News – Compliance Solutions for Websites, Apps and Organizations | iubenda
https://www.iubenda.com/en/
Feed last updated: Wed, 05 Oct 2022 16:52:34 +0000

Michigan Personal Data Privacy Act
https://www.iubenda.com/en/blog/michigan-personal-data-privacy-act/
Wed, 05 Oct 2022 16:52:34 +0000

Michigan Personal Data Privacy Act: Senate Bill (SB) 1182 for a Personal Data Privacy Act was introduced to the Michigan Senate on 27 September 2022.


In particular, SB 1182 would cover businesses that hold data on more than 100,000 consumers, and businesses that hold data on more than 25,000 consumers while deriving 50% of their gross revenue from data sales.

Consumer opt-outs for data sales and targeted advertising are notable elements, as is a data broker registration, a 30-day right to cure, and a private right of action with 30 days’ notice.

The measure has been referred to the Senate Energy and Technology Committee.


A bill to establish the privacy rights of consumers; to require certain persons to provide certain notices to consumers regarding the processing and sale of personal data; to prohibit certain acts and practices concerning the processing and sale of personal data; to establish standards and practices regarding the processing and sale of personal data; to provide for the powers and duties of certain state governmental officers and entities; to create certain funds; and to provide remedies.



Metaverse: Lawmakers broaden the AI rulebook
https://www.iubenda.com/en/blog/metaverse-lawmakers-broaden-the-ai-rulebook/
Wed, 05 Oct 2022 16:43:46 +0000

Metaverse: Lawmakers broaden the AI rulebook to include metaverse environments that meet certain criteria. The most recent updates also addressed risk management, data governance, and high-risk system documentation.
These most recent criteria make significant revisions to the scope, subject content, and duties for high-risk AI systems in risk management, data governance, and technical documentation.

Metaverse: Lawmakers broaden the AI rulebook

A new item has been added to broaden the reach of the rule to include AI system operators in specified metaverse environments that meet a number of cumulative conditions.

These cumulative criteria are that the metaverse environment:

  1. requires a verified avatar;
  2. is designed for large-scale involvement;
  3. involves real-world social interactions;
  4. involves real-world financial transactions; and
  5. poses health or fundamental rights risks.


The scope has been broadened to include any economic operator who places an AI system on the market or puts it into operation.

According to the wording, the legislation does not exclude national laws or collective agreements from imposing stricter requirements to protect workers’ rights when businesses utilize AI systems. At the same time, AI systems designed primarily for scientific study and development are not covered.

As raised by several MEPs, the topic of whether any AI system is likely to interact with or impact minors has been postponed until a later date.

Furthermore, the change from center-right MPs that would limit the scope for AI suppliers or users in a third nation has been retained for future negotiations because it is tied to the definition, according to a notation at the document’s margin.

📌 The subject of discussion

The rules outlined in the regulation are designed not only for the placing of AI on the market but also for its development. Harmonizing the rules for high-risk systems and fostering innovation, with particular emphasis on the latter, have been introduced as goals.


📌 High-risk AI requirements

According to the compromise modifications, high-risk AI systems must comply with the AI Act’s requirements throughout their existence and take into account the most recent and relevant technical standards.

📌 Risk management

Every time there is a significant modification to the high-risk AI, the risk management system must be modified “to assure its continuous effectiveness.”

Risk management must now examine the aspects of health, legal and fundamental rights, the impact on certain groups, the environment, and the spread of misinformation.

If, following the risk assessment, the AI providers believe there are still relevant risks, they should present the user with a reasoned judgment on why these risks are acceptable.

📌 Data management

According to the compromise modifications, for high-risk AI, techniques such as unsupervised learning and reinforcement learning that do not require validation and testing data sets must be developed using training data sets that meet a certain set of criteria.

The goal is to prevent biases from developing, which is reinforced by the obligation to analyze potential feedback loops.

📌 Documentation for technical purposes

Wording has been introduced to give SMEs more leeway in complying with the requirement to keep technical documentation about high-risk systems in place, after permission from national authorities.

The list of technical details has been greatly expanded to cover details such as the user interface, how the AI system operates, expected inputs and outputs, cybersecurity precautions, and the carbon impact.

Possible £27 million for TikTok says ICO
https://www.iubenda.com/en/blog/possible-27-million-for-tiktok-says-ico/
Wed, 28 Sep 2022 16:00:07 +0000

TikTok might face a £27 million fine following an ICO investigation that discovered the company may have violated UK data protection law by failing to protect children’s privacy when using the TikTok platform.

A “notice of intent,” which is a legal document that comes before a possible fine, has been given by the ICO to TikTok Inc. and TikTok Information Technologies UK Limited (collectively, “TikTok”).

The notice outlines the ICO’s preliminary conclusion that between May 2018 and July 2020, TikTok violated UK data protection law.

🗣 John Edwards, the information commissioner, stated:

“We all want children to be able to learn and experience the digital world, but with proper data privacy protections. Companies providing digital services have a legal duty to put those protections in place, but our provisional view is that TikTok fell short of meeting that requirement.
“I’ve been clear that our work to better protect children online involves working with organisations but will also involve enforcement action where necessary. In addition to this, we are currently looking into how over 50 different online services are conforming with the Children’s code and have six ongoing investigations looking into companies providing digital services who haven’t, in our initial view, taken their responsibilities around child safety seriously enough.”


📌 According to the ICO investigation, TikTok might have:

  1. handled underage children’s data without getting proper parental authorization;
  2. failed to give users accurate information in a clear, transparent, and understandable manner; and
  3. processed special category data without a valid legal justification.

The conclusions in the notice made by the Commissioner are preliminary.

At this point, it should not be assumed that there has been a data protection legislation violation or that a fine has been issued.

Before making a decision on this case, the ICO is going to evaluate any response TikTok may make carefully.

Uber Hacked
https://www.iubenda.com/en/blog/uber-hacked/
Wed, 21 Sep 2022 08:30:23 +0000

Uber has been hacked in what looks to be an attack on the company’s internal infrastructure.


After the New York Times reported that a cyberattack had infiltrated the company’s network and prompted it to take many internal communications and engineering systems offline, the California-based corporation said it was reacting to a “cybersecurity incident.” According to the article, the hacker claimed to be 18 years old.

Uber said that there are no problems with the company’s service, which is available in over 10,000 cities worldwide.


A hacker gained access to the employee workplace chat service Slack and used it to deliver an announcement to Uber employees about a data breach.

Sam Curry, a senior engineer at Yuga Labs, said the Uber hacker contacted him on the HackerOne network and showed him “very convincing” screenshots of complete administrative access to Uber’s cloud services.

The company has been hacked before. Its former chief security officer, Joseph Sullivan, is on trial on charges that he arranged for hackers to be paid $100,000 to cover up a 2016 attack in which the personal information of around 57 million users and drivers was stolen.

According to the New York Times, the hacker appears to have gained access to other internal company networks, uploading an explicit photo on an internal information page for staff. The person who claimed responsibility for the hack stated that they got access through social engineering, which is a term for misleading an employee into allowing access.

The hacker sent a text message to an Uber employee while posing as a member of the company’s IT staff, convincing the worker to hand over a password that granted access to the network. According to the report, the hacker, who provided a Telegram account address, said they broke in because the company’s security was lax.

Irish DPC Fined Instagram €405 Million
https://www.iubenda.com/en/blog/irish-dpc-fined-instagram-e405-million/
Tue, 13 Sep 2022 14:28:13 +0000

The Irish Data Protection Commission (DPC) fined Meta-owned social networking platform Instagram €405 million for violating the General Data Protection Regulation by publishing children’s email addresses and phone numbers.


This is the second-highest fine under the GDPR after a €746 million penalty against Amazon and is the third imposed by the Irish regulator on a Meta-owned company.

The Irish DPC confirmed the fine in an emailed statement but declined to comment further.

The Irish authority issued the fine after triggering a dispute-resolution process to address input on the penalty from other European data protection authorities.

The fine, which is now the largest for a Meta-owned company after a €225 million fine for WhatsApp and a €17 million fine for Facebook, is intended to punish Instagram for violating children’s privacy, including the publication of children’s email addresses and phone numbers.

At least six more investigations involving Meta-owned companies are now being conducted by the Irish DPC.

A Meta spokesperson has since released the following:

“This inquiry focused on old settings that we updated over a year ago, and we’ve since released many new features to help keep teens safe and their information private,”
“Anyone under 18 automatically has their account set to private when they join Instagram, so only people they know can see what they post, and adults can’t message teens who don’t follow them. We engaged fully with the DPC throughout their inquiry, and we’re carefully reviewing their final decision.”

 

Uber’s Former Chief on Trial
https://www.iubenda.com/en/blog/ubers-former-chief-on-trail/
Tue, 13 Sep 2022 14:25:14 +0000


Joe Sullivan, Uber’s former security chief, goes on trial this week in what is believed to be the first instance of an executive facing criminal charges in connection with a data breach.

The US District Court in San Francisco will hear arguments on whether Sullivan, the ride-sharing company’s former chief of security, neglected to properly disclose a 2016 data breach that affected 57 million Uber riders and drivers worldwide. At a time when allegations of ransomware attacks have increased, and cybersecurity insurance rates have skyrocketed, the case might set a significant precedent regarding the accountability of US security personnel and executives for how the organizations for which they work manage cybersecurity crises.

The Background

The breach first came to light in November 2017, when Dara Khosrowshahi, Uber’s chief executive, revealed that hackers had gained access to 600,000 US driver’s license plates and the names, emails, and phone numbers of 57 million Uber riders and drivers.

Public disclosures such as Khosrowshahi’s are required by law in several US states, with most legislation requiring the notification to be issued “in the most expedient time possible and without unreasonable delay”.

However, Khosrowshahi’s announcement included an admission: the information had been exposed for a whole year beforehand. Khosrowshahi claimed at the time that the business had investigated the delay and removed two officials, one of whom was Sullivan, who had headed the response to the breach.

Uber paid $148 million in a nationwide settlement with 50 state attorneys general in 2018 for failing to disclose the data breach. The two hackers pled guilty in 2019 to hacking Uber and then extorting the company’s “bug bounty” security research program. The Department of Justice charged Sullivan with a crime in 2020.

The Trial

According to the Justice Department lawsuit, only Sullivan and former Uber CEO Travis Kalanick were aware of the entire scope of the hack. They played a role in the decision to classify it as an approved disclosure through the bug bounty program. However, as the New York Times first reported, the security profession is divided on whether Sullivan should be held entirely accountable for the attack. Some have questioned if the role of other corporate officials and the board of directors should also be probed, while others believe Sullivan’s involvement was obvious.

The trial takes place as reports of ransomware attacks increase. According to the threat intelligence firm SonicWall, ransomware attacks in the United States climbed by more than 95% in 2021, with many of the attackers targeting hospitals and schools. Over the Labor Day weekend, hackers launched a cyber-attack on the Los Angeles Unified School District, the country’s second-largest school district.

TikTok Breach – Under the Spotlight
https://www.iubenda.com/en/blog/tiktok-breach-under-the-spotlight/
Wed, 07 Sep 2022 08:33:15 +0000

As it protects the personal data of over a billion users, TikTok, the short-video phenomenon that ranks among the most downloaded applications worldwide, is coming under growing scrutiny over its data security.


On Monday, a number of cybersecurity experts tweeted about the alleged discovery of a server breach that gave access to TikTok’s storage which they believe held personal user information. Only a few days prior, Microsoft Corp. reported discovering a “high-severity vulnerability” in the Android version of TikTok that “would have allowed attackers to compromise users’ accounts with a single click.”

TikTok now ranks as many young people’s favorite app after surpassing a billion monthly users a year ago. That makes it a tempting target for hackers who might try to take over well-known accounts or sell private information. The Trump administration classified it as a privacy issue in 2020. It was almost outlawed due to worries about possible connections between its Beijing-based parent firm and the Chinese government.

TikTok denied the allegations of a breach made over the weekend. A representative stated, “Our security team investigated this statement and determined that the code in question is completely unrelated to TikTok’s backend source code.”

An Australian online security expert named Troy Hunt looked over a few of the data samples contained in the stolen documents and discovered matches between user profiles and videos uploaded under those IDs. However, part of the information uploaded was “publicly accessible data that could have been constructed without breach.”

The vulnerability discovered by Microsoft is a more specific problem that might have affected Android-powered mobile devices. According to Dimitrios Valsamaras of the Microsoft 365 Defender Research Team, it might have enabled attackers to access and change “TikTok profiles and sensitive information, such as by publishing private videos, sending messages, and posting videos on behalf of users.”

According to a TikTok spokeswoman, the business addressed the security flaw after swiftly responding to Microsoft’s findings.

Even if the problems are minor or inconclusive, TikTok and its parent company will be the subject of great attention at a time when the US may intensify its measures against companies with ties to China.

Sephora – First Public CCPA Enforcement Action
https://www.iubenda.com/en/blog/sephora-first-public-ccpa-enforcement-action/
Wed, 31 Aug 2022 13:54:33 +0000

One of the world’s largest cosmetics retailers, Sephora, will have to pay $1.2 million in fines for violating California Consumer Privacy Act (CCPA) by selling customers’ personal information and failing to comply with opt-out requests.


According to California Attorney General Rob Bonta, Sephora made its users’ personal information available to online third-party trackers, in exchange for benefits like targeted advertising and discounted analytics, without telling them it was doing so. Sephora also failed to honor opt-out requests sent to it via the Global Privacy Control, a browser extension that automatically communicates users’ privacy preferences to every website they visit without requiring them to click each website’s opt-out link manually.

On August 24, 2022, Bonta announced that it had negotiated a $1.2 million settlement with Sephora, Inc. on claims that the company had broken the Business and Professions Code’s (BPC) Sections 17200 et seq. and the California Consumer Privacy Act (CCPA).

Bonta pointed out that the charges surfaced after an enforcement sweep of online merchants as part of its continuing CCPA enforcement.

After an investigation, Bonta concluded that Sephora failed to warn customers about selling their personal information and did not offer them an obvious “Do Not Sell My Personal Information” link on its website or mobile application. Additionally, Bonta found that Sephora did not correct the infractions within the 30-day window currently permitted by the CCPA since Sephora did not execute user requests to opt-out of sale via the user-enabled global privacy controls.

Bonta also emphasized that under the settlement Sephora is required to pay $1.2 million in fines and to adhere to Sections 1798.20 and 1798.135 of the California Consumer Privacy Act and Regulations 7011, 7012, 7026, and 7051 of the California Consumer Privacy Act. Additionally, Bonta required that Sephora abide by the following conditions:

  • providing mechanisms for users to opt-out of the sale of personal information, including via global privacy control;
  • clarifying its online disclosures and privacy policy to include an affirmative representation that it sells data;
  • conforming its service provider agreements to the CCPA’s requirements; and
  • providing annual reports to the attorney general regarding its sale of personal information, its service provider relationships status, and its efforts to improve data security.

In addition, the settlement mandates that Sephora implement and maintain a program to evaluate and track whether it is successfully handling opt-out requests for sales, as well as conduct an annual review of its websites and mobile apps to identify the entities with which it shares personal information, within 180 days of the settlement’s effective date and for the following two years.

LastPass Breach
https://www.iubenda.com/en/blog/lastpass-breach/
Wed, 31 Aug 2022 10:55:44 +0000

The password management provider LastPass suffered a breach two weeks ago that gave hackers access to the company’s source code and confidential technical data. After receiving inquiries about the intrusion, LastPass issued a security advisory today revealing that the attackers gained access to the company’s developer environment using a compromised developer account.


Although the hackers did obtain some of LastPass’s source code and “proprietary LastPass technical information,” the company claims there is no evidence that user data or encrypted password vaults were stolen. The LastPass statement states:

“In response to the incident, we have deployed containment and mitigation measures and engaged a leading cybersecurity and forensics firm.”


LastPass has not offered any further information about the attack, how the hackers gained access to the developer account, or what source code was taken.

Below is the security warning sent to LastPass users.

[Image: LastPass security warning to users]

LastPass, one of the biggest password management companies in the world, claims that over 33 million users and 100,000 businesses use its services. Because customers and companies rely on the software to store their credentials safely, there is a persistent concern that a compromise of the company would give attackers access to the saved passwords.

But according to LastPass, its “encrypted vaults”—where passwords are kept—can only be opened with a user’s master password, which the company claims was unaffected by the incident.

Last year, LastPass experienced a credential incident that gave hackers access to a user’s master password. It was also discovered that hackers disseminating the password-stealing software RedLine had obtained LastPass master passwords.

Enabling multi-factor authentication on your LastPass account is crucial, since it prevents attackers from accessing the account even if your password is compromised.

Snapchat Lawsuit in Illinois Leads to $35 Million Settlement
https://www.iubenda.com/en/blog/snapchat-lawsuit-of-35-million-in-illinois/
Wed, 31 Aug 2022 10:52:35 +0000

Snapchat Lawsuit: Users in Illinois Could Receive Compensation for Using Snapchat Filters and Lenses

In a landmark case concerning user privacy and biometric data, a recent Snapchat lawsuit in Illinois has culminated in a $35 million settlement. Illinois residents who used Snapchat’s filters and lenses might be eligible for financial compensation. This development comes as a significant chapter in the ongoing debate over digital privacy rights.


Understanding the Snapchat Lawsuit and Biometric Privacy

The crux of the Snapchat lawsuit revolves around how the social media giant collected and utilized users’ biometric data through its popular filters and lenses. This practice was deemed a violation of Illinois’ Biometric Information Privacy Act (BIPA) – one of the nation’s strictest laws in the realm of biometric data regulation. BIPA strictly controls how businesses handle biometric information like fingerprints, eye scans, and facial recognition data. The law mandates that companies must provide clear written disclosure about the purpose and duration of data storage when gathering such sensitive information.

Snapchat’s Stance and Illinois’ Rigorous Privacy Laws

Despite the settlement, Snapchat has contested any wrongdoing. Pete Boogaard, a Snapchat spokesperson, emphasized that their lenses do not engage in facial recognition nor collect biometric data that could identify individuals. Boogaard added that the data utilized by Snapchat’s lenses is stored on the user’s device and is not transmitted to Snapchat’s servers. However, to showcase their commitment to user privacy and as a precaution, Snapchat introduced an in-app consent notice for Illinois users earlier this year.

Snapchat lawsuit in Illinois: the Battle for Biometric Privacy

This Snapchat lawsuit is not an isolated event in Illinois. The state has seen similar legal battles, with major companies facing lawsuits over biometric data misuse. Recently, a judge approved a $92 million settlement in a case against TikTok for violating Illinois law. Additionally, Meta settled for $37.5 million over allegations of tracking users’ locations without consent in California.

Eligibility and Claim Submission

Illinois residents who utilized Snapchat’s filters and lenses between November 17, 2015, and the present might be entitled to a share of the settlement, which is expected to range between $58 and $117 per person. Those eligible must submit their claims by September 24th to be considered.

 

China has provided information about app algorithms
https://www.iubenda.com/en/blog/china-have-provided-information-about-app-algorithms/
Wed, 24 Aug 2022 15:29:19 +0000

For the first time, the Cyberspace Administration of China (CAC) has published a list of details on the algorithms used in select apps by internet companies like Tencent, Alibaba, and Bytedance.

New legislation in China governs how Internet platform companies must protect user data. They must reveal, among other things, the techniques they employ to track user behavior, how they gather and use user data, and the extent to which they secure user consent.

On March 1st, 2022, China implemented a new regulation that governs the “administration of algorithm recommendations for Internet information services.” This aims to increase citizens’ understanding of algorithms.

The list the CAC published (in Chinese) covers 30 algorithms employed by several well-known Chinese apps. These include the messaging service WeChat from Tencent (which, among other things, offers a widely used payment function), the Baidu search engine app from the company of the same name, and Douyin, ByteDance’s China-based equivalent of TikTok. Taobao is an online marketplace from Alibaba, similar to eBay for private individuals. Additions to the list are ongoing.

The designations and descriptions of the algorithms in the published paper provide a succinct explanation of their functions together with pertinent data protection information. For instance, the “search filter” in the Baidu app is intended to weed out anything that might be illegal, divulge personal information, or pose a security risk. The recommendation system on Taobao presents products and services that might be of interest to the user based on their activity and search history when key milestones (such as the home page, shopping, and completion of purchase) are reached. Similar algorithms are used on Wechat to provide users with posts, photos, and videos depending on their browsing history, viewing preferences, and public accounts they follow.



Twitch: Hacker Accessed Company’s Servers
https://www.iubenda.com/en/blog/twitch-hacker-accessed-companys-servers/
Wed, 24 Aug 2022 15:25:50 +0000 (https://www.iubenda.com/blog/?p=6818)

Amazon-owned video game broadcasting service Twitch has acknowledged a serious data breach. Twitch claims that a hacker broke into the service’s servers.

Due to “an error in a Twitch server configuration update that was subsequently accessed by a malicious third party,” Twitch has admitted that a hacker was able to obtain information that was unintentionally made public on the Internet.

“Our staff is working hard to grasp this scope,” the firm said on Twitter. “We will update the community when further information becomes available,” the firm added.

Full credit card details were not disclosed, and there was “no indication that login credentials had been exposed,” company representatives said, offering customers this assurance.

Rather than code or data tied to specific user accounts, the leakers appear more interested in exposing internal Twitch business resources and data.

According to Sundar Balasubramaniam, managing director of Check Point Software Technologies in India and the South Asian Association for Regional Cooperation (SAARC), any source code leak is bad and could have disastrous repercussions.

The leak is referred to as “part one,” which suggests that more will come. Balasubramaniam has issued a warning to all Twitch users to be cautious because it is anticipated that cyberattacks will increase in the near future.

GDPR Consent Breaches and 60 million euro Fines for adtech giant in France
https://www.iubenda.com/en/blog/gdpr-consent-breaches-and-60-million-euro-fines-for-adtech-giant-in-france/
Thu, 18 Aug 2022 08:28:59 +0000 (https://www.iubenda.com/blog/?p=6809)

The French DPA issued a €60 million preliminary warning of a fine against the advertising technology company ‘Criteo’ for violations of the GDPR rules regulating processing practices through targeted advertising and user profiling.

When the EU’s General Data Protection Regulation (GDPR) went into effect in 2018, the digital rights advocacy group Privacy International filed an official complaint against the spying adtech giant. The sanction was announced today via a tweet from Privacy International.

It claims Criteo is running a “manipulation machine” through the use of a number of tracking tools and data processing procedures that are intended to profile web users so that behavioural ads may be targeted at them and advertisers can pay for “individual-level shopper predictions.”

According to Privacy International’s complaint, Criteo lacks an adequate legal reason for all this tracking and profiling to comply with the GDPR, and it looks like France’s authority is likely to agree.

A spokesperson for Privacy International stated that although they were informed of the development by the French authority they had not received a copy of the CNIL’s preliminary verdict.

In a statement on Criteo’s website, Ryan Damon, its chief legal officer, writes:

We strongly disagree with the findings in the CNIL investigator’s report, both on the merits relating to the investigator’s assertions of non-compliance with GDPR and the quantum of the proposed sanction. We find the merits of this report to be fundamentally flawed, and the proposed sanctions to be incommensurate with the alleged non-compliant actions. We look forward to further dialogue with the CNIL as well as to defend our case to the ultimate arbitrator of a final decision. Criteo continues to uphold the highest privacy standards, and operates a fully transparent and regulatory-compliant global business. We will not have any further comment until these ongoing proceedings are resolved.


The fact that the CNIL doesn’t appear to have posted a notice of the decision on its own website suggests that it is still in the preliminary stages. (Even though EU DPAs don’t always make their decisions public.)

It is unclear if the authority would stand by its conclusions in the face of a strong pushback from a French adtech company.

Google to Pay $60 Million in Fines
https://www.iubenda.com/en/blog/google-to-pay-60-million-in-fines/
Thu, 18 Aug 2022 08:24:00 +0000 (https://www.iubenda.com/blog/?p=6803)

In response to a lengthy legal battle with Australia’s competition authority over misleading users about collecting their personal location data, Google has agreed to pay $60 million in fines.

Background

The federal court determined in April of last year that Google had violated consumer protection regulations by misleading some local users into believing the corporation was not using Android operating systems to acquire personal data about their locations. With a user’s location history set to “off” but their web and app activity set to “on”, the issue in the case was whether it was sufficiently apparent that Google would still collect and access location data when one of Google’s apps was being used.

The company was also found to have broken two further consumer laws, one relating to conduct liable to mislead the general public and the other to misleading representations about the performance characteristics of a service.

The case law

When the decision was made, the Australian Competition and Consumer Commission said it sent a clear message to digital platforms telling them to be transparent with users about what is happening with their data.

A brief federal court hearing on Friday heard that the parties had agreed a $60 million penalty was “fair and reasonable” and had put a joint proposal to Justice Thomas Thawley. However, the court heard that there may still be questions about whether the penalty rendered future contraventions “economically irrational” and whether the penalty was appropriate.

Thawley congratulated the parties and stated that he was confident the fine was within a reasonable range.

WhatsApp Won’t Lower Security for Governments
https://www.iubenda.com/en/blog/whatsapp-wont-lower-security-for-governments/
Wed, 10 Aug 2022 15:51:40 +0000 (https://www.iubenda.com/blog/?p=6777)

WhatsApp’s CEO has stated that the company will not “lower the security” of its messenger service.

WhatsApp has announced that it will not bow to the UK government’s demand to undermine end-to-end encryption by adding a backdoor for law enforcement investigations.

The National Society for the Prevention of Cruelty to Children (NSPCC) has slammed WhatsApp’s stance, claiming that direct messaging is “the front line” of child sexual exploitation. According to the government, digital companies must address child-abuse content on the internet. Its recommendations are included in the Online Safety Bill, which has been postponed until autumn.

The government’s measures to discover child sex-abuse photographs may entail analyzing private messages. As part of the Online Safety Bill, the British government suggested the potential of monitoring private messages (e.g. to access images of child sexual abuse or other crimes in this context). In general, the British government is eager to assist in developing programs that can detect photos while protecting the privacy of individuals.

Is it the end of end-to-end encryption?

End-to-end encryption (E2EE) offers the highest level of security since, by design, only the intended recipient has the key to decrypt the message, which is necessary for private communication.

The technological world is now confused by the UK government’s pledge to assist the development of systems that could detect illegal images within or surrounding an E2EE environment while maintaining user privacy.

Experts have questioned whether it is even feasible, with the majority concluding that client-side scanning is the only viable approach. However, this breaks the foundations of E2EE because messages are no longer private.

The UK and EU measures are similar to Apple’s initiative last year to scan photos on people’s iPhones for harmful content before uploading them to iCloud. However, after privacy advocates said the technology giant had built a security backdoor into its software, Apple withdrew the plans.

The Frontline

NSPCC head of child safety online policy, Andy Burrows, has called direct messaging “the front line” of child sexual abuse.

He said it is becoming evident that children’s safety and adult privacy need not be set against each other. The NSPCC wants to open a discussion about what a fair settlement might look like.

EU Investigating Google Play Store
https://www.iubenda.com/en/blog/eu-investigating-google-play-store/
Wed, 10 Aug 2022 15:51:02 +0000 (https://www.iubenda.com/blog/?p=6781)

Brussels has sent questionnaires to Google’s competitors, scrutinizing billing terms and developer fees for the Google Play Store.

According to two people familiar with the situation, the European Commission’s antitrust regulators are looking into Google’s app store rules.

According to two individuals who spoke on the condition of anonymity, Google’s competitors have received private questionnaires from Brussels exploring billing arrangements and developer fees for the US tech giant’s Play Store.

According to the sources, an inquiry of Google’s Play Store rules in the Netherlands will likely be halted to make room for the EU investigation, as suspicions of anticompetitive behaviour will need to be investigated on an EU-wide scale.

Developer costs for access to the Google Play Store can reach up to 30%, and developers were previously prohibited from using other billing methods to collect payment from consumers.

According to a Google spokeswoman, the company has been addressing “a number of things” with the Commission, including recent improvements to make Play Store terms and conditions fairer and to address developer claims of unfair behaviour.

In late July, the company announced that it would allow certain app developers to use alternate billing systems in the Play Store for collecting money from European consumers, as well as lower developer fees. Google positioned the decision as a first step toward complying with the EU’s newly approved key laws for the digital economy, the Digital Markets Act. The laws impose a slew of bans and requirements on some of the world’s biggest tech companies, like Google, Meta, Amazon, Apple, and Microsoft.

However, some European Commission officials working on the new regulation’s enforcement are concerned that Google’s recent actions may not be sufficient to ensure compliance.

The Digital Markets Act is on track to be written into the EU law this October, and tech firms that fall under its purview will be required to comply by early 2024.

Brazil to Drop GDPR Rules on Data Transfers
https://www.iubenda.com/en/blog/brazil-to-drop-gdpr-rules-on-data-transfers/
Wed, 10 Aug 2022 15:50:16 +0000 (https://www.iubenda.com/blog/?p=6786)

The Brazilian DPA (ANPD) is examining ways to re-regulate international data transfers, moving away from the present GDPR-inspired restrictions. The Brazilian DPA has announced that it intends to base the new discipline on the SCCs of New Zealand and Singapore as they are more practical for companies.

International data transfer is routine in today’s well-connected, electronic society: just look at the volume of data transported to data centres in other countries. That is what has prompted the ANPD to revisit the rules.

To better understand what’s happening, let’s look into Article 3 of the General Data Protection Act (LGPD), which states:

“this Act applies to any processing operation carried out by a natural or legal person under public or private law, whatever the medium, the country of its headquarters or the country where the data are located, provided that: II – the processing activity has as its object the offer or supply of goods or services or the processing of data of natural persons located in the national territory; or III – the personal data undergoing processing have been collected in the national territory. The personal data whose owner is present at the time of collection are considered collected in the national territory”.


The LGPD reserved articles 33 to 36 to deal with international data transfer to overseas countries or bodies. ANPD will evaluate the foreign country’s level of data protection, taking into account:

  • the general and sectorial rules of the legislation in force in the country of destination or international body;
  • the nature of the data;
  • compliance with the general principles of personal data protection and the rights of holders provided in this Law; and
  • the adoption of the security measures provided by regulation.

Article 33 states that international transfers may be permitted, among other cases, when the data controller offers and proves guarantees of compliance with the principles, the data subject’s rights and the data protection regime, or when the data subject has given express consent to the transfer, after being informed of its international nature and with that consent clearly distinguished from other purposes.

ANPD has been active in implementing the law: it has produced guidance documents, held public hearings to listen to civil society, and maintains an agenda with deadlines and topics to be addressed, including international data transfers.

Professionals working in data protection are accustomed to examining European legislation because, in addition to the European Union’s level of development, it is obvious that Brazilian law was influenced by the General Data Protection Regulation (GDPR).

However, European legislation is not the sole source of guidance on the subject; other legislation, especially that of nations with circumstances more comparable to Brazil’s, has much to teach.

Those who have only learned from studying the GDPR will need to broaden their horizons; as Miriam Wimmer, director of the ANPD, stated during her participation in the 11th Internet Forum in Brazil, in terms of international data transfer, the ANPD appears to prefer standard contractual clauses (SCC).

“…after conversations with other countries, we thought it would be interesting to start with standard contractual clauses, because they are ready-to-use mechanisms that are easy for large companies to use in their international contracts, without generating too much cost and time”.


Director Miriam stressed that, while based on EU standard contract clauses, the New Zealand and Singapore standard clauses are the best way forward at the moment because they are simpler.

Given that the transnational flow of data will become more intense as the number of cross-border transactions increases, it is essential to simplify data transfer so as not to negatively impact business or impede international trade while also protecting personal data.

In the context of international data flows, Mercosur Decision No. 15/2020, published in January 2021, on the agreement on electronic commerce should also be mentioned: under it, the countries in that economic area may carry out cross-border transfers of information or data in a simplified manner for the purpose of commercial activity.

According to the aforementioned document, each member state may have its own regulatory instruments, including those related to data protection, with the rule being the free movement of data, obviously, with information security and instruments to ensure data transfer in a more secure manner, such as the anonymization mentioned in the agreement. The ANPD may choose to align the aforementioned agreement with the LGPD.

Garante Blocks TikTok Ads
https://www.iubenda.com/en/blog/garante-blocks-tiktok-ads/
Wed, 13 Jul 2022 14:32:50 +0000 (https://www.iubenda.com/blog/?p=6685)

TikTok Ads: the Garante warns against ‘personalized’ ads based on legitimate interest. The legal basis is inadequate, and there is a risk that the ads also target children.

Background

Through an urgent decision adopted on 7 July, the Garante warned the platform that the personal data stored in users’ devices may not be used to profile those users and send personalized ads without their explicit consent.

TikTok had previously told users that those above the age of 18 would begin receiving ‘personalized’ adverts, i.e., ads based on profiling users’ behavior on TikTok, from July 13. In addition, TikTok and its partners changed their privacy policies, indicating that the processing of personal data would no longer be based on consent but on loosely defined ‘legitimate interests.’

The Garante quickly began an ‘investigation’ into the revised privacy policy and requested information from the social network.

The ruling on TikTok Ads

With the data provided by TikTok, the Garante came to the conclusion that the change in legal basis was incompatible with EU directive 2002/58, as well as with the Italian personal data protection law (the “Code”). Both legal documents categorically state that the consent of the data subjects is the only legal basis for “storing information or gaining access to information already stored in the terminal equipment of a subscriber or user.”

Aside from the insufficient legal basis, the Garante was especially concerned about protecting registered underage users on the platform. According to the Garante, TikTok’s current challenges in establishing compliance with the platform’s age limitations do not rule out the possibility that ‘personalized’ advertising with inappropriate content may be shown to younger users based on the company’s legitimate interest.

The Garante used the powers granted to it by the GDPR to send TikTok a formal ‘warning’ that processing data based on its ‘legitimate interest’ would be in conflict with the current regulatory framework, at least with regard to the information stored in users’ devices, and would entail all the relevant consequences, including corrective measures and fines.

The discovery of an ePrivacy directive violation allowed the Garante to intervene directly and urgently in relation to TikTok, bypassing the GDPR’s cooperation procedure, which would have required the Irish Data Protection Commission to lead the proceeding, since TikTok’s main EU establishment is in Ireland.

In any case, relying on the controller’s legitimate interest to process information that is not retained on users’ devices does not appear to be in accordance with the GDPR. As a result, Garante notified the European Data Protection Board and the Irish Data Protection Commission of its decision, allowing them to take additional action.

TikTok’s Response

As a result, TikTok has ‘paused’ its privacy policy update in Europe following the regulatory scrutiny from the Garante.

The update in Europe was set to go live today (July 13), which would have meant the platform stopped asking users for permission to be monitored in order to get targeted advertising, according to TechCrunch.

A TikTok spokesperson sent this statement to TechCrunch:

While we engage on the questions from stakeholders about our proposed personalized advertising changes in Europe, we are pausing the introduction of that part of our privacy policy update. We believe that personalized advertising provides the best in-app experience for our community and brings us in line with industry practices, and we look forward to engaging with stakeholders and addressing their concerns.


We will keep following this story and update as the case evolves.

Garante fines company €3,000 for unlawful employee monitoring
https://www.iubenda.com/en/blog/garante-fines-zito-auto-di-gianfranco-zito-e3000-for-unlawful-employee-monitoring/
Wed, 13 Jul 2022 14:24:04 +0000 (https://www.iubenda.com/blog/?p=6688)

The Italian Garante issued Order No. 178, which fined an Italian automotive business € 3,000 for unlawful employee monitoring.

In short:

Following a report filed by the Guardia di Finanza, the Italian Garante issued Order No. 178, which fined an Italian automotive business € 3,000. The Authority discovered 14 closed-circuit television cameras installed both inside and outside the company’s facilities, allowing employees’ activities to be watched remotely.

When determining the fine, the Authority took into account that the business cooperated during the inquiry and swiftly removed the cameras and erased the stored images. The Garante ordered that the judgment be posted on the company’s website and that employees receive an appropriate privacy notice.

Background

The Garante said, in particular, that the financial police had investigated Zito Auto, where they discovered 14 operational CCTV cameras positioned inside and outside the company’s grounds, allowing remote monitoring of personnel’s actions.

The Garante findings

The Garante determined that the fact that employees had been individually informed of the presence of the closed-circuit television cameras was insufficient, referencing Article 5 of the GDPR, which states that consent is not an adequate legal basis for the processing of employees’ personal data in the workplace.

Furthermore, the Garante concluded that employee monitoring measures did not meet the legal requirements of Law No. 300 of 1970, the ‘Statuto dei lavoratori’ (Italian legislation governing workers’ rights).

Based on the evidence, the Garante concluded that Zito Auto’s processing of personal data via CCTV cameras violates Articles 5(1)(a) and 5(1)(c) of the GDPR, as well as Article 114 of the Code.

The Garante issued an administrative fine in light of the nature of the articles breached, taking into account, among other things, the fact that Zito Auto had cooperated in the course of the investigation and had swiftly removed the CCTV cameras and deleted the stored images.

Outcome

The Garante imposed the previously indicated fine of € 3,000 against Zito Auto and ordered:

  1. the judgment will be published on its website; and
  2. Zito Auto will provide employees with an adequate privacy notice.

Lastly, the Garante stated that Zito Auto has:

  • 30 days to settle the disagreement by paying half of the fine imposed, and
  • it may also file an appeal within the same timeframe.

The official decision can be found here (in Italian).

GDPR Compliance in the Czech Republic
https://www.iubenda.com/en/blog/gdpr-compliance-in-the-czech-republic/
Wed, 13 Jul 2022 14:17:30 +0000 (https://www.iubenda.com/blog/?p=6680)

The Czech Republic DPA conducted an annual audit program to ensure GDPR compliance in terms of cookie processing.

The Authority’s president stated that:

if there is noncompliance, there will be economic sanctions.

The most serious flaws were discovered in the requirements for free consent and information to be given to the user, such as:

  • use of non-technical cookies without consent;
  • the lack at the first level of the banner of the ability to express refusal to the use of non-technical cookies;
  • the difference in the visibility of consent and non-consent buttons for the use of non-technical cookies;
  • improper categorization of cookies;
  • absence of information about the individual cookies used;
  • information about cookies placed in a foreign language.

The survey findings were published on the Authority’s website, with a link at the bottom to specific FAQs relevant to this topic.

Short on time? Below we’ve summarized the Czech Republic’s FAQs about cookie processing.

Cookie Processing GDPR Compliance in the Czech Republic FAQ

1. Do I have to get the user’s consent to store all cookies?

For technical cookies, consent is not necessary; however, this exception only applies to the storage and reading of cookies in the user’s browser.

Personal data is typically processed even through technical cookies, and any further processing of this data must therefore comply with the general legislation.

2. What are the conditions for granting consent?

Above all, consent should be free, specific, informed, and unequivocal. The data subject must have the simple option of refusing consent without fear of repercussions (e.g. unavailability of website content).

3. Is it possible to give consent through a browser?

The Office does not rule out this option. However, the controller (the administrator of personal data) must be able to demonstrate that the user gave consent to the processing for each individual purpose.

4. How to inform users about cookies when obtaining consent?

The information should be straightforward and understandable to an ordinary user. Its structure depends on the number of cookies stored: a site that sets one cookie and shares no data with other entities will present it differently from one that sets dozens of cookies whose data is processed by many other companies. More extensive information should be presented in a structured format for clarity.

5. Do I have to allow the user to revoke the consent given?

Yes. Consent to the processing of personal data can be canceled at any time by the data subject, and withdrawing consent should be as simple as providing it.

6. From January 2022, is it possible to process personal data obtained through cookies on the basis of legitimate interest?

Yes. The obligation to obtain consent for storing and reading cookies in the user’s browser (required by the Electronic Communications Act) must be distinguished from the subsequent processing of the personal data (analysis, profiling, etc.), which is fully subject to the GDPR regime.

7. Is it possible for the “Accept All” button to be a different color than the “Reject All” button?

The appearance and color of the buttons should be chosen in such a way that the data subject has the freedom to choose whether or not to provide consent. The “I agree” button, for example, should not be significantly larger or more colorful than the “Reject” one.

The banner below is an example of a compliant cookie notice – once implemented in accordance with the law. Remember that cookie notices are just one part of the cookie consent management requirements of the Cookie Law and GDPR. In order to be fully compliant, you must also link to an accurate cookie policy and block cookies prior to user consent.



8. Does the “Reject All” button need to be visible at first glance? Is it possible to place it all the way to Settings?

The decline button should be on the same level as the accept button in order for the data subject to have a free choice.

9. Is it possible to have YES checked in advance for analytical and marketing cookies?

No. Under the GDPR, as Recital 32 makes clear, pre-ticked boxes cannot be considered consent.

10. Is it necessary to inform about all individual cookies that the user accepts? Where, if any, should the statement be placed?

A list of individual cookies, together with their purpose, is highly suggested. The location of this information must be evaluated in relation to the number of cookies so that the information presented is clear and easy to access. The information can therefore be immediately in the structured cookie bar, for example, after clicking “more information,” or there can be a link to a document containing cookie information.

11. Can I prevent the customer from using the site before giving consent to cookies?

Recital 32 of the GDPR states that where consent is requested by electronic means, the request must be clear, concise and not unnecessarily disruptive to the use of the service for which it is provided.

12. If the user closes the cookie bar, can I consider this as consent?

No, the user must express his consent clearly. If the user can close the bar without indicating whether or not he consents, closing it and then continuing on the website cannot be considered consent.

13. How long does consent to the storage of cookies remain valid, and when can consent be requested again after a previous refusal?

In general, 12 months can be considered a reasonable period for which consent to the use of cookies remains valid.

If the user refuses consent, they should not be asked again for at least 6 months after the cookie bar was last displayed. This period may be shortened if:

  • one or more circumstances of the processing have changed substantially; and
  • the operator is unable to track the earlier consent or refusal (e.g. the user has deleted the cookies stored on their device).
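The rules in FAQs 7, 9, 12 and 13 above, together with the prior-blocking requirement mentioned under FAQ 7, as an added example in JavaScript. This is not iubenda’s code nor anything published by the Czech DPA; it is a consent-state model written as pure functions so the timing rules can be unit-tested without a browser. The category names, the `policyVersion` string (bumped by the site operator whenever cookie purposes or recipients change), the 30-day “month” and the sample script inventory are all assumptions of this example.

```javascript
// Added example (not iubenda's code): consent-state rules from the Czech DPA FAQ
// above, written as pure functions so they can be unit-tested without a browser.
//   - technical cookies never need consent; analytics/marketing are opt-in
//   - nothing is pre-ticked, and closing the banner is neither consent nor refusal
//   - consent is valid for 12 months; after a refusal the banner stays hidden for 6
//   - re-prompt sooner when processing circumstances change (policy version bump)
//     or when the stored choice is gone (e.g. the user deleted the consent cookie)
// Assumptions: a "month" is 30 days; policyVersion is a string the operator bumps
// whenever cookie purposes/recipients change; the category names are ours.

const MONTH_MS = 30 * 24 * 60 * 60 * 1000;
const CONSENT_TTL_MS = 12 * MONTH_MS;
const REFUSAL_COOLDOWN_MS = 6 * MONTH_MS;
const OPT_IN_CATEGORIES = ["analytics", "marketing"];

// Banner defaults: only the always-on technical category is "checked".
function defaultChoices() {
  return { technical: true, analytics: false, marketing: false };
}

// Turn a banner interaction into the record stored in the consent cookie.
// Returns null for "dismiss": closing the bar must not be treated as a choice.
function recordDecision(action, choices, now, policyVersion) {
  switch (action) {
    case "accept_all":
      return { decision: "consent", choices: { technical: true, analytics: true, marketing: true }, at: now, policyVersion };
    case "reject_all":
      return { decision: "refusal", choices: defaultChoices(), at: now, policyVersion };
    case "save": {
      // Explicit per-category choice; technical is forced on, nothing else defaults to true.
      const c = { ...defaultChoices(), ...(choices || {}), technical: true };
      const optedIn = OPT_IN_CATEGORIES.some((cat) => c[cat] === true);
      return { decision: optedIn ? "consent" : "refusal", choices: c, at: now, policyVersion };
    }
    case "dismiss":
      return null;
    default:
      throw new Error(`unknown banner action: ${action}`);
  }
}

// Is a stored record still usable under the current policy and time limits?
function recordIsCurrent(record, now, policyVersion) {
  if (!record || record.policyVersion !== policyVersion) return false;
  const age = now - record.at;
  const ttl = record.decision === "consent" ? CONSENT_TTL_MS : REFUSAL_COOLDOWN_MS;
  return age >= 0 && age < ttl;
}

// Show the banner when there is no usable record: first visit, cookie deleted,
// policy changed, consent older than 12 months, or refusal older than 6 months.
function needsPrompt(record, now, policyVersion) {
  return !recordIsCurrent(record, now, policyVersion);
}

// Categories allowed to run now. Technical is always allowed; opt-in categories
// only under a current consent record that explicitly enables them.
function allowedCategories(record, now, policyVersion) {
  const allowed = new Set(["technical"]);
  if (recordIsCurrent(record, now, policyVersion) && record.decision === "consent") {
    for (const cat of OPT_IN_CATEGORIES) if (record.choices[cat] === true) allowed.add(cat);
  }
  return allowed;
}

// Prior blocking: every third-party script is declared with a category and only
// the allowed ones are activated. In a real page this is the step that turns a
// <script type="text/plain" data-category="..."> into an executable script once
// consent exists; here it simply returns the list of sources that may load.
function activateScripts(scripts, record, now, policyVersion) {
  const allowed = allowedCategories(record, now, policyVersion);
  return scripts.filter((s) => allowed.has(s.category)).map((s) => s.src);
}

// Constructed sample inventory (hypothetical hosts), the same list a cookie
// policy would enumerate cookie by cookie.
const SAMPLE_SCRIPTS = [
  { src: "/static/session.js", category: "technical" },
  { src: "https://analytics.example/tag.js", category: "analytics" },
  { src: "https://ads.example/pixel.js", category: "marketing" },
];

if (typeof require !== "undefined" && require.main === module) {
  const v = "2022-07";
  const t0 = Date.UTC(2022, 6, 13);
  const refusal = recordDecision("reject_all", null, t0, v);
  console.log("re-prompt 5 months after refusal?", needsPrompt(refusal, t0 + 5 * MONTH_MS, v)); // false
  console.log("re-prompt 6 months after refusal?", needsPrompt(refusal, t0 + 6 * MONTH_MS, v)); // true
  console.log("scripts allowed under refusal:", activateScripts(SAMPLE_SCRIPTS, refusal, t0, v));
}
```

The consent record itself would be written to a first-party cookie, which is a technical cookie and needs no consent. Keeping the decision logic separate from the DOM is what lets you prove, in a test, that a dismissed banner never loads an analytics tag and that a refusal is not re-prompted early.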

How can iubenda help?

If you need help getting compliant then you’re in the right place. We help with the legal requirements, so you can focus on the business. Our attorney-level solutions make your websites and apps compliant with the law across multiple countries and legislation.

Easily generate a fully customizable cookie banner, seamlessly collect consent and implement prior blocking with asynchronous re-activation, by clicking here!



Failing to delete data on 685,000 data subjects https://www.iubenda.com/en/blog/failing-to-delete-data-on-685000-data-subjects/ Thu, 07 Jul 2022 08:23:58 +0000
The Danish DPA has reported Gyldendal A/S to the police and recommended a fine of DKK 1,000,000 (about €134,415) for retaining, instead of deleting, data on 685,000 former book club members.

The recommendation followed an inspection visit by the DPA.

The company had kept the information of 685,000 people who had opted out of the book club.


Instead of deleting the data when the individuals left, Gyldendal stored it in a so-called passive database. Former book club members’ data was stored in it for more than ten years in 395,000 cases.

There were no guidelines or procedures in place for deleting data from the passive database.

During the investigation, Gyldendal erased all data from the passive database and stated that, in future, former members’ data will be kept for six years.

Fundamental principles

One of the fundamental principles of data protection is that personal data must not be kept longer than necessary. The DPA considers a fine warranted here because a large amount of Danes’ information was held for an extended period without any objective purpose.

In recommending a fine, the Danish Data Protection Authority stressed that the breach concerns two fundamental principles for the processing of personal data, storage limitation and accountability, and affects a considerable number of data subjects.

GDPR compliance certificate https://www.iubenda.com/en/blog/gdpr-compliance-certificate/ Thu, 07 Jul 2022 08:13:29 +0000
Luxembourg is the first country to implement a GDPR compliance certificate. 


Luxembourg’s National Commission for Data Protection (CNPD) has developed certification criteria under the name GDPR-CARPA (General Data Protection Regulation Certified Assurance Report-based Processing Activities). According to the CNPD, the scheme verifies an organization’s processing activities and provides

“data controllers and subcontractors with a high level of GDPR compliance.”

The CNPD stated that certification encourages openness and compliance and allows data subjects to

“better assess the level of data protection given by the products, services, processes, or systems of organizations that process their personal data.”

On May 13, 2022, the CNPD adopted its GDPR-CARPA certification mechanism, the first certification mechanism adopted under the GDPR (General Data Protection Regulation) at both national and European level.

Who can use the GDPR compliance certificate?

Companies, public bodies, groups, and other organizations based in Luxembourg can now certify that their data processing activities conform with the GDPR.

GDPR-CARPA provides controllers and processors with a high level of regulatory compliance for the data processing activities covered by the certification.

The mechanism certifies specific processing activities (e.g. products, services, processes or systems used or offered by an organization) rather than the organization as a whole.

The CNPD accredits the certification bodies that will issue GDPR-CARPA certificates.

What distinguishes the CNPD’s mechanism is that it is based on an ISAE 3000 Type 2 assurance report, in which the auditor issues an opinion on the operating effectiveness of the controls and is formally accountable for that opinion.

This contributes to a high level of trust in the processing activities certified under the scheme.

The EU Data Governance Act https://www.iubenda.com/en/blog/the-eu-data-governance-act/ Thu, 16 Jun 2022 09:34:36 +0000
The EU Data Governance Act (DGA) was published in the Official Journal of the European Union on 3 June. In this short read, we’ve summarized the reasons and goals of the DGA for your convenience.



The DGA, which provides greater access to public sector data to develop new products and services, will come into force on 23 June and will apply to companies 15 months later.

The proposal’s reasons and goals

The explanatory memorandum accompanying the proposal for a Regulation of the European Parliament and of the Council on data governance sets out its reasons and goals.

The DGA is the first of a series of data-related initiatives announced under the EU’s 2020 European strategy for data. It aims to make more data available for use by strengthening data-sharing mechanisms across the EU and increasing trust in data intermediaries, addressing the following:

  • Making public sector data re-usable where such data is subject to third-party rights.
  • Data sharing among businesses in exchange for remuneration in any form.
  • Allowing personal data to be used with the assistance of a “personal data-sharing intermediary,” which is intended to assist persons in exercising their rights under the General Data Protection Regulation (GDPR).
  • Allowing the use of data on the basis of altruism.


You can read the official text here.

Fine for Italian Ministry of Defense https://www.iubenda.com/en/blog/fine-for-italian-ministry-of-defense/ Wed, 08 Jun 2022 15:47:56 +0000
Following the disclosure of two emails containing personal data to unauthorized third parties, the Italian DPA fined the Ministry of Defense €10,000.

The Italian Data Protection Authority received a complaint from an employee of the Ministry of Defense concerning the unauthorized disclosure of two emails containing personal data:

  1. An internal report on the investigation of a selection procedure included a copy of an email from the Direzione Generale del Personale Militare to the Competition Commission, containing a request for a medical opinion, details of the person’s diagnosis, and a request for the person to undergo a medical examination.
  2. The military unit SDI Battalion South forwarded an email from the Registry of the Military Court of Naples to unauthorized military personnel; it contained a submission from the Public Prosecutor’s Office concerning a criminal penalty imposed on the complainant.

Read the official decision from the Garante here → (in Italian)

Meta – Potential large fine for breaching children’s data on Instagram https://www.iubenda.com/en/blog/meta-potential-large-fine-for-breaching-childrens-data-on-instagram/ Wed, 08 Jun 2022 15:45:18 +0000
Meta Platforms, the parent company of Facebook, faces a possibly hefty fine for infringing on children’s privacy on its Instagram service months after setting aside hundreds of millions of euros to meet the cost of regulatory inspections.


The General Data Protection Regulation (GDPR) has become a major instrument for regulating how big tech companies use consumers’ personal data, giving Ireland’s Data Protection Commission (DPC) broad authority to oversee many of them, including Meta.

However, the actions to penalize Meta in the Instagram case have sparked a disagreement among European data authorities, with six refusing to support the proposed penalties.

The grounds for the objections raised by the regulators of Finland, France, Germany, Italy, the Netherlands, and Norway have not been made public.

The European Data Protection Board (EDPB), which ensures the consistent application of the GDPR across the EU and EEA, is now handling the Instagram dispute.

In response to questions regarding the case, the EDPB stated:

The EDPB has received a formal submission with regard to Instagram, which is the first step in the triggering of the dispute resolution mechanism. We are currently assessing the completeness of the file.


In response to queries regarding the Instagram investigation, Facebook stated:

We continue to cooperate with the DPC on all relevant matters.


The proposed sanction is the first from the Irish DPC in a cross-border investigation to concern breaches of children’s data rights since the DPC took on pan-European powers to enforce the GDPR in 2018.

Trans-Atlantic Data Privacy Framework Report 🇪🇺🇺🇸 https://www.iubenda.com/en/blog/trans-atlantic-data-privacy-framework-report-%f0%9f%87%aa%f0%9f%87%ba%f0%9f%87%ba%f0%9f%87%b8/ Wed, 08 Jun 2022 15:41:55 +0000
📢 Important Update: EU-US Data Privacy Framework Agreement Reached! 🌍🤝

In light of this significant development, we have updated our coverage to reflect the latest information. To stay up-to-date on the new EU-US Data Privacy Framework agreement and its implications, we invite you to read our latest article on the topic.

🔍 Discover the latest: EU to USA Personal Data Transfers Now Approved

Thank you for your continued support and trust in our coverage of important global issues!

 

The Congressional Research Service has updated its report on the Trans-Atlantic Data Privacy Framework between the EU and the United States.


Short on time? We’ve summed up the report’s key points below, or you can read the full report from the Congressional Research Service here.

Overview

The US and the European Union (EU) reached a political agreement in March 2022 on a new Transatlantic Data Privacy (TADP) Framework to protect commercial cross-border data transfers. For decades, data privacy and protection have been a stumbling block in US-EU ties. The new approach is designed to meet EU data protection requirements while still facilitating transatlantic trade.

Confused about the new Trans-Atlantic Data Privacy Framework? Click here for our guide on everything you need to know and what to do.

Data transfer and surveillance issues

The EU views communication privacy and personal data protection as fundamental rights, but the US government policy safeguards specific data on a sectoral basis.

Several data transfer agreements (both commercial and law enforcement) have been signed between the US and the EU over the years to address EU concerns about US data protection procedures.

Despite assurances from the US, many EU people are concerned about US intelligence and surveillance legislation and the possibility of US government access to EU individuals’ personal data.

The resulting tensions and legal battles have undermined successive US-EU data transfer agreements, jeopardizing bilateral trade for US and EU enterprises and raising concerns in Congress.

The TADP Framework

The Biden Administration and the European Commission (the EU’s executive, responsible for negotiating on behalf of the EU) declared, in announcing the “deal in principle” on the TADP Framework, that the agreement

“reflects the strength of the enduring U.S.-EU relationship.”


Negotiators from the United States and the European Commission are working out the details of the new framework and turning the agreement in principle into formal documents. The US commitments will then be formalized through a presidential executive order, which does not require congressional approval.

The EU would then have to assess those documents before giving the framework its final approval.

The future of data transfer

EU officials intend to finalize and adopt the new TADP Framework by the end of 2022. Its implementation may reduce the uncertainty created when the CJEU struck down the Privacy Shield in its Schrems II decision, but stakeholders will be watching future enforcement closely.

In addition, new legal challenges from EU privacy advocates might put the agreement’s long-term viability to the test.

Investigation against Twitter for targeted advertising https://www.iubenda.com/en/blog/investigation-against-twitter-for-targeted-advertising/ Tue, 31 May 2022 14:50:59 +0000
The Federal Trade Commission (FTC) has charged Twitter, Inc. with using data collected for account security for targeted advertising, contrary to its privacy representations to users.

Twitter told users it was collecting their phone numbers and email addresses to protect their accounts, then also used that data to let advertisers target them, boosting its ad revenue by millions of dollars.

This deception violates a 2011 FTC order that prohibits Twitter from misrepresenting its privacy and security practices. Under the proposed order, Twitter would pay a $150 million civil penalty and would be barred from profiting from the deceptively collected data.

In addition to the $150 million penalty, the proposed order would:

  • prohibit Twitter from profiting from deceptively collected data;
  • require Twitter to let users choose multi-factor authentication methods that do not require a phone number, such as authenticator apps or security keys;
  • require Twitter to notify users that phone numbers and email addresses collected for account security were also used to target ads at them, and to provide information on its privacy and security measures;
  • require Twitter to implement and maintain a comprehensive privacy and information security program that, among other things, assesses and addresses the privacy and security risks of new products;
  • limit employee access to users’ personal data; and
  • require Twitter to notify the FTC if it suffers a data breach.

For more information on this see the FTC press release here. 

Lawsuit against Mark Zuckerberg https://www.iubenda.com/en/blog/lawsuit-against-mark-zucherberg/ Tue, 31 May 2022 14:39:48 +0000
The District of Columbia attorney general has filed a lawsuit against Mark Zuckerberg, aiming to hold the Facebook co-founder personally liable for allowing the political consultancy Cambridge Analytica to gather the personal data of millions of Americans during the 2016 election season. 


The lawsuit, filed in the capital by Attorney General Karl Racine of the District of Columbia, claims that Zuckerberg was actively involved in policies that allowed Cambridge Analytica to collect personal data on US voters without their consent in order to aid Donald Trump’s presidential campaign.

“This unprecedented security breach exposed tens of millions of Americans’ personal information, and Mr. Zuckerberg’s policies enabled a multi-year effort to mislead users about the extent of Facebook’s wrongful conduct,” Racine said in a news release.


Meta has declined to comment.

While we are used to hearing about big tech companies such as Google, Amazon, and Apple falling under legal scrutiny, this is the first time a lawsuit has been filed against the CEO of one of the industry leaders.

Mr. Racine claims that hundreds of documents he has now obtained in the case prove Zuckerberg’s direct involvement in Cambridge Analytica’s decision-making, and he is thus suing Zuckerberg directly.

“Our investigation shows extensive evidence that Zuckerberg was personally involved in failures that led to the Cambridge Analytica incident,”

Mastercard – smile or wave to pay https://www.iubenda.com/en/blog/mastercard-smile-or-wave-to-pay/ Wed, 25 May 2022 11:18:14 +0000
In an attempt to get a share of the $18 billion (£14.4 billion) biometrics industry, Mastercard is launching a controversial initiative that will allow consumers to pay at the register with only a smile or a wave of the hand.


While face recognition technology has long been a source of concern for civil rights advocates, the payments giant announced that it was moving forward with a biometric checkout program that it claimed would speed up payments, reduce queues, and provide greater security than a standard credit or debit card.

“Once enrolled, there is no need to slow down the checkout queue searching through their pockets or bag,” Mastercard said. “Consumers can simply check the bill and smile into a camera or wave their hand over a reader to pay.”


Mastercard also claimed that the new payment mechanism would be more sanitary, capitalizing on health worries raised by the Covid outbreak.

The first tests will begin this week at five St Marche supermarkets in São Paulo, where customers can register for biometric payments in-store or via an app with Payface, Mastercard’s local partner.

Although campaigners have long highlighted concerns about data storage and monitoring, Mastercard highlighted studies indicating that 74% of worldwide customers had a “positive attitude” toward biometric technologies.

Questions have also been raised about how the data could be used to track, screen or monitor unsuspecting customers.

Online database for face recognition penalized https://www.iubenda.com/en/blog/online-database-for-face-recognition-penalized/ Wed, 25 May 2022 11:16:01 +0000
Clearview AI Inc was fined £7,552,800 by the Information Commissioner’s Office (ICO) for collecting photographs of individuals from the web and social media to construct a worldwide online database that could be used for face recognition.

📣 Update:

Clearview AI has won its appeal against the £7.5 million fine imposed by the UK Information Commissioner’s Office in May 2022. The First-tier Tribunal accepted that Clearview AI did carry out “data processing related to monitoring the behavior of individuals in the UK”, but held that the ICO lacked the authority to impose the penalty because the company’s customers were almost entirely law enforcement agencies outside the UK, whose activities are not subject to the provisions of the GDPR.

The ICO also issued an enforcement notice, directing the firm to stop accessing and exploiting personal data on UK residents that is freely available on the internet, as well as to erase UK resident data from its systems.

Clearview AI Inc’s usage of people’s photos, data scraping from the internet, and the use of biometric data for face recognition were all investigated jointly by the ICO and the Office of the Australian Information Commissioner (OAIC).

Who is Clearview?

Customers, including the police, can upload an image of a person to the company’s app, which is then compared to all of the photographs in the database.

The software then displays a list of photographs with comparable features to the customer’s photo, along with a link to the websites where those images were obtained.

Given the large number of UK internet and social media users, Clearview AI Inc’s database is likely to contain a significant quantity of data on UK residents collected without their consent.

Although Clearview AI Inc no longer offers its services to UK organizations, it has customers in other countries, so UK residents’ personal data is still being processed.

According to the ICO, Clearview AI Inc violated UK data protection law by:

  • failing to use UK residents’ information fairly and transparently, given that people are not informed about, and would not reasonably expect, this use of their personal data;
  • failing to have a lawful basis for collecting people’s data;
  • failing to have a process in place to stop data from being retained indefinitely;
  • failing to meet the higher data protection standards required for biometric data (classed as “special category data” under the GDPR and UK GDPR);
  • asking for additional personal information, including photos, from members of the public who asked whether they were on its database, which may have discouraged individuals from objecting to their data being collected and used.

The post Online database for face recognition penalized appeared first on Compliance Solutions for Websites, Apps and Organizations | iubenda.

Google sued for using NHS data without consent https://www.iubenda.com/en/blog/google-sued-for-using-nhs-data-without-consent/ Wed, 25 May 2022 11:11:45 +0000

Google is being sued in the United Kingdom for its use of 1.6 million people’s sensitive medical information.

Google sued for using NHS data without consent

Google is being sued in the High Court for exploiting 1.6 million Britons’ NHS data ‘without their knowledge or consent.’ The data was obtained in 2015 from the Royal Free NHS Trust in London by the company’s artificial intelligence branch, DeepMind, with the aim of testing a smartphone app called Streams.

Following an investigation by the Information Commissioner’s Office, the Royal Free NHS Trust in London, which handed the patient data to Google, had previously been told that the transfer was illegal.

How did Google gain access to medical records?

In order to test a smartphone app that could detect acute kidney injury, Google obtained data on 1.6 million patients, some of whom had only visited A&E in the previous five years.

The Royal Free NHS Trust later received a discount on the software, which is intended to address acute kidney injury; 25% of fatalities from the condition are said to be preventable if it is detected early enough.

According to a leaked letter from the NHS’s most senior data security adviser, reported by Sky News, Royal Free released the patients’ data on an “improper legal basis.”

The contract was later deemed illegal by the UK’s privacy authority, which chose not to sanction Royal Free because of a lack of guidance for the sector.

When the Information Commissioner’s Office published its findings, DeepMind stated that the “findings are about the Royal Free, [but] we need to reflect on our own actions too”.

What will the outcome of the High Court case be?

The representative action comes as the British government considers how the commercial sector may access NHS data to help patients and the country’s booming AI industry.

“I hope that this case can achieve a fair outcome and closure for the many patients whose confidential records were, without the patients’ knowledge, obtained and used by these large tech companies,” Mr Prismall added.

Violation of Health Data https://www.iubenda.com/en/blog/violation-of-health-data/ Wed, 11 May 2022 15:39:50 +0000

The French Data Protection Authority (CNIL) has fined Dedalus Biologie 1.5 million euros over a breach of health data.

Violation of Health Data

The massive data breach affected nearly 500,000 people, exposing their personal information and, above all, their medical information (HIV status, cancers, genetic diseases, pregnancies, drug therapy, or genetic data).

The Case’s Background

Dedalus Biologie supplies laboratories with software tools to support their data processing.
A data breach at two laboratories serviced by Dedalus Biologie was revealed in the press. The breach affected nearly 500,000 individuals and various data types, including personal medical information (illnesses, genetic diseases, pregnancies, drug treatments, etc.), and was subsequently investigated by CNIL.

What CNIL found

CNIL determined that Dedalus Biologie violated Article 28(3) of the GDPR, since the contracts between Dedalus Biologie and its clients did not include the information that this Article requires.
CNIL also found that, during a data migration from one tool to another requested by two laboratories using its services, Dedalus Biologie extracted a larger volume of data than required and thus processed data beyond the instructions given by the data controllers, in violation of GDPR Article 29.
Finally, CNIL found several shortcomings in the technical and organizational measures meant to safeguard the exposed data, including:

  1. a lack of a standardized protocol for data migration procedures;
  2. a lack of encryption of the personal data kept on the server;
  3. a lack of data erasure following the transfer to other software;
  4. no authentication required to access the public area of the server, and user accounts shared by several employees on its private area; and
  5. no monitoring procedure or security-alert escalation on the server.

As a result, CNIL determined that Dedalus Biologie violated Article 32 of the GDPR.

Outcome

In light of the above, and considering the violation of the affected data subjects’ privacy to be particularly harmful because of the type of data in question, as well as Dedalus Biologie’s multiple and serious failings, CNIL decided to impose the fine mentioned above and to publish its decision.

Android Privacy Sandbox https://www.iubenda.com/en/blog/android-privacy-sandbox/ Wed, 11 May 2022 15:38:55 +0000

What is the Android Privacy Sandbox?

In short:

The Privacy Sandbox on Android will bring new technologies that do not rely on cross-app identifiers such as the Advertising ID. The Privacy Sandbox aims to prevent covert tracking and data collection, and to provide safer ways for apps to integrate with third-party developers.

Android Privacy Sandbox

The four essential components, or “design proposals”, are:

  1. SDK Runtime, which allows third-party SDKs to be integrated into apps more securely.
  2. Topics API, which allows interest-based advertising without the use of user-level identifiers.
  3. FLEDGE API, which allows retargeting and personalized ads based on prior app usage without sharing data with other parties.
  4. Attribution API, which allows advertisers to measure and improve ad performance without exposing user-level information.

What Should Advertisers Do?

There isn’t much you can do right now other than study the design proposals and try to participate in collaborative forums with Google or others in the industry (find out how to get involved below).

Feedback

Android has received feedback on its first design concepts from developers across the ecosystem since the announcement.

“We recently announced the Privacy Sandbox on Android to enable new advertising solutions that improve user privacy and provide developers and businesses with the tools to succeed on mobile.”


According to the Android Developers Blog, this feedback is vital to ensuring that the design solutions work for everyone, and Google is encouraging people to keep sharing feedback via the Android developer site.

Leaked Facebook docs https://www.iubenda.com/en/blog/leaked-facebook-docs/ Wed, 04 May 2022 15:20:42 +0000

Facebook is being pushed to drastically adjust how it handles users’ personal data by what the company describes as a ‘tsunami’ of privacy regulations from around the world.

This “tsunami” of worldwide privacy legislation requires Facebook to understand how user data moves through its systems, so that the social media pioneer can implement policies that limit what is done with users’ information and reflect people’s privacy preferences.

According to a leaked internal document obtained by Motherboard/Vice, the “fundamental” problem is that Facebook has no idea where all of its user data goes or what it’s doing with it.

Motherboard/Vice published an explosive investigation on Facebook’s operations, which is expected to raise new concerns about the adtech giant’s failure to follow European privacy rules.

The story is based on a leaked internal paper prepared by privacy engineers on the company’s Ad and Business product team last year.

Meta, Facebook’s parent company, has claimed that the leaked internal paper does not show any sign of non-compliance with any privacy law. Furthermore, the company has released a statement in response to Motherboard/Vice stating that:

“New privacy regulations across the globe introduce different requirements and this document reflects the technical solutions we are building to scale the current measures we have in place to manage data and meet our obligations.”


EU Voice & EU Video https://www.iubenda.com/en/blog/eu-voice-eu-video/ Wed, 04 May 2022 15:15:30 +0000

New social media platforms from the European Data Protection Supervisor: EU Voice & EU Video


The European Data Protection Supervisor (EDPS) launched the public test phase of two social media platforms: EU Voice and EU Video. 


The two platforms are privacy-oriented environments based on the Mastodon and PeerTube software. The EDPS hopes to contribute to the strategy to advance Europe’s independence in the digital world.

People participating in the pilot phase of these platforms will be able to interact with the public by:

EU Voice

  • sharing short texts;
  • sharing images; and
  • sharing videos.

EU Video

  • sharing and uploading videos;
  • commenting on videos; and
  • sharing podcasts.


By beginning the pilot phase of EU Voice and EU Video, the EDPS hopes to contribute to the European Union’s data and digital sovereignty policy, which aims to strengthen Europe’s independence in the digital world.

“Our goal is to offer alternative social media platforms that put people and their rights to privacy and data protection first,” said Wojciech Wiewiórowski of the European Data Protection Supervisor.


Using EU Voice and EU Video means that users’ personal data is not sent to servers located outside the European Union or the European Economic Area. Furthermore, the two new platforms will carry no adverts and will not profile their users.

What does this mean?

No user profiling means no targeted ads.

“These measures, among others, give individuals choice and control over how their personal data is used,” said Wiewiórowski.


Even without profiling and targeted ads, the new social media platforms will be launched free of charge.

Second decision of the Austrian DPA on Google Analytics https://www.iubenda.com/en/blog/second-decision-of-the-austrian-dpa-on-google-analytics/ Wed, 04 May 2022 15:09:13 +0000

The Austrian Data Protection Authority issued a second ruling, finding that Google’s IP anonymization is insufficient for data transfers between the EU and the US.

Second decision of the Austrian DPA on Google Analytics

Background

Following the Schrems II decision, The European Center for Digital Rights (NOYB) filed complaints in the European Economic Area over corporations allegedly transferring personal data to Google and Facebook in violation of the GDPR.

The Austrian Data Protection Authority initiated a cross-border inquiry into Google and Facebook’s data transfer procedures in response to these allegations.

The Austrian DPA published its decision on one of those complaints on January 13, 2022. The complaint was aimed at the operator of an Austrian website (the Website Operator), which used the Google Analytics tracking and analytics tool on its website, and at Google LLC as the U.S. provider of this tool, to whom data was transferred through the tool. The Austrian DPA stated that the Website Operator had neither properly activated the option to “anonymize” website users’ IP addresses, which is normally available in Google Analytics, nor requested consent from its website users for data transfers to Google LLC.

Austrian DPA’s second ruling

The two reasons for this second ruling from the Austrian DPA are as follows:

  1. Google’s IP anonymization only applies to IP addresses, whilst other data such as online IDs set for cookies or device data are transferred unencrypted. Also, IP anonymization occurs only after the data has been transferred to Google.
  2. The Authority also rejected Google’s argument in the proceedings on a “risk-based strategy.” The Authority emphasized that the GDPR does not recognize a risk-based approach for data transfers to unsafe third countries, such as the United States.

On the other hand, both the Spanish and Luxembourg DPAs closed their cases because the website provider removed Google Analytics from the site following the NOYB complaint, without commenting on whether the use of Google Analytics was improper.

Google Play guideline updates https://www.iubenda.com/en/blog/google-play-guideline-updates/ Wed, 27 Apr 2022 16:01:49 +0000

Google Play Data safety, what’s it all about? 

The Google Play Data safety section is a simple way for you (the app owner) to help people (your users) understand what user data your app collects or shares, and to highlight your app’s key privacy and security practices.


This information will enable users to make better-informed decisions about which apps to install.

Google Play guideline updates

What’s changing?

By July 20, 2022, all developers must declare how they acquire and manage user data for apps they publish on Google Play and offer information on how they safeguard this data using security techniques such as encryption. This includes information gathered and processed by any third-party libraries or SDKs used in their apps.

From this point forward, app owners will have to start entering this information into Play Console using a form in the new Data safety section on the App content page.

This can be found in your developer account under Policy → App content.

After completing and submitting the Data safety form, Google will examine the information given as part of the app review process. 

A summary of this information will then be displayed on the app’s store listing, to help Google Play users understand how the app collects and shares data before they download it.

I own an app; does this apply to me?

All who have an app published on Google Play, including those on internal, closed, open, or production testing tracks, must complete the Data safety form.

Even those whose applications do not gather any user data are obliged to fill out the form and include a link to their privacy policy. 

In this situation, the completed form and privacy policy can show that no user data is collected or shared.

What users will see if an app shares data:
(Please note: this is an example and is subject to change)

What users will see if an app doesn’t collect or share data with organizations or companies:
(Please note: this is an example and is subject to change)

What users will see if an app doesn’t share any data with organizations or companies:
(Please note: this is an example and is subject to change)

How does Google recommend I prepare for these changes?

Google’s advice is to “Read and understand the requirements for completing the Data safety form in Play Console and complying with our User Data policy.”

In other words, you’ll need to:

  1. Make sure you’ve included a privacy policy;
  2. Examine how your app collects and shares user data, as well as its security practices;
  3. Examine your app’s specified permissions as well as the APIs it employs;
  4. Examine how any third-party code (such as third-party libraries or SDKs) in your app collects and shares data.

New three button banner for Google https://www.iubenda.com/en/blog/new-three-button-banner-for-google/ Wed, 27 Apr 2022 15:55:05 +0000

Google is going to update its cookie consent banner in Europe following a hefty fine of €150 million.

This new design comes a few months after the CNIL penalized Google €150 million for violating French law. According to the French authority, Google violated current regulations in the way it offered tracking options to users, that is, in what is commonly referred to as the “cookie banner”.

“Following conversations and in accordance with specific directives from the Commission nationale de l’informatique et des libertés (CNIL), we carried out a complete overhaul of our approach. In particular, we have changed the infrastructure we use to manage cookies,” Google wrote.


Not only has the text of the banner been updated, but the options at the bottom of the screen are also different.

Users used to have two options with the previous design: “I Agree” or “Customize.”

If a user clicked on “Customize,” Google redirected them to a different web page with various options. To turn off all personalization options, you had to click “off” three times and then confirm.

There are now three buttons in the new design: the previous two, “Customize” and “I Agree”, plus an additional “Deny All” button that allows users to opt out of all tracking with a single click. The two main buttons are identical in color, size, and shape.

The new popup will initially be available on YouTube in France. However, Google says it intends to roll out the new look across all Google services in Europe. Check out the new design below:

[Image: Google’s new three-button consent banner]

iOS privacy measure not enough? https://www.iubenda.com/en/blog/ios-privacy-measure-not-enough/ Wed, 27 Apr 2022 15:51:30 +0000

According to new research, some apps continue to track users despite improved iOS privacy measures.

iOS privacy measure not enough?

Since the introduction of App Tracking Transparency (ATT) in iOS 14.5, every iPhone and iPad app must now ask users whether they want to be tracked or not.

Some developers, however, have found new ways to track iOS users even when they opt out of being tracked by third-party apps.

According to a new independent study (via Ars Technica), these developers have been circumventing the new iOS privacy measures to identify and monitor users even when those users have asked not to be tracked.

While ATT is effective, it still has significant flaws that allow applications to capture data from the user’s device without them knowing.

The researchers looked at nine iOS applications that used server-side code to establish a user identity even when App Tracking was turned off. The code appears to have been provided by a subsidiary of the Chinese corporation Alibaba, which can trace this identity across apps. As a consequence, advertising firms can still tailor content to a specific user.

The study analyzed 1,759 applications before and after ATT was made available to iOS users. Although a quarter of these applications promise not to collect any user data, 80 percent of them include at least one tracking library.

Cookies activated without consent https://www.iubenda.com/en/blog/cookies-activated-without-consent/ Wed, 27 Apr 2022 15:48:06 +0000

The Spanish DPA fined a company €9,000 for using non-essential cookies without consent, without a reject option and without a cookie banner.

Cookies activated without consent

Non-essential cookies were set as soon as users viewed the online video portal run by JIMBO NETWORKS S.L., without their consent. Some of these cookies were provided by third-party vendors.

The website did not provide any option to disable all or specific cookies. Users were instead instructed to configure cookies through their browser settings.

The cookie policy also lacked information on whether the cookies used were set by the firm or by third-party suppliers, as well as on how long they remained active on users’ devices. Furthermore, the video portal had no cookie banner at all.

The initial fine of EUR 15,000 was made up of the following components:

  • EUR 5,000 for a breach of Art. 6(1) GDPR;
  • EUR 5,000 for a violation of Art. 13 GDPR; and
  • EUR 5,000 for a violation of Art. 22(2) LSSI.

It was lowered to EUR 9,000 due to acknowledgment of guilt and voluntary payment.

During its examination, the Spanish DPA found that Jimbo Networks had breached Articles 6(1) and 13 of the GDPR by processing personal data without a valid legal basis and without the data subjects’ consent, and by failing to communicate this information effectively to data subjects. Furthermore, the DPA found Jimbo Networks to be in violation of Article 22(2) of the LSSI since the website lacked an effective cookie policy.


Data Breach for Cash App https://www.iubenda.com/en/blog/data-breach-for-cash-app/ Wed, 20 Apr 2022 15:10:54 +0000

Data breach of 8 million+ Cash App users

Data of more than 8 million Cash App users were potentially breached after a former employee downloaded customer information. 


A former employee downloaded customer information, potentially exposing the data of over 8 million Cash App users. Cash App has not specified how the former employee had access to the data, although it is probable that he retained access long after leaving the company.

Block is the owner of Cash App Investing, an equities trading platform. According to Block’s admission, the former employee had access to the information as part of his job and downloaded reports on customers using Cash App’s stock investing function.

In a regulatory filing to the United States Securities and Exchange Commission (SEC), Block said it discovered the intrusion in December 2021.

“We know how these reports were accessed, and we have notified law enforcement,” Block’s spokeswoman Fiona Lee said.


Although the investigation is still ongoing, Block has warned that the eventual cost of the data breach is difficult to anticipate. They have also stated that they will continue to assess and tighten administrative and technical protections to protect information.

The data breach at Cash App Investing will not affect business operations.

According to Block, the data breach did not expose sensitive client information such as usernames, passwords, bank account information, or social security numbers.

Record fine for illegal use of artificial intelligence https://www.iubenda.com/en/blog/record-fine-for-illegal-use-of-artificial-intelligence/ Wed, 20 Apr 2022 15:10:02 +0000

The Hungarian Data Protection Authority issued a record fine of €670,000 (HUF 250 million) for the illegal use of artificial intelligence.


The case concerned the processing of personal data by a bank as a data controller, which automatically analyzed the recorded audio of customer service calls.

The analysis results were used by software to determine which customers should be contacted again. Specifically, voice signal processing software automatically analyzed each call against a list of keywords and assessed the caller’s emotional state. This data was then used to rank customers to be called back in order of priority.

The bank defined the purpose of the processing as quality control based on variable factors, preventing complaints and customer attrition, and improving the efficiency of its customer care.

In the Authority’s view, the bank’s privacy notice referred to these processing activities only in general terms, and no material information was available regarding the voice analysis itself. The privacy notice only indicated quality control and complaint prevention for data processing purposes.

The processing was based on the bank’s legitimate interests in retaining customers and improving the efficiency of its internal operations. However, they were unclear because the data processing activities associated with these interests were not separated in the privacy notice and the legitimate interests tests.

For years the bank had failed to give data subjects proper notice and a right to object, having concluded that it could not do so. The Authority emphasized that the only legitimate legal basis for emotion-based voice analysis can be the data subjects’ freely given, informed consent.

The Authority stated that the legitimate interest legal basis cannot be used as a “last resort” when all other legal grounds are inapplicable, and that data controllers cannot rely on it at any time or for any purpose. As a result, the Authority, in addition to imposing a record fine, ordered the bank to stop analyzing emotions during speech analysis.

 

The post Record fine for illegal use of artificial intelligence appeared first on Compliance Solutions for Websites, Apps and Organizations | iubenda.

Data Governance Act https://www.iubenda.com/en/blog/data-governance-act/ Wed, 20 Apr 2022 15:07:33 +0000

The Data Governance Act proposes to increase data sharing in the EU so that businesses and start-ups can access more data to build new goods and services. The key points are listed below for those after a quick read.


New Data Governance Act: what you need to know

The new regulations aim to increase trust in data sharing by making it safer and easier while maintaining compliance with data protection legislation.

The new Data Governance Act will:

  • improve the re-use of certain categories of data held by the public sector;
  • enable the establishment of common European data spaces in critical areas such as health, environment, energy, agriculture, mobility, finance, manufacturing, public administration, and skills;
  • introduce new standards for data marketplaces;
  • allow new data intermediaries to be recognized as trustworthy data organizers;
  • contain the initial steps toward limiting transfers of non-personal data; and
  • make it easier for businesses, individuals, and public organizations to share data for the public good (data altruism).

Is the EU data-sharing law in force?

The Data Governance Act was adopted by Parliament on April 6, 2022. It will become applicable 15 months after entering into force, i.e., in the summer of 2023.

How will this affect business owners?

Adding an extra layer of regulated data requires businesses to identify this data, where it resides, and how it is used.

As the final phases of this legislative process come to a close, the need for businesses to have a comprehensive privacy and data governance program is becoming clear. As part of that effort, having effective data discovery and mapping systems in place to accommodate this expanded range of data is essential.

Google’s ‘reject all’ cookie button https://www.iubenda.com/en/blog/googles-reject-all-cookie-button/ Wed, 13 Apr 2022 11:37:28 +0000

Google’s plan for a ‘reject all’ cookie button has been welcomed by the German authority.

After its existing approach was found to violate EU law, Google’s intention to add a “reject all” button to its cookie banners was endorsed by Hamburg’s data protection commissioner.

According to the French data protection authority CNIL’s general principle,

“rejecting cookies should be as easy as accepting them.”

Google has agreed to make a one-click reject button available by default. The button will most likely be rolled out in France first, where Google had previously been fined €150 million.

Hamburg’s Commissioner for Data Protection and Freedom of Information Thomas Fuchs said on Wednesday (6 April) during a presentation of his 2021 activity report that,

“Google has told us that they now want to gradually implement this ‘reject all’ button in the European Union, Switzerland, and the United Kingdom”

Google has stated that it will discontinue support for third-party cookies by 2023. The company is working on the Topics API, which is intended to eliminate the need for data to be sent to third-party providers or to Google’s servers.

About Google’s Topics API

For its Privacy Sandbox initiative, Google intends to rely on in-browser technologies rather than third-party cookies.

The Topics API is a Privacy Sandbox component in which Chrome records, each week, the five topics that best match the user’s browsing interests. These topics are updated weekly, and data older than three weeks is erased.

What does this mean for advertising?

Advertisers would be able to target their ads based on up to three of the user’s topics (one per week, drawn from the last three weeks). According to Google, these settings would be stored locally on the device, with no data sent to third-party suppliers or to Google’s servers. Users will be able to see, modify, or entirely disable their topics.

GDPR data-privacy violations https://www.iubenda.com/en/blog/gdpr-data-privacy-violations/ Wed, 13 Apr 2022 11:33:32 +0000

🇮🇪The Irish Data Protection Commissioner (DPC) fined Bank of Ireland €463,000 and reprimanded it for GDPR data-privacy violations.

This investigation was launched in response to 22 personal data breach notifications made to the DPC by Bank of Ireland Group plc (BOI) between 9 November 2018 and 27 June 2019. The notifications concerned corruption of data in BOI’s feed to the Central Credit Register (CCR), a centralised system that collects and securely stores loan information. The incidents included unauthorised disclosures of customer personal data to the CCR and unintended alterations of customer personal data held on the CCR.

When the DPC first approached Bank of Ireland about the issue, it stated that only one client was affected. “It ultimately transpired that approximately 47,000 data subjects were affected by this breach,” the DPC stated, adding that it took Bank of Ireland over 18 months to get a final tally for those affected.

The decision found:

👉Article 33 of the GDPR was infringed by BOI in 17 of the incidents. In some of them, Article 33(1) was infringed by BOI’s failure to notify the personal data breach to the DPC without undue delay.

👉Article 34 of the GDPR was infringed by BOI in 14 of the incidents. These infringements concerned BOI’s failure to communicate the breaches to the affected data subjects without undue delay in circumstances where the breaches were likely to result in a high risk to their rights and freedoms.

👉Article 32(1) of the GDPR was infringed because BOI failed to implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk presented by its processing of customer data when transferring information to the CCR. The DPC notes that “Article 32 of the GDPR will not automatically be infringed if an incident occurs which renders personal data inaccurate. Rather, in considering whether the requirements of Article 32 have been met by the controller, it is necessary to assess whether the controller has adequately gauged the level of risks to data subjects and whether the controller has implemented appropriate technical and organizational measures to ensure a level of security appropriate to the risk.”

GDPR compliance in the US https://www.iubenda.com/en/blog/gdpr-compliance-in-the-us/ Tue, 12 Apr 2022 14:08:33 +0000

Many still think that GDPR compliance isn’t needed in the US, but according to a study cited by Competition Policy International (CPI), 67% of the top 1,000 websites in the United States were found to be in violation of the GDPR.

67 % of US websites violate European data protection laws


The General Data Protection Regulation (GDPR), which came into effect in 2018, is one of several rules implemented by the European Union to protect personal data.

According to the survey, 67% of the top 1,000 websites in the United States were in violation of the GDPR, making American websites among the worst offenders against these rules.


There are a variety of infractions at work here:

⚠ 43% of websites fail to give European users the option to opt out of the sale of their data;
⚠ 55% fail to inform European users about cookies when they first visit the site; and
⚠ 32% of sites use ad trackers without European users’ consent.

But why should US companies care about GDPR compliance?

  • Companies in the US can be fined even if they have no presence in Europe; and
  • European data protection laws like the GDPR (which the UK has retained as the UK GDPR) give users the right to bring claims where their rights have been violated (this is similar to American laws like the CCPA in California).

💡 Take this 1-min quiz to find out which laws are relevant to you!

Unless companies change how they operate for European visitors, this lack of compliance could have severe consequences for them.

Violations of the GDPR can result in administrative fines of up to €20 million or 4% of annual worldwide turnover, whichever is higher. EU data protection authorities hand out a lot of fines to businesses of every size, so it’s a good idea to make sure you aren’t one of them!

Hackers used fake legal requests to get data from Apple & Meta https://www.iubenda.com/en/blog/hackers-used-fake-legal-requests-to-get-data-from-apple-meta/ Tue, 12 Apr 2022 13:42:52 +0000

According to people with knowledge of the situation, Apple Inc. and Meta Platforms Inc., the parent company of Facebook, supplied customer data to hackers posing as law enforcement officials.

In response to the forged “emergency data requests,” Apple and Meta handed over basic subscriber details, such as a customer’s address, phone number, and IP address, in mid-2021. According to the sources, such requests are normally granted only with a search warrant or subpoena signed by a judge; emergency requests, by contrast, do not require a court order.

Cybersecurity experts believe that some of the hackers who sent the fraudulent requests are minors from the United Kingdom and the United States.

According to sources, one of the minors is suspected of being the brains behind the cybercrime group Lapsus$, which has attacked Microsoft and Samsung Electronics. The City of London Police recently arrested seven people in connection with an investigation into the Lapsus$ hacking gang; the investigation is still ongoing.

A solution to the use of forged legal requests sent from compromised law enforcement email systems will be difficult to find, said Allison Nixon of the security firm Unit 221B.

“The situation is very complex,” she said. “Fixing it is not as simple as closing off the flow of data. There are many factors we have to consider beyond solely maximizing privacy.”


According to Apple’s guidelines, a supervisor of the government or law enforcement official who submitted the request “may be contacted and asked to confirm to Apple that the emergency request was legitimate.”

Google Tracking Activity Activated https://www.iubenda.com/en/blog/google-tracking-activity-activated/ Tue, 12 Apr 2022 13:34:54 +0000

Wondering about your Google activity tracking? For many users who had previously turned activity tracking off, Google is now turning it back on.

Google is updating its Workspace settings, including a change that enables activity tracking for all users of Google Workspace accounts, even if the organization’s admin previously blocked it. Furthermore, admins no longer control this setting for their users; instead, each user must individually toggle tracking off.

“These changes will give users additional control over their search data and better clarify how that data is gathered and used,” Google writes in an email to Workspace admins.


Here’s an overview of the email Google sent to Workspace administrators:

  1. Starting March 29th, even if a Google Workspace admin has blocked tracking via the “Web & App Activity” setting, Gmail, Drive, Docs, Calendar, Chat and several other services will no longer honour that decision.
  2. Users will have individual control over a new per-user setting called “Google Workspace search history.”
  3. By default, tracking is enabled, regardless of the organization’s previous admin settings.
  4. Google Workspace organizations no longer have the option to turn off “Web & App Activity” for all users.

Tracking turned on by default

Unless they opt out again, all Google Workspace users will have Google Workspace search history switched on by default.

Regardless of an organization’s preference that its Workspace users not be tracked by Google, Google believes it should enable tracking for all users to improve their experience by optimizing search results.

A vote to make anonymous crypto transactions illegal https://www.iubenda.com/en/blog/a-vote-to-make-anonymous-crypto-transactions-illegal/ Tue, 12 Apr 2022 13:09:24 +0000

Legislators in the European Union voted today in support of contentious legislation to make anonymous crypto transactions illegal, a move the sector has criticized as stifling innovation and invading privacy.

Despite opposition from major industry players such as Coinbase, and from legal experts who warned that overly harsh privacy intrusions could face legal challenges in EU courts, the measure was passed on Thursday.

According to records obtained by CoinDesk, more than 90 lawmakers voted in favor of the idea.

The plans aim to extend to the crypto sector the anti-money laundering (AML) rules that currently apply to traditional payments exceeding EUR 1,000 ($1,114). They go further for crypto payments, requiring the identification of payers and recipients of even the smallest crypto transactions, including those involving unhosted or self-hosted wallets.

How will this affect Bitcoin users?

The measure would criminalize anonymous cryptocurrency payments. It covers transfers made through exchanges like Coinbase Global (ticker: COIN) as well as transfers made using self-hosted or private wallets like MetaMask, the most popular crypto wallet with over 30 million users.

According to Coinbase CEO Brian Armstrong, under the new rules the exchange would be required to notify the authorities whenever a customer purchased more than EUR 1,000 in bitcoin via a self-hosted wallet.

As the vote to make anonymous crypto transactions illegal went through, Bitcoin’s price dropped around 2% within minutes, from $47,500 to $46,400.

Latest News: Privacy Shield guidance, upcoming challenges for publishers, Black Friday deals, Canadian privacy law, webinars + more https://www.iubenda.com/en/blog/latest-news-privacy-shield-guidance-upcoming-challenges-for-publishers-black-friday-deals-canadian-privacy-law-webinars-more/ Wed, 25 Nov 2020 15:49:59 +0000

Privacy Shield follow-up guidance

Since the Privacy Shield was invalidated, many of you have asked for more information on potential alternatives to it. We have closely followed the ruling and have prepared some guidance on the topic should you need it.

In short:

  • The Privacy Shield was a framework that allowed US companies to commit to stricter data protection standards and thus be regarded as safe recipients of EU personal data.
  • The Court of Justice of the EU has recently ruled that the Privacy Shield does not guarantee an adequate level of data protection.
  • If your service providers previously relied on the Privacy Shield for data transfers, you should check whether they now use an alternative such as Standard Contractual Clauses (SCCs), or consider other options.

For your convenience, we’ve put together a full list of all the services in our generator that are self-certified under the Privacy Shield, and made it available in the guidance post linked below.

Read the full post here →

iubenda Talks: Upcoming challenges for publishers and how to solve them

Over the years, we’ve come to serve clients from all levels of business – from freelancers to publishers, developers and enterprise businesses. We’re always trying to ensure that we’re providing support tailored to you, the user, regardless of what type of business you’re in.

For this reason, we’re happy to announce the first in our new series of iubenda Talks industry-focused webinars.


This first webinar is aimed at publishers (anyone that monetizes their site content via ads) and will cover some of the upcoming challenges publishers will face in Q4 and Q1, opportunities for growth and how to be ready for both.

The webinar will feature our CEO and Head of Product Andrea Giannangelo and Augustin Decré, the Regional Managing Director for South Europe at Index Exchange.

Register for the free webinar here →

Black Friday deal goes live!

What’s better than a Black Friday deal? 100+ SaaS tools with Black Friday deals!

Black Friday is just around the corner and you, like most business owners, are probably looking for deals on tools and services to help you improve your efficiency and reduce your costs.

That’s why we’ve joined over 100 SaaS tools to get you the best Black Friday deals, all in one place.

Get the most out of this Black Friday with discounts on some of the most useful SaaS solutions for your business (including our own!)

See all the deals here →

Our webinars

We have prepared the following webinars for you that cater to users of all levels — whether you’re a beginner or advanced.

At our webinars, you can ask our experts live and learn from others facing similar challenges on the route to becoming compliant. We also provide all attendees with useful resources after each webinar, so if you haven’t already, come experience it for yourself!

Reserve your spot by clicking the links below.

Thursday, December 3rd
Privacy Policies and Cookies: How to set your website/app up for success →
Everything you need to know about privacy policies and cookies from legal basics to set-up.

Thursday, December 10th
Our Terms and Conditions Generator – Protect your business from potential liabilities →
Designed to cover everything about our Terms and Conditions Generator.

Thursday, December 17th
Compliance for your website/app: Manage user consents and internal data processing for GDPR →
Everything you need to know about getting consent from your users and managing privacy for your company.

CPPA: the new privacy Act proposed by Canada

The Canadian Government proposed a new privacy act on November 17, 2020.

The proposed Consumer Privacy Protection Act (CPPA) is aimed at “modernizing the framework for the protection of personal information”, and the legislation is projected to include “the strongest fines among G7 for privacy laws”.

➤ The Act will apply to organizations that collect, use or share personal information across provincial or international borders.

➤ The term “organization” under the CPPA includes an association, a partnership, a person or a trade union.

➤ Under the Act, personal information is any information about an identifiable individual, living or deceased.

Full details here →

New privacy policy integrations and updates

We have also integrated the following services, which are now available to our users from within the generator:

  • IVO
  • Remixd
  • Prebid
  • GADSME
  • Admo.TV
  • BE A LION
  • Nielsen
  • Threedium
  • Pokkt
  • Ipsos MORI
  • Fido
  • digidip
  • Advisible

Visit your dashboard →

IAB Europe releases TCF v2.0. Google set to join https://www.iubenda.com/en/blog/iab-europe-releases-tcf-v2/ Wed, 28 Aug 2019 16:21:03 +0000

On August 21, 2019 IAB Europe, the leading European-level industry association for the digital marketing and advertising ecosystem, announced the launch of the second iteration of the Transparency and Consent Framework (TCF).

What the IAB Framework is and how it works

The Transparency and Consent Framework was created to help publishers, advertisers and ad networks to comply with the European Union’s General Data Protection Regulation (GDPR) and ePrivacy Directive (Cookie Law) by giving the publishing and advertising industries “a common language with which to communicate consumer consent for the delivery of relevant online advertising and content”.

First introduced in April 2018, the TCF allows publishers and website operators who monetize their content via third-party advertisers to communicate to vendors, in a standardized way, what preferences users have expressed when it comes to their personal data.

A vendor is a company that participates in the delivery of digital advertising within a publisher’s website, app or other digital content and that either accesses an end user’s device or browser or processes personal data about end users visiting the publisher’s content.

The communication between publishers and vendors via the framework is facilitated by IAB registered Consent Management Platforms (CMPs). CMPs act as an intermediary between the publisher, end-user and vendors, providing transparency for end-users and communicating their preferences to the relevant parties.

You can read more about how the TCF works here.

What’s new in version 2.0

The latest update to IAB’s Transparency and Consent Framework increases the total number of purpose categories. These categories are the legal disclosures of how and why data is used, so a finer-grained set improves overall transparency, making it easier for users to understand their options and control their data. The changes are also aimed at giving publishers more control over how their ad-tech vendor partners can use data collected on the publisher’s properties, and for what purposes.

Purposes

The original five purposes for processing personal data have been expanded to a more granular 12 (ten purposes plus two special purposes), with additional controls for things like precise geolocation and device fingerprinting, which are handled as special features requiring a separate opt-in. This adds a level of specificity that didn’t exist before, allowing end users to make more informed choices and potentially giving publishers more opportunities to obtain informed consent.

For example, publishers will be able to specify whether data is being used for content measurement, audience insights or ad performance rather than simply using the blanket category of “measurement”. This would allow users who are comfortable consenting to audience insights but, let’s say, not ad performance, to still provide consent.

Publishers implementing TCF 2.0 will also be able to restrict the purposes for which personal data is processed by third parties on the publisher’s website, on a per-vendor basis.

Legitimate interest and right to object

Under TCF 2.0, consumers can not only withhold consent to data collection but also exercise their right to object to how data is processed (for example, the use of precise geolocation). They will be able to object even where a business relies on the legitimate interest basis, just as easily as they can withdraw consent.

Messages

To better help users to understand how their data is being used and by whom, TCF 2.0 includes standardized messaging templates that offer both legal-language and user-friendly language versions. Users can have access to both the legal (mandatory) and user-friendly (optional) versions.

Variation options

One of the new additions to the TCF is a set of variation options (publisher restrictions). These allow publishers to set their own preferences regarding which vendors are allowed to process user data for a particular purpose, and on which legal basis. For example, they can select which vendors may process data for ad measurement and targeting purposes, and which may not. A vendor can be de-selected for one purpose while remaining selected for another.
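As an added example that is not part of the original post and is not IAB Europe’s or iubenda’s code, the following vendor-side JavaScript shows how the three signals described above (consent, legitimate interest subject to the user’s right to object, and per-vendor publisher restrictions) combine into a single decision about whether a tag may fire for a given purpose. It reads the `tcData` object a TCF 2.0 CMP hands back through `window.__tcfapi`; the field names follow the public TCF v2.0 CMP API, while the vendor IDs (10 and 20), the vendor’s declared legal bases and the sample `tcData` are constructed for the example.

```javascript
// Added example, not code from the page, IAB Europe or iubenda.
// Vendor-side gate: decide whether this vendor may process data for a TCF v2.0
// purpose, given the tcData object a CMP returns via window.__tcfapi.

// Publisher restriction types, as defined in the TCF v2.0 specification.
const RESTRICTION = { NOT_ALLOWED: 0, REQUIRE_CONSENT: 1, REQUIRE_LI: 2 };

// Purpose 1 ("Store and/or access information on a device") is consent-only
// under TCF v2.0 policy; legitimate interest is never a valid basis for it.
const CONSENT_ONLY_PURPOSES = new Set([1]);

/**
 * Return the legal basis this vendor may rely on for `purposeId`:
 * 'consent', 'legitimate_interest', 'gdpr_not_applicable', or null (may not process).
 * `declared` is what the vendor registered for this purpose on the Global
 * Vendor List, e.g. { consent: true, legitimateInterest: true }.
 */
function legalBasisFor(tcData, vendorId, purposeId, declared) {
  // No tcData yet means the CMP has not answered: fail closed.
  if (!tcData) return null;
  if (tcData.gdprApplies === false) return 'gdpr_not_applicable';

  // Publisher restrictions are keyed purpose -> vendor -> restriction type.
  const restriction = tcData.publisher?.restrictions?.[purposeId]?.[vendorId];
  if (restriction === RESTRICTION.NOT_ALLOWED) return null;

  // Consent must be present for BOTH the purpose and this specific vendor.
  const consentGiven =
    tcData.purpose?.consents?.[purposeId] === true &&
    tcData.vendor?.consents?.[vendorId] === true;

  // Legitimate interest stands only while the user has not objected; an
  // objection (the right to object in TCF 2.0) flips the vendor flag to false.
  const liEstablished =
    !CONSENT_ONLY_PURPOSES.has(purposeId) &&
    tcData.purpose?.legitimateInterests?.[purposeId] === true &&
    tcData.vendor?.legitimateInterests?.[vendorId] === true;

  // The publisher can force one basis even if the vendor declared both.
  const mayUseConsent = declared.consent === true && restriction !== RESTRICTION.REQUIRE_LI;
  const mayUseLI = declared.legitimateInterest === true && restriction !== RESTRICTION.REQUIRE_CONSENT;

  if (mayUseConsent && consentGiven) return 'consent';
  if (mayUseLI && liEstablished) return 'legitimate_interest';
  return null;
}

/** True only when every purpose the tag needs has a valid basis. */
function mayLoadVendor(tcData, vendorId, purposeIds, declared) {
  return purposeIds.every((p) => legalBasisFor(tcData, vendorId, p, declared) !== null);
}

/**
 * Browser glue: wait for the CMP's tcData and call `onDecision(tcData)` once
 * stored consent has loaded or the user has acted. Does nothing outside a browser.
 */
function onTcfReady(onDecision) {
  if (typeof window === 'undefined' || typeof window.__tcfapi !== 'function') return;
  window.__tcfapi('addEventListener', 2, (tcData, success) => {
    if (!success) return;
    if (tcData.eventStatus === 'tcloaded' || tcData.eventStatus === 'useractioncomplete') {
      onDecision(tcData);
    }
  });
}

// Constructed sample tcData (not from a real CMP): the user consented to
// purposes 1 and 2 and to vendor 10, refused consent for purpose 7, objected
// to vendor 20's legitimate interest, and the publisher restricted purpose 7
// to consent-only for vendor 10 and barred vendor 20 from purpose 9.
const SAMPLE_TCDATA = {
  gdprApplies: true,
  eventStatus: 'useractioncomplete',
  purpose: {
    consents: { 1: true, 2: true, 7: false },
    legitimateInterests: { 2: false, 7: true, 9: true },
  },
  vendor: {
    consents: { 10: true, 20: false },
    legitimateInterests: { 10: true, 20: false },
  },
  publisher: {
    restrictions: {
      7: { 10: RESTRICTION.REQUIRE_CONSENT },
      9: { 20: RESTRICTION.NOT_ALLOWED },
    },
  },
};

// Hypothetical vendor 10 declared both bases for every purpose it uses.
const VENDOR_10_BASES = { consent: true, legitimateInterest: true };

// Stand-alone run: purpose 9 (audience insights) proceeds on legitimate
// interest; purpose 7 (ad performance) is blocked by the publisher restriction.
console.log(legalBasisFor(SAMPLE_TCDATA, 10, 9, VENDOR_10_BASES)); // legitimate_interest
console.log(legalBasisFor(SAMPLE_TCDATA, 10, 7, VENDOR_10_BASES)); // null
console.log(mayLoadVendor(SAMPLE_TCDATA, 10, [1, 9], VENDOR_10_BASES)); // true
```

The gate fails closed: until the CMP has answered, or when a purpose has neither basis, the tag does not fire. Note that vendor 10 and purpose 7 above illustrate the publisher restriction overriding a legitimate interest the user never objected to, while vendor 20 and purpose 7 show the right to object taking legitimate interest off the table even though the purpose itself still carries it.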

Google and TCF 2.0

The latest version of the IAB Framework will also mark a big win in terms of industry traction, as Google has announced that it will integrate TCF 2.0 by early next year:

“We welcome the announcement of the final terms of TCF 2.0. Google has collaborated with the IAB Europe and its members throughout this process.” said Chetna Bindra, senior product manager for user trust, privacy and transparency at Google. “In line with the IAB Europe timeline we expect to integrate with TCF 2.0 shortly after the switchover from TCF 1.1 and when 2.0 goes fully live, which we currently understand as by end of Q1 2020. We will provide greater detail on our integration approach in the coming weeks.”

When

As businesses adopt the new updates, TCF 2.0 will operate in the market alongside TCF 1.1 through to the end of Q1 2020 (31st March). This will grant publishers and CMPs an appropriate transition period in which to properly integrate and fully adopt TCF 2.0. It will also give vendors enough time to develop and implement the code needed to adhere to the new protocol.

It’s worth noting that version 2 of the Transparency and Consent Framework is not backward compatible: after the initial transition phase, older versions will be deprecated on 30th June 2020.

iubenda

As a registered CMP and active member of IAB Europe, iubenda has been heavily involved in the drafting of TCF 2.0 and is making every effort to ensure that our TCF-compatible cookie management solution integrates with TCF 2.0 as seamlessly as it already does with v1.1.

You can read more in our guide on how to enable the Transparency and Consent Framework in our Cookie Solution.

Latest News: Avoid compliance traps pt.3, WordPress’ GDPR updates, Top user questions + more https://www.iubenda.com/en/blog/latest-news-avoid-compliance-traps-pt-3-wordpress-gdpr-updates-top-user-questions-more/ Mon, 18 Mar 2019 13:05:42 +0000

What’s inside

Avoid common compliance traps – Part 3

Continuing from last month’s newsletter, the third common compliance trap that many people fall into is confusing the roles and responsibilities of the data controller and the data processor. To clarify, a “data controller” is any person or legal entity that determines the purposes and means of processing personal data; a “data processor” is any person or legal entity that processes personal data on behalf of the controller.

For example, an e-commerce company collects user information and stores it using a 3rd party cloud service. In this scenario, the e-commerce company is the data controller and the organization running the cloud service is the data processor.

Ultimately, the data controller bears the responsibility for the user data processed, and, therefore, knowing which role applies to you is vital.

If you’re in any way confused about how this applies to your situation, if you have questions about our solutions, or if you’d simply like more information about the GDPR in general, we strongly suggest that you register for our upcoming webinar where you can have your questions answered in real time and learn from our experts.


Recap: The second common trap in this 5-part series is — assuming that the GDPR does not apply to you if you reside outside of the EU.


Guide to WordPress’ GDPR Changes: Benefits & Limitations

The changes are part of WordPress’s effort to make it easier for its users to be GDPR compliant; however, simply using these tools will not by itself make you compliant. In this guide, we go through the most important GDPR changes, how they can benefit you and how to address their limitations.


Read our comprehensive and practical guide here →


Webinar overview for March

We have prepared the following webinars for you that cater to users of all levels — whether you’re a beginner or advanced. At our webinars, you can ask our experts live and learn from others facing similar challenges on the route to becoming compliant. We also provide all attendees with useful resources after each webinar, so if you haven’t already, come experience it for yourself!

Reserve your spot by clicking the links below.

Wednesday, March 20th
Privacy Policies and Cookies: How to set your website/app up for success →
Everything you need to know about privacy policies and cookies from legal basics to set-up.

Tuesday, March 26th
Compliance for your website/app: Manage user consents and internal data processing for GDPR →
Everything you need to know about getting consent from your users and managing privacy for your company.


Top user question: Can the Privacy Policy of a multilingual site be in English only?

The short answer is that your legal documents (privacy/cookie policy & terms) should be available in the same language(s) as your site or app so that all your users are able to understand them.

More details can be found here →

New privacy policy integrations

We have also integrated/updated the following services which are now available to our users from within the generator.

Services/clauses updated:

  • Facebook pixel

Services/clauses added:

  • Rackone
  • Nagios

Latest News: Avoid compliance traps pt.2, how to manage your Email Marketing list, Cookie Solution plugins + more
https://www.iubenda.com/en/blog/latest-news-avoid-compliance-traps-pt-2-how-to-manage-your-email-marketing-list-cookie-solution-plugins-more/
Sun, 17 Feb 2019 22:32:29 +0000

What’s inside

  • Avoid common compliance traps – Part 2
  • Compliance and Newsletters/Email Marketing
  • Ask our experts live @ February webinars
  • Cookie Solution plugins: New custom scripts field makes it easier to block scripts
  • New privacy policy integrations

Avoid common compliance traps – Part 2

Continuing from last month’s newsletter, the second common compliance trap that many people fall into is assuming that the GDPR does not apply to them if they reside outside of the EU. If you’re based in a country outside of the EU, such as the US, Canada or Australia, the GDPR will still apply to you if you meet certain conditions (and you likely do).


Read more about when the GDPR applies here →

Recap: The first common trap in this 5-part series is — failing to keep Records of Processing Activities.

How to manage your Newsletter or Email Marketing list in a compliant way

A Newsletter is an incredibly powerful marketing tool and a cost-effective way to build and maintain a relationship with your customers. Unfortunately, it can also end up costing you if you’re not meeting your legal obligations.
Some of these requirements depend heavily on your method for collecting consent, how you design your forms and your newsletter itself.

For a full overview of what’s required, and visual examples of how you can implement it, read our comprehensive Email Newsletter guide here →

Webinar overview for February

We have prepared the following webinars for you that cater to users of all levels — whether you’re a beginner or advanced. At our webinars, you can ask our experts live and learn from others facing similar challenges on the route to becoming compliant. We also provide all attendees with useful resources after each webinar, so if you haven’t already, come experience it for yourself!

Reserve your spot by clicking the links below.

Wednesday, February 20th
Privacy Policies and Cookies: How to set your website/app up for success →
Everything you need to know about privacy policies and cookies from legal basics to set-up.

Tuesday, February 26th
Compliance for your website/app: Manage user consents and internal data processing for GDPR →
Everything you need to know about getting consent from your users and managing privacy for your company.

Cookie Solution plugins: New custom scripts field makes it easier to block scripts

Our most recent update to the interface of our Cookie Solution plugins makes it easier than ever for you to identify and block on-site scripts from directly within the plugin console — greatly reducing the necessity for direct interventions in the site’s code.

Find full details in the dedicated plugin guides below.

WordPress Plugin Guide →
Magento Guide →
Joomla! Guide →
PrestaShop Guide →

New privacy policy integrations

We have also integrated/updated the following services which are now available to our users from within the generator.

Services/clauses updated:

  • Remarketing with Google Analytics
  • Google Ads
  • Mailchimp
  • Update mobile permissions services
  • SharpSpring
  • Audiweb

Services/clauses added:

  • Robly
  • OpenStreetMap
  • Bing Maps
  • TomTom Maps
  • AWStats
  • WeChat widget (Tencent, Inc.)
  • Weibo button and social widgets (Sina Corp)
  • Google Analytics Signals
  • IO Technologies

Latest News: Avoiding compliance traps, policy for Google Analytics + more
https://www.iubenda.com/en/blog/latest-news-avoiding-compliance-traps-policy-for-google-analytics-more/
Mon, 14 Jan 2019 09:54:50 +0000

What’s inside

  • 2019 Challenge: Avoid common compliance traps
  • How to create a Privacy and Cookie Policy for Google Analytics
  • Ask our experts live @ January webinars
  • Popular this month: Privacy Policy for iOS and macOS Apps
  • New privacy policy integrations

Your challenge for 2019: Avoid common compliance traps

Based on the work we’ve done in the last year surrounding the GDPR we’ve noticed some popular compliance traps that many users fall into. We’ll be detailing the top 5 compliance traps over the next few newsletters and we’ll show you how to avoid them.

The first common trap in this 5-part series is — failing to keep Records of Processing Activities.


Read about this GDPR requirement and how to approach it here →

How to create a Privacy and Cookie Policy for Google Analytics (full guide)

In accordance with international privacy laws, Google generally requires you to have a legally compliant privacy policy in place if you use Google products. For Google Analytics in particular, there are a few specifics that you need to be aware of.

Find all details in our hands-on guide here →

Webinar overview for January

We have prepared an updated list of webinars for you that caters to all levels, whether you’re a beginner or advanced user.

In our webinars, you can ask our experts live and learn from others facing similar challenges on the route to becoming compliant. We also provide all attendees with useful resources after each webinar, so if you haven’t already, come experience it for yourself!

Reserve your spot by clicking the links below.

Wednesday, January 23rd
Privacy Policies and Cookies: How to set your website/app up for success →
Everything you need to know about privacy policies and cookies from legal basics to set-up.

Tuesday, January 29th
Compliance for your website/app: Manage user consents and internal data processing for GDPR →
Everything you need to know about getting consent from your users and managing privacy for your company.

Most popular article of the month: Privacy Policy for iOS and macOS Apps

Since the release of iOS 8, Apple has implemented many requirements that need to be met in order to avoid having your app rejected. One of the major requirements (that often results in Apps being rejected where conditions are not met) is that of data privacy.

Read all details here →

Android developer? Use this link instead →

New privacy policy integrations

We have also integrated/updated the following services which are now available to our users from within the generator.

New services/clauses added or updated:

  • Freshsales, Freshchat + Freshdesk
  • Jetscale
  • Funding choices by Google
  • Microphone permissions clause

Latest News: Make your blog compliant, Google Analytics and the GDPR + how to use the Consent Solution with CF7 and more
https://www.iubenda.com/en/blog/latest-news-make-your-blog-compliant-google-analytics-and-the-gdpr-how-to-use-the-consent-solution-with-cf7-and-more/
Thu, 06 Dec 2018 15:39:46 +0000

What’s inside

  • How to make your blog or simple website compliant
  • Webinar overview for December
  • Is using Google Analytics considered monitoring behavior under GDPR?
  • How to use Contact Form 7 with the Consent Solution
  • The best part of the Consent Solution (so far)
  • Interface improvements for our PrestaShop and Joomla! Plugins
  • New privacy policy integrations

How to make your blog compliant (full guide)

If you’re the owner of a blog or a relatively simple website, you are probably wondering whether the same rules that apply to commercial sites and apps apply to you. We’ve written this straightforward and extensive guide to help you understand what your legal obligations are and how to address them.

Read the hands-on guide here →

User question: Is using Google Analytics to track visitors considered monitoring behavior under GDPR?

This is one of the most up-voted user questions across our free webinars, which is unsurprising given how popular Google Analytics is. The answer, as you may have guessed, is a bit complicated.

Read the full answer here →

Webinar overview for December

With the Christmas break right around the corner this may be the perfect time to work on making your website or app compliant so that you are all set for 2019.

In our webinars, you can ask our experts live and learn from others facing similar challenges on the route to becoming compliant. We also provide all attendees with great resources after each webinar. So if you haven’t already, come experience it for yourself!

Sign up now by clicking the links below.

Tuesday, December 11th
How to easily make your website or app compliant with UK law →
In collaboration with our UK partner lawyer Akash Sachdeva from Keystone Law.

Thursday, December 13th
Compliance for your website/app: Manage user consents and internal data processing →
Everything you need to know about getting consent from your users and managing privacy for your company.

Wednesday, December 19th
Privacy Policies and Cookies: How to set your website/app up for success →
Everything you need to know about privacy policies and cookies from legal basics to set-up.

How to use Contact Form 7 with the Consent Solution

This hands-on tutorial shows you exactly how to integrate the Consent Solution with this popular WordPress contact form tool. Though the tutorial is centered around Contact Form 7, users of other third-party contact form tools will also find this tutorial practical and helpful.

See the full tutorial here →

The best part of the Consent Solution (so far)


As you may have seen already the Consent Solution now features the eagerly anticipated visual Dashboard.

The new aesthetic and user-friendly interface makes it easier than ever for you to review, filter, analyze and otherwise maintain your records.

You can find your Consent Solution Dashboard by simply visiting your main account dashboard > [Your website/app], then Consent Solution > Consent Solution Dashboard. 

Interface improvements for our PrestaShop and Joomla! Plugins

If you’re a PrestaShop or Joomla! user, you can now benefit from our recently implemented plugin interface improvements which include a more structured backend layout and label explanations where needed. You can find the plugins below.

PrestaShop plugin and installation guide →

Joomla! plugin and installation guide →

New privacy policy integrations

We have also integrated/updated the following services which are now available from within the generator for our users.

New services/clauses added or updated:

  • Facebook permissions clause
  • HockeyApp/App Center
  • Font Awesome

Latest News: Get your questions answered, learn from other users + two long-awaited features going live and more
https://www.iubenda.com/en/blog/latest-news-get-your-questions-answered-learn-from-other-users-two-long-awaited-features-going-live-and-more/
Tue, 13 Nov 2018 14:09:25 +0000

What’s inside

  • Your feedback, our webinars…
  • Eagerly anticipated product features going live!
  • New privacy policy integrations

Our hands-on webinars are getting ever more popular…

You, our users, often reach out to let us know how much our webinars have helped you, and we couldn’t be more thrilled!

We’re especially happy to continue providing webinars that are useful to both experienced users and users who don’t yet know the legal basics or our products that well.

In our webinars, you can ask our experts live and learn from others facing similar challenges on the route to becoming compliant with websites or apps. Also, we provide all attendees with great resources after each webinar.

If you haven’t already, come experience it for yourself.

Sign up now by clicking the links below.

Two highly anticipated features will be released this week (preview)

Both of these features will be going live by the end of this week but we wanted to let you know in advance today since we’ve received a lot of requests for them. We’ll also alert you again when they’re live in your account.

  • The Consent Solution (which allows you to easily track, store, manage and retrieve consent from your users), will receive the eagerly anticipated visual Dashboard. This interface will allow you to manage all your consents in a more aesthetic and user-friendly way.
  • The Privacy Policy generator will additionally allow you to (optionally) assign a purpose to a service from within the “Create custom service” interface.

New privacy policy integrations

We have also integrated/updated the following services which are now available from within the generator for our users.

New services/clauses added or updated:

  • GroupM/mPlatform
  • Xaxis
  • Light Reaction
  • Adobe Fonts (formerly Typekit)

Latest News: Apple Guidelines, Ask our experts live + Cookie Solution plugins and more
https://www.iubenda.com/en/blog/latest-news-apple-guidelines-ask-our-experts-live-cookie-solution-plugins-and-more/
Wed, 10 Oct 2018 12:58:04 +0000

What’s inside

  • Ask our experts live
  • Chat is back!
  • Apple guidelines
  • Cookie Solution plugins
  • New and better searchable help documentation
  • New privacy policy integrations

October webinars – ask our experts live

We’ve prepared a new set of free English webinars for you. They are all practical and designed to really help you with understanding and achieving compliance for your websites or apps. View live demos and have your questions answered in real time.

Sign up now by clicking the links below.

23rd October: Live Q&A and Demo: Consent Solution + Internal Privacy Management →
30th October: Live Q&A and Demo: Privacy Policy + Cookie Solution →
31st October: Agency webinar: How to make your clients’ websites and apps compliant →


Our support chat is back and better than ever before

Due to ever-increasing demand and support requests, we’ve reintroduced our live chat feature and increased our support team to better serve you, our customers.

Our response rate is now better and faster, with an average response time of less than 3 mins for chat and less than 6 hrs for tickets and complex requests.

You can find the support chat within our Help Center and on all other pages by clicking the green “Help” tab on the right of your screen.


Apple requires all new and updated apps to have a privacy policy

In an announcement posted on the App Store Connect portal, Apple has stated that all new and updated apps — including those still in testing and even basic ones that do not share data in any way — are required to have a privacy policy effective October 3, 2018.
Find out all details in our blog post →


Cookie Solution plugins & PHP class updated

We’ve updated and unified the parsing engine of our Cookie Solution PHP class and plugins for WordPress, Magento, Joomla! and PrestaShop, making it easier and faster than ever for you to set up the Cookie Solution on your website.
These plugins automate prior blocking for the following scripts: Facebook, Twitter, Google+, Google AdSense, Google Maps, YouTube, AddThis, ShareThis & Vimeo.
To read more or download, see our blog post →


New and better searchable help documentation

We recently extended our help service to include on-site contextual help when you click the “?” button within your dashboard, and to suggest articles specific to your issue when you submit a ticket request. This and the aforementioned new and improved customer support chat are part of our ongoing effort to better serve you and answer your questions faster than ever before.
Go directly to the help section →


New privacy policy integrations

We have also integrated/updated the following services which are now available from within the generator for our users.

New services/clauses added or updated:

  • Google Ad Manager (formerly Doubleclick)
  • Google Ads (formerly AdWords)
  • new clause for Direct bank payment

Apple requires all new and updated apps to have a privacy policy
https://www.iubenda.com/en/blog/apple-will-require-all-new-and-updated-apps-to-have-a-privacy-policy-beginning-october-3/
Mon, 03 Sep 2018 15:12:10 +0000

Apple stated that all new and updated apps, including those still in testing and basic ones that do not share data in any way, are required to have a privacy policy. The new guidelines came into force on October 3, 2018.

To ensure privacy policies aren’t tweaked after apps have been submitted, Apple also adds that the privacy policy’s link or text cannot be changed until developers submit a new version of their app.

App Store Review Guidelines state that the privacy policy must be available within the app in an “easily accessible manner” and must explain (among other things) which data the app collects, how that data is collected and used, and how a user can delete that data.

You can read more about privacy policies for iOS and macOS apps in our guide to Apple’s App Store Review Guidelines.

Generate a privacy policy for your macOS, iOS & tvOS apps

Latest News: New Cookie Solution configurator, Free GDPR templates + blogger guide published and more
https://www.iubenda.com/en/blog/iubenda-new-features-cookie-solution-configurator-free-gdpr-templates/
Mon, 23 Jul 2018 10:49:00 +0000

What’s inside

  • New Cookie Solution configurator
  • New Blog Compliance, Email Newsletter & Legal Overview guides published
  • New Data Processing Agreement (DPA)
  • Free downloadable GDPR Templates available for your use
  • New features: Consent Solution + Internal Privacy Management plan
  • New Cookie Solution feature: enable advertising preference management
  • New dashboard improvements
  • New services added to the Privacy […]

New Cookie Solution configurator allows for advanced visual styling and configuration

The configuration of the Cookie Solution and the creation and styling of the cookie banner has now become a lot simpler and more intuitive. We have received a lot of positive feedback, especially for the advanced styling features.


All details can be found here →


New comprehensive use-case guides published

Our content team has been working hard on publishing new use-case guides and updating existing documentation. The most recent guides include the legal requirements overview, which covers general requirements, region-specific requirements and situational legal requirements such as those for e-commerce and email newsletters.

The email and newsletter guide has detailed information in regards to data collection, legal obligations when adding users to a mailing list, single opt-in versus double opt-in plus a lot more.

Our blogger’s guide dives into legal requirements specific to bloggers and how to comply.

Find the legal requirements guide here →
Find the email and newsletter guide here →
Take me directly to the blogger’s guide →


New data processing agreement

In order to ensure compliance with the GDPR, we’ve adapted iubenda’s T&Cs to the new legal framework. In particular, we’ve added a Data Processing Agreement pursuant to art. 28 of the GDPR that becomes a binding part of our contractual relationship with you. You can read the new T&C and DPA as well as some details about what’s changed here.
The DPA outlines iubenda’s duties concerning certain data processing practices. Acceptance of this change is a condition for continuing to use iubenda. It does not, however, affect the way you use iubenda.

GDPR templates free to download

We have also released some helpful templates for your convenience, based on the work we’ve done in the last couple of months surrounding GDPR:


New features released regularly for the Consent Solution + Internal Privacy Management plan

A few months back we released our new Consent Solution + Internal Privacy Management Plan to further help you with legal compliance, especially in regards to the GDPR. The plan includes both the Consent Solution, which allows you to easily track, store, manage and retrieve user consent, and the Internal Privacy Management Solution, which allows you to easily document all the data processing activity within your organization.
For everyone who has not tried the above solutions yet, they are still available at the introductory bundle price of $39/month for an unlimited number of websites or projects. We are releasing new features for both solutions on a monthly basis. One of the most requested features released recently was the auto-sync feature for the Consent Solution.


Cookie Solution: enable advertising preference management

If your website runs ads, the following announcement is very important to you. The new IAB Framework gives users a convenient way to manage their preferences and is quickly becoming the industry standard. If you’re a first-party publisher, we highly recommend that you enable this feature, as some ad networks may limit access to their network if it is not implemented, potentially causing you to lose ad revenue.
Read more about the framework and how to enable it here →


Sorting in the dashboard and multiple processing locations

We have introduced more filters for the Privacy Policy generator, including alphabetic and date-of-creation filtering. The filter state is saved in your user preferences, so you find the same settings when you come back the next time.
On the Privacy and Cookie Policy Generator, we now allow you to specify, for services that support it, the place of processing. You can even select multiple ones. For instance, if you use Amazon Web Services, you can now specify the region(s) when adding or editing the service.

New privacy policy integrations

We have also integrated the following services which are now available from within the generator for our users.

New services/clauses added:

  • Airbrake
  • Adobe Audience Manager
  • AdKaora
  • Beta by Crashlytics
  • Crisp Live Chat
  • Oracle BlueKai
  • Datadog
  • Elevio
  • Freshsales + Freshchat
  • Feedblitz
  • Facebook Messenger live chat plugin
  • Savings United
  • Storeden
  • Google Play Beta Testing
  • MainAd
  • MailChimp Landing Page
  • Seedtag
  • SMS Aruba
  • Siteground Hosting
  • Transactionale
  • iOL Advertising
  • FreeWheel
  • LinkedIn Conversion Pixel and Remarketing
  • Quantum
  • Viralize
  • WOW TRK
  • Zendesk Chat
  • Tools from the Webtrekk Suite added
  • Tools from the Customerly Suite added
  • Updated Piwik clause to new Matomo
  • Updated Testflight
  • Updated HockeyApp
  • Updated Tag management systems purpose

Visit your dashboard →

We’ve launched 2 new services to help you comply with the GDPR
https://www.iubenda.com/en/blog/new-gdpr-compliance-services/
Wed, 16 May 2018 03:17:29 +0000

As you probably already know, the General Data Protection Regulation (GDPR) regulates how personal data must be lawfully processed (including how it’s collected, used, protected or otherwise handled). It is intended to strengthen data protection for all people whose personal information falls within its scope of application, putting control of personal data back into their hands.

The aforementioned can, however, be a technical challenge to implement in practical terms. This is especially true for internal privacy management and getting consent from your users. You must be able to describe which data you are collecting, for which purposes, the parties involved and some other details for the entire company, including data of your employees.

More detailed information on the GDPR can be found in our guide →

Our solution for Internal Privacy Management

In short this solution was created to easily document all the data processing activity within your organization. We believe that this is a great solution to help you comply with the GDPR. However, it was not exclusively made for that purpose and can assist you with your internal privacy management in general.

Our solution allows you to create your record of processing activity: add processing activities from 600+ pre-made options, divide them by area, assign processors and members, document legal bases and other GDPR-required records.

All details can be found here →

The iubenda Consent Solution

In short this solution enables you to easily track, store, manage and retrieve user consent.

This solution is an API that allows you to easily store proof of consent and manage consent and privacy preferences for each of your users, tracking every aspect of consent, including the legal or privacy notice the user was presented, the consent form and the preferences the user has expressed.

All details can be found here →

Great value introductory pricing

We are launching our 2 new services (the Internal Privacy Management solution and the Consent Solution) at an introductory bundle price of $39/month for unlimited websites, apps and projects.

Take me directly to the pricing page →

Google Analytics: Latest GDPR Changes https://www.iubenda.com/en/blog/google-analytics-gdpr-update/ Mon, 16 Apr 2018 08:45:44 +0000

As mentioned here, Google has started implementing major product and contractual changes in preparation for the GDPR. The latest update comes with a clear message that action is required regardless of location. Google states, in no uncertain terms, that even non-EEA customers will have their service impacted by the updates.

This latest statement focuses on the particular changes to the Google Analytics and Analytics 360 products, and highlights which actions you need to take as a result.

Product Changes
The first major product change mentioned is the new granular data retention controls, which allow you to manage how long your end-user data is kept on Google servers before being automatically deleted. The controls allow you to set retention periods on both a user and an event level, with the settings taking effect on 25th May 2018, when the GDPR becomes enforceable. The retention period applies to data associated with cookies, user identifiers (e.g., User-ID) and advertising identifiers; the settings will not affect reports based on aggregated data. You are required to take action by reviewing and modifying your retention settings to prevent accidental data loss. You can read more about the new controls here.

The second product change mentioned is the new user deletion tool which seems to be aimed at meeting the requirements outlined within the user’s “Right to erasure” under the GDPR. The tool will allow you to manage the deletion of all data associated with any individual end-user from within your Google Analytics and/or Analytics 360 properties. The tool isn’t actually launched yet, but the company states that it will be made available before 25th May, with details to be released on the developer site here.

Google also mentions a number of Analytics and Analytics 360 data related tools/features made available to assist you in meeting your particular GDPR obligations while continuing to use Google products. They include features for customizable cookie settings, privacy controls, data sharing settings, data deletion on account termination, and IP anonymization.

Contractual Changes
Google is including the new GDPR terms as a supplement to your contract with Google, where (regarding Analytics and Analytics 360 products) Google has defined itself as the “data processor”. If you’re based in the EEA, your contract has already been updated to include the updated terms; for Analytics and 360 clients based outside the EEA, the updated terms are available in your account (under Admin → Account settings) for your review.

Updated EU User Consent Policy
As previously outlined here, Google is making significant changes to its EU User Consent Policy in order to meet GDPR requirements. The new changes set out your responsibilities for informing EEA users and obtaining valid consent from them. As GDPR requirements can apply to you whether or not you’re based in the EEA, Google requires that you accept the updated terms if you continue to use Analytics and related products, and suggests that you review and define your path to compliance with the Regulation.

Here’s the full email text from Google:

Dear Google Analytics Administrator,
Over the past year we’ve shared how we are preparing to meet the requirements of the GDPR, the new data protection law coming into force on May 25, 2018. Today we are sharing more about important product changes that may impact your Google Analytics data, and other updates in preparation for the GDPR. This e-mail requires your attention and action even if your users are not based in the European Economic Area (EEA).
Product Updates
Today we introduced granular data retention controls that allow you to manage how long your user and event data is held on our servers. Starting May 25, 2018, user and event data will be retained according to these settings; Google Analytics will automatically delete user and event data that is older than the retention period you select. Note that these settings will not affect reports based on aggregated data.
Action: Please review these data retention settings and modify as needed.
Before May 25, we will also introduce a new user deletion tool that allows you to manage the deletion of all data associated with an individual user (e.g. site visitor) from your Google Analytics and/or Analytics 360 properties. This new automated tool will work based on any of the common identifiers sent to Analytics: Client ID (i.e. standard Google Analytics first party cookie), User ID (if enabled), or App Instance ID (if using Google Analytics for Firebase). Details will be available on our Developers site shortly.
As always, we remain committed to providing ways to safeguard your data. Google Analytics and Analytics 360 will continue to offer a number of other features and policies around data collection, use, and retention to assist you in safeguarding your data. For example, features for customizable cookie settings, privacy controls, data sharing settings, data deletion on account termination, and IP anonymization may prove useful as you evaluate the impact of the GDPR for your company’s unique situation and Analytics implementation.
Contract And User Consent Related Updates
Contract changes
Google has been rolling out updates to our contractual terms for many products since last August, reflecting Google’s status as either data processor or data controller under the new law (see full classification of our Ads products). The new GDPR terms will supplement your current contract with Google and will come into force on May 25, 2018.
In both Google Analytics and Analytics 360, Google operates as a processor of personal data that is handled in the service. For Google Analytics clients based outside the EEA and all Analytics 360 customers, updated data processing terms are available for your review/acceptance in your accounts (Admin ➝ Account Settings).
For Google Analytics clients based in the EEA, updated data processing terms have already been included in your terms.
If you don’t contract with Google for your use of our measurement products, you should seek advice from the parties with whom you contract.
Updated EU User Consent Policy
Per our advertising features policy, both Google Analytics and Analytics 360 customers using advertising features must comply with Google’s EU User Consent Policy. Google’s EU User Consent Policy is being updated to reflect new legal requirements of the GDPR. It sets out your responsibilities for making disclosures to, and obtaining consent from, end users of your sites and apps in the EEA.
Action: Even if you are not based in the EEA, please consider together with your legal department or advisors, whether your business will be in scope of the GDPR when using Google Analytics and Analytics 360 and review/accept the updated data processing terms as well as define your path for compliance with the EU User Consent Policy.
Find Out More
You can refer to privacy.google.com/businesses to learn more about Google’s data privacy policies and approach, as well as view our data processing terms.
We will continue to share further information on our plans in the coming weeks and will update relevant developer and help center documentation where necessary.
Thanks,
The Google Analytics Team

Looking for more in-depth information on the GDPR? You can access the recording from our last GDPR webinar here (it’s free).
If you’d like to attend one of our other free webinars, you can use this link to sign-up. We have webinars available in several languages and as always, they are free to attend.

iubenda helps you with the generation of your privacy policy and offers a fully fledged cookie management system (Cookie Solution).

Take me to the privacy policy generator

Take me to the Cookie solution

What is the GDPR and how will it affect your business https://www.iubenda.com/en/blog/what-is-the-gdpr-eu-data-protection/ Fri, 30 Mar 2018 13:27:32 +0000
GDPR: The term has been going around for some time now in the business space and more recently with an increased sense of urgency.

But, what is it really? And more importantly, why should you care?

What exactly is the GDPR

The acronym GDPR stands for General Data Protection Regulation (Regulation (EU) 2016/679) and at its most basic, it specifies how user data should be collected, used, protected or interacted with in general. The intent here is to bolster and centralize data protection within the EU, putting personal data control back into the hands of all people whose personal data fall within its scope.

The GDPR is the biggest change to data protection in the region in 20 years and replaces the Data Protection Directive of 1995. The regulation was adopted in April 2016, and following a two-year transition period, it will be fully enforceable by May 25th, 2018 (meaning that you’re expected to be GDPR compliant by that date!).

Does GDPR apply to you?

The short answer is: most likely, yes. The GDPR applies to all government agencies, companies and organizations (including non-profits) and individuals that are based in the EU; or access the data of people in the EU in any way; or offer goods and/or services to people in the EU (even if the offer is free).

This scope effectively covers almost all companies and, therefore, means that the GDPR can apply to you whether you’re located in the EU or not.

As a matter of fact, a recent PwC survey showed that GDPR is a top data protection priority for up to 92 percent of U.S. companies surveyed.

What exactly does “Personal Data” comprise?

Personal data within the context of the GDPR refers to any data that relates to an identified or identifiable living person. This includes pieces of information that, when collected together, can lead to the identification of a person. This applies even to data that has been pseudonymized or encrypted, as long as the pseudonymization or encryption is reversible.
In terms of meeting data protection obligations under the regulation, this means that decryption keys will need to be kept separately from the pseudonymised data.

Examples of personal data include (but are not limited to) basic identity data such as names; health, genetic and biometric data; web data such as IP addresses; political opinions; and sexual orientation.

Examples of non-personal data include company registration numbers, generic company email addresses such as info@company.com, and anonymized data.

Are there penalties for non-compliance?

Yes. The legal ramifications of non-compliance include fines, sanctions (inclusive of audits) and potential litigation.

  • The fines are up to EUR 20 million (€20m) or 4% of annual worldwide turnover (whichever is greater).
  • Sanctions include official reprimands (for first-time violations) and periodic data protection audits (which can lead to the potential seizure of valuable data in cases where similar data was obtained using non-compliant methods).
  • Under the GDPR, users have the right to compensation for any damages resulting from an organization’s non-compliance, thereby leaving violators open to potential legal action.

So it’s pretty important to be ready.

Core requirements of the regulation

Special definitions used below:

  • The term ‘user’ here means an individual whose personal data is processed by a controller or processor.
  • The term ‘data controller’ means any person or legal entity involved in determining the purpose and ways of processing the personal data.
  • The term ‘data processor’ means any person or legal entity involved in processing personal data on behalf of the controller.

(For example, an internet company may collect user information via their website and store it using a 3rd party cloud service. In this scenario, the internet company is the data controller and the organization running the cloud service is the data processor.)

Lawful basis for processing data (Article 6):
Under the GDPR, data can only be processed if there is at least one lawful reason for doing so.
The lawful bases are:

  • The user has given consent for one or more specific purposes.
  • The data processing is necessary for a contract in which the user is a participant or necessary in order to take steps (requested by the user) prior to entering the contract.
  • The processing is necessary for fulfilling a legal obligation to which the data controller is subject.
  • The processing is necessary for protecting the vital interests of the user or of another person.
  • The processing is necessary for doing a task carried out in the interest of the public or as contained under the official authority given to the data controller.
  • The processing is necessary for the legitimate interests of the data controller or third party, except where overridden by the interests, rights and freedoms of the user, in particular where the user is a child.

Consent (Articles 7&8):
Consent obtained from users must be explicit and verifiable (opt-in). In getting consent for data use, you may not use overly complicated or indecipherable terms or wording; this includes legalese and unnecessary jargon. This means that privacy notices must be laid out legibly (see ours here) using understandable language and clauses so that users are clear on what they’re consenting to. Consent for children under 13 must be given by a legal guardian using verification measures (e.g., control questions) and, in general, it must be as easy for users to withdraw consent as it is for them to give it.
Because consent is such an important issue under the GDPR, it is mandatory that you keep detailed records of consent. The records should contain details of when and how consent was obtained and exactly what the user was told at the time.

User Rights:
Under the GDPR users have specific rights that must be honored. These include:

  • The right to be informed (Articles 13&14): In addition to the generally required disclosures outlined above, the GDPR further requires that you ensure that your privacy notices are concise, easy to understand and easily accessible throughout your website/app.
  • The right of access (Article 15): Users have the right to access their personal data and information about how their personal data is being processed.
  • The right to rectification (Article 16): Users have the right to have their personal data rectified if it is inaccurate or incomplete.
  • The right to erasure (Article 17): When data is no longer relevant to its original purpose or where users have withdrawn consent, users have the right to request that their data be erased and all dissemination ceased.
  • The right to restrict processing (Article 18): Users have the right to restrict the processing of their personal data in specific cases.
  • The right to data portability (Article 20): Users have the right to obtain (in a machine-readable format) and use their personal data for their own purposes.
  • The right to object (Article 21): Under the GDPR, users have the right to object to certain activities in relation to their personal data.
  • Rights related to automated decision making and profiling (Article 22): Users have the right to not be subjected to a decision when it is based on automated processing or profiling, and it produces a legal or a similarly significant effect on the user.

Privacy by design and default (Article 25):
Data protection should be included from the onset of design and development of the business processes and infrastructure. This means that privacy settings should be set to ‘high’ by default and measures put into place to make sure that the processing life cycle of the data falls within the GDPR requirements.

Maintain records of processing activities (Article 30): 
In several specific cases, the GDPR may require that up-to-date records of the data processing activities being carried out are kept and maintained. These cases include situations where the processing can result in a risk to the rights and freedoms of individuals and where special categories of data are being processed.

Breach Notification (Articles 33&34):
If there is a data breach, the data processor will have to notify the controller immediately after becoming aware. The data controller must then notify the Supervisory Authority within 72 hours of becoming aware of the breach. Under this rule, users must also be informed of the breach (within the same time frame) unless the data breached was anonymized (for example via encryption).

Data Protection Impact Assessment (Article 35):
A data protection impact assessment (DPIA) is a process used to help organizations comply effectively with the GDPR and ensure that the principles of accountability, privacy by design and privacy by default are put in practice by the organization.
Generally speaking, the DPIA is only mandatory in cases where data processing activity is likely to result in a high risk for users (this is particularly applicable when introducing new processing technology). However, if unsure as to whether or not your processing activity falls within what is considered “high risk”, it is recommended that a DPIA be carried out nonetheless as it is a useful tool for ensuring that the law is complied with.

Appointment of Data Protection Officers (Article 37):
In public authorities (except courts/judicial authorities), in organizations that systematically process personal data on a large scale and in cases where special categories of data are being processed, a professional with expert knowledge of data protection law and practices must be appointed as Data Protection Officer (DPO). This officer should also be proficient in IT process management, data security and other critical issues surrounding the processing of personal and sensitive data.

Cross-border data transfers (Articles 44-50):
The GDPR permits transfers of EU residents’ data outside of the European Economic Area (EEA) only when set conditions are met. Under these conditions, the country or region the data is being transferred to must have an “adequate” level of personal data protection by EU standards; where it is not considered adequate, transfers may still be allowed under standard contractual clauses (SCCs) or binding corporate rules (BCRs). If transferring data outside of these conditions, informed consent must be received from the user, in which case the consent must be given on the basis of sufficiently precise information, including information on the lack of protection in the third country.

What this means for businesses

As with most new regulations, the GDPR has its pros and cons from a business point of view. Generally speaking, the new regulation will mean more restrictions on the commercial use of data and more initial spending on becoming compliant. However, in the long term, the regulation is intended to encourage innovation, reduce the cost of doing business in the EU, mitigate risks and their associated potential costs, safeguard individual data security rights and encourage consumer trust.

Next Steps

In terms of compliance, some of the first logical steps are to:

  • Make sure that your privacy policy is up to regulation. You can click here for information on what your privacy policy should contain (at the very least) or you can simply generate one here.
  • Review your current data processing systems and ensure that they are up to regulatory specifications.
  • Review your data processors’ GDPR readiness (data processors can include your cloud service provider, email marketing service providers, analytics companies etc.). The ICO’s controller/processor Contracts and liabilities Guide is a good place to start.

Looking for more in-depth information on the GDPR? You’re welcome to join us at our upcoming webinar. It’s free to attend and you can have your most pressing questions answered. You can use this link to reserve your spot NOW (as our webinars often fill up quickly).

You can also read our GDPR overview here and the full GDPR legal text here (available in several languages).


Google’s latest GDPR preparations and what they mean for you https://www.iubenda.com/en/blog/googles-latest-gdpr-preparations-mean/ Fri, 23 Mar 2018 20:53:40 +0000

Google has started implementing major policy, contractual, and product changes in preparation for the soon-to-be-enforceable General Data Protection Regulation (GDPR). The changes largely reflect Google’s status as either data controller or processor with regard to their products, set out your responsibilities in light of the new legal requirements, and include product and network modifications.

Policy updates

Google’s EU User Consent Policy is being updated to better reflect the new legal requirements. Central to these policy changes is the statement of your responsibilities with regard to making disclosures to, and obtaining consent from, EEA users.

For sites/apps or other “properties” under your control that make use of Google services, you are required to:

  • acquire legally valid consent from end users for the use of cookies or other local storage (where legally required);
  • acquire legally valid consent for the processing of personal data for ads personalization or remarketing services;
  • keep records of consent given by end users;
  • provide end users with clear instructions for the withdrawal of consent; and
  • identify and disclose details of all third parties involved in the processing of the personal data of end users, in an easily accessible and visible way.

Google has stated that failure to comply may lead to limited or suspended