move all the more significant, as it seeks to navigate the complex terrain of GDPR compliance while advancing its AI technologies.

For U.K. users, the situation is different due to Brexit. They fall under the jurisdiction of OpenAI’s U.S. entity, as the U.K. now operates under its own version of GDPR, which is gradually diverging from the EU standards.

OpenAI’s proactive approach in the EU is a significant development in the intersection of AI and data privacy. It reflects a growing understanding within the tech industry of the importance of aligning advanced technologies with regulatory frameworks, particularly in regions with stringent data protection laws like the EU. This move by OpenAI could set a precedent for how AI companies globally approach privacy and data protection in the future.

The post OpenAI’s Strategic Move in the EU: Aligning with Data Privacy Regulations appeared first on Compliance Solutions for Websites, Apps and Organizations | iubenda.

The lawsuit, initiated by California resident Bernadine Griffith, accuses TikTok of covertly collecting data from visitors of these websites, including those without TikTok accounts. Griffith’s allegations suggest that TikTok’s technology is capable of gathering user data even when attempts are made to block third-party cookies.

TikTok’s defense strategy, revealed in recent court documents, is built on the premise that users consent to data collection. The company argues that by continuing to visit these websites, users implicitly agree to the collection and sharing of their information with third parties, including TikTok. This stance frames the complaint against data sharing as a fundamental misunderstanding of how the internet functions.

However, this argument faced a setback. U.S. District Court Judge Stanley Blumenfeld, Jr., overseeing the case, allowed most of Griffith’s claims to proceed, acknowledging a precedence of similar privacy lawsuits in California against tech giants like Meta and Google.

Further complicating the case is an amended complaint filed by Griffith and other non-TikTok users. This revised lawsuit includes additional details and asserts that TikTok violated federal wiretap laws. TikTok’s response to this was to request a dismissal, claiming the lack of sensitive or personally identifiable information in the data collected. However, Judge Blumenfeld dismissed this request, allowing the lawsuit to move forward.

TikTok’s answer to the lawsuit also hints at shifting some responsibility to the web publishers that installed the pixel, arguing that these operators chose to use and configure TikTok’s tools.

This legal battle is part of a broader discussion about online privacy, highlighted by a Consumer Reports investigation in September 2022. This report revealed TikTok’s partnerships with various companies to collect data about web users. The findings indicated that while TikTok’s tracking tools are less prevalent than those of Google and Meta, the issue of digital tracking and privacy remains a significant concern for internet users.

The post TikTok Faces Lawsuit Over Tracking Non-Users appeared first on Compliance Solutions for Websites, Apps and Organizations | iubenda.

Background of the Case

The case, which garnered widespread attention, was scheduled for trial on February 5, 2024. However, on December 28, 2023, US District Judge Yvonne Gonzalez Rogers in Oakland, California, paused the proceedings. This pause came after an announcement by both Google’s and the consumers’ attorneys that a preliminary agreement had been reached. The details of this settlement are yet to be publicly disclosed, but a formal proposal is expected to be presented for court approval by February 24, 2024.

The Core Allegations

At the heart of the lawsuit were allegations that Google, through its analytics, cookies, and various applications, was able to track users’ online activities even when they used Google’s Chrome browser in “Incognito” mode or other browsers in “private” browsing mode. This capability reportedly turned Google into a vast repository of personal information, revealing intricate details about individuals’ personal lives, interests, and even potentially sensitive or private inquiries.

Legal Proceedings and Implications

The lawsuit, which was initially filed in 2020, pertained to “millions” of Google users since June 1, 2016. Each user was potentially eligible for a minimum of $5,000 in damages, under federal wire-tapping and California privacy laws. Judge Rogers, in August, rejected Google’s motion to dismiss the lawsuit, citing ambiguities around Google’s legal commitment not to collect data in private browsing modes. This decision underscored the significance of corporate privacy policies and the expectations they set for users.

This settlement marks a significant moment in the ongoing debate over digital privacy and the responsibilities of tech giants in protecting consumer data. As the world waits for the detailed terms of the settlement, this case serves as a potent reminder of the complex interplay between technology, privacy, and consumer rights in the digital age.

The post Google Settles Landmark Privacy Lawsuit for $5 Billion appeared first on Compliance Solutions for Websites, Apps and Organizations | iubenda.

Autostrade per l’Italia S.p.A.’s GDPR Breach and Fine

Autostrade per l’Italia S.p.A. was fined €100,000 for violating Articles 12 and 15 of the GDPR. The company failed to respond adequately to an employee’s request for access and rectification of personal data related to annual severance pay calculations. This highlights the critical need for businesses to have robust systems in place for handling personal data requests efficiently and transparently.

Cluster s.r.l.’s Data Breach and Fine

Cluster s.r.l. faced a fine of €18,000 for violating Articles 5 and 32 of the GDPR. This penalty was imposed due to the unauthorized disclosure of sensitive clinical health data and information about an individual’s death. This case underlines the importance of strict adherence to data processing principles and ensuring the security of sensitive personal data.

Amazon Italia Transport s.r.l.’s Compliance Failure and Fine

Amazon Italia Transport s.r.l. was fined €40,000 for failing to properly respond to an employee’s data subject right request, breaching Articles 12 and 15 of the GDPR. This case serves as a reminder of the necessity for clear and effective communication channels regarding data subject rights.

How iubenda can help

With iubenda, you can ensure that your business is equipped to handle data subject requests promptly and accurately. Our solutions facilitate effective communication and provide a structured approach to managing such requests, thereby upholding GDPR compliance and reinforcing trust in your data management practices.

Check out our solution to easily document all the data processing activity within your organization →

The recent GDPR fines in Italy are a wake-up call for businesses to reassess their data protection strategies. iubenda stands ready to assist your organization in navigating the complex terrain of GDPR compliance. With our expert solutions, you can mitigate the risk of non-compliance, protect your customers’ data, and maintain your business’s integrity in the digital world.

Don’t wait for a fine to prompt action. Visit iubenda today to explore our suite of GDPR compliance solutions and secure your business’s future.

The post Navigate GDPR Compliance with Confidence: Lessons from Recent Fines in Italy appeared first on Compliance Solutions for Websites, Apps and Organizations | iubenda.

Breaking Down the Latest Development

This week, the Commission unveiled a crucial tool for digital market gatekeepers: a new template for reporting their consumer profiling techniques. This step is part of the larger Digital Markets Act (DMA), specifically aligning with Article 15 of the Act. Let’s break down what this means in simpler terms.

What is a Gatekeeper?

First off, a “gatekeeper” in this context refers to major players in the digital market. These are companies that have significant control over platform services and can potentially impact the market’s dynamics and consumer choices.

The Importance of the New Template

The newly published template is not just a formality. It’s a structured guide for these gatekeepers to report how they profile consumers. Consumer profiling involves analyzing data to understand and predict consumer behaviors, preferences, and decisions. This is often a core part of how digital services operate and market themselves.

What Must the Reports Include?

Gatekeepers must now provide detailed, transparent information on:

• All profiling techniques used in their core platform services.
• The process of how these techniques apply to consumers.

Moreover, these reports aren’t just submitted directly to the Commission. They must first undergo an independent audit. This means an external, unbiased party will review the reports for their completeness and accuracy. The auditors’ assessments are also part of what the gatekeepers need to submit.

Timeline for Compliance

This isn’t a distant future requirement. Gatekeepers designated on 5 September 2023 have a clear deadline: they must submit their first report and a non-confidential overview by 7 March 2024. This quick turnaround emphasizes the Commission’s commitment to regulating digital markets more closely.

Public Involvement and Transparency

Adding to the transparency, the Commission has also made public the non-confidential responses it received regarding this new template. These were collected during a public consultation phase, highlighting the Commission’s effort to involve various stakeholders and the public in shaping this important regulatory tool.

In essence, this new template is a significant step towards more transparent and regulated digital markets. It requires major digital companies to openly disclose how they profile consumers, ensuring that these practices are audited and reported accurately. This move aims to foster a more fair, competitive, and consumer-friendly digital market environment.

The post Simplifying the Commission’s New Reporting Template for Digital Market Gatekeepers appeared first on Compliance Solutions for Websites, Apps and Organizations | iubenda.

A fresh development in the digital privacy world: a complaint has been filed against X (Twitter) for using sensitive user data inappropriately for targeted advertising. This involves some complex legal and ethical issues, so let’s break it down to make it easier to understand.

What Did X Do?

According to the complaint by noyb, a privacy advocacy group, X (Twitter) used the political and religious beliefs of its users for microtargeting ads. Specifically, they targeted users for an ad campaign by the EU Commission’s Directorate General for Migration and Home Affairs. This campaign was promoting the proposed “chat control” regulation in the Netherlands.

Why is This a Big Deal?

The crux of the issue lies in the type of data used: political opinions and religious beliefs. These are considered highly sensitive and are specially protected under the General Data Protection Regulation (GDPR). The GDPR mandates that such data can only be processed under specific, stringent conditions.

Previous Complaint Against the EU Commission

Interestingly, this isn’t the first complaint in this saga. In November, noyb had already filed a complaint against the EU Commission for using this unlawful microtargeting technique. The latest complaint against X (Twitter) is a follow-up, pointing out the platform’s role in enabling this practice.

The Alleged Violation

Here’s where it gets ironic. X’s own advertising guidelines state that political affiliation and religious beliefs should not be used for ad targeting. However, the complaint suggests that these guidelines are not being enforced, rendering them ineffective. The EU Commission’s campaign was reportedly shown to several hundred thousand Dutch users on X.

Expert Opinions

Maartje de Graaf, a data protection lawyer at noyb, highlights a discrepancy. While X officially prohibits the use of sensitive data for political ads, they allegedly profit from such techniques. This echoes concerns raised during the Cambridge Analytica scandal in 2018.

Legal Implications

The use of such sensitive data for targeting not only potentially breaches the GDPR but also the Digital Services Act (DSA). As a result, noyb has lodged a complaint with the Dutch Data Protection Authority and suggests that a fine should be imposed due to the seriousness of the violations and the number of affected users.

Felix Mikolasch, another data protection lawyer at noyb, stresses that while the EU Commission has stopped advertising on X following the initial complaint, there is a need for enforcement against X as a platform to truly address the issue.

The complaint against X (Twitter) by noyb is a significant development in the world of digital privacy. It underscores the ongoing tension between targeted advertising practices and the legal and ethical standards set by regulations like the GDPR and DSA. The outcome of this complaint could have far-reaching implications for how sensitive user data is used in digital advertising.

The post Understanding the GDPR Complaint Against X (Twitter) for Illegal MicroTargeting appeared first on Compliance Solutions for Websites, Apps and Organizations | iubenda.

At the heart of this lawsuit is a critical accusation: Meta, they claim, has been using personal data from users of Facebook, Instagram, and WhatsApp in ways that give it an undue advantage. By leveraging this data for personalized advertising, these media outlets argue that Meta has crossed a line, engaging in practices that amount to unfair competition. This isn’t just a business dispute; it delves into the realm of data privacy and user consent, particularly under the stringent EU data protection rules.

Since the introduction of the EU General Data Protection Regulation in May 2018, the rules of engagement with personal data have been clear. Consent is king. But according to these Spanish media giants, which include influential names like Prisa and Vocento, Meta’s advertising practices may have sidestepped these essential consent protocols. This alleged violation isn’t just a local issue; it’s a matter that could ripple across the European Union, potentially setting a legal precedent.

Meta’s response to these allegations is currently awaited, as they have yet to receive the legal documents pertaining to the lawsuit. However, this isn’t just a legal skirmish in a court; it symbolizes a broader struggle. Around the globe, traditional media outlets are increasingly clashing with tech behemoths over issues ranging from content sharing to advertising revenues. Spain itself has seen similar confrontations in the past, notably with Google News, leading to significant changes and new legislations.

This lawsuit against Meta is more than a legal battle; it’s a narrative about the evolving dynamics between traditional media and tech giants. As this case unfolds, it could very well become a landmark event, influencing how digital platforms engage with personal data for advertising and how they interact with the media industry at large.

As we watch this saga unfold, one thing is clear: the outcome of this lawsuit could reshape the digital advertising landscape, not just in Spain, but potentially across the entire European Union.

The post Spanish Media Giants Take On Meta in a Groundbreaking $600 Million Lawsuit appeared first on Compliance Solutions for Websites, Apps and Organizations | iubenda.

Key Changes in Cookie Consent Practices

The Belgian DPA’s settlements are a significant step in enforcing the General Data Protection Regulation (GDPR) principles regarding cookie consent and transparency. The mandated changes include:

1. Introduction of a ‘Refuse All’ Button: This change is aimed at providing users with a clear and straightforward option to reject all cookies, balancing the previously dominant ‘Accept All’ option.
2. Visual Equality for Consent Buttons: The companies are required to ensure that the ‘Accept All’ button is not more visually prominent than other options, thus avoiding any design bias that might influence user choices.
3. Simplified Revocation of Consent: The process to withdraw consent for cookies must be as easy as giving it, ensuring that users can easily change their preferences.

Broader Implications and Compliance Challenges

These changes reflect a growing emphasis on user consent and data privacy in the digital landscape. The decision by the Belgian DPA sends a strong message to other companies about the importance of transparent and user-friendly consent mechanisms. It also highlights the need for organizations to regularly review and update their data handling and privacy practices to stay compliant with evolving regulations.

Exemption and Transparency Requirements

Interestingly, the Belgian DPA did not impose the same requirements on Mediafin concerning transparency about strictly necessary or technical cookies. For the other companies, this aspect of the settlement underscores the importance of being transparent about the use of cookies that are deemed essential for the functionality of the website and how revoking consent might affect the user experience.

Deadline for Implementation

The companies involved in these settlements have been given a one-month timeframe to implement these changes. This rapid implementation period underscores the urgency and importance that the Belgian DPA places on GDPR compliance, particularly concerning online privacy.

This action by the Belgian DPA is an important reminder of the ongoing evolution in data protection and privacy laws. Companies operating online must be vigilant and proactive in ensuring their practices comply with these regulations. The settlements also signify the increasing power and influence of privacy advocacy groups like noyb in shaping data protection landscapes.

For businesses and website operators, this case serves as a critical prompt to reevaluate and possibly redesign their cookie consent mechanisms. It’s an opportunity to align with best practices in user consent and data privacy, ensuring a transparent and user-friendly online experience for consumers.

The post Belgian DPA Mandates Cookie Banner Changes for Major Media Websites appeared first on Compliance Solutions for Websites, Apps and Organizations | iubenda.

The message is clear:

The Crux of the Issue

Several websites currently do not provide users with fair options to opt out of being tracked for personalized advertising. The ICO has been vocal in the past about the necessity for organizations to make it as effortless for users to reject all advertising cookies as it is to accept them.

Notably, even when users reject tracking cookies, websites can still display ads, but these should not be tailored to the individual user’s browsing habits.

A Firm Stance for Compliance

The ICO has taken proactive steps by contacting companies behind many of the UK’s most-visited websites. These companies have been given a 30-day ultimatum to ensure their compliance with data protection laws.

ICO’s Viewpoint

Stephen Almond, the ICO Executive Director of Regulatory Risk, highlighted the often unnerving experience of encountering online ads that seem uncannily tailored to our personal lives.

He pointed out the troubling aspects of this practice, such as gambling addicts being bombarded with betting offers, or individuals receiving distressing or highly personal ads based on sensitive browsing history.

A Choice for Companies

While acknowledging that many major websites have aligned their practices with legal requirements, Almond emphasized that those still lagging behind must make a decision: revise their cookie practices promptly or prepare for the repercussions.

Looking Ahead

The ICO has announced plans to update the public in January on this initiative, including naming companies that have not addressed these concerns. This enforcement action is part of a broader effort to safeguard individuals’ rights in the face of the online advertising industry’s practices.

The post UK’s Top Websites Warned by ICO to Revise Cookie Practices appeared first on Compliance Solutions for Websites, Apps and Organizations | iubenda.

From Marshall Plan to AI Governance

Originally established to manage post-WWII European reconstruction, the OECD has evolved into a key forum for international economic collaboration, often referred to as a club for wealthy nations. In 2019, it took a leap into the digital era by proposing a set of principles for trustworthy AI, including an early definition of AI.

The New Definition

The OECD’s recent decision to update this definition marks a pivotal moment. The new definition reads:
“An AI system is a machine-based system that infers, for explicit or implicit objectives, from the input it receives, how to generate outputs like predictions, content, recommendations, or decisions influencing physical or virtual environments.”
This definition, which varies in levels of autonomy and adaptiveness, reflects technological advancements and aims to future-proof the understanding of AI.

EU’s AI Act and International Alignment

The updated definition is not just a theoretical change; it’s expected to be incorporated into the EU’s AI Act, a pioneering legislative proposal aiming to regulate AI based on its potential harm. The EU Parliament, working on this file, has agreed to align with the OECD’s definition, demonstrating a commitment to maintaining semantic consistency with international standards.

Foundation Models and General Purpose AI

The AI Act negotiations have also introduced obligations for foundation models and General Purpose AI. This inclusion acknowledges the expanding capabilities of AI, from generating content like text and videos to evolving post-deployment through machine learning techniques.

Looking Ahead

As the OECD’s new AI definition becomes official, its incorporation into the EU’s AI bill is anticipated. Although the EU received this revised definition in mid-October, the internal adaptation of this change is still pending. This update is a crucial step in shaping not just EU’s AI legislation but also in setting a global standard for AI governance.

Enjoyed post? Subscribe for monthly updates →

The post OECD Updates AI Definition: A Step Forward in Shaping EU’s AI Law appeared first on Compliance Solutions for Websites, Apps and Organizations | iubenda.

Today’s digital landscape faces a new challenge as Noyb, a prominent data protection organization, files a complaint against the EU Commission. At the heart of this controversy is the EU Commission’s Directorate General for Migration and Home Affairs and its recent advertising tactics.

The Questionable Campaign

In September 2023, the EU Commission launched an advertising campaign on Twitter, targeting public opinion about its proposed chat control regulation. This regulation, already under fire for potentially undermining encrypted online communications, has sparked fears of mass surveillance and widespread criticism from various sectors.

The GDPR Breach

Interestingly, the EU Commission’s campaign strategy involved microtargeting users based on sensitive data like political views and religious beliefs. This approach, deemed as a “serious threat to a fair, democratic electoral process,” contradicts the EU GDPR’s protection of such data.

Misleading Statistics

Adding to the controversy, the Commission used misleading statistics in its ads, claiming overwhelming public support for detecting online child abuse over privacy rights. These claims, based on skewed opinion polls, failed to present the negative implications of chat control mechanisms.

Noyb’s Stand

Felix Mikolasch and Maartje de Graaf, data protection lawyers at Noyb, emphasize the illegality of the EU Commission’s actions. Their stance is clear: the Commission, despite being a law-maker, is not above the law, especially when it comes to processing sensitive data for targeted advertising.

Platform Responsibility

The social media platform Twitter, despite its guidelines against using sensitive data for ad targeting, allowed the campaign to reach hundreds of thousands of users. This raises questions about the platform’s enforcement of its own policies.

The Implications for Democracy

Noyb’s complaint is more than just about data protection; it’s about safeguarding democratic processes in the EU. The EU Commission’s tactics not only violate GDPR but also pose a threat to the integrity of the EU legislative process.

Noyb’s Call to Action

In response to these violations, Noyb has called for a full investigation by the European Data Protection Supervisor (EDPS) and suggests imposing a fine due to the severity and scale of the infringement. This move by Noyb is a critical step in holding the EU Commission accountable and protecting the digital rights and democratic values of EU citizens.

Navigate the Digital Privacy Landscape with iubenda

In light of the recent controversy involving the EU Commission and its approach to digital advertising and data privacy, as highlighted above, the importance of adhering to data protection laws has never been more critical. This is where iubenda’s suite of compliance solutions becomes an invaluable asset for businesses and individuals alike.

Align with Legal Standards Effortlessly

The complexities of the EU GDPR and other data protection laws can be daunting. iubenda provides an array of tools, including privacy policy generators, cookie consent management, and terms and conditions templates, all designed to ensure your online activities comply with the latest legal standards.

Why iubenda?

• Tailored to Your Needs: Whether you’re running a blog, an e-commerce site, or a mobile app, iubenda’s solutions are customizable to fit your specific requirements.
• Stay Up-to-Date: With laws and regulations constantly evolving, iubenda’s team of legal experts ensures that their products reflect the most current legal requirements.
• Ease of Use: iubenda’s tools are designed for easy implementation, making compliance accessible to everyone, regardless of technical expertise.

Take Action Today

Visit iubenda’s website to explore how you can safeguard your digital endeavors against legal missteps and maintain the trust of your users. Stay informed, compliant, and ahead in the ever-evolving world of digital privacy.

The post Noyb Challenges EU Commission Over Controversial Ad Campaign appeared first on Compliance Solutions for Websites, Apps and Organizations | iubenda.

The Global Privacy Control (GPC) in Firefox

Firefox, in its upcoming version (Firefox 120), is set to enable a feature that could change how we manage our privacy online. This feature, known as the Global Privacy Control (GPC), acts as a universal command, signaling websites not to share or sell a user’s data.

Key Features:

• Direct Activation: Users can activate the GPC from the privacy settings in Firefox.
• Reject Targeted Advertising: The GPC allows users to opt out of targeted advertising across the web, eliminating the need to opt out on a company-by-company basis.
• Supported by Laws: States like California, Colorado, Connecticut, Delaware, Montana, and Texas have passed laws requiring companies to honor such universal opt-out mechanisms.

Global Privacy Platform: What you Need to Know →

Implementation in Firefox 120:

• Default Settings: By default, GPC will be off in normal browsing mode and on in private browsing mode.
• Comparison with Other Browsers: Browsers like Brave and DuckDuckGo have the GPC setting turned on by default.
• Previous Versions: Earlier, activating GPC in Firefox required more steps than just checking a box.

The Advertising Industry’s Response

The advertising industry has expressed concerns regarding the GPC, arguing that:

• Default Settings: Companies shouldn’t be mandated to honor do-not-track settings that are set by default.
• First Amendment Rights: Universal opt-outs might violate advertisers’ rights by burdening commercial speech.

iubenda’s Role in Enhancing Privacy Control

With these developments, tools like iubenda’s Cookie Consent Management become even more crucial. iubenda’s solution supports GPC, offering users and website owners an easy and compliant way to manage cookie consents and privacy preferences.

Why Choose iubenda?

• Compliance with Laws: Ensures websites are compliant with various privacy laws.
• User-Friendly Interface: Simplifies the process of managing cookie consents.
• Integration with GPC: Works seamlessly with the Global Privacy Control initiative.

Conclusion

Firefox’s upcoming release with the Global Privacy Control feature is a step forward in user privacy. This, coupled with solutions like iubenda’s Cookie Consent Management, can significantly empower users in controlling their digital footprint. As privacy becomes a paramount concern, such initiatives are crucial in shaping a more secure and private internet experience.

Stay tuned for the release of Firefox 120 next month to experience these privacy controls first-hand!

The post Firefox To Introduce Simplified Global Privacy Control appeared first on Compliance Solutions for Websites, Apps and Organizations | iubenda.

In a significant ruling, the Berlin District Court has taken a stand against certain practices of the social networking platform LinkedIn, owned by LinkedIn Ireland Unlimited Company. This ruling, largely in favor of the Federation of German Consumer Organizations (vzbv), marks a pivotal moment in the ongoing battle for digital privacy rights.

“Do-Not-Track” Signals Must Be Honored

One of the critical aspects of this ruling is the court’s decision that LinkedIn can no longer ignore “do-not-track” signals from users. These signals are an essential tool for users who wish to prevent their online activities from being tracked for advertising or other purposes. LinkedIn’s previous policy of disregarding these signals has been deemed unacceptable by the court.

Unlawful Default Settings Changed

The court also targeted LinkedIn’s default setting concerning the visibility of member profiles. Until now, new users’ profiles were automatically set to be publicly visible, including on external websites and search engines, without explicit consent from the users. The court has declared this practice unlawful, emphasizing the need for valid consent for such visibility settings.

Unsolicited Emails Banned

In a ruling from last year, which still stands, LinkedIn was prohibited from sending email invitations to non-members who had not agreed to such communication. This decision aligns with the broader theme of the court’s rulings, focusing on user consent and the right to digital privacy.

Implications for Digital Consent and Privacy

Rosemarie Rodden, Policy Officer Team Litigation at vzbv, has stressed the importance of respecting users’ preferences, especially those who activate the ‘do-not-track’ function in their browsers. The rulings by the Berlin District Court underline the significance of user consent and the right to object to the processing of personal data, as outlined in the General Data Protection Regulation (GDPR).

LinkedIn’s Misleading Statement and Terms Conditions

The court found LinkedIn’s statement about ignoring DNT signals misleading, as it suggested that the DNT signal was legally irrelevant. Additionally, certain conditions in LinkedIn’s general terms and conditions were prohibited, including clauses dictating that only the English language version of the contract is legally binding and litigation may only be pursued in Dublin, Ireland.

A Victory for Consumer Rights

This ruling represents a victory for consumer rights and data privacy. It sends a strong message to digital platforms about the importance of respecting user preferences and the necessity of obtaining explicit consent for data processing and profile visibility. The decision of the Berlin District Court sets a precedent that could influence future legal actions in the realm of digital privacy and user rights.

As digital privacy concerns continue to grow, rulings like this one from the Berlin District Court are crucial in shaping the future of how social networks and other online platforms handle user data. It’s a reminder that user rights and privacy must be at the forefront of digital business practices.

Ensure Your Compliance with Iubenda

In the wake of this landmark ruling, it’s more important than ever for businesses to ensure their online practices comply with data privacy laws. Iubenda offers comprehensive solutions for managing digital compliance, including consent management, privacy policy generation, and cookie management tailored to the latest legal requirements.

Protect your business and respect your users’ rights with iubenda’s easy-to-use, legally compliant tools. Learn more and start your journey towards full compliance at iubenda’s website.

The post Berlin Court Cracks Down on LinkedIn’s Privacy Violations appeared first on Compliance Solutions for Websites, Apps and Organizations | iubenda.

This short blog post will give you a quick overview and the potential implications of this controversy. Keep reading to learn more! 

Background

Online advertising is a driving force behind the free, accessible internet we all enjoy. However, the intrusive nature of certain ads led to the development and widespread use of ad blockers.

YouTube has been trying to navigate this intricate landscape, leading to the creation of their ad blocker detection system. This system recognizes when users are using ad blockers and prompts them to disable these tools for a smooth viewing experience.

The Accusation

The controversy began when Alexander Hanff, a privacy advocate and tech entrepreneur, claimed that YouTube’s ad blocker detection system violated the EU ePrivacy Directive. Hanff argues that detecting an ad blocker falls outside the realm of “strictly necessary” and constitutes a violation of the directive.

YouTube’s Defense

In response to this accusation, YouTube maintains that its ad blocker detection system is a necessary part of its service. They argue that their platform, which relies heavily on ad revenue, would suffer significant economic harm without it. YouTube has said that their ad detection system is a protective measure that allows them to sustainably offer free content to their users.

Possible Implications

If Hanff’s claims are upheld, the implications extend far beyond YouTube. Many online platforms could be forced to rethink how they operate, potentially disrupting the online advertising industry. On the other hand, ruling in favor of YouTube could set a precedent for other platforms to implement similar systems, potentially infringing on user privacy.

The YouTube ad blocker controversy is emblematic of the broader struggle between digital rights and economic viability. It raises fundamental questions about the balance between a free internet and user privacy. It is a test of the ePrivacy Directive, its interpretations, and its capacity to protect users in the rapidly changing digital landscape.

Regardless of the outcome, this controversy serves as a reminder that as technology evolves, so too must our understanding and regulation of privacy. It’s a delicate balancing act, one that requires us to continually reassess what we value most — free content or privacy protection. This controversy is yet another chapter in the ongoing dialogue about the nature and future of our digital rights.

The post The YouTube Ad Blocker Controversy: A Test of the ePrivacy Directive? appeared first on Compliance Solutions for Websites, Apps and Organizations | iubenda.

AWS European Sovereign Cloud: Key Features

1. Data Sovereignty: One of the primary concerns for European businesses and public sector organizations is the control and sovereignty of their data. The AWS European Sovereign Cloud will enable customers to store their metadata exclusively within the European Union, ensuring compliance with EU data protection regulations.
2. Security and Privacy: AWS is known for its commitment to security, and this new cloud offering will be no exception. Customers can expect the same level of security, availability, and performance as existing AWS regions. It will also support 143 security standards and compliance certifications to help customers meet regulatory requirements.
3. Billing and Usage Metering: The AWS European Sovereign Cloud will feature its own billing and usage metering systems, providing customers with greater transparency and control over their cloud costs.
4. Collaboration with European Regulators: AWS is actively collaborating with European regulators and national cybersecurity agencies to ensure that the AWS European Sovereign Cloud meets additional data residency, operational autonomy, and resiliency needs specific to Europe.

Data Privacy History

The need for enhanced data privacy and sovereignty in Europe has been a long-standing concern. Washington and Brussels were embroiled in a prolonged battle over the safety of EU citizens’ data stored by tech companies in the U.S., triggered by revelations from former NSA contractor Edward Snowden. After the rejection of two earlier data transfer agreements, the EU recently approved a new framework with improved data protection measures.

AWS’s Commitment to Europe

Amazon’s AWS infrastructure in Europe already includes eight regions in major cities across the continent, and it plans to launch five more AWS regions in countries like Canada, Germany, Malaysia, New Zealand, and Thailand. Germany will be the first AWS Region within the AWS European Sovereign Cloud.

European Response

European officials and organizations have welcomed this development. Claudia Plattner, president of the German Federal Office for Information Security, highlighted the significance of the European AWS cloud for public sector organizations and companies with stringent data security and protection requirements.

The introduction of the AWS European Sovereign Cloud demonstrates Amazon’s commitment to addressing the unique data sovereignty and security needs of its European customers. With its advanced security features, data residency options, and collaboration with regulators, this new cloud offering is poised to empower businesses and public sector organizations to embrace AWS services while ensuring compliance with EU regulations. As data privacy continues to be a critical issue, Amazon’s initiative represents a significant step forward in safeguarding European data.

The post Amazon Introduces AWS European Sovereign Cloud to Address EU Regulations appeared first on Compliance Solutions for Websites, Apps and Organizations | iubenda.

In this blog post, we’ll delve into the details of Google’s Privacy Sandbox initiative, its timeline, and what it means for the digital advertising landscape.

Understanding Google’s Privacy Sandbox

Google’s Privacy Sandbox is an initiative aimed at reducing cross-site tracking while ensuring that online content remains freely accessible. The key component of this initiative is the deprecation of third-party cookies, which are commonly used for tracking user behavior across different websites. These cookies have been a cornerstone of digital advertising for years, but concerns about user privacy have prompted their removal.

The Timeline

Google’s plan to phase out third-party cookies is set to unfold in several stages:

Q4 2023 and Q1 2024: During this period, Google will facilitate testing of the Privacy Sandbox relevance and measurement APIs. As part of this testing, third-party cookies will be disabled for 1% of Chrome Stable users. This is a crucial phase for companies testing the impact of the Privacy Sandbox on their operations.
Start of 2024: The testing period continues into the first quarter of 2024. At this point, a growing proportion of Chrome users will have third-party cookies disabled, even if they are not actively participating in the testing.
Q3 2024: By this time, Google aims to have resolved any competition concerns, including those raised by the UK’s Competition and Markets Authority (CMA). If all goes according to plan, third-party cookies will be disabled for all Chrome users, marking the culmination of this transition.

The CMA’s Role

Earlier this year, the CMA accepted commitments from Google to address competition concerns related to the removal of third-party cookies and other functionalities from its Chrome browser. The CMA will continue to monitor these developments through quarterly reports.

Industry Collaboration

The impending deprecation of third-party cookies has spurred increased collaboration within the advertising industry. Companies like Amazon Web Services (AWS) are introducing data-matching capabilities for advertisers, aiming to enhance the use of first-party data. LiveRamp is also working on a sophisticated data platform, fostering collaboration among brands, publishers, and technology platforms.

The Importance of Interoperability

Interoperability between different identity solutions is becoming increasingly important. According to Insider Intelligence, collaboration among data partners will allow for the enrichment of first-party data, a comprehensive understanding of consumer behavior, and the maintenance of frequency and recency caps across multiple platforms. However, achieving interoperability poses challenges, such as matching diverse data sets and addressing consumer privacy-related methods.

Industry Preparation Guidelines

Rowan Merewood, developer relations for Privacy Sandbox, has provided guidelines for the industry to prepare for the transition away from third-party cookies. These include:

• Auditing third-party cookie use.
• Testing for breakage in existing systems.
• Assessing cross-site cookies that store data on a per-site basis.

In conclusion, Google’s decision to disable third-party cookies represents a significant shift in the digital advertising landscape. Advertisers and other stakeholders should be proactive in preparing for this change by familiarizing themselves with the Privacy Sandbox initiative, understanding the timeline, and exploring alternative solutions for targeting and tracking users. Collaboration and interoperability will play crucial roles in the post-cookie era, ensuring that advertisers can continue to deliver effective and privacy-conscious campaigns. Stay tuned for Google’s upcoming tools to aid in this transition, set to be released in November.

The post Google’s Move to Disable Third-Party Cookies: What Advertisers Need to Know appeared first on Compliance Solutions for Websites, Apps and Organizations | iubenda.

Origin of the Case

The saga began when IMY initiated a supervision of H&M based on six complaints received from individuals who voiced their concerns about receiving unsolicited direct marketing materials from the company. It’s important to note that these complaints came from individuals in various countries, including Poland and Italy. However, since H&M is headquartered in Sweden, IMY took on the responsibility of investigating the matter.

Key Findings

IMY’s investigation yielded crucial findings that underscored H&M’s non-compliance with the GDPR:

• Continued Handling of Personal Data: The primary violation identified by IMY was H&M’s failure to promptly cease the handling of personal data belonging to the complainants for direct marketing purposes. Despite these individuals clearly expressing their objection to such marketing tactics, the company continued its practices without undue delay.
• Lack of Systems and Routines: Additionally, IMY’s decision pointed out that H&M lacked the necessary systems and routines to facilitate the easy exercise of the right to object to direct marketing by those who had filed complaints. This deficiency contributed to the GDPR violations.

The Decision

In light of the GDPR breaches uncovered during the investigation, IMY has taken decisive action against H&M. The authority has issued an administrative fine amounting to SEK 350,000, which roughly translates to approximately 28,500 EUR. This fine serves as a clear message that non-compliance with GDPR regulations will not be tolerated.

The IMY’s decision to fine H&M for GDPR violations emphasizes the importance of data protection and respecting individuals’ rights to control their personal data. It’s a reminder to businesses operating within the European Union and handling personal data to implement robust systems and procedures to honor data subject requests, such as objections to direct marketing. This case serves as a valuable lesson for companies of all sizes on the significance of GDPR compliance and the consequences of non-compliance.

The post IMY Fines H&M for GDPR Violations: A Closer Look appeared first on Compliance Solutions for Websites, Apps and Organizations | iubenda.

In this blog post, we’ll break down the key components of the Delete Act and what it means for both data brokers and consumers.

Background: CCPA and CPRA

Before diving into the specifics of the Delete Act, it’s essential to understand the context. The California Consumer Privacy Act of 2018 (CCPA) and the California Privacy Rights Act of 2020 (CPRA) set the stage for enhanced data privacy in California. These laws granted consumers several rights, including the right to request information about the data collected, the right to request data deletion, and the right to opt-out of data sales.

The Delete Act’s Core Provisions

1. Registration with CPPA: Under the Delete Act, data brokers are required to register with the California Privacy Protection Agency (CPPA). This agency is responsible for enforcing the law and ensuring compliance.
2. One-Stop-Shop Mechanism: The CPPA is tasked with developing a user-friendly mechanism by January 1, 2026. This mechanism allows securely verified consumers to request the deletion and tracking of their personal data from data brokers. Starting August 1, 2026, data brokers must process deletion requests within 45 days of receiving a verified request.
3. Incorporating CCPA Definitions:The Delete Act incorporates definitions from the CCPA into its provisions, aligning terminology and regulations.
4. Compliance Reporting: Data brokers must compile and disclose specific information related to requests received under the CCPA. They are also required to provide this information to the agency annually.
5. Accessible Deletion Mechanism: By January 1, 2026, the agency must establish an accessible deletion mechanism that allows consumers to request the deletion of their data from all data brokers through a single verifiable request.
6. Regular Audits: Data brokers must undergo an audit by an independent third party every three years, beginning January 1, 2028. Audit reports must be submitted to the agency upon request.
7. Fees: The agency may charge data brokers a fee for accessing the accessible deletion mechanism.

Penalties and Funds

The Delete Act imposes penalties, fees, expenses, and costs on data brokers for non-compliance with its provisions. These financial consequences are collected and managed in the Data Brokers’ Registry Fund, administered by the agency. The fund’s usage has been expanded to cover state court expenses, enforcement costs, and the maintenance of the accessible deletion mechanism.

The California “Delete Act” represents a significant step forward in data privacy regulation. By requiring data brokers to register with the CPPA, implement accessible deletion mechanisms, and undergo regular audits, the state aims to protect consumers’ personal information more effectively. Data brokers operating in California should be aware of these changes and take the necessary steps to ensure compliance. As of now, the Delete Act strengthens California’s commitment to data privacy and consumer rights, reinforcing its position as a leader in data protection legislation.

The post Understanding California’s “Delete Act” and Data Broker Regulations appeared first on Compliance Solutions for Websites, Apps and Organizations | iubenda.

The Digital Services Act (DSA) in a Nutshell

The DSA is a vital component of the European Union’s digital strategy. It sets out new standards for accountability when it comes to online platforms and their role in addressing issues like disinformation, illegal content, and societal risks. It’s designed to strike a balance between safeguarding freedom of expression and protecting users from harmful content.

X’s Designation as a Very Large Online Platform (VLOP)

X was designated as a Very Large Online Platform (VLOP) based on its significant user base, exceeding 45 million users or 10% of the EU population. As a VLOP, X is obligated to comply with the comprehensive set of provisions introduced by the DSA since late August 2023. These provisions encompass a wide range of issues, including the dissemination of illegal content, disinformation, gender-based violence, and their impact on fundamental rights, child rights, public security, and mental well-being.

The Request for Information

The European Commission services have initiated an investigation into X’s compliance with the DSA. This investigation encompasses various aspects, including X’s policies and actions related to illegal content notices, complaint handling, risk assessment, and measures taken to mitigate identified risks. The Commission has the authority to request additional information from X to ensure the proper implementation of the law.

Next Steps and Possible Consequences

X is required to provide the requested information to the Commission services by specific deadlines—18th October 2023 for questions concerning its crisis response protocol and 31st October 2023 for other aspects. Based on X’s responses, the Commission will assess the next steps. This could include formally opening proceedings under Article 66 of the DSA.

Compliance and Potential Penalties

It’s important to note that the Commission can impose fines if X provides incorrect, incomplete, or misleading information in response to the request. Failure to respond by the deadline could also lead to the imposition of periodic penalty payments. Compliance with DSA provisions is crucial to avoid legal consequences.

The European Commission’s request for information from X under the Digital Services Act highlights the growing importance of accountability and responsibility for online platforms. As the digital landscape continues to evolve, regulations like the DSA aim to strike a balance between protecting users from harmful content and preserving freedom of expression.

The outcome of this investigation will be closely watched, as it could set a precedent for how online platforms are held accountable in the EU.

The post EU Commission Requests Information from X Under Digital Services Act: What You Need to Know appeared first on Compliance Solutions for Websites, Apps and Organizations | iubenda.

A Timeline of the DAZN Case

2018: Privacy Regulations and Right to Access

When the GDPR (General Data Protection Regulation) was introduced in May 2018, it promised enhanced data protection rights for users. Among these rights was the “right of access”, which allows users to request a copy of all personal data a company holds about them. Ideally, companies should process such requests within a month.
The privacy advocacy group, noyb, decided to test the waters. Their target? Streaming services. And the results were less than stellar. Not one streaming service was fully compliant with GDPR. DAZN, however, stood out from the crowd – by not even acknowledging the access requests filed by users in September 2018.

2019: Legal Battles Begin

Frustrated with the inaction, noyb took the issue to the Austrian data protection authority, initiating a lengthy legal tussle that stretched on for years.

2023: An Epic Conclusion

Fast forward to 2023, DAZN’s reluctance, combined with the Austrian data protection authority’s repeated inaction, pushed the cases to the Austrian Federal Administrative Court. Throughout the legal journey, DAZN provided the requested information in bits and pieces, drawing out the process.
But on September 6, 2023, a decision finally came through. DAZN had provided all the information except one key detail – the contact details of those who had received user data. After being ordered by the court, DAZN complied on September 13, 2023.

The Bigger Picture

Marco Blocher, a Data Protection Lawyer at noyb, voiced his frustration. “After five years of GDPR, it’s disheartening to see companies either partially or entirely ignoring the right of access. Instead of swift fines for non-compliance, they’re granted numerous chances over extended legal battles.” He suggests a change in approach, comparing it to the immediacy of speeding tickets, which if applied, could streamline compliance and reduce legal hassles.

The conclusion of DAZN’s case might have brought some relief, but the broader scenario remains concerning. Enforcing data protection rights is a herculean task in reality. With about 400 of noyb’s cases pending for over two years, DAZN’s episode is a mere drop in the ocean.

So, while the curtain has fallen on this particular saga, the broader narrative about the challenges of enforcing data protection continues. And for the discerning user, the question remains – just how protected is our data?

The post DAZN’s Access Request Saga appeared first on Compliance Solutions for Websites, Apps and Organizations | iubenda.

Why the Potential Shift?

At its core, this potential change is driven by Meta’s need to align with European Union privacy directives. The EU has stringent rules that curb companies from delivering personalized ads, drawing from users’ online browsing habits without explicit consent. To give you an idea of how seriously the EU takes these concerns: Ireland’s Data Privacy Commissioner previously slapped Meta with a fine for seeking app users’ nod to view such personalized ads.

The Price Tag of Privacy

As per insider information provided to CBS MoneyWatch, the proposed fee stands at about $13 a month—mirroring similar charges by other platforms such as YouTube Premium. But before you jump to conclusions, it’s crucial to note that this proposal isn’t final. Meta remains in exploratory stages, evaluating various strategies to adhere to EU’s guidelines.

A Choice for Europeans

Should this model be adopted, European users will find themselves at a crossroads:

1. Continue using Facebook and Instagram without any charges but get served with personalized ads.
2. Opt for a premium experience by paying a monthly fee and enjoy an ad-free social surfing.

For our readers outside Europe, you can heave a sigh of relief. This potential change won’t touch the shores of other countries, including the vast user base in the U.S.

Meta’s Stance on the Issue

Meta has always championed the mantra of free services, which are, in most cases, underpinned by ad revenues. Speaking to CBS MoneyWatch, a spokesperson from Meta iterated, “Meta believes in the value of free services which are supported by personalized ads. However, we continue to explore options to ensure we comply with evolving regulatory requirements.”

As the digital realm evolves, and regulatory boundaries are redrawn, it’s not just Meta but many tech giants that are poised at the threshold of change. While the idea of paying for what was once free might unsettle some, it opens up a dialogue on the real costs of digital privacy. Only time will tell how these discussions and decisions will shape the next era of our online experience. Stay tuned with us for more updates on this fascinating pivot!

The post Meta’s New Pivot in Europe: To Pay or Not to Pay for an Ad-Free Experience? appeared first on Compliance Solutions for Websites, Apps and Organizations | iubenda.

Regaining Control Over Personal Data

Today, data privacy is a pressing concern. Every click, every purchase, every online interaction leaves a trail of personal information. With the brand-new Permission Slip app, consumers nationwide can shield their privacy like never before.

The app, available for both iOS and Android, offers an intuitive user interface where users can easily see which companies have their data. In a few taps, they can ask these companies to delete their data or prevent its sale. From giants like Amazon and Netflix to popular brands like McDonald’s, AMC Theatres, Lowe’s, and more, Permission Slip offers a broad spectrum of companies to choose from, with even more set to join the list.

How Does It Work?

Built in the wake of new state privacy laws and the transformative California Consumer Privacy Act (CCPA) of 2020, the app is a brainchild of Consumer Reports’ Innovation Lab. Using Permission Slip, Consumer Reports becomes an “authorized agent” – filing data requests for consumers and ensuring these requests get the attention they deserve.
Getting started is easy:

1. Discover: Tap on a company and see the type of data they have.
2. Act: Opt to delete your data or prevent its sale.
3. Stay Safe: Engage in automatic requests to data brokers, who often gather vast amounts of data without clear consent.
4. Stay Updated: Check the request status and get confirmations once actioned. Some companies may contact you directly for ID verification.

Director of Product R&D, Ginny Fahs, shared her excitement, saying, “This free app makes it simple to control the personal information companies have about you.”

Pushing the Boundaries of Data Privacy

But Consumer Reports isn’t stopping at the app. They’re pioneering a new consumer privacy technology called the Data Rights Protocol. With this, they aim to create an industry-wide open standard, making it more straightforward for companies to honor data privacy requests. The whole initiative, supported in part by the Omidyar Network, signals a decisive move towards granting consumers more power over their personal data.

The post Consumer Reports Launches Free ‘Permission Slip’ App to Protect Your Data appeared first on Compliance Solutions for Websites, Apps and Organizations | iubenda.

The Proposal

Meta has proposed a “Pay for your Rights” model, suggesting that EU users pay $14 monthly, totaling $168 (€160) annually, to enjoy their fundamental privacy rights. This means if you don’t want Meta to exploit your personal data, you might have to pay up.

What Sparked This Move?

Meta’s decision follows a successful lawsuit by noyb (an activist group focused on data protection). The European Data Protection Board (EDPB) had earlier declared that Meta’s method of bypassing user consent was unlawful. The Court of Justice of the European Union (CJEU) backed this view in case C-252/21 Bundeskartellamt, confirming that Meta’s data usage practices were illegal in the EU from 2018 to 2023.

Max Schrems, an activist with noyb, remarked, “Fundamental rights cannot be for sale. Are we going to pay for the right to vote or the right to free speech next? This would mean that only the rich can enjoy these rights, at a time when many people are struggling to make ends meet. Introducing this idea in the area of your right to data protection is a major shift. We would fight this up and down the courts.”

A Ruling with Six Crucial Words

Interestingly, Meta’s stance might be influenced by just six words in a recent, lengthy CJEU judgement. The statement, tucked away in paragraph 150, suggested an alternative to ads “if necessary for an appropriate fee”. These words, often called an “obiter dictum”, are non-binding remarks in a legal judgement. Despite their non-binding nature, Meta seems to be latching onto this statement to justify their proposed fee.

Schrems added, “The CJEU said that the alternative to ads must be ‘necessary’ and the fee must be ‘appropriate’. I don’t think € 160 a year is what they had in mind.”

The Origin of ‘Pay or Okay’

The idea of choosing between paying for privacy or consenting to data processing was first introduced by the Austrian newspaper “Der Standard”.

They proposed a fee of €8.90 monthly (€107 annually) for readers who opted out of data processing for ads. Initially, this approach aimed to help journalism outlets affected by dwindling ad revenues due to big tech dominance.

However, Meta seems keen to adopt this strategy, even though the General Data Protection Regulation (GDPR) doesn’t distinguish between big tech and media companies regarding user consent.

While it remains to be seen how this will pan out, one thing is clear: the debate about online privacy, user rights, and big tech’s responsibilities is heating up. Stay tuned for more developments on this front!

The post Meta’s New Approach: Pay for Your Privacy? appeared first on Compliance Solutions for Websites, Apps and Organizations | iubenda.

Background of the Case:

The lawsuit asserted that Google presented consumers with misleading information, giving them the impression they had more control over their location data than they actually possessed. This discrepancy between what was communicated to the users and the alleged reality forms the core of the complaint.

“Our investigation disclosed a considerable divergence between Google’s assurances to users – that opting out meant their location would no longer be tracked – and the actual practices of continuing to monitor user movements for commercial benefits,” declared Attorney General Bonta, emphasizing the importance of holding Google accountable for such divergences.

Core Discrepancies:

Users were given the option to disable their “location history,” with Google stating explicitly that it would cease to track the locations of those who opted for this. However, it was alleged that the company still continued to gather and store users’ location data through other means, including “web and app activity” trackers, which are typically enabled by default.

Google, additionally, was accused of concealing the true extent of users’ ability to avoid targeted advertisements based on their location, contributing to the overall allegation of deception and misrepresentation.

Terms of the Settlement:

While Google hasn’t admitted to any wrongdoing in the settlement, it has consented to comply with several terms besides the monetary payout. The company has committed to enhancing transparency around its location tracking activities, alerting users before using location data to create ad profiles, and obtaining approvals from its internal privacy working group prior to implementing substantial privacy-related changes.

José Castañeda, a spokesperson for Google, clarified, “Aligned with the enhancements we’ve incorporated in recent years, we’ve resolved this matter, attributed to obsolete product policies that have already undergone modifications.”

Past Settlements:

This isn’t a solitary incident of such settlements for Google. The company settled a comparable lawsuit in 2022, wherein it was accused of analogous deceptive location privacy practices by attorneys general from 40 states, and agreed to pay nearly $392 million.

This case underscores the crucial need for transparency and clarity in the way companies, especially tech giants like Google, manage and communicate their data practices to consumers. With growing concerns over data privacy and security, it’s imperative that companies are held to stringent standards to maintain user trust and ensure the responsible use of sensitive information. This settlement serves as a reminder and a precedent, emphasizing responsibility and accountability in handling user data.

The post Understanding Google’s $93m Settlement over Consumer Location Data Accusations appeared first on Compliance Solutions for Websites, Apps and Organizations | iubenda.

The Methodology and Findings

Noyb’s complaints stem from a technical investigation where apps were installed on an Android smartphone to analyze their network traffic. The findings were unsettling. As soon as users open these apps, the applications begin collecting and sharing sensitive data like Google’s unique Advertising ID (AdID), the model and brand of the device, and the local IP address with third-party organizations.

Why is this a Big Deal?

Such data collection allows for extensive user profiling, which in turn enables targeted ads and marketing campaigns, thereby increasing revenue for these companies. The more concerning aspect is that users aren’t given the option to consent to this data sharing, making the process unlawful under the ePrivacy Directive of the European Union.

The Illusion of Consent

European law states that data access or storage on a user’s terminal device is only allowed if users provide “free, informed, specific, and unambiguous consent.” Two out of the three mobile apps that were part of this investigation did not even display a consent banner upon launching. The third displayed a consent banner but began data transmission before the user could interact with it or provide their consent.

Detailed Tracking

Information like AdID is unique to a device, making it possible for third parties to single out users for targeted advertising in the future. Some apps go a step further by tracking user behavior outside their apps, providing even more granular data for their profit-making schemes.

The Larger Context

According to research by Konrad Kollnig and others, only 3.5% of all apps give users a real choice to decline consent. Ala Krinickytė, a Data Protection Lawyer at noyb, has emphasized that illegal data sharing is a widespread issue in the mobile app environment. Noyb aims to push regulatory authorities to put an end to this troubling practice.

Call to Action

Noyb has urged the CNIL (The National Commission on Informatics and Liberty) to order MyFitnessPal, Fnac, and SeLoger to delete all unlawfully processed data. They also suggest imposing fines due to the seriousness of these violations. This is merely the tip of the iceberg, as noyb plans to file more complaints against mobile app companies in the future to halt the illegal sharing of user data.

As consumers, it’s crucial that we remain vigilant and informed about the apps we use and the permissions we grant. Regulatory bodies must also step up to enforce existing laws designed to protect user data. Until that happens, organizations like noyb will continue to uncover the underbelly of data violations in the mobile app industry, pushing for change one complaint at a time.

As Ala Krinickytė of noyb puts it, “The illegal collection and sharing of users’ personal data is a widespread problem in the mobile apps environment. It is key that the supervisory authorities now take appropriate action to put an end to this practice.” Let’s hope that the coming months and years bring about more accountability in this sector.

The post How Mobile Apps Illegally Share Your Personal Data: A Deep Dive appeared first on Compliance Solutions for Websites, Apps and Organizations | iubenda.

In a development that’s grabbing attention across technology circles, OpenAI and its main financial supporter, Microsoft, are facing legal issues once more. A lawsuit has been launched against them for purportedly violating several privacy regulations during the creation and operation of ChatGPT, OpenAI’s widely-used chatbot. This legal action, led by law firm Morgan & Morgan, mirrors a similar suit initiated by Clarkson Law Firm earlier this year. This article explores what this legal wrangling could mean for both the tech sector and the public.

Details of the Legal Action

Two anonymous software developers who use ChatGPT are at the center of this new class action lawsuit, filed in a federal court in San Francisco. Their contention is that OpenAI and Microsoft have utilized confidential data from a large population of internet users to train their artificial intelligence offerings.

The latest lawsuit shares common ground with an earlier one spearheaded by Clarkson Law Firm. Ryan Clarkson, the managing partner of the firm, is enthusiastic about joining forces with Morgan & Morgan to hold what he refers to as “BigAI” responsible for large-scale data appropriation.

Backstory

Since its debut, ChatGPT has grown at an unprecedented rate, tallying up to 100 million active users in a scant two months. Microsoft’s significant financial investment in OpenAI amplifies the potential consequences of any legal judgments relating to the chatbot.

Core Accusations

According to the lawsuit, not only has personal data been improperly used from platforms like social media, but the intellectual “know-how” of the engineers who initiated the lawsuit could be absorbed into AI systems. They fear this might make their professional skills irrelevant in the future.

Larger Legal Landscape

This isn’t a standalone issue; rather, it’s part of a more significant wave of lawsuits that have emerged against technology companies regarding data privacy. Parallel to this, companies such as Microsoft, OpenAI, Google, and Stability AI have been named in separate legal challenges concerning the unauthorized gathering of copyrighted content and personal details to fuel their AI algorithms.

What It Means for Tech Companies

• Answerability and Supervision: The unfolding legal actions underscore the urgent requirement for comprehensive legal and ethical norms surrounding AI.
• Open Disclosure: There could be increased pressure for companies to disclose their data usage and training methodologies.
• Consumer Confidence: Legal challenges could shake consumer faith in AI technologies, making transparency crucial for maintaining trust.
• Policy Responses: Regulatory bodies might step in with tighter rules around data collection and AI training.

Takeaways for Consumers

• Privacy Awareness: These lawsuits could make individuals more vigilant about how their personal data is used or misused.
• Knowledge-Based Decisions: Increased disclosure from companies could equip consumers to make more informed choices regarding platform trustworthiness.
• Potential Remedies: Successful legal action could mean financial restitution for affected individuals.

The new lawsuit serves as yet another wake-up call to technology companies about the importance of ethical and transparent practices in AI development. The results of this and similar cases will almost certainly have ripple effects across the entire tech landscape, setting precedents for how personal data is handled.

The post Legal Spotlight: Privacy Concerns Surrounding OpenAI’s ChatGPT and Microsoft’s Involvement appeared first on Compliance Solutions for Websites, Apps and Organizations | iubenda.

Historical Context

In july 2020, the EU’s highest court, the Court of Justice of the European Union (CJEU), voided the previous data transfer arrangement known as Privacy Shield, citing surveillance concerns from U.S. intelligence agencies. A subsequent agreement, the EU-U.S. Data Privacy Framework, was green lit by both EU and U.S. officials in July 2023, aimed at providing companies a legal pathway for transatlantic data transfers and ending years of legal ambiguity.

Key Legal Arguments

Philippe Latombe, affiliated with President Macron’s partner party Modem, argues that the new framework violates the EU Charter of Fundamental Rights. He raises concerns about “lacking assurances for the protection of privacy and family life concerning mass data collection” and notes its non-compliance with the General Data Protection Regulation (GDPR).
Latombe is leveraging a dual strategy for his legal objections:

• Immediate Invalidation: The first objection seeks to put an immediate hold on the DPF.
• Textual and Procedural Flaws: The second centers around the framework’s textual shortcomings, including its availability solely in English and its absence from the EU’s Official Journal.

Latombe has kept both the French government and CNIL, the country’s data protection authority, informed about his legal moves.

Update on EU-U.S. Data Privacy Dispute

Latombe has recently filed an appeal against the decision of the EU General Court regarding data protection. In his argument, Latombe highlights significant concerns about the independence and effectiveness of the U.S. Data Protection Review Court. Key points of his appeal include:

1. Questioning Independence: Latombe asserts that the U.S. Data Protection Review Court lacks genuine independence, as it was established by a presidential executive order rather than through an act of Congress.

2. Automated Decision-Making Safeguards: He also raises concerns about the absence of comprehensive safeguards in U.S. law against automated decision-making processes, suggesting a potential for bias and lack of transparency.

This appeal represents a crucial development in the ongoing discourse about data privacy and protection standards between the European Union and the United States. The outcome of this case could have significant implications for the future of international data transfers and privacy regulations.

What’s at Stake?

Corporate Impact
If Latombe’s objections are upheld, corporations on either side of the Atlantic may find themselves navigating a legal maze, devoid of any stable framework for transatlantic data flows.

Diplomatic Relations
The objections could further complicate the already delicate relationship between the EU and the U.S., especially given that the DPF was supposed to resolve prior uncertainties.

Data Privacy Future
The case could serve as a catalyst for renewed debates over data privacy standards, possibly leading to more stringent regulations in the coming years.

Regardless of the outcome, this unfolding drama highlights the challenges inherent in creating international accords that need to marry business needs with human rights protections. It remains to be seen whether the DPF can endure the renewed scrutiny it now faces.

The post Legal Scrutiny Looms Over Transatlantic Data Deal: French MEP Takes Action appeared first on Compliance Solutions for Websites, Apps and Organizations | iubenda.

Here’s what you need to know

The Core Issues

According to noyb’s complaints, when you sign up for a Fitbit account in Europe, you’re essentially forced to agree to the transfer of your data to the United States and other countries with varying data protection laws. This is against GDPR requirements, which specify that consent must be freely given, informed, and specific.

As per the complaint, Fitbit doesn’t offer a clear path for users to withdraw their consent later, which is another GDPR requisite.

Not Just Basic Data

When we talk about data, we’re not just referring to mundane information like email addresses and birthdates. Fitbit’s policy allegedly allows for the sharing of more intimate data, such as your sleep patterns, weight, and even messages sent through their services.

And here’s the kicker: the company may share this data with unknown third parties, leaving you in the dark about who exactly has access to your personal information.

A “Take It or Leave It” Dilemma

Fitbit’s existing policy essentially offers you two options—either agree to their data-sharing policy or delete your account. The latter, of course, would mean losing all your previously logged health data, which undermines the very reason most people purchase a Fitbit in the first place.

Legal Repercussions

According to GDPR, consent can only be used as a lawful basis for transferring data outside the EU if it is for occasional, non-repetitive transfers. Fitbit’s alleged approach of routinely sharing data would therefore not be in line with the regulations.

This could have significant financial implications for Fitbit; if found guilty, the company could face fines up to €11.28 billion, based on the annual turnover of Google’s parent company, Alphabet.

Why This Matters for You

The Fitbit issue is not just about one company. It highlights how important it is to be aware of the permissions you grant when you use any online service, especially one that collects sensitive health data. Knowing your rights under GDPR and similar privacy laws can help you make informed choices.

Fitbit’s health-tracking capabilities may be top-notch, but the recent complaints suggest there might be some turbulence ahead for the company on the data protection front. The situation serves as a crucial reminder for consumers to always read the fine print, especially when it comes to how your sensitive data will be handled.

Stay tuned for updates on this issue and make sure you’re well-informed about where your data is going. Because when it comes to data privacy, knowledge is power.

The post Fitbit and the GDPR Hurdle: What You Need to Know About Your Data Privacy appeared first on Compliance Solutions for Websites, Apps and Organizations | iubenda.

Senators Edward J. Markey (D-Mass.) and Marsha Blackburn (R-Tenn.) are spearheading the effort to hold YouTube and Google accountable for what they believe are violations of COPPA. In a press release, the Senators expressed concern over the companies’ data collection methods, which may be unfairly targeting minors.

According to investigations by The New York Times and Analytics, these tech giants may have employed opaque algorithms and advertising practices that capitalize on children’s data without proper parental consent. This not only contravenes COPPA, but may also breach an existing agreement between the companies and the FTC.

What is COPPA?

For those unfamiliar, the Children’s Online Privacy Protection Act, or COPPA, is a federal law in the United States enacted in 1998. It aims to safeguard the privacy of children under the age of 13 by restricting the collection and use of their personal information online. COPPA requires parental consent for companies to collect data from minors and mandates stringent privacy protection protocols.

For more information on COPPA and its significance, check out our COPPA Compliance checklist.

Why is This Investigation Crucial?

While tech companies like Google and YouTube wield enormous power and influence, they are not above the law. Children are especially vulnerable when it comes to online privacy, often unaware of the ramifications of their online actions. The Senators’ demand for an FTC investigation into these practices could serve as a crucial step in holding such companies accountable and ensuring that the laws designed to protect our children are adequately enforced.

Next Steps

As the situation unfolds, a formal investigation by the FTC could lead to penalties, revisions in advertising policies, or even a renegotiation of the consent decree between the FTC and Google/YouTube. This may have a ripple effect, compelling other digital platforms to take children’s privacy issues more seriously.

However, legislation alone cannot fully address this issue. As consumers, we must remain vigilant and educated about the importance of online privacy, especially for our youngest internet users.

In summary, the call for an FTC investigation into YouTube and Google is an essential and timely move in the ongoing struggle to balance technological innovation with ethical responsibility. The investigation’s outcomes will undoubtedly set a precedent in the tech industry, reinforcing the importance of children’s online privacy.

The post Senators Urge FTC to Investigate YouTube and Google for Violating Children’s Privacy: What You Need to Know appeared first on Compliance Solutions for Websites, Apps and Organizations | iubenda.

A significant development took place in a lawsuit against tech giant Google. A California judge, Yvonne Gonzalez Rogers, rejected Google’s plea for a summary judgment in a case where it was alleged to have intruded upon the privacy of millions.

The Allegations

The plaintiffs claim that despite activating features designed to protect privacy, such as Chrome’s Incognito mode or Safari’s private browsing, Google’s various tools continued to track their online activity. This tracking would seem to contradict the idea of private browsing. As was pointed out in a 2018 piece, the misconception is clear: “What isn’t private: private browsing mode.”

Diving into the details, Judge Rogers highlighted numerous sections from Google’s own documentation, including the Chrome privacy notice and the Incognito Splash Screen. According to her, these documents could be seen as Google making an “enforceable promise” that user data wouldn’t be collected during private browsing.

Google’s Response

In the wake of the ruling, Google’s spokesperson, José Castañeda, made a statement to The Verge, emphasizing Google’s disagreement with the allegations. Castañeda noted: “Incognito mode in Chrome gives you the choice to browse the internet without your activity being saved to your browser or device. We clarify each time you open an incognito tab that websites may still collect info about your session.”

Evidence Against Google

However, complicating matters for Google, the plaintiffs present evidence that suggests Google “stores users’ regular and private browsing data in the same logs.” Such data is then allegedly used to push personalized ads to users. More concerning, even if data points appear anonymous individually, they could, in aggregation, potentially identify a user.

Addressing another of Google’s arguments—that the plaintiffs didn’t experience any economic harm—Judge Rogers remarked that the plaintiffs indeed had lost potential economic value from their browsing data. She further observed that monetary compensation alone might not suffice, implying the need for more corrective action against Google.

The Road Ahead

Initiated in 2020, this lawsuit has been hanging over Google with potential damages reaching “at least” $5 billion. While the latest ruling was anticipated, as hinted by Judge Rogers earlier, it marks a pivotal juncture. The case now inches closer to either a hefty settlement or a consequential trial.

Note: This blog post is a brief overview, and readers should refer to the original documents and detailed news articles for comprehensive information. 

The post Google Faces Setback in Privacy Lawsuit Over Incognito Mode appeared first on Compliance Solutions for Websites, Apps and Organizations | iubenda.

Existing law requires an operator of a commercial Internet Web site or online service that collects personally identifiable information through the Internet about consumers residing in California who use or visit its commercial Web site or online service to conspicuously post its privacy policy on its Web site or online service and to comply with that policy. Existing law, among other things, requires that the privacy policy identify the categories of personally identifiable information that the operator collects about individual consumers who use or visit its Web site or online service and 3rd parties with whom the operator shares the information.

Now the Do Not Track amendment will bring changes regarding the way you have to disclose the “tracking” fact to the existing Section 22575 of the Business and Professions Code that handles the privacy disclosures at large (or also known as CalOPPA, or even OPPA).

Do Not Track at a glance

Do Not Track is information that is communicated by a browser to a website about the fact that they do not want to be “tracked”.

• If you do not respond to DNT signals, it will suffice to indicate this fact in the privacy policy.
• If you respond to DNT in some way, the privacy policy should disclose how you respond to this signal.
• You need to act when:
  • your (in any way commercial) website or mobile app is operated from California, or
  • your users may be consumers residing in California.

Our Privacy and Cookie Policy Generator offers you a standard clause that you can use to declare you do not support “Do Not Track” requests. You can find it by typing “Do Not Track” in the service search bar.

If instead you support “Do Not Track” requests, and you want to declare it inside your privacy and cookie policy, please create a new custom clause where you explain how “Do Not Track” requests are handled.

The changes in CalOPPA and what they mean to you, your company and its privacy policy

The changes that AB 370 brought are these:

• (5) Disclose how the operator responds to Web browser Do Not Track signals or other mechanisms that provide consumers the ability to exercise choice regarding the collection of personally identifiable information about an individual consumer’s online activities over time and across third-party Web sites or online services, if the operator engages in that collection.
• (6) Disclose whether other parties may collect personally identifiable information about an individual consumer’s online activities over time and across different Web sites when a consumer uses the operator’s Web site or service.
• (7) An operator may satisfy the requirement of paragraph (5) by providing a clear and conspicuous hyperlink in the operator’s privacy policy to an online location containing a description, including the effects, of any program or protocol the operator follows that offers the consumer that choice.

To be clear: this regulation doesn’t require you to respond to Do Not Track browser signals, it merely makes sure you add a disclosing statement into your privacy policy.

The interesting part in CalOPPA’s privacy policy implementation is the enforcement part. It’s enforced via California’s unfair competition law that prohibits unfair business practices with penalties up to $2,500 per violation (for apps this may well be measured in app downloads, mind you, as showcased in the Delta app case).

The “do not track” technology explained & the problems connected to it

The Electronic Frontier Foundation is regularly talking about Do Not Track and the surrounding discussions, developments and problems. Here is an overview post of what Do Not Track is. In a nutshell, a browser sends a Do Not Track HTTP header every time your data is requested from the Web. Firefox, to date, is the browser that supports that technology best.

There are various problems associated with the changes that came into effect on 1/1/2014, one of them being an unclear situation and possible loopholes as outlined by Webpolicy:

• Because we’re third parties, consumers don’t “use or visit” our services.
• The information that we collect is not “about” an “individual consumer”, but rather, related to a browser or device.
• Our data isn’t “personally identifiable information”, it’s just browsing activity and web protocol logs.
• To the extent there is any personally identifiable information that flows to us, we don’t “collect” it because we don’t actually use it for our business.
• Similarly, any personally identifiable information that we possess exists in logs that aren’t “maintained … in an accessible form”.

Clearly, the most important question for you as a website operator or mobile app developer is what you should do.

How to honor and include Do Not Track in the privacy policy

The next immediate steps are to honor the CalOPPA by disclosing these additional facts:

• if you do not respond to DNT signals, it will suffice to indicate this fact in the privacy policy;
• if you respond to DNT in some way, the privacy policy should disclose how you respond to this signal;
• disclose whether other parties may collect personally identifiable information about an individual consumer’s online activities over time and across different Web sites when a consumer uses the operator’s Web site or service.

Our Privacy and Cookie Policy Generator offers you a standard clause that you can use to declare you do not support “Do Not Track” requests. You can find it by typing “Do Not Track” in the service search bar.

If instead you support “Do Not Track” requests, and you want to declare it inside your privacy and cookie policy, please create a new custom clause where you explain how “Do Not Track” requests are handled.

If you are unfamiliar with iubenda and our privacy policy approach you should know that:

• we use an international approach to privacy policies (and 8 languages);
• we host the privacy policy for you so you can embed it or link to it;
• we monitor all the major regulations and automatically update our solutions to meet changing requirements so that you don’t have to.

Naturally, we’d like to help you creating a privacy policy for your online service (you can read more about the features and benefits of our compliance solutions here).

The post Do Not Track California Privacy Policy Changes appeared first on Compliance Solutions for Websites, Apps and Organizations | iubenda.

Privacy Breach and Warning

The Norwegian regulator, Datatilsynet, issued a warning on July 17th, emphasizing that Meta Platforms needed to rectify its privacy breaches. The crux of the issue lies in Meta’s collection of user data, particularly sensitive information like physical locations, for the purpose of targeted behavioral advertising – a practice commonly used by major tech companies.
The Fine and Broader Implications Starting from August 14th, Meta Platforms will face a substantial daily fine of 1 million krone, equivalent to $98,500, until November 3rd. While this penalty carries weight on its own, its influence could stretch further across Europe. If the European Data Protection Board supports Datatilsynet’s decision, the fine’s scope could expand continent-wide, reshaping data privacy practices.

Insufficient Response from Meta

Despite the impending fine, Meta Platforms has not provided an immediate response to the situation. The company’s proposal to seek user consent within the European Union before allowing targeted advertising has been deemed inadequate by Datatilsynet. The regulator insists on Meta halting the processing of personal data immediately, until a robust consent mechanism is in place.

Concerns Raised by Datatilsynet

Tobias Judin, the head of Datatilsynet’s international section, has expressed concerns about Meta’s proposed timeline for making changes. The extended timeframe, which indicates implementation in several months, raises worries about users’ rights being violated during this transitional period.

Meta’s Rationale and Background

Meta’s decision to shift its data processing practices is attributed to an order from Ireland’s Data Protection Commissioner. This regulatory body serves as Meta’s primary EU overseer and mandated a reassessment of the legal basis for the company’s targeted advertising methods. This directive, issued in January, has prompted Meta’s shift in approach.

Norway’s Unique Position

Although Norway is not a member of the European Union, it is part of the European single market. This connection aligns Norway’s data protection regulations with European standards. Consequently, the consequences of this case could lead to significant changes in privacy practices and policies among tech giants operating within Europe.

Norway’s bold move to fine Meta Platforms serves as a powerful reminder of the importance of safeguarding user privacy. The regulator’s uncompromising stance on data breaches sends ripples through the tech industry, potentially prompting other European countries to follow suit. As this situation evolves, it could potentially reshape how companies handle user data and privacy concerns throughout Europe and beyond.

The Press Release can be found here → (in Norwegian)

The post Norwegian Regulator to Impose Daily Fine on Meta for User Privacy Breach appeared first on Compliance Solutions for Websites, Apps and Organizations | iubenda.

The Investigatory Powers Act 2016 and Its Implications

At the center of this controversy is the Investigatory Powers Act 2016, which grants the Home Office the authority to seek access to encrypted content via a technology capability notice (TCN). End-to-end encryption, a crucial privacy feature, ensures that only the sender and recipient can view message content, making it challenging for governments to access sensitive data.

Apple’s Concerns and the Global Impact

Apple’s main concerns lie in a provision of the forthcoming online safety bill, which proposes giving the UK government oversight of security changes to its products, including regular iOS software updates. The proposed changes would also require non-UK companies operating on a global platform, like Apple, to implement alterations worldwide. This could make the Home Office the de facto global arbiter of data security and encryption standards, a notion that worries Apple and privacy advocates alike.

The Threat to iMessage and FaceTime

iMessage and FaceTime, two widely used and secure communication services, rely on end-to-end encryption to protect user data. Apple warns that the proposed changes could compel the company to withdraw these critical security features from the UK market. In essence, the company faces an impossible choice between complying with government demands to install vulnerabilities in its technology or forgoing development altogether, leaving UK users without crucial data security protections.

Expert Insights and Wider Implications

Experts, including cybersecurity professor Alan Woodward, have underscored the gravity of Apple’s submission to the government. If the UK government pushes ahead with these changes, Apple may decide to join other tech vendors in leaving the UK, leaving British users isolated and insecure in the digital landscape.
The House of Lords has also approved an amendment that allows Ofcom, the communications watchdog, to order messaging services to use “accredited technology” for scanning message content, potentially weakening end-to-end encryption. Privacy advocates worry that this may impact platforms like WhatsApp and Signal, further compromising user privacy.

The conflict between Apple and the UK government over surveillance laws raises serious questions about user privacy and data security. The proposed changes could force Apple to make difficult decisions regarding the future availability of iMessage and FaceTime in the UK. As the debate unfolds, it remains to be seen how the UK government will address these concerns while ensuring public safety without compromising user privacy rights. The outcome of this discussion will have far-reaching implications, not just for UK users but for digital privacy worldwide.

The post Apple Warns UK Users: iMessage and FaceTime at Risk Due to Surveillance Law Changes appeared first on Compliance Solutions for Websites, Apps and Organizations | iubenda.

Despite the update, WhatsApp assured its users that their privacy remains a top priority. All personal messages are protected with end-to-end encryption, ensuring that neither WhatsApp nor any other party can read or listen to them.

It is worth noting that this is not the first time WhatsApp has faced scrutiny regarding its privacy policy. In January 2021, the company’s policy update led to complaints from consumer organizations, accusing WhatsApp of pressuring users into accepting changes without adequately explaining their implications. As a result, corrective measures were put in place to address these concerns.

WhatsApp’s decision to shift to a ‘legitimate interest’ legal basis comes in the wake of EU sanctions and legal challenges. While the company claims users can still object to data usage, there are lingering doubts about the stability of this legal ground. With data privacy becoming an increasingly critical concern, users are advised to stay vigilant and informed about any updates to WhatsApp’s policies and terms of service.

The post WhatsApp’s Privacy Policy Update: A Shift to ‘Legitimate Interest’ Basis Amidst EU Sanctions appeared first on Compliance Solutions for Websites, Apps and Organizations | iubenda.

The Background

Heise Medien GmbH & Co. KG, the owner of heise.de, introduced a “Pur Subscription” (cookie paywall) model in February 2021. This model offered users a choice between accessing the website for free with personalized advertising and tracking, or paying for a subscription to eliminate tracking and external advertising.

Numerous complaints were filed with the LfD, alleging violations of data protection laws related to the use of cookies, tracking technologies, and third-party services.

The Consent Banner

The LfD found that the consent banner used on heise.de in July 2021, did not provide granular consent options.Instead, users were asked to provide blanket consent by clicking the “Accept” button. In this case, blanket consent refers to a situation where users provide a general consent that encompasses all purposes without being able to make individual choices for each specific purpose.

The design of the banner created an imbalance between the data controller and the user, making it difficult for users to find comprehensive information and give informed consent. The LfD highlighted the absence of voluntariness in the consent process and the lack of clear options to refuse or withdraw consent.

See how to easily design a GDPR complaint cookie banner here →

The Decision

The LfD concluded that heise.de’s 2021 “Pur-Subscription” consent banner system violated Article 6(1) of the GDPR by not meeting the conditions for processing users’ personal data and also Article 7(3) as the revocation of consent was considerably more difficult than granting consent.

The consent banner was finally updated in January 2023, allowing users more options and information. However, the LfD still issued its decision based on the previous shortcomings.

While no fines were imposed, Heise received a warning under Article 58(2) of the GDPR and was ordered to pay the costs of the proceedings. The LfD emphasized that this decision could influence potential future GDPR breaches and the imposition of fines.

Separate LfD Audits

The LfD conducted audits on five unnamed media companies, probably also including heise.de, regarding their use of cookies, tracking technologies, and “pur-subscription models.” The audits revealed that these companies did not meet the legal requirements for the use of cookies. In addition their consent banners were deemed misleading and inadequate. The companies were notified of the deficiencies and given an opportunity to rectify them.

While the LfD did not explicitly label the consent banners containing “pur-subscription models” as illegal, it identified non-compliance during the audits.

The media companies subsequently updated their banners which indicates an effort to comply with the GDPR, but further developments and ongoing monitoring will clarify the LfD’s exact position on cookie pay walls.

Ensuring granular consent, voluntary choices, and easy revocation processes are essential for websites to comply with GDPR regulations and protect users’ data.

Key Takeaways from the Case: Insights into GDPR Compliance and Consent Banners

Based on the ruling, the LfD found that the implementation of the cookie paywall, specifically the design of the consent banner, did not fully align with key provisions of the GDPR, particularly Articles 6, 4, and 7. The ruling identified several issues, including:

1. the lack of voluntary and granular consent options;
2. insufficient choices presented to users; and
3. difficulties in revoking consent compared to granting it, which are mandated by the GDPR.

Transparency and adherence to the principles of freely given and informed consent are of utmost importance for websites opting to employ cookie paywalls. This ruling serves as a reminder to prioritize these principles to ensure compliance with the GDPR and protect users’ data privacy rights.

If users are properly informed about what they are consenting to and if the cookie pay wall system offers an equivalent alternative to consent, then it may be considered acceptable by the LfD.

The GDPR requires that users have a clear understanding of the purposes for which their data will be processed and the ability to withdraw consent without facing disadvantages. If the consent banner and cookie pay wall fulfill these requirements, it may be considered compliant with the GDPR.

As always, we will monitor this case and further developments from the LfD to gain a clearer understanding of their position on the use of cookie pay walls and whether they are considered to be in line with the GDPR. Compliance with data protection regulations is crucial to protect users’ privacy and ensure transparency in data processing practices.

Want to learn more about the use of cookie paywalls in Europe? Check out our article here →

The post Understanding Consent and Cookie Paywalls: Key Lessons from LfD Decision appeared first on Compliance Solutions for Websites, Apps and Organizations | iubenda.

DPC’s Decision

The Irish DPC, responsible for overseeing data protection in Ireland, confirmed that it had been in contact with Meta regarding the Threads service. However, the DPC stated that the app would not be launched in the EU “at this point.” It’s important to note that the DPC did not actively block the service. Instead, Meta has yet to prepare the app for a European launch outside of the UK, which is subject to different privacy rules and regulations.

Concerns Surrounding Data Privacy

Meta has refrained from introducing Threads in the EU due to what the company sees as a lack of clarity in the EU’s Digital Markets Act. This legislation designates companies like Meta as “gatekeepers” with restrictions on how they handle users’ personal data. Meta believes that the EU’s regulations do not provide sufficient clarity on data management, prompting them to delay the app’s launch in the region.

Threads and Data Collection

The Threads platform is designed to import data from Instagram, including users’ behavioral patterns and advertising preferences. In the US, the app explicitly informs users that it collects a wide range of data, such as health information, financial details, browsing history, location, purchases, contacts, search history, and sensitive information.
EU Privacy Laws: Meta has encountered limitations when it comes to launching advertising services on WhatsApp that utilize data from Facebook or Instagram in the EU. The tech giant can combine the two data streams in the US due to the country’s weaker privacy laws. Consequently, the EU’s stringent privacy regulations have prevented Meta from implementing similar strategies in the region.

Uncertain Future

At present, it remains unclear whether Meta will launch the Threads app in Ireland or other EU countries. Meta’s spokesperson was unavailable for comment on this matter. The hesitation surrounding the launch of Threads in the EU follows a turbulent week for Twitter, which has implemented various policy changes, including limitations on user access to tweets and the gradual restriction of TweetDeck usage to verified users.

Meta’s ambition to introduce the Threads app in the EU faces significant challenges due to the stricter data privacy regulations in the region. The Irish DPC’s decision not to roll out the app in Ireland at this time highlights the need for clearer guidelines under the EU’s Digital Markets Act. As the future of Threads in the EU remains uncertain, users and regulators will continue to monitor the situation closely to ensure the protection of personal data and privacy.

The post No Instagram Threads App in the EU: Irish DPC Restricts Meta’s New Twitter Rival appeared first on Compliance Solutions for Websites, Apps and Organizations | iubenda.

In a recent development, the Swedish Authority for Privacy Protection (IMY) has conducted an audit on the utilization of Google Analytics by four prominent companies. As a result of the investigation, IMY has imposed administrative fines on two of the companies, while ordering the remaining three to discontinue their use of the web statistics tool. The audits were prompted by complaints filed by the organization None of Your Business (NOYB), citing violations of the law concerning the transfer of personal data to the United States.

The Audits and Complaints

The four audited companies, namely CDON, Coop, Dagens Industri, and Tele2, were examined based on their implementation of a specific version of Google Analytics dating back to August 14, 2020. IMY focused on scrutinizing the transfer of personal data to the United States via this popular platform used for measuring and analyzing website traffic.

CJEU’s Schrems II Ruling and Data Protection Regulations

Under the provisions of the General Data Protection Regulation (GDPR), personal data can be transferred to countries outside the EU/EEA (European Union/European Economic Area) if the European Commission has deemed the destination country to possess an adequate level of protection for personal data, comparable to that within the EU/EEA. However, in the landmark ruling of Schrems II, the European Court of Justice (CJEU) concluded that the United States did not provide such a level of protection at the time of the ruling.

IMY’s Determinations

IMY’s audits determined that the data transferred to the United States through Google Analytics constituted personal data, as it could be linked with other identifiable information. Furthermore, the authority determined that the technical security measures employed by the companies were inadequate to ensure a level of protection commensurate with that guaranteed within the EU/EEA.

Penalties and Orders

Sandra Arvidsson, a legal advisor who oversaw the audits, emphasized the significance of IMY’s simultaneous decisions, clarifying the expectations placed on technical security measures and other precautions when transferring personal data to third countries, in this case, the United States.

In the absence of a European Commission decision on an adequate level of protection, data transfers may still occur based on standard contractual clauses approved by the European Commission. However, the CJEU stipulated that such clauses may require supplementary safeguards to effectively maintain the intended level of protection.

All four companies had relied on standard contractual clauses for their transfers of personal data through Google Analytics. IMY’s audits revealed that none of the additional technical security measures implemented by the companies were deemed sufficient. Consequently, Tele2 was fined 12 million SEK, while CDON received a penalty of 300,000 SEK for not adopting the same extensive protective measures as Coop and Dagens Industri. Tele2 has already taken the initiative to cease using the statistics tool, while IMY has ordered the other three companies to follow suit.

Implications for Data Transfers and Privacy

Sandra Arvidsson underscored the far-reaching implications of these decisions, not only for the four companies directly involved, but also for other organizations utilizing Google Analytics. The outcomes of this case are likely to serve as guidance for those navigating the complexities of data transfers and ensuring compliance with privacy regulations.

The IMY’s actions highlight the growing importance of safeguarding personal data and upholding privacy standards in an increasingly interconnected digital landscape. It remains crucial for businesses and organizations to stay vigilant, adapt to evolving regulations, and prioritize the protection of individuals’ privacy rights.

The post IMY’s Orders and Penalties : A Wake-Up Call for Companies Using Google Analytics appeared first on Compliance Solutions for Websites, Apps and Organizations | iubenda.

Good news for safeguarding your personal information! The European Data Protection Board (EDPB) has introduced a handy new tool to help you file complaints and resolve privacy issues when they involve multiple countries.

During their recent meeting, EDPB Chair Anu Talus announced the adoption of a template complaint form. This form is designed to simplify the process of submitting complaints by individuals and ensure that Data Protection Authorities (DPAs) can handle them efficiently.

Talus explained that this template was one of the commitments made by EDPB members during a meeting in Vienna last year. Its purpose is to encourage better cooperation among DPAs and save everyone’s time when dealing with cross-border cases.

The great thing about the template is that it takes into account the different laws and practices in each country. DPAs have the option to use it and adjust it to fit their specific national requirements.

This template can be used whether you file the complaint yourself or if someone else, like a legal representative or an organization acting on your behalf, submits it on your behalf.

Another helpful addition is the template acknowledgement of receipt. This document will give you an idea of what happens next after you submit your complaint, and also inform you about your right to challenge a DPA’s decision in court.

In addition to the complaint form, the EDPB has also released updated recommendations for organizations that want to use Controller Binding Corporate Rules (BCR-Cs) to protect data across borders. These recommendations provide a clear application form and explain what should be included in BCR-Cs. They also make sure that everyone follows the rules set out in the recent Schrems II ruling.

The EDPB wants to make sure that all organizations have a fair chance to apply for BCR-Cs. So, if you already have BCR-Cs in place or are planning to apply for them, you need to review and adjust them according to the new recommendations. This can be done either during the application process or as part of your annual update in 2024.

So, thanks to these new initiatives by the EDPB, it’s now easier for you to protect your data, file complaints, and ensure that your privacy rights are respected, even when dealing with multiple countries.

The post EDPB Makes It Easier to Protect Your Data Across Borders appeared first on Compliance Solutions for Websites, Apps and Organizations | iubenda.

The Irish regulator stated that Google has not provided adequate information regarding how Bard, the generative AI tool, ensures the privacy of European users. Deputy Commissioner Graham Doyle highlighted that the Data Protection Commission has not received a comprehensive briefing or access to crucial documentation such as a data protection impact assessment. These omissions have raised doubts about the level of protection Bard offers to EU citizens’ personal data.

Consequently, the EU launch of Bard, initially slated for this week, has been postponed until Google addresses the privacy concerns raised by the Irish Data Protection Commission. The commission has urgently requested a detailed assessment from Google, seeking answers to additional questions about Bard’s compliance with the stringent data protection rules outlined in the GDPR. The regulator views this matter as a priority and has emphasized the need for swift action.

The ongoing examination conducted by the Irish regulator will be shared with other data protection authorities across Europe. Collaboration and information sharing among EU regulators are vital to ensure a consistent approach to data privacy and to address potential risks associated with emerging technologies like AI chatbots.

It is worth noting that Google has already launched Bard in 180 countries, including the United States and the United Kingdom, where it competes with other AI chatbot offerings such as OpenAI’s ChatGPT and Microsoft’s Bing Chat. However, the company has been cautious about launching Bard in EU countries due to the EU’s robust privacy regulations and the previous scrutiny faced by ChatGPT. European privacy authorities in Italy, Germany, and Spain have initiated investigations into ChatGPT, leading to its temporary ban in Italy. In response to these challenges, the European Data Protection Board has formed a task force dedicated to evaluating the compliance of AI tools like ChatGPT with the GDPR.

Google, aware of the importance of privacy and the need to address regulatory concerns, has expressed its commitment to engaging with experts, regulators, and policymakers. The company aims to ensure a responsible and privacy-conscious launch of Bard in the EU. Google’s spokesperson acknowledged ongoing discussions with privacy regulators and emphasized their willingness to address the questions and feedback raised during the evaluation process.

As the development and deployment of AI technologies continue to evolve, ensuring data protection and privacy safeguards remains a critical priority for both technology companies and regulatory bodies. The postponement of Bard’s EU launch underscores the significance of complying with data protection regulations and proactively addressing privacy concerns, reinforcing the commitment to safeguarding individuals’ personal information in an increasingly digital world.

The post Google Postpones EU Launch of Bard Chatbot due to Privacy Concerns appeared first on Compliance Solutions for Websites, Apps and Organizations | iubenda.

Under the GDPR, users have the right to access all of their personal data and information on how it is being used. However, Spotify fell short in fulfilling this obligation, leading to the IMY’s intervention. The IMY, as the competent authority in Sweden where Spotify is based, was responsible for handling the case.

The complaint against Spotify was lodged by noyb on January 18, 2019, along with similar complaints against other streaming services. The primary concern was that Spotify did not provide users with a user-friendly method to exercise their right to access their personal data, as stipulated in Article 15 of the GDPR. As the case involved Spotify, headquartered in Sweden, it was referred to the IMY.

However, the complaint remained unresolved for over four years, with the IMY even denying the complainants party status in the procedure. Frustrated by the lack of progress, noyb took legal action against the IMY in Swedish courts on June 22, 2022. The courts ruled in favor of noyb, compelling the IMY to issue a decision on the complaint against Spotify, as well as examine Spotify’s broader approach to providing information to its users. The case was consolidated with another complaint from the Netherlands.

Stefano Rossetti, a privacy lawyer at noyb, expressed satisfaction with the IMY’s final action, albeit after a protracted delay. He emphasized that users have a fundamental right to access complete information about their data processing. However, Rossetti also criticized the sluggishness of the Swedish authority’s procedures, calling for swifter action in such cases.
The right to access, as granted by the GDPR, entails not only obtaining a copy of one’s own personal data but also receiving details about its source, recipients, and any international transfers.

In Spotify’s case, this information was not adequately provided, and the company only granted access to some data without instructing users on how to obtain the remainder. The IMY has now ordered Spotify to furnish the full set of data, in compliance with Article 58(2)(c) of the GDPR.

Noyb will conduct a thorough examination of the IMY’s decision to ensure that users’ rights have been fully enforced. The organization remains committed to safeguarding privacy rights and holding companies accountable for GDPR violations.

Looking for a solution to easily document all the data processing activities within your organization and ensure compliance with GDPR?

Introducing our cutting-edge solution: the Register of Data Processing Activities. With this powerful tool, you can effortlessly create a comprehensive record of all your processing activities, add from over 1700 pre-made options, divide them by area, assign processors and members, and document legal bases and other GDPR-required records.

Our user-friendly interface ensures that your organization is fully equipped to handle user data access requests and comply with the GDPR’s right to access provisions. Don’t risk hefty fines or damage to your reputation—take control of your data processing activities with our Register of Data Processing Activities. Safeguard privacy rights and protect your organization from GDPR violations.

Ensure compliance every step of the way, started today!

The post Spotify hit with €5 Million Fine for GDPR Violations: Failure to Comply with User Data Access Requests appeared first on Compliance Solutions for Websites, Apps and Organizations | iubenda.

The Australian Government, under the leadership of the Minister for Industry and Science, Ed Husic MP, has recently announced its commitment to fostering the safe and responsible growth of artificial intelligence (AI) technologies in the country. On June 1, 2023, the Minister issued a press release, stating that the government is taking further steps to establish appropriate safeguards surrounding the use of AI in Australia.

To initiate this process, the government has released two important papers that aim to kick-start a discussion on creating a framework for safe and responsible AI implementation:

1. Safe and Responsible AI in Australia Discussion Paper: This paper explores existing regulatory and governance responses to AI, both within Australia and internationally. It identifies potential gaps in the current framework and proposes several options to strengthen regulations and ensure responsible use of AI technologies.
2. National Science and Technology Council’s Rapid Response Report on Generative AI: This paper focuses specifically on generative AI and examines the potential risks and opportunities associated with this technology. It provides a scientific basis for discussions regarding the way forward and serves as an important resource for policymakers and stakeholders.

While Australia already has some safeguards in place for AI, the government acknowledges the need to assess whether these measures are sufficient. The discussion paper released by the government builds upon the commitment of the Albanese Government to the safe and responsible use of AI. In fact, Australia was one of the first countries in the world to adopt AI Ethics Principles, thanks to Labor’s advocacy.

To demonstrate their dedication, the government has allocated $41 million in the recent budget to support the responsible development of AI. This investment includes the establishment of the National AI Center and the introduction of the Responsible AI Adopt program, specifically designed for small and medium enterprises..

Minister Ed Husic emphasized the importance of finding the right balance in using AI safely and responsibly. He acknowledged the tremendous potential of AI in areas like healthcare and cybersecurity but stressed the need for appropriate safeguards. The government’s focus is not only on building trust, but also on instilling public confidence in these critical technologies.

The Safe and Responsible AI in Australia Discussion Paper and the National Science and Technology Council’s Rapid Response Report on Generative AI can be accessed for further information.

The Albanese Government’s proactive steps to address the safe and responsible use of AI reflect a commitment to harnessing the benefits of these technologies while ensuring the well-being and protection of the Australian people. By initiating discussions and proposing potential regulatory enhancements, the government aims to create a framework that fosters innovation, accountability, and public trust in AI.

See the press release here and the discussion papers here.

The post Ensuring Safe and Responsible AI in Australia: Government Takes Action appeared first on Compliance Solutions for Websites, Apps and Organizations | iubenda.

Lark, which is used by thousands of employees of TikTok’s Chinese owner, ByteDance, raised concerns because it allowed access to user data, including potentially illegal content. Some TikTok employees expressed alarm about this, as employees in China and elsewhere could easily view the information.

These revelations highlight the data and privacy practices of TikTok and its close ties to ByteDance. It has faced scrutiny over security risks and connections to China. In order to continue operating in the United States, TikTok presented a plan called Project Texas, which aimed to store American user data within the country and limit access to it by ByteDance and TikTok employees outside the United States.

However, there were contradictions regarding the level of access China-based workers had to U.S. user data. TikTok’s CEO downplayed their access, but internal reports and Lark communications revealed otherwise.

TikTok responded to these findings by stating that the documents were outdated and did not reflect their current data handling practices. They claimed to be in the process of deleting pre-June 2022 U.S. user data and making changes to their data management.

The use of Lark, an internal tool used across ByteDance subsidiaries, including TikTok, highlights ByteDance’s oversight of TikTok’s processes. Lark has been used to handle individual account issues and share documents containing personal information since at least 2019.

Instances of mishandled data on Lark included sharing images of identification documents and child sexual abuse materials. TikTok acknowledged these incidents and claimed to have reviewed and addressed them while implementing new processes.

The privacy and security division of TikTok has experienced reorganizations and departures, which may have affected their focus on privacy and security initiatives. The company assured that they have multiple teams working on privacy and security and have invested significant resources in Project Texas, but no completion timeline was provided.

Once Project Texas is finished, TikTok plans to conduct communications involving U.S. user data through a separate internal collaboration tool.

The post TikTok’s Privacy Crisis: Unveiling Data and Security Concerns appeared first on Compliance Solutions for Websites, Apps and Organizations | iubenda.

In a significant legal development, the State of Montana has announced its decision to appeal a federal court ruling that blocked its pioneering state ban on the widely-used short-video sharing app TikTok.

Montana Attorney General Austin Knudsen confirmed on Tuesday that the state is officially challenging the November ruling by U.S. District Judge Donald Molloy. This move redirects the case to the Ninth Circuit U.S. Court of Appeals, marking the latest chapter in an ongoing legal saga surrounding the app’s usage and regulations.

The controversial state ban, initially scheduled to take effect on January 1st, was halted by Judge Molloy’s preliminary injunction issued on November 30. Molloy’s ruling was a significant setback for the ban’s proponents, as he stated that Montana’s law “violates the Constitution in more ways than one” and “oversteps state power.”

The appeal by Montana reignites the debate over TikTok’s presence and usage in the United States, particularly regarding concerns over data privacy and national security. This case is being closely watched, as it could set a precedent for other states and at the federal level regarding the regulation of foreign-owned apps and digital privacy.

Stay tuned for more updates on this developing story.

Background: Montana Governor Greg Gianforte signed the bill last week, which imposes a daily fine of $10,000 on TikTok or app stores for making the app available on personal devices in the state from January 1, 2024. The ban aims to address growing concerns about TikTok’s ties to China and the potential risks of data privacy and national security.
TikTok’s Response: TikTok spokesperson Brooke Oberwetter expressed the company’s intention to challenge the ban, highlighting the need to protect their business and the hundreds of thousands of TikTok users in Montana. TikTok believes their legal challenge has strong precedents and factual support.

Montana’s Defense: Emily Flower, a spokesperson for Montana’s Attorney General, acknowledged the anticipated legal challenges and expressed confidence in defending the law. Montana sees the ban as a measure to protect the privacy and security of its residents.

China’s Response: China’s Foreign Ministry criticized Montana’s ban, labeling it an “abuse of state power.” Ministry spokesperson Mao Ning emphasized that the US has not provided any evidence to substantiate claims that TikTok poses a threat to national security.

Feasibility and Implications: Legal and technology experts argue that enforcing the TikTok ban poses significant challenges. While Montana’s ban goes further than other states’ restrictions on government devices, the practicalities of the internet may render it difficult to prevent TikTok from reaching users. Even if the law withstands legal scrutiny, experts question its effectiveness and impact.

TikTok’s Fight for First Amendment Rights: TikTok’s lawsuit not only challenges the ban on constitutional grounds but also highlights the importance of protecting freedom of speech. The app serves as a platform for hundreds of thousands of people in Montana to communicate and express their views on a wide range of topics.

TikTok’s legal battle against Montana’s app ban reflects the obstacles faced by lawmakers attempting to restrict the platform in the United States. With the involvement of TikTok creators who have also sued Montana over the ban, asserting violations of their First Amendment rights, the outcome of these legal challenges will have broader implications for the regulation of social media platforms. As the case unfolds, it remains to be seen how courts will navigate the intersection of constitutional rights, privacy concerns, and national security interests.

The post TikTok Fights Back: Montana Faces Legal Battle Over App Ban appeared first on Compliance Solutions for Websites, Apps and Organizations | iubenda.

In a recent resolution, Members of the European Parliament (MEPs) have expressed their concerns over the proposed EU-U.S. Data Privacy Framework.

While acknowledging its improvements over previous frameworks, MEPs argue that it falls short of providing adequate safeguards to justify an adequacy decision on personal data transfers between the EU and the U.S. The resolution, adopted with a majority vote, raises issues related to bulk data collection, transparency, judicial independence, and legal certainty.

This blog post delves into the MEPs’ perspective on the framework and highlights their recommendations.

Insufficient safeguards and data protection concerns

According to MEPs, the EU-U.S. Data Privacy Framework fails to ensure sufficient safeguards for personal data protection. The resolution highlights several key issues, including the allowance of bulk collection of personal data in certain cases without independent prior authorization. MEPs argue that clear rules on data retention are lacking, leaving room for ambiguity and potential misuse of data.

Concerns regarding the Data Protection Review Court (DPRC)

The resolution draws attention to the creation of the Data Protection Review Court (DPRC), which aims to provide redress to EU data subjects. However, MEPs point out significant flaws in the court’s structure. Firstly, the court’s decisions would remain secret, thereby violating citizens’ right to access and rectify data pertaining to them. Furthermore, the judges of the DPRC could be dismissed by the U.S. President, and the President also holds the power to overrule the court’s decisions. These factors raise doubts about the court’s independence, as stated by MEPs.

The need for a lawsuit-proof regime and legal certainty

MEPs emphasize the importance of establishing a future-proof framework for data transfers between the EU and the U.S. They assert that the adequacy decision should be based on the practical implementation of rules and should withstand legal challenges. Past data transfer frameworks, including the “Schrems II” case, have been invalidated by rulings of the Court of Justice of the European Union. To ensure legal certainty for EU citizens and businesses, MEPs urge the European Commission to negotiate a data transfer framework that can withstand potential legal challenges.

Rapporteur’s perspective

After the resolution’s adoption, rapporteur Juan Fernando López Aguilar (S&D, ES) voiced his thoughts on the matter. While acknowledging the significant improvements in the proposed framework, he expressed his concern over missing elements, such as judicial independence, transparency, access to justice, and remedies. He urged the European Commission to address these concerns and emphasized the need for a mechanism that genuinely protects the data of EU citizens and businesses.

Next steps and ongoing dialogue

The European Commission is currently in the process of adopting an adequacy decision for data transfers based on the EU-U.S. Data Privacy Framework. In the coming days, a delegation from the Committee on Civil Liberties, Justice and Home Affairs will visit Washington, D.C. to engage in discussions with U.S. lawmakers and stakeholders. Privacy and data protection will be among the topics addressed during the annual round of dialogue.

The resolution adopted by MEPs emphasizes the need for stricter data privacy measures in the EU-U.S. Data Privacy Framework. While recognizing its improvements, MEPs argue that the current framework lacks sufficient safeguards and fails to address concerns related to transparency, judicial independence, access to justice, and remedies.

They call upon the European Commission to continue negotiations with the U.S. and ensure that the proposed framework adequately protects the data of EU citizens and businesses. The pursuit of a lawsuit-proof regime that provides legal certainty remains a priority for the EU.

Read the press release here →

The post MEPs Call for Stricter Data Privacy Measures in EU-U.S. Framework appeared first on Compliance Solutions for Websites, Apps and Organizations | iubenda.

Samsung stated that it is reviewing measures to create a secure environment for safely using generative AI to enhance employees’ productivity and efficiency. However, until these measures are ready, they are temporarily restricting the use of generative AI through company devices. This restriction will only apply to devices issued by Samsung to its workers, meaning consumers and others that own Samsung phones, laptops, and other connected devices will not be impacted.
Samsung is said to be developing its own in-house AI tools for “software development and translation” and will lift the temporary restriction once security measures are in place.

OpenAI’s generative AI chatbot ChatGPT has gained massive popularity worldwide since its launch last November, but some of its popularity has been met with significant roadblocks. Some have flagged potential violations of data privacy, copyright violations, and inaccuracies in ChatGPT’s responses.

The tech giant initially allowed employees at its device solutions (DS) division, which manages its semiconductor and display businesses, to use generative AI from March 11. In the aftermath of the data leak, Samsung also asked staff using generative AI tools elsewhere “not to submit any company-related information or personal data,” which could disclose its intellectual property.

One of the issues that Samsung noted is that it is difficult to “retrieve and delete” the data on external servers, and the data transmitted to such AI tools could be disclosed to other users. Based on Samsung’s internal survey in April, about 65% of participants said using generative AI tools carries a security risk.

OpenAI has been working to address some of the more controversial issues to remove some of the more high-profile bans. Most recently, ChatGPT services were resumed in Italy after OpenAI unveiled a plan to introduce new privacy controls. Major banks, including Bank of America, Citi, Deutsche Bank, Goldman Sachs, Wells Fargo, and JPMorgan, are among the other businesses that have recently restricted employees’ use of ChatGPT.

In South Korea, other large tech companies, including LG and memory chip maker SK Hynix, are struggling to make their own guidelines for using generative AI tools.

The post Samsung Temporarily Restricts Use of Generative AI Tools Following Data Leak appeared first on Compliance Solutions for Websites, Apps and Organizations | iubenda.

The post Meta Brings Legal Action Against EDPB  appeared first on Compliance Solutions for Websites, Apps and Organizations | iubenda.

Update: Montana’s Attorney General, Austin Knudsen, argued that the state’s prohibition of TikTok is warranted due to the perceived risks associated with the app’s data collection activities. In a federal court document responding to TikTok’s challenge of the Montana ban, Knudsen stated that the state is legally empowered to regulate “goods or activities that, according to Montana’s assessment, result in unwarranted harm to consumers.”

The Montana House voted 54-43 to pass the bill, which will prevent TikTok, owned by Beijing-based ByteDance Ltd., from operating within Montana and prohibit app stores from offering TikTok within the state. The proposed legislation will take effect on January 1, 2024.

If found to be violating the law, entities will face a $10,000 fine per violation. However, it remains uncertain how certain parts of the bill will be enforced.

The governor of Montana, Greg Gianforte, has ten days to act on the bill before it automatically becomes law. Critics of the bill, including the American Civil Liberties Union, claim that it amounts to censorship and violates free speech rights protected by the First Amendment. A TikTok spokesperson said the company will continue to fight for its users and creators’ rights in Montana, whose livelihoods and First Amendment rights are at risk due to this excessive government action.

Lawmakers who opposed the bill expressed uncertainty about the consequences if TikTok users used a workaround to download the app, such as a virtual private network that made it appear that their devices were logging in from outside Montana. Some TikTok leaders feared that if Montana banned the app, it could prompt other states and even Congress to follow suit, leading to nationwide momentum to ban TikTok over national-security concerns. Last month, TikTok’s CEO was grilled over the company’s ties to China in a congressional hearing in Washington. A survey by Pew Research Center found that 50% of Americans supported a TikTok ban, while 22% were against it, and 28% were unsure.

The Biden administration recently urged TikTok to distance itself from its parent company ByteDance or face a possible ban. There are concerns among some members of Congress and Biden administration officials that TikTok could be used by the Chinese government to spy on its 150 million U.S. users or spread propaganda.

TikTok has refused to comply with such a request and has proposed a $1.5 billion plan to separate its U.S. operations from China’s influence. The discussions surrounding the ban of TikTok in Montana were similar to those in Washington. Republican State Senator Shelley Vance, with the help of Montana Attorney General Austin Knudsen, also a Republican, introduced the bill due to national-security concerns. It received bipartisan support and opposition.

The post Montana’s Efforts to Ban TikTok Follow the National Trend Amidst Growing Concerns appeared first on Compliance Solutions for Websites, Apps and Organizations | iubenda.

France’s privacy watchdog CNIL has also announced that it is investigating complaints about ChatGPT, while Italy’s data regulator is reviewing measures proposed by Microsoft Corp-backed OpenAI in response to concerns that led the Italian DPA to order OpenAI to stop processing people’s data locally with immediate effect. In turn, OpenAI started geo-blocking access to its generative AI chatbot, ChatGPT, in Italy.

The Biden administration is also seeking public comments on potential accountability measures for AI systems, as questions arise about their impact on national security and education.

A spokesperson for Spain’s DPA stated that,

“global processing operations that may have a significant impact on the rights of individuals require coordinated decisions at European level.”

Therefore, the agency has requested that the issue of ChatGPT be included in the next Plenary of the European Data Protection Committee, so that harmonized actions can be implemented within the framework of the General Data Protection Regulation.

The Plenary meeting of the European Data Protection Board (EDBP) was scheduled for April 13th, but it is unclear whether ChatGPT was discussed at this meeting.

The EDPB stated that it is generally not involved in national-level investigations, which are the responsibility of national data protection authorities.

However, the Italian regulator’s decision has sparked the interest of other privacy regulators in Europe, who are studying whether harsher measures are necessary for chatbots and whether to coordinate such actions.

Want the latest news on Data Protection and Privacy delivered to your inbox?

Join the list @ dponewsletter.com

The post Spain’s Data Protection Agency Requests EU Assess ChatGPT’s Privacy Risks appeared first on Compliance Solutions for Websites, Apps and Organizations | iubenda.

According to the ICO, TikTok did not adequately check who was using its platform and take sufficient action to remove the underage children that were present on it. This is a clear violation of UK data protection law, which requires organizations to obtain parental or carer consent when offering information society services to children under the age of 13.

The ICO found that TikTok breached the UK General Data Protection Regulation between May 2018 and July 2020 by providing its services to UK children under the age of 13 and processing their personal data without consent or authorization from their parents or carers. The company also failed to provide proper information to users of the platform about how their data is collected, used, and shared in a way that is easy to understand, especially for children.

Furthermore, TikTok failed to ensure that the personal data belonging to its UK users was processed lawfully, fairly, and transparently. The company received an estimated one million under-13s using its platform inappropriately, with TikTok collecting and using their personal data, which could have been used to track and profile them, potentially delivering harmful and inappropriate content at their next scroll.

The ICO has published the Children’s code, a statutory code of practice aimed at online services, such as apps, gaming platforms, and web and social media sites that are likely to be accessed by children. The code sets out 15 standards to ensure children have the best possible experience of online services.

TikTok should have known better and done better, but they didn’t. Therefore, the fine levied against them by the ICO reflects the serious impact their failures may have had.

The post TikTok Fined £12.7m Over Child Data Protection Breaches appeared first on Compliance Solutions for Websites, Apps and Organizations | iubenda.

In a white paper published by the Department for Science, Innovation and Technology, regulators have been asked to come up with their own approaches to govern the use of AI in their respective sectors. The government has opted to use existing regulators, such as the Health and Safety Executive, Equality and Human Rights Commission, and Competition and Markets Authority, instead of creating a new single regulator. The move is aimed at reducing confusion and creating a more cohesive approach to AI governance.

AI is viewed as a technology of tomorrow and has contributed £3.7bn ($5.6bn) to the UK economy in the past year alone. However, critics are concerned that the rapid growth of AI could lead to job losses and be used maliciously. There are also concerns that AI can display biases against certain groups if trained on large datasets that include racist, sexist, and other undesirable material. Additionally, AI could be used to create and spread misinformation.

The white paper outlines five principles that regulators should consider when governing AI. These principles include safety, security, and robustness; transparency and “explainability”; fairness; accountability and governance; and contestability and redress. Over the next year, regulators will issue practical guidance to organizations to implement these principles in their respective sectors.

The government’s approach has been described as “light-touch” by Simon Elliott, a partner at law firm Dentons. He warned that the UK’s regulators could be burdened with an “increasingly large and diverse” range of complaints when AI is added to their workloads. The EU has proposed regulations called the Artificial Intelligence Act, which aims to “strengthen Europe’s position as a global hub of excellence in AI from the lab to the market.” Meanwhile, in the US, the Algorithmic Accountability Act 2022 requires companies to assess the impacts of AI, but the nation’s AI framework is voluntary.

The UK’s approach to AI regulation is expected to be closely watched by other countries as they develop their own guidelines. While AI is already delivering real social and economic benefits, there are concerns about its potential risks to privacy, human rights, and safety. The government’s move to regulate AI is aimed at ensuring it is developed safely and used responsibly to deliver the maximum benefits to society.

Press release here →

The post UK Government Announces New Guidelines for Responsible Use of AI appeared first on Compliance Solutions for Websites, Apps and Organizations | iubenda.

The cookie pledge will be announced at the European Consumer Summit and will involve stakeholders such as consumer groups, publishers, advertisers, and technology companies in a series of roundtables. The initiative is driven by the European Commissioner for Justice and Consumers, Didier Reynders, who aims to address the online users’ growing ‘cookie fatigue’ and their lack of understanding about the implications of their choices.

The voluntary pledge is set to clash with the digital policy branch of the Commission, which proposed the ePrivacy Regulation in 2017 to update the current electronic communications regime. However, discussions over the ePrivacy Regulation were hijacked by a coalition of member states and the regulation is likely to be withdrawn if no agreement is reached by the end of this European mandate.

One of the main options for implementing the cookie pledge is to represent a measure of the ePrivacy Regulation that would allow users to centralize their preferences via web browsers, reducing the need for cookie banners. However, this approach has been criticized for giving considerable power to web browser providers and potentially leading to market concentration. Another idea is to provide a label for publishers that commit not to track users across different websites, but this may also favor larger publishers who can harvest more data.

The EU consumer department is consulting with the Commission’s divisions responsible for digital policy and competition on these matters. Although the cookie pledge is voluntary, it may be the prelude to a hard law in the next Commission’s term. A regulatory approach would ensure a level playing field for signatories to the voluntary agreement, who should not be disadvantaged compared to competitors.

The EU Commission department is also working on a public consultation to assess whether EU consumer law is fit for a digitalized world, which will likely lead to a legislative proposal in the next mandate.

The post EU Takes Action to Simplify Cookie Consent Process for Consumers appeared first on Compliance Solutions for Websites, Apps and Organizations | iubenda.

The EU Data Act aims to address the fact that 80% of industrial data collected is never used, according to the European Commission. To combat this, the law establishes common rules for sharing data generated by connected products or services, ensuring fairness in data sharing contracts. The law also rebalances negotiation power in favor of small and medium-sized enterprises (SMEs) to shield them from unfair contractual terms imposed by larger companies.

The EU Data Act also defines how public sector bodies can access and use data held by private sector entities in exceptional circumstances or emergencies, such as during floods or wildfires. Additionally, the law strengthens provisions to protect trade secrets and prevents increased access to data from being used by competitors to retro-engineer services or devices. The act also sets stricter conditions on business-to-government data requests.

The EU Data Act also facilitates switching between cloud service providers and other data processing services, while introducing safeguards against unlawful international data transfers by cloud service providers.

Lead MEP Pilar del Castillo Vera (EPP, ES) commented, “The EU Data Act will be an absolute game changer, providing access to an almost infinite amount of high-quality industrial data. Competitiveness and innovation are part of its DNA.”

The post The EU Data Act to Boost Innovation and Competitiveness appeared first on Compliance Solutions for Websites, Apps and Organizations | iubenda.

IAB Europe’s action plan was surprisingly validated by the APD on January 11th, 2023, with a six-month deadline for implementation (July 11th, 2023). The validation occurred while several key points were being examined by the CJEU, following IAB Europe’s appeal against the APD’s February 2022 decision before the Belgian Market Court.

The voluntary suspension by the APD of the implementation of the action plan was essential to prevent the APD from preempting the CJEU’s response and avoid implementation of changes to the Transparency and Consent Framework (TCF) that may need to be rolled back when the CJEU’s ruling is rendered.

If the Belgian Market Court upholds the APD’s validation decision of January 2023, despite the pending appeal against the February 2022 decision, the implementation period will resume at that time. This would postpone the deadline for implementation to Q4 2023 instead of July 11th, 2023.

IAB Europe’s CEO, Townsend Feehan, commented on the situation: “The APD’s validation of the action plan was a welcome confirmation of the legality of the TCF, but its timing had raised legitimate concerns. Given the impact of that referral on the foundations of the APD’s decision of last year, and by extension on the action plan, that deadline in practice could have robbed the referral of its utility.”

IAB Europe is pleased that the voluntary suspension by the APD will enable the release of sustainable improvements to the TCF pending the decision of the Belgian Market Court. As the deadline of July 11th, 2023, ceases to apply, IAB Europe will move forward with various iterations to the TCF that are less directly impacted by the CJEU procedure.

IAB Europe has updated its FAQ regarding the TCF, which can be found on its website. More information regarding these iterations and their timing will be provided at a later stage to enable TCF participants to prepare for them. The Belgian Market Court’s ruling on this second appeal is expected at the end of Q2 or the beginning of Q3 2023.

The post IAB Europe Halts TCF Action Plan appeared first on Compliance Solutions for Websites, Apps and Organizations | iubenda.

In response to reports that UK authorities were considering banning the app from government devices earlier on Monday, TikTok stated that it would be “disappointed” if this happened.

Such actions, according to TikTok, were motivated by “misplaced fears”. With legislators on both sides of the Atlantic warning that the Chinese state may access its data or sway what users view on the app through its recommendation system, the app is under pressure due to its ownership by the Beijing-based ByteDance.

According to The Sunday Times, the Government Security Group, a division of the Cabinet Office, had reviewed TikTok and the National Cyber Security Center has highlighted security vulnerabilities associated with the app.

According to a spokesperson for TikTok, they are currently awaiting further information regarding any specific concerns that the UK government may have. However, they expressed disappointment at the possibility of such a move, citing similar decisions made elsewhere which were based on unfounded fears and geopolitical considerations. Despite this, TikTok remains dedicated to collaborating with the government in order to address any concerns that may arise.

According to the report, while advice would be issued to explain the risks associated with using the app, the ban would not extend to the personal devices of ministers and civil servants.

Downing Street had indicated that there were no plans to change their position on the installation of TikTok on government phones, just hours before the Sunak interviews were aired.

TikTok recently provided additional information regarding its efforts to address the concerns of European governments regarding the platform’s security. The framework, known as Project Clover, involves storing user data on servers located in Ireland and Norway, with a cost of €1.2bn (£1.1bn) annually. Additionally, any transfers of data outside of Europe would be monitored by a third party IT company. While the outlines of a security agreement have been agreed upon in the US, the White House has yet to approve the arrangement, which includes TikTok’s data being stored by Oracle and its source code being reviewed. In December, TikTok was banned from federal government devices in the US, and last month, Canada and the EU’s executive arm followed suit.

The post Will the UK government ban TikTok?  appeared first on Compliance Solutions for Websites, Apps and Organizations | iubenda.

The U.K. published a draft of its General Data Protection Regulation data protection overhaul. The Data Protection and Digital Information (No. 2) Bill was introduced to Parliament on Wednesday by Michelle Donelan, the United Kingdom’s Secretary of State for Science, Innovation, and Technology. The government first put up the reform bill’s first draft in July 2022, but it was shelved last September when Liz Truss was named prime minister.

The latest plan will raise fines for annoying calls and texts up to either 4% of global turnover or 17.5 million GBP, whichever is bigger. According to a press statement from the government, the bill will also lessen the number of consent pop-ups that appear on websites.

The amended measure will:

• Provide a straightforward, business-friendly structure that is easy to deploy and won’t cost much. Taking the finest parts of GDPR and giving companies more leeway in how they adhere to the new data rules.
• Make sure our new system maintains data compliance with EU requirements and the trust of the worldwide community in the UK’s stringent data protection regulations.
• Further, cut back on the paperwork that businesses must submit to prove compliance
• If organizations are currently in compliance with existing data regulation, encourage even greater global trade without adding further costs to their operations.
• Provide businesses more assurance about when they can process individuals’ personal information without their consent.
• Clarifying the situations in which strict protections are required for automated decision-making would increase public and commercial confidence in AI technologies.

The bill’s next step will likely be a second reading, which should happen in a few weeks.

GDPR & Brexit – What it means for businesses and the impact on data protection, find out here →

The post UK Reveals Proposed Data Protection Reform appeared first on Compliance Solutions for Websites, Apps and Organizations | iubenda.

The CEO of the chat app has stated that WhatsApp would reject any provisions in the internet safety bill that aimed to forbid end-to-end encryption, raising concerns about the service’s future in the UK. Will Cathcart, the head of WhatsApp at Meta, described the bill as the most alarming piece of legislation being considered in the western world while on a visit to the UK where he would meet MPs to discuss the government’s centerpiece internet reform.

“End-to-end” encryption

Messaging services employ “end-to-end” encryption to make it impossible for anybody other than the intended recipients to decrypt a communication. Due to its own service’s inability to read messages, WhatsApp is unable to abide by legal requirements to turn over messages or requests to actively monitor communications for the protection of children or counterterrorism efforts.

Because of the 2016 investigatory powers act, the UK government already has the authority to request that encryption be turned off, but according to Cathcart, WhatsApp has never been given a formal legal order to do so. Due to the legal “gray area,” the internet safety measure represents a worrying increase of that power.

The Bill

According to the bill, WhatsApp might be forced to adhere to content moderation regulations that would be hard to follow without disabling end-to-end encryption. If the business refused, it might be fined up to 4% of the parent firm Meta’s annual revenue, unless it completely withdrew from the UK market.

Cathcart argued that similar legislation in other countries, such as the EU’s Digital Markets Act, clearly supports end-to-end encryption for messaging services. He asked for the UK bill to include similar language before it was passed. It could specify that the framework should take security and privacy into account. It could state unequivocally that end-to-end encryption shouldn’t be removed. Further procedural safeguards could be implemented to prevent this from being decided on its own.

What’s next?

This summer, the parliament is anticipated to revisit the online safety measure. If approved, it will grant Ofcom considerable new authority as the internet’s regulatory body, enabling it to impose strict sanctions on those who fail to effectively moderate their content.

The post WhatsApp vs the UK law appeared first on Compliance Solutions for Websites, Apps and Organizations | iubenda.

The EDPB has adopted its opinion on the European Commission’s draft adequacy decision regarding the EU-US Data Privacy Framework (DPF). The DPF is meant to replace the Privacy Shield which was invalidated by the CJEU in the Schrems II judgment and is applicable to U.S. organizations which have self-certified and fall within the jurisdiction of the Federal Trade Commission or the Department of Transportation.

EDPB Chair Andrea Jelinek held that:

“…we think that after the first review of the adequacy decision, subsequent reviews should take place at least every three years, and we are committed to contributing to them.”

The Main findings from the EDPB’s opinion:

• The EDPB applauds the significant advancements made in the DPF, especially the addition of the necessity and proportionality criteria and the individual redress mechanism for EU data subjects. It also considers that the DPF enforcement should be properly monitored and takes into account the DPF enforcement pledges made by U.S. authorities.
• The complexity of the DPF and the absence of several crucial definitions in the language may make it challenging for essential parties to comprehend.
• There may be too many exceptions to the right of access in the DPF, more assurances should be given on potential future transfers of EU data subjects’ personal information, and more security measures are required when using automated decision-making.
• Because the DPF does not mandate prior independent authority approval for bulk data collection, there may not be adequate safeguards in this situation.
• When compared to Privacy Shield, the new redress procedures under the DFC reflect an improvement. The Data Protection Review Court in particular provides strengthened protections, such as independence. Clarifications may still be needed, though, on some issues like judges’ access to information.
• The Data Protection Review Court may not have effectively considered the appropriate balance between the rights of persons and issues of national security in its general adoption of the standard answer.
• The adoption of policies and procedures for its execution by U.S. Intelligence Agencies will determine how effective EO 14086 is. The EDPB thinks that the adoption of stated policies and procedures should be a requirement for both the adoption and implementation of the DPF.

What’s next?

A committee made up of the representatives of the Member States will now have to adopt the DPF.
The European Parliament will probably keep examining the procedure.

Although the EDPB’s Opinion is not legally enforceable, it is anticipated that it will have an impact on how Member State representatives and the European Parliament carry out their separate duties.

The post EDPB’s Opinion on Commission’s EU-US Data Privacy Framework appeared first on Compliance Solutions for Websites, Apps and Organizations | iubenda.

“the provisions of this Regulation shall also apply to administrative proceedings in progress at the time of its entry into force.”

Resolution No. 4 specifies that in addition to a fine, other penalties for breaking the law may include a warning, the suspension of data processing activities, or the requirement to make the sanction public.

How are the fine measured?

The motion defines a violation according to the severity of the harm: small, medium, and serious. For instance, where it interferes with the fundamental rights of the owners of personal data or inhibits the use of a service while also causing the owners of the data material or moral harm, such as financial fraud and discrimination, it will be deemed medium.

The ANPD will consider factors including the offender’s earnings in the latest available year prior to the imposition of the sanction in the case of the imposition of a fine, in addition to this rating of the seriousness of the breach. The overall revenue of the group or conglomerate in Brazil shall be taken into account by the ANPD if there is no information available regarding the industry in which the infraction occurred.

The post ANPD New Regulations Regarding Sanctions | A Quick Overview appeared first on Compliance Solutions for Websites, Apps and Organizations | iubenda.

Background

The latest sign of escalating tensions between Beijing and the West is the decision by the European Commission and Council of the EU to forbid personnel from accessing the Chinese social media app TikTok due to security concerns. Evidence that Chinese technology firms help the Communist Party and its intelligence services acquire large amounts of data around the world, with a special focus on high-value political and security targets, is alarming Western governments more and more.

On Thursday, the European Commission and the Council made the announcement that they had asked their workers to uninstall the TikTok app from any personal or work-related apps they had installed on their smartphones.

What’s happened?

All 32,000 employees of the Commission were instructed to remove TikTok from their work-related devices, as well as from any personal devices on which they may have the app loaded. If the staff members insist on keeping TikTok, they can alternatively remove work-related apps from their personal phones.

An email sent to staff read:

“To protect Commission’s data and increase its cybersecurity, the EC Corporate Management Board has decided to suspend the TikTok application on corporate devices and personal devices enrolled in the Commission mobile device service,”

Officials are required to uninstall the video-sharing app “at their earliest convenience” and before March 15. “As of 15 March, devices with the app installed will be considered non-compliant with the corporate environment,” the email read.

The Commission has chosen not to reveal the details that led them to the conclusion that the app poses serious cybersecurity and data threats to the EU executive.

The personnel will have about two weeks to abide by the suspension from TikTok.

According to a statement TikTok gave to POLITICO, the choice was “misguided.”

“We are disappointed with this decision, which we believe to be misguided and based on fundamental misconceptions,” said a TikTok spokesperson. “We have contacted the Commission to set the record straight and explain how we protect the data of the 125 million people across the EU who come to TikTok every month. We are surprised that the Commission did not contact us directly nor offer any explanation — we have requested a meeting”

What about the rest of the EU?

Four Dutch coalition parties want to take things a step further and demand that TikTok be prohibited on governmental phones. The Dutch government, under pressure from parliamentarians, has asked its intelligence services to determine if using TikTok on official phones constitutes a risk. It is the first European government to consider such a restriction.

As MPs sanctioned by China raised worries about data security in August of last year, the British parliament closed its TikTok account. Emmanuel Macron, the president of France, attacked the business in December, labeling it “deceptively innocent,” a source of “serious addiction” among users, and a vehicle for Russian misinformation.

Meanwhile, TikTok is under investigation by Ireland’s top European data protection regulator for potentially illegal data transfers to China in accordance with the EU’s General Data Protection Regulation (GDPR).

The post TikTok banned for staff at European Commission and Council of the EU appeared first on Compliance Solutions for Websites, Apps and Organizations | iubenda.

Following a referral by the Belgian Market Court in September 2022, this validation was surprisingly announced on January 11, 2023, while outstanding issues are being reviewed by the Court of Justice of the European Union (CJEU). The Belgian Market court found that the APD had violated its duty of care in that same ruling, casting doubt on the APD’s judgment from February 2022.

The plan must be put into action within six months, by July 11, 2023, a date by which the CJEU has not yet issued its decision. IAB Europe is requesting interim steps to stop the APD from imposing the implementation of revisions to the TCF that may need to be rolled back when the CJEU’s judgment is given, so that it can continue with various versions of the TCF that are less directly affected by the CJEU procedure. This formal request proved to be essential because the APD has not made it apparent that it is prepared to speak with IAB Europe about its decision and appears unlikely to do so before July 11th, 2023.

“If the European Court finds that IAB Europe is not a (joint) data controller and/or the TC String is not personal data, the steps taken in the action plan that are premised on these findings – steps that will need to be taken by vendors, CMPs and thousands of publishers, in addition to IAB Europe – will have to be rolled back. Companies will have wasted resources and made changes to their business practices, while consumers will be negatively impacted and misled through multiple adjustments.” noted Townsend Feehan, IAB Europe CEO.

“The APD’s approval of the action plan in its entirety is an important and welcome confirmation of the legality of the TCF. IAB Europe is moving ahead with positive changes to the TCF that are less impacted by the referral to the CJEU,” continued Feehan. “Pursuing interim measures will allow a serene completion of the remaining legal proceedings on the points that are significantly impacted.”

On the website of IAB Europe, you may find an updated FAQ about the TCF, click here.

The post IAB Europe : Transparency and Consent (TCF)  appeared first on Compliance Solutions for Websites, Apps and Organizations | iubenda.

Photo: Autorité de protection des données

Further to the report adopted by the EDPD on the work undertaken by the Cookie Banner Task Force a few weeks ago, the EDPD has now published examples of non compliant practices to better assist website managers in attaining compliance. In response to the EDPD’s publications, the French Data Protection Authority, 

“strongly encourages organizations to review their cookie banners in light of the recommendations contained in the report.”

This report is the outcome of collaboration between the various European data protection agencies, which was put up to address complaints the NOYB organization received over cookie banners.

The research includes a number of widespread practices noticed on cookie banners of websites operating in the European region and assesses whether they comply with the various standards that are in force (in particular: the ePrivacy Directive, and the GDPR). It might be possible to use it as guidance for website and application managers when asking for the user’s permission to read or store cookies (and/or other equivalent technologies) on their device.

The report examines, among other things, the following practices:

• The pre-checked boxes. Regardless of the level of the banner in which the checkbox is featured, pre-checked boxes do not represent a legitimate permission within the meaning of the GDPR or ePrivacy.
• Misleading design. The taskforce called attention to many misleading banner layout practices.
• The legitimate interest. Some websites process data further after placing or reading cookies based on legitimate interest rather than user consent. The paper reminds readers that the mere storing or reading of cookies cannot be justified by legitimate interest, and that any further processing that results from those actions must also be compliant with the GDPR.
• The absence of a “refuse all” button at the same level as the “accept all” button. Most data protection agencies, including ODA, viewed this as a breach and believed that users of websites should have access to the choice of allowing or disabling the deposit/reading of cookies on their devices.

The ODA wants to remind readers that the GDPR and Article 5.3 of ePrivacy have a wide application and apply to a variety of technological platforms (such as, among other things, the use of “local storage”).

She also draws attention to the fact that the study simply provides examples of blatant infractions, without going farther. Therefore, it cannot be assumed that any behavior that is not specified in the report will automatically abide by the laws currently in effect.

Visit the EDPB website to read the entire report.

Organizations are strongly urged by the ODA to review their cookie banners in light of the report’s recommendations.

The post The European Data Protection Board Publishes Examples of non-compliant practices appeared first on Compliance Solutions for Websites, Apps and Organizations | iubenda.

Per chi non lo sapesse, FlexTax è il servizio di commercialista online che segue a 360 gradi ogni aspetto della gestione contabile delle Partite Iva in regime forfettario e ordinario semplificato, dall’apertura della Partita Iva alla dichiarazione dei redditi.

In questo periodo si parla molto di Flat tax, ci può dire di che cosa si tratta?

Si tratta di una precisa tipologia di tassazione che si discosta dalle altre in quanto applica un’unica aliquota fissa, da qui il nome “flat tax” ossia “tassa piatta” in italiano.

Rappresenta quindi una misura fiscale con delle regole precise da seguire. 

Da qualche anno una forma di flat tax è stata apportata ai lavoratori a Partita Iva in regime forfettario. 

Infatti a questi ultimi viene applicata un’aliquota fissa alla base imponibile (reddito sul quale si pagano le tasse) che attualmente è del 15%.

In questa sede non vado troppo nello specifico, però chi desidera approfondire consiglio di leggere la guida Flat tax 2023 troverà tutto spiegato in modo molto completo e semplice.

Andiamo dritti al punto, cosa dobbiamo aspettarci con la Flat tax 2023?

Sicuramente sarà un percorso e non verrà introdotto tutto subito.

Il primo passo riguarderà una modifica del regime forfettario delle Partite Iva, come detto loro hanno già una forma di flat tax e verrà apportata una modifica alla soglia di reddito massimo consentito per rientrare in questo regime, detto anche “agevolato”. 

Mi spiego meglio, attualmente per rientrare in questo inquadramento fiscale il primo requisito è quello di avere un reddito massimale annuo di 65.000 euro, ci sono poi diversi altri limiti da rispettare che non elenco ora ma che si possono leggere qui.

E questo limite reddituale cambierà? 

Esatto, sono anni che si parla di allargare la soglia fino a 100.000 euro di reddito annuo.

La nuova legge di Bilancio, in elaborazione in questi giorni, si sta muovendo in quella direzione, tuttavia sembra essere più fattibile portare la soglia a 85.000 euro.

Quindi nel concreto il primo passo è rivolto alle Partite Iva in regime forfettario, le quali vedranno lo spostamento della soglia di reddito massimo da 65.000 euro a 85.000 euro.

Come possiamo rimanere aggiornati e capire esattamente come cambierà la propria situazione fiscale?

Consiglio di mantenere sotto controllo questo articolo per vedere le novità in generale sulla flat tax: Flat tax ultimissime notizie.

Se poi si vuole una valutazione più precisa adattata alla propria situazione consiglio di iscriversi gratuitamente al nostro servizio su flextax.it, dopo l’iscrizione l’utente riceverà una chiamata fiscale in cui potrà spiegare il suo caso e ricevere gratis una consulenza ad hoc.

Specifico che il servizio si rivolge ai lavoratori in Partita Iva regime forfettario e ordinario semplificato.

Quindi un lavoratore a Partita Iva può iscriversi gratis al vostro servizio e ricevere assistenza?

Esatto l’account gratuito consente di utilizzare la piattaforma gestionale FlexSuite con tutte le sue funzionalità ed è utilizzabile per quanto tempo si desidera senza scadenza di pochi giorni o inserimento di carte di credito.

Tramite la piattaforma si può ricevere assistenza fiscale, utilizzare il gestionale di fatturazione sia per fatture cartacee che elettroniche. 

Utilizzare tutti i tool di simulazione tasse per sapere quante tasse si andranno a pagare e molto altro ancora.

Differisce rispetto all’account a pagamento solo sugli aspetti più tecnici e importanti legati alla gestione della contabilità, come la dichiarazione dei redditi, alcuni aspetti di gestione amministrativa e le telefonate fiscali illimitate. 

Per approfondire consiglio di fare l’iscrizione gratuita su flextax.it e ricevere la spiegazione del servizio oltre alla consulenza fiscale già citata.

Grazie per averci chiarito le idee ora non ci resta che attendere gli sviluppi!

Per chi volesse iscriversi al servizio FlexTax, Iubenda offre uno sconto da 40 euro per l’utilizzo dell’account a pagamento con questo codice sconto: iubenda40

The post Flat Tax 2023: le risposte degli esperti appeared first on Compliance Solutions for Websites, Apps and Organizations | iubenda.

About  FlexTax: FlexTax is the online accountant service that follows every aspect of accounting management for self-employed workers under the flat-rate and simplified ordinary regimes, from the opening of the VAT number to the tax return.

There is a lot of talk about Flat tax these days, can you tell us what it is?

This is a precise type of taxation that differs from the others in that it applies a single flat tax rate, hence the name “flat tax”.

It therefore represents a tax measure with precise rules to follow. 

For the past few years, a form of flat tax has been brought to self-employed workers.

In fact, a fixed rate is applied to these at the tax base (income on which taxes are paid), which is currently 15 percent.

For more information, see this guide for a deeper look: Flat tax 2023 

Let’s get straight to the point, what should we expect with the Flat tax 2023?

Definitely it will be a pathway and not everything will be introduced right away.

The first step will involve a change in the flat tax regime for self-employed workers. As mentioned they already have a form of flat tax, and a change will be made to the maximum income threshold allowed to fall under this regime, also known as “facilitated.” 

Currently, to fall under this tax frame, the first requirement is to have a maximum annual income of 65,000 euros. There are then several other limits to be met that I will not list now, but you can read about them here.

And will the annual income limit change in relation to Flat Tax? 

That’s right, there has been talk for years about expanding the threshold to 100,000 euros in annual income.

The new Budget Law, being drafted these days, is moving in that direction, however, it seems to be more feasible to raise the threshold to 85,000 euros.

So in concrete terms, the first step is aimed at self-employed workers under the flat-rate scheme, who will see a shift in the maximum income threshold from 65,000 euros to 85,000 euros.

Will the 15% tax rate always remain?

On this there are several assumptions, the most common being that the same rate remains, however there are those who argue that the amount between 65,000 and 85,000 may be subject to a different rate.

What does the incremental flat tax consist of?

This type of taxation will affect taxpayers who pay Irpef. In this case, if the taxable income in 2023 is higher than the highest declared in the previous three tax years (2022, 2021, 2020), the flat rate will be applied only and exclusively to the amount of increase.

If in 2023 the taxable income is 20,000 euros, while in 2022 it is 15,000, in 2021 it is 10,000, and in 2020 it is 18,000 euros, we take the income of 2020 (i.e., the highest of the three) subtract it from that of 2023 and on what remains we apply the fixed rate of the incremental flat tax, which is 15 percent.

To be specified, annual income must not exceed 40,000.

When will the flat tax be active?

Right now the new budget bill is being discussed and will have to pass the European Commission’s scrutiny, easily there will be several changes to be made before it is finally approved and made active.

So it will be over the course of 2023, but as I said earlier it will not be all at once, but it will be a path where the first step is the modification of the flat tax that is already there.

How can we stay updated and understand exactly how one’s tax situation will change?

I recommend keeping an eye on this article to see news in general about the flat tax: Flat tax latest news.

If you then want a more precise assessment tailored to your situation I recommend signing up for free to our service at flextax.co.uk, after signing up you will receive a tax call where you can explain your case and receive free ad hoc advice.

I specify that the service is intended for workers under the flat-rate and simplified ordinary VAT regime.

So can a self-employed worker sign up for your service for free and receive assistance?

That’s right the free account allows you to use the FlexSuite management platform with all its features and can be used for as long as you want without expiration of a few days or credit card entry.

Through the platform one can receive tax assistance, use the billing management system for both paper and electronic invoices. 

Use all the tax simulation tools to know how much tax you are going to pay and more.

It differs from the paid account only on the more technical and important aspects related to accounting management, such as tax returns, some administrative management aspects, and unlimited tax calls. 

To learn more, we recommend doing the free registration at flextax.co.uk and receive the explanation of the service in addition to the tax advice already mentioned.

If you’re interested in trying FlexTax’s Plus services, iubenda offers a €40 discount for using the paid account using this discount code: iubenda40

The post Flat Tax 2023 Expert Answers appeared first on Compliance Solutions for Websites, Apps and Organizations | iubenda.

According to a statement released by Garante, the investigation found that Replika had failed to adequately inform users about the data it collected and how it was being used. The chatbot also lacked proper security measures to prevent unauthorized access to user data, and did not provide users with the option to delete their data after they had finished using the service.

The ruling from Garante highlights the need for companies to take data protection seriously, particularly in the fast-growing field of AI technology. With the increasing use of AI-powered chatbots and other similar technologies, it is crucial that companies take steps to ensure that user data is protected and used responsibly.

In a statement, Garante’s President, Antonello Soro, said

“This ruling sends a clear message to companies that operate in the field of AI and data protection. The EU’s data protection regulation is clear and must be respected, and companies that fail to do so will be held accountable.”

The ruling against Replika is expected to have far-reaching implications for the AI industry, as companies will be under increased pressure to ensure that they are complying with EU data protection regulations. It is hoped that this ruling will encourage companies to invest in the necessary measures to protect user data and ensure that they are using AI technology in a responsible and ethical manner.

The Ruling:

Based on the above, the Garante:

1. Orders under Article 58(2)(f) of the Regulation that a temporary limitation be imposed urgently on the processing of personal data relating to users in the Italian territory as performed by Luka Inc., the US-based developer and operator of Replika.
2. Provides that the said limitation be enforced immediately as from the date of receipt of this order, whereby this shall be without prejudice to such additional determinations as may be made upon finalization of the ongoing fact-finding activities.
3. Pursuant to Article 58(1) of the Regulation, the Garante calls upon the controller to provide information within 20 days from the receipt.

Failure to comply with an Article 58 request entails imposition of the administrative fine referred to in Article 83(5)(e) of the Regulation.

The ruling by Garante against Replika is a wake-up call for companies operating in the AI industry. It highlights the importance of data protection and the need for companies to take their obligations under EU data protection regulation seriously. As AI technology continues to grow in popularity and use, it is essential that companies take steps to ensure that user data is protected and used responsibly.

The post Garante: Replika in breach of EU data protection regulation appeared first on Compliance Solutions for Websites, Apps and Organizations | iubenda.

“will enhance cooperation between the EU and the US in the development and application of AI and computing technologies for the public good. It will facilitate the exchange of best practices, technical expertise and data, and provide a framework for joint activities on AI and computing.”

The United States government has also expressed its support for the agreement, with the US Secretary of Commerce, Gina Raimondo, saying

“This agreement represents an important step forward in our cooperation on Artificial Intelligence and computing technologies. The US and EU share a commitment to developing AI and computing technologies that benefit society, and this arrangement will help us work together to achieve that goal.”

The agreement is seen as a positive development for the global AI and computing communities, as it opens up new opportunities for collaboration and knowledge-sharing between the EU and the USA. With the two sides working together on the development and application of AI and computing technologies, it is hoped that the agreement will help to advance the field and bring new solutions to global challenges.

The Administrative Arrangement on Artificial Intelligence and computing between the European Union and the United States of America represents a significant milestone in the development of AI and computing technologies for the public good. With both sides committed to working together, it is hoped that this agreement will lead to a future filled with innovative solutions to some of the world’s biggest challenges.

The post European Union and United States Strengthen Cooperation on Artificial Intelligence and Computing appeared first on Compliance Solutions for Websites, Apps and Organizations | iubenda.

AI Art

Recent months have seen a rise of concern among individuals involved in the arts due to the acceleration of generative AI technologies that can create textual or visual works of material that are sometimes controversially referred to as “AI Art.”

Massive amounts of data must be scraped from already-existing web resources for these tools. However, creators whose work has been incorporated into technology are sounding the alarm about the consequences of this practice for copyright and the possible harm it could cause to their industries.

Concerns about copyright

In the EU, the Copyright Directive has been in effect since 2019, however is the situation is different now?

The AI generation of content and its impact on copyright law is a topic that is currently being widely discussed and debated by legal experts and the tech community. AI-generated content raises various legal questions, such as who owns the copyright, what constitutes originality, and how fair use laws apply.

The fast pace of technological advancements in the field of AI requires that copyright laws be updated and interpreted to address these new challenges. However, the ultimate impact of AI on copyright law is still uncertain, and it will take time for the legal system to fully address these issues.

AI upcoming laws: The AI Act

The AI Act refers to legislation that governs the use and development of artificial intelligence. AI is governed by a variety of existing laws, such as data protection, consumer protection, and intellectual property laws. Currently, there is no specific AI Act in place.

However, it is now being discussed by EU politicians. Adaptable AI systems like ChatGPT that may be used for a variety of applications were not included in the draft law’s original version.

Artist associations are organizing to have a portion of the Act devoted to the creative arts, with safeguards demanding clear informed consent from the rights holders before any use of their work.

What does AI think?

We thought we’d add the other side to the argument and ask ChatGPT itself what it thought on the matter:

AI has the potential to enhance creative industries by automating repetitive tasks and freeing up time for more creative endeavors. However, it is unlikely that AI will completely replace human creativity, as it still lacks the emotional and cultural understanding that is central to many forms of creativity. Additionally, there will always be a need for human creativity in areas such as original content creation, innovation, and artistic expression.

The post The Creative Community Sounding the Alarm on AI appeared first on Compliance Solutions for Websites, Apps and Organizations | iubenda.

Jourová emphasized that everyone must adhere to European digital regulations.

It doesn’t matter who owns Twitter; they still hold true. Musk should not disregard the work we are doing to hold large platforms accountable, the commissioner said.

Regulators are already keeping a careful eye on adherence to the relevant data protection laws, and we will also be able to enforce the Digital Services Act later this year, according to Jourová.

European institutions are taking notice of billionaire Elon Musk’s purchase of Twitter and his subsequent actions. For instance, he made the decision to fire content moderators who were looking for possibly offensive or unlawful content. The platform also shut down the accounts of some well-known journalists.

If Twitter doesn’t abide by the EU regulations, it might be subject to fines of up to 6% of its annual global revenue. Jourová says,

I want them to observe the law and lessen the hazards they bring to all their users.

Although Twitter’s recent actions have caused some worry, Commissioner Jourová sees the social media site as a crucial ally in the struggle against false information and unlawful hate speech.

She continued by saying that Twitter had reaffirmed its commitment to upholding the Code of Practice on Disinformation under Musk’s direction. The Commissioner said,

“We will have our first assessment (of implementation of the Code) later in January, which will also be a stress test.”

The post Twitter Closely Scrutinised by the European Commission appeared first on Compliance Solutions for Websites, Apps and Organizations | iubenda.

Background

The investigation was prompted by a complaint about WhatsApp submitted by a German data subject on May 25, 2018. Before the GDPR went into effect on May 25, 2018, WhatsApp Ireland updated its Terms of Service and informed users that if they wanted to continue using the WhatsApp service after the GDPR went into effect, existing (and new) users were asked to click “agree and continue” to indicate their acceptance of the updated Terms of Service.

The services would not be accessible if users declined to do so.

WhatsApp Ireland considered that a contract was made between WhatsApp Ireland and the user when they agreed to the amended Terms of Service.

Additionally, it claimed that the processing of users’ data in connection with the provision of its service was required for the fulfilment of that contract, including the provision of service enhancement and security features, and that as a result, such processing operations were legal under Article 6(1)(b) of the GDPR (the “contract” legal basis for processing).

Want to know more about the legal basis for processing? Find out here, Legal basis for processing data →

Contrary to WhatsApp Ireland’s declared position, the complainant argued that WhatsApp Ireland was actually trying to utilize permission as a legal justification for processing user data. They claimed that WhatsApp Ireland was in fact “forcing” users to consent to the processing of their personal data for service development and security by making the use of its services contingent upon acceptance of the amended Terms of Service.

This, according to the complainant, violated the GDPR.

The Investigation

In compliance with Article 60 GDPR, the DPC created a draft decision after conducting a thorough investigation and sent it to its peer authorities in the EU/EEA, generally known as Concerned Supervisory Authorities (“CSAs”).

Notably, the DPC discovered:

• Users were not given a clear explanation of the legal basis WhatsApp Ireland was using, in violation of its transparency obligations. As a result, users were not adequately informed about the processing operations being carried out on their personal data, the purposes for which they were being used, and which of the six legal bases listed in Article 6 of the GDPR was being used. A lack of transparency on such essential issues, in the DPC’s opinion, violated Articles 12 and 13(1)(c) of the GDPR.

The DPC did not suggest the imposition of any additional fine or corrective measures, having already done so in a previous inquiry, given that it had already imposed a very significant fine of €225 million on WhatsApp Ireland for violations of this and other transparency obligations over the same period of time. This portion of the draft decision of the DPC was approved by all 47 CSAs.

• The “forced consent” portion of the complaints could not be upheld since the DPC determined that WhatsApp Ireland did not, in fact, rely on users’ consent as providing a lawful basis for its processing of their personal data. The DPC then considered whether WhatsApp Ireland was required to use permission as its legal justification for the provision of the service, including for the purposes of service enhancement and security.

The DPC determined that consent was not necessary in this case for WhatsApp Ireland. Since the CSA did not object to this analysis, this complaint’s element has been dismissed. In accordance with Article 60(9) GDPR, the German Supervisory Authority where the initial complaint was filed is now in charge of making a separate decision for those portions that have been rejected, notifying the complainant and alerting WhatsApp Ireland.

The DPC then considered whether WhatsApp Ireland’s reliance on the contractual legal foundation it claimed was prohibited by the GDPR in theory, but came to the conclusion that it was not.

The decision

The binding judgment made by the EDPB, as described above, is reflected in the final decision made by the DPC on January 12, 2023. As a result, the DPC’s decision states that WhatsApp Ireland is not permitted to rely on the contract legal basis for the delivery of service improvement and security (aside from what the EDPB refers to as “IT security”) for the WhatsApp service and that it’s the processing of this data up to this point, in purported reliance on the contract legal basis, constitutes a violation of Article 6(1) of the GDPR.

Due to this new GDPR violation, the DPC has sanctioned WhatsApp Ireland with an administrative fine of €5.5 million and mandated that within 6 months, WhatsApp Ireland must restore its processing operations in line with the GDPR.

Separately, the EDPB has also allegedly instructed the DPC to launch a new probe that would cover the entire,

“WhatsApp IE’s processing operations in its service in order to determine if it processes special categories of personal data (Article 9 GDPR), processes data for the purposes of behavioural advertising, for marketing purposes, as well as for the provision of metrics to third parties and the exchange of data with affiliated companies for the purposes of service improvements, and in order to determine if it complies with the relevant obligations under the GDPR.”

Get started with GDPR Compliance

Or learn more about iubenda’s solutions

The post Whatsapp Fined an Extra 5.5 Million Euros appeared first on Compliance Solutions for Websites, Apps and Organizations | iubenda.

The background

The CNIL conducted a number of online investigations between May 2020 and June 2022 using the “tiktok.com” website and the company’s response to document requests from the CNIL. The investigations weren’t conducted on the mobile application, simply on the TIKTOK website, in an unlogged session.

What did they find?

The restricted committee, a CNIL body in charge of imposing sanctions, determined that TIKTOK INFORMATION TECHNOLOGIES UK LIMITED (TIKTOK UK) and TIKTOK TECHNOLOGY LIMITED (TIKTOK IRELAND) had violated the requirements outlined in Article 82 of the French Data Protection Act based on the findings from the inspections.

The severity of this consequence was determined based on the documented violations, the number of individuals affected, including children, and the numerous prior communications from the CNIL stressing the requirement that rejecting cookies be just as easy as accepting them.

The firms TIKTOK UK and TIKTOK IRELAND did offer a button allowing immediate acceptance of cookies, but the CNIL saw during the inspection conducted in June 2021 that they had not implemented an equivalent solution (button or other) to allow the Internet user to immediately reject their deposit. To reject all cookies, more clicks were needed than it took to accept them.

The restricted committee believed that making the refusal mechanism more difficult actually drove users to favor the simplicity of the “accept all” button and discouraged them from utilizing the refusal mechanism at all. When the online investigation was conducted in June 2021 and up until the deployment of a “Reject all” button in February 2022, it was determined that this method violated Internet users’ rights to free consent and constituted a violation of Article 82 of the French Data Protection Act.

Additionally, neither the first-level information banner nor the context of the choice interface available after clicking on a link in the banner adequately informed users of the goals (objectives) of the cookies.

As a result, multiple violations of Article 82 of the Data Protection Act were discovered by the restricted committee.

CNILs response

The CNIL has the necessary authority to investigate and punish activities using cookies that businesses place on the computers of French Internet users. Since the operations associated with the use of the identifiers are outside the purview of the “ePrivacy” directive, as implemented in Article 82 of the French Data Protection Act, the GDPR’s “one-stop shop” mechanism is not intended to apply in these procedures.

Due to the fact that the use of cookies occurs inside the “context of the activities” of TIKTOK SAS, which serves as the “establishment” of TIKTOK UK and TIKTOK IRELAND on French soil, the restricted committee believed that the CNIL also possesses territorial competence.

Read about the Decision in English
Access the Official text in French

The post The CNIL imposes a 5 million euro fine on TIKTOK appeared first on Compliance Solutions for Websites, Apps and Organizations | iubenda.

Please see ICO’s official site for the published “Direct Marketing Detailed Guidance”.

Data collection from many sources is combined, then sold or rented to other organizations in the process of data broking for direct marketing reasons:

• selling lists of contact details;
• selling copies of the open electoral register;
• profiling and data enrichment (eg adding data to the profile you already hold people);
• data matching (eg providing phone numbers for people who you only hold address details for);
• data cleansing and tracing (eg removing deceased records from your database and tracking down new contact details for people);
• screening services (eg screening the telephone numbers you hold against the Telephone Preference Service); and
• audience segmenting or other profiling (eg identifying target sub-groups within an audience for tailored messaging).

You must keep in mind that you are responsible for ensuring that your processing of personal data complies with data protection law if you use or intend to use the marketing services of data brokers.

You must perform the necessary due diligence to confirm that the personal data given to you conforms with data protection law before using data broking services.

Due diligence could include ensuring you have certain details such as:

• Who compiled the data – was it the data broker you are buying it from or was it someone else?
• Where was the data obtained from – did it come from the individuals directly or has it come from other sources?
• What privacy information was used when the data was collected – what were individuals told their data would be used for?
• When was the personal data compiled – what date was it collected and how old is it?
• How was the personal data collected – what was the context and method of the collection?
• Records of the consent (if it is ‘consented’ data) – what did individuals consent to, what were they told, were you named, when and how did they consent?
• Evidence that the data has been checked against opt-out lists (if claimed) – can it be demonstrated that the TPS or CTPS has been screened against and how recently?
• How does the data broker deal with individuals’ rights – do they pass on objections?

You must be honest and upfront with consumers about what you intend to do with their personal information, including when and where you plan to employ data brokering services to gather more information about your clients or create profiles of them.

Before requesting data from a data brokering service, make sure you have an appropriate legal basis.

The post ICO investigation: Direct marketing data brokers’ compliance with data protection laws appeared first on Compliance Solutions for Websites, Apps and Organizations | iubenda.

Facebook Head of Security Policy Nathaniel Gleicher urges democracies worldwide to step up efforts to criminalize these types of businesses and activities. “No single company can tackle a society-wide challenge like this alone.”

Fighting surveillance operations on the platform has been a top concern for Meta for a while. It has an ongoing case against NSO Group, the well-known Israeli spyware vendor, saying that after using its surveillance software against 1,400 users of WhatsApp, which Meta owns, the firm broke federal anti-hacking law. NSO Group denies the accusations and has made unsuccessful attempts to get the lawsuit dismissed.

In a study released on Thursday along with a policy paper outlining 13 proposals for taking on the surveillance-for-hire industry, Meta detailed its most recent activities:

1. the sale of surveillance software should be prohibited;
2. organizations should be created to assist victims in pursuing legal action; and
3. export control lists should be used to restrict the accessibility of monitoring technologies.

The company’s first report on surveillance-for-hire, which was published last year, is built on Meta’s research. According to that study, Meta had disabled seven separate surveillance-for-hire companies’ access to its internet infrastructure, which may have been used to target 50,000 Facebook and Instagram users.

The Biden administration is preparing to issue an executive order next year intended to limit the use of spyware by American intelligence services as Meta makes its recommendations.

The European Parliament is looking at NSO Group’s Pegasus software, which Meta publicly testified about earlier this year.

The post Meta stops companies that provide surveillance for hire and demands that the government regulate the sector appeared first on Compliance Solutions for Websites, Apps and Organizations | iubenda.

The Declaration, which was presented by the Commission in January of this year, outlines the EU’s commitment to a secure, safe, and sustainable digital transformation that puts people first and is consistent with the EU’s basic values and fundamental rights. The Declaration demonstrates to citizens the importance of upholding European ideals, as well as the rights and liberties protected by EU law, both online and off.

The text, which is organized around six chapters, will offer guidance to businesses and policy officials dealing with new technology. The Declaration will also direct how the EU responds to global digital change.

Guidelines for digital transformation’s rights and principles

The digital revolution has an impact on all facets of people’s life. It provides chances for increased individual well-being, sustainability, and growth, but it can also increase risks that call for a public policy response. The European Union seeks to safeguard European ideals through the Declaration on Digital Rights and Principles:

1. Putting people at the centre of the digital transformation;
2. Supporting solidarity and inclusion through connectivity, digital education, training and skills, fair and just working conditions and access to digital public services;
3. Restating the importance of freedom of choice and a fair digital environment;
4. Fostering participation in the digital public space;
5. Increasing safety, security and empowerment in the digital environment, in particular for young people;
6. Promoting sustainability.

These rights and principles specifically entail the following: universal, low-cost, high-speed digital connectivity; well-equipped classrooms and digitally proficient teachers; easy access to public services online; a safe digital environment for children; disconnecting after working hours; obtaining clear information on the environmental effects of our digital products; and control over the use and sharing of personal data.

Upcoming

The EU and its Member States’ shared political commitment to promoting and putting these principles into practice in all facets of digital life and achieving the goals of the 2030 Digital Compass is reflected in their signing of the European Declaration of Digital Rights and Principles at the highest level. The Declaration will also serve as a roadmap for the actual work being done on the Digital Decade Policy Programme, a vehicle for monitoring and cooperation to achieve the shared digital goals for the end of this decade.

The Commission will keep track of developments and provide reports through the yearly “State of the Digital Decade” report in order to meet the 2030 goals and for the Declaration to have real-world consequences.

The Declaration will also serve as a roadmap for the EU in its foreign relations as it relates to how to design a digital transition that prioritizes human rights.

The post Presidents of the Commission, the European Parliament and the Council sign European Declaration: Digital Rights and Principles appeared first on Compliance Solutions for Websites, Apps and Organizations | iubenda.

The extent of the processing justified the amount, the number of people affected and the profits the company made from advertising revenue generated indirectly from the data collected by the cookies. In addition to the administrative fine, an injunction was also issued to force the company to obtain the consent of the data subjects within three months, failing which the company will be required to pay the penalty for each day of delay.

Background information

The CNIL conducted multiple investigations on the website between September 2020 and May 2021 as a result of a complaint regarding the terms for depositing cookies on “bing.com.”

It was discovered that visitors who visited this site had cookies installed on their computers without their knowledge and that these cookies were used, among other things, for advertising. Additionally, it noticed that there was no button that made it as simple to reject the cookie deposit as it was to accept it.

As a result, Microsoft Ireland Operations Limited was fined €60 million by the restricted committee, the CNIL body in charge of imposing sanctions.

The extent of the processing, the number of data subjects, and the profits the business made from advertising profits indirectly produced by the data obtained via cookies were used to validate this figure.

The corporation must obtain the consent of people residing in France on the website “bing.com” within three months of putting cookies and tracers with advertising purposes on their device, according to a restricted committee order that was issued in addition to the administrative punishment. In any other case, the business risks paying a fine of 60,000 euros per day that it is overdue.

CNIL

The CNIL has the necessary authority to investigate and sanction activities involving cookies that the corporation has placed on the computers of French Internet users. Since the activities associated with the use of cookies fall under the jurisdiction of the “ePrivacy” directive, as implemented in Article 82 of the French Data Protection Act, the GDPR’s “one-stop shop” mechanism is not intended to apply to these procedures.

Click here for the official notice from CNIL.

The post Microsoft Receives 60 Million Euro Fine from CNIL appeared first on Compliance Solutions for Websites, Apps and Organizations | iubenda.

The Background

The organization, France Digitale, which represents the majority of France’s digital entrepreneurs and venture investors, claimed in the lawsuit that iPhone maker Apple’s previous operating program, iOS 14, did not comply with EU privacy requirements.

While iPhone owners were asked in iOS 14 whether they were willing to allow installed mobile apps to gather a key identifier used to define campaign ads and send targeted ads, France Digitale argued that default settings allowed Apple to carry out its own targeted ad campaigns without explicitly asking iPhone users for their prior consent.

Apple’s privacy changes, known as App Tracking Transparency, allow users to prevent apps from tracking their activities across apps and websites controlled by other firms.

What now?

Francois Pellegrini, the chief adviser, made his suggestion following an examination by the authority, which was prompted by a complaint lodged last year by France Digitale. The sanctioning body of CNIL is able to disregard the rapporteur’s suggestions, although these usually carry a lot of weight in the watchdog’s final judgment.

At the hearing, Apple’s chief of privacy, Gary Davis, disputed Pellegrini’s findings, stating that Apple was committed to protecting consumers’ privacy.

Davis also has stated that he believes the amount of the fine should be ‘decreased’ considering the ‘absence of any seriousness to the breach’. He has requested that the official amount not be made public.

CNIL has not yet disclosed when it will make a decision. 

The post Potential 6 Million Euro Fine for Apple appeared first on Compliance Solutions for Websites, Apps and Organizations | iubenda.

The dispute began when two investment managers asked Google to disregard search results that were returned based on their names and linked to several articles that criticized the group’s investment strategy. They contend that the articles make incorrect statements.

Google argued that it was unsure of the accuracy of the information in the articles and declined to cooperate.

However, the Court of Justice of the European Union allowed investment managers to successfully invoke the so-called “right to be forgotten” under the EU’s General Data Protection Regulation in a decision on Thursday.

Users who want to remove misleading information from search engine results must offer solid evidence that it is untrue.

“to provide only evidence that can reasonably be required of [them] to try to find,” the court said.

The judgment returns to the complex issue of the online ‘right to be forgotten, where for years, there have been opposing camps of those who believe that priority should be given to freedom of information and those who believe in the right to privacy.

About the right to erasure, “right to be forgotten”

Users have the right to request that their data be deleted, and all distribution stopped when it is no longer relevant for its original purpose, when users have withdrawn consent, or when the personal data have been processed unlawfully. Requests must be fulfilled without undue delay and, at the latest, one month after they are made.

For more on this, see here.

A user requested to exercise their right to erasure how do I prove that I honored that?

In general, the GDPR’s protections apply to “personal data,” which is defined by the Regulation as information that can be used to directly or indirectly identify a natural person.

Therefore, if a user requests to have all of their personal data deleted, you would theoretically no longer have access to that user’s personal information, and the individual would no longer be “identifiable” to you or your systems.

Practically speaking, the best way to respond to such a request would be to explicitly inform the user (at the time of the initial request) that by granting the request, all of their data will be removed, making it impossible for them to exercise any further rights regarding this data because it no longer exists on your systems.

We go into further details on this here.

Psst! To effortlessly comply with regulations and fulfill your legal duties, you can easily record and control every data processing activity within your organization with the help of our solution.

For a list of the full features of the Internal Privacy Management tool click here or read the guide here.

The post Google to delete ‘inaccurate’ information about you appeared first on Compliance Solutions for Websites, Apps and Organizations | iubenda.

“We need better laws to regulate how companies manage the huge amount of data they collect, and bigger penalties to incentivise better behaviour.” said Australia’s attorney-general, Mark Dreyfus.

This action comes after a recent wave of data breaches. 

“Unfortunately, significant privacy breaches in recent weeks have shown existing safeguards are inadequate. It’s not enough for a penalty for a major data breach to be seen as the cost of doing business,”

The new legislation will dramatically enhance Australia’s online privacy laws.

Quick facts:

• In addition to asking for information and documents, the Office of the Australian Information Commissioner has the authority to issue infringement notices to individuals who don’t comply.
• The maximum penalty for violations of the Australian Privacy Act is now:
  • AUD 50 million;
  • three times the benefit the firm received from the violation; or
  • thirty percent (30%) of the company’s adjusted turnover (if the value of the benefit cannot be derived).

What do I need to do?

Companies that previously did not fall under the Act or its cross-border reach should consider whether they now need to enhance their compliance status.

Want to keep up to date on the latest in Data Protection and Privacy news? Join our DPO Newsletter and receive the news in your inbox!

The post Australia Passes New Privacy Bill appeared first on Compliance Solutions for Websites, Apps and Organizations | iubenda.

Background

Tanya O’Carroll, a tech and human rights activist, filed the lawsuit, claiming that this amounts to “surveillance advertising.” According to her legal team, when O’Carroll tried to opt-out of having her personal information processed by Meta for marketing purposes, “Meta repeatedly refused to respect… O’Carroll’s absolute right to object to being surveilled and profiled.”

The case

O’Carroll’s complaint centers on claims that Meta is violating UK GDPR, which governs data protection, by doing this. According to her legal counsel at AWO, internet users have had the “right to object” since the GDPR was adopted in the UK in 2018.

Data rights organization AWO’s legal director, solicitor Ravi Naik, stated: “Meta is straining to concoct legal arguments to deny our client even has this right. But Tanya’s claim is straightforward; it will hopefully breathe life back into the rights we are all guaranteed under the GDPR.”

The announcement comes after a judge in Washington fined Meta $24.6 million for willfully violating the state’s campaign finance transparency 822 times.

O’Carroll stated in a press release: “While the case is being brought by an individual data subject in the UK against Facebook, a win could set a precedent for millions of users of search engines or social media in the UK and EU who have been forced to accept invasive surveillance and profiling to use digital platforms.”

 Meta

Meta announced earlier this month that it would lay off more than 11,000 workers as a result of the sharp reduction in profitability and accompanying drop in share price at the end of October.

As some commentators have highlighted, the lawsuit strikes at the core of Facebook’s economic model. Since demonetizing some of the data that powers current ad sales would be preferable to shareholders to investing billions of dollars in an unsuccessful Metaverse

The post Lawsuit in High Court of England and Wales Against Meta appeared first on Compliance Solutions for Websites, Apps and Organizations | iubenda.

Although the technical conference was not successful, the document provides the framework for further debate.

The clause at the heart of the talk defined the conditions under which electronic communications data can be handled.

“The necessity of the processing of electronic communications data for the purposes provided for in this Regulation should be assessed only on the basis of objective technical requirements and not be based on commercial considerations”

Additional text was added to accommodate specific situations where users’ requests for communication include the storage of sent electronic communications, such as email services where emails are saved in the cloud so that users can search for them later.

In an effort to reach a compromise with the legislators who eliminated this issue entirely, the EU policymakers proposed requiring that service providers cannot analyze data stored in or emitted by users’ devices to discover technical defects and errors.

The subject of data retention was temporarily put on hold due to its complexity.

Metadata, or data on who is talking with whom and how, for example, in terms of time, place, and IP address, is a crucial topic for discussion under the ePrivacy Regulation. Only a few circumstances outlined in the compromise text will allow for metadata processing. Here are a few examples:

1. that the users explicitly consented to the use of their data for one or more objectives that would be impossible to achieve without such metadata. A data protection impact assessment would need to be done first if there is a significant chance that the liberty and rights of the users could be jeopardized.
2. that processing metadata is absolutely required for billing, calculating interconnection payments, and identifying or preventing unauthorized or abusive usage of electronic communications services.
3. that the telecom industry requires metadata analysis to comply with the Open Internet Regulation, prevent network congestion, or enhance network performance.

The goal is to only permit the processing of location data in cases where it is clearly required to safeguard a person’s vital interests in the event of an emergency and only in cases where the person in question is incapable of giving consent.

Additionally, location data may be kept for statistical analysis purposes in response to a governmental authority’s request or in accordance with a specific contractual obligation. In this situation, the location data would need to be promptly pseudonymized, aggregated, kept with encryption, and then deleted once it was no longer required.

The post ePrivacy Regulation Talks appeared first on Compliance Solutions for Websites, Apps and Organizations | iubenda.

Background

The ICO specifically stated that, between 1 January and 1 August 2021, Zuwyco used a public telecommunications service to make 93,558 unsolicited calls for direct marketing purposes to subscribers/data subjects on the ICO’s ‘no call’ register, in violation of Regulation 21(1)(b) of the PECR, resulting in seven complaints to the Telephone Preference Service and the ICO.

ICO Investigation

The ICO determined that Zuwyco violated Regulation 21(1)(b) of the PECR by using a public electronic communications service to make unsolicited calls for the purpose of direct marketing to numbers that were listed on the “no-call” register maintained by the ICO in accordance with Regulation 26 of the PECR. The ICO further asserted that Zuwyco violated Regulation 24 of the PECR by failing to provide the call recipient with the information outlined in Regulation 24(2) of the PECR. The ICO also noted that, in cases where Zuwyco provided the caller’s name on such calls, the name used appeared interchangeable and was difficult to associate with Zuwyco or its clients.

Outcomes

The ICO additionally mandated that Zuwyco perform the following actions within 30 days of receiving its notice:

• neither utilize nor encourage the utilisation of a public electronic communications service to contact data subjects via unsolicited calls for direct marketing purposes if they:
  • have previously let Zuwyco know they don’t want to receive these calls;
  • have registered their phone number with the ICO’s register at least 28 days before the communications, and haven’t told Zuwyco they don’t mind receiving these calls; and
• When direct marketing communications are sent via a public electronic communications service, Zuwyco should make sure the recipient is given:
  • the caller’s name; and
  • Depending on what the recipient desires, either the caller’s home or business address or a free phone number.

Notably, the ICO specified that Zuwyco must pay the £160,000 punishment by no later than December 9, 2022 and that the fine may be lowered to £128,000 if the business pays the full amount of the monetary penalty by December 8, 2022.

But the ICO said that if the business exercised its right of appeal, the early payment discount wouldn’t be offered.

The post Zuwyco Misused a Public Telecommunications Service appeared first on Compliance Solutions for Websites, Apps and Organizations | iubenda.

What happened?

On Tuesday, Royal Mail found the Click & Drop the issue. The company, which is owned by International Distribution Services (IDS), has stated that it has temporarily discontinued the platform and is investigating the problem.

“Royal Mail has temporarily suspended its Click & Drop website as a precautionary measure following reports that a limited number of customers were able to see information about other customers’ orders following a technical problem. We are investigating the incident in order to fix the IT issue so that you can post as soon as possible.”

During the investigation, the Royal Mail advised customers to utilize paper alternatives, offering a link to the necessary forms.

The interruption left business owners without access to a critical service, and many vented their rage on social media.

A spokesperson said:

“Royal Mail has restored its Click & Drop service as we have now fixed the IT systems issue. We temporarily suspended the website this afternoon as a precautionary measure following reports that some customers were able to see information about other customers’ orders following a technical problem. We apologise to our customers for any inconvenience.”

The representative declined to remark on the incident’s cause. Tech Monitor has inquired with the Information Commissioner’s Office about the Royal Mail data leak. According to the regulator, the Post Office has not yet provided an update. “Organisations must report the ICO within 72 hours of becoming aware of a personal data breach unless there is no harm to people’s rights and freedoms,” an ICO representative told Tech Monitor.

The post Royal Mail Data Breach appeared first on Compliance Solutions for Websites, Apps and Organizations | iubenda.

Background

The AEPD specifically underlined that the complaint had claimed that CaixaBank had failed to respond to their personal data rectification request in a timely and acceptable manner. Furthermore, the AEPD added that the complainant claimed CaixaBank had not corrected their address, which was visible on CaixaBank’s home banking web platform.

The AEPD’s findings

Following its inquiry, the AEPD determined that CaixaBank had violated Article 16 of the GDPR by failing to change the complainant’s address and rejecting several rectification requests.

The Spanish data protection authority (AEPD) published its decision in Proceeding No. PS-00183-2022, in which it imposed a fine of €25,000 on CaixaBank, S.A. for a violation of Article 16 of the General Data Protection Regulation (Regulation (EU) 2016/679) (GDPR).

 Outcomes

The Spanish Data Protection Authority (AEPD) imposed a fine of EUR 25,000 on Caixa Bank S.A. for a violation of Article 16 of the GDPR following a complaint by a customer of the same company. The sanction resulted from the failure of the company to update the complainant’s address, ignoring the multiple rectification requests sent by the same

As a result, the AEPD fined CaixaBank €25,000 for violating Article 16 of the GDPR.

The judgment, which is only available in Spanish, can be found here.

Latest update

The AEPD rejects Caixabank’s appeal. On 3 November 2022, the AEPD issued its judgment dismissing CaixaBank’s appeal of the AEPD’s decision in Proceeding No. PS-00183-2022.

The ruling, which is only available in Spanish, can be seen here.

The post AEPD Fines Caixa Bank for Violation of the GDPR appeared first on Compliance Solutions for Websites, Apps and Organizations | iubenda.

Read about it here! Legal content you can understand with iubenda

You can access the final text of the DSA here.

The Digital Services Act was officially published in the Official Journal of the European Union on October 27, 2022, the rules regulate how platforms and marketplaces must handle illegal content, goods, and services, as well as introduce specific provisions for larger platforms to increase the transparency of data processing through algorithms.

Legal teams will have their work cut out for them as they determine how to modify policies and procedures to assure compliance and avoid penalties that can scale up to 6% of worldwide sales for the more severe violations.

By streamlining how platforms and marketplaces must address illicit information, commodities, and services and introducing particular restrictions for larger platforms that are designed to increase transparency surrounding sophisticated algorithms, the guidelines are meant to promote accountability online.

The DSA regulation will go into effect in 20 days in accordance with EU procedure (so in mid-November). However, that isn’t the actual start date because there is still a wait until the provisions take effect to give firms time to adapt and align. According to the Commission, the majority of the DSA requirements will take effect on January 1, 2024.

So-called VLOPs (also known as very large online platforms) — will be the first obligated to conform to the new compliance requirements, starting to apply as early next year – so, in the first quarter of 2023, compliance obligations will probably start to weigh heavily on a number of larger IT companies and Big Tech giants.

The Digital Markets Act, a related policy that exclusively targets Big Tech for ex-ante regulation, will also begin to take effect at the beginning of next year.

The post NEW Digital Services Act appeared first on Compliance Solutions for Websites, Apps and Organizations | iubenda.

What is Clearview AI

The facial recognition system used by Clearview AI harvests images from online videos and gathers publicly available photos from social media and other sources. Access to Clearview AI’s image database is sold, and it includes a search engine where a person may be looked up using a photo. Law enforcement agencies can use the image database to find criminals or victims of crime as a service.

Clearview AI develops a biometric template, which is a digital representation of a person’s physical traits, to enable the search for a specific person. Biometric data is considered sensitive personal data under the EU General Data Protection Regulation (GDPR), and its processing calls for enhanced security.

Background

Since May 2020, the CNIL has received complaints from individuals over the facial recognition technology used by Clearview AI. As a result, CNIL launched an investigation and worked with other EU data protection authorities in accordance with the GDPR’s system for cooperation (i.e., each local authority is competent to act on its own territory as Clearview AI is not established in the EU).

The CNIL’s investigation discovered the following:

Due to Clearview AI’s failure to obtain data subjects’ consent for collecting and using their images and its inability to rely on the legal basis of legitimate interest – in light of the intrusive nature of the data collection and the lack of awareness on the part of the data subjects of the data collection – Clearview AI was processing sensitive data without a valid legal basis.

If you’d like more information, you can read CNIL’s official notice here →

The post CNIL Fined Clearview AI €20 million appeared first on Compliance Solutions for Websites, Apps and Organizations | iubenda.

The post Shein owner fined $1.9 Million appeared first on Compliance Solutions for Websites, Apps and Organizations | iubenda.

Following investigations by the ICO, the Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR) and Article 5(1)(a) of the UK General Data Protection Regulation (UK GDPR) were violated by Easylife Ltd. 

The Information Commissioner’s Office (ICO) published two penalty notices on October 6, 2022, imposing fines of £1.35 million and £130,000 on the company.

Background 

The ICO specifically mentioned that when the company was brought to its notice, it had looked into Easylife. While the inquiry first focused on violations of the PECR, concerns regarding potential violations of the UK GDPR were also found, according to the ICO.

The investigation 

According to the UK GDPR, the ICO concluded that Easylife had targeted 145,400 consumers with health-related items without their permission by using their personal information to anticipate their medical conditions. Specifically, the ICO found that considerable consumer profiling and health data processing had occurred and that those affected by it were unaware that their personal data had been collected and used for such reasons.

According to the ICO, Easylife violated the PECR by making 1,345,732 unsolicited marketing calls to persons registered with the Telephone Preference Service between August 1 and August 19, 2020. These calls are forbidden under the PECR unless the receiver gives their consent.

The ICO came to the conclusion that Easylife had broken both Regulation 21 of the PECR and Article 5(1)(a) of the UK GDPR.

Outcomes

The ICO issued a total fine of £1.48 million, consisting of £1.35 million for the UK GDPR infringement and £130,000 for the PECR violation. The ICO further stated that both fines must be paid by November 4, 2022, and that if paid by that date, the penalty for breaking the PECR will be reduced by 20% to £104,000.

The post ICO Fines Easylife £1.48 Million  appeared first on Compliance Solutions for Websites, Apps and Organizations | iubenda.

According to the lawsuit, the Facebook app’s built-in browser unknowingly provides Facebook privacy-sensitive data. The Facebook app would achieve this by getting beyond iPhones’ tracking protection.

Last year, Apple enhanced the tracking security of its iPhone and iPad operating system. That should stop tech firms like Meta and Google from monitoring users’ browsing patterns. The lawsuit claims that Meta uses the Facebook app’s built-in browser to get around this security.

The two accusations are supported by a study by data privacy expert Felix Krause. He claims that when users access websites using the built-in browser, the Facebook and Instagram applications upload JavaScript (programming code) to such sites. Meta would be able to monitor “anything you do on a website,” including entering passwords.

A Meta representative in the Netherlands was unable to respond to inquiries about the lawsuits. The representative acknowledged that built-in browsers are widespread “across the industry.”

“We use built-in browsers in the app to let users surf the Internet safely, easily, and reliably,” the spokesperson said. “Correcting or completing Web addresses prevents people from being redirected to malicious sites.”

“Adding this type of feature requires additional programming code. We carefully designed the code to respect users’ privacy choices,” the spokesperson said. Meta denies that the company illegally collects data from users.

The post Meta sued by Facebook Users appeared first on Compliance Solutions for Websites, Apps and Organizations | iubenda.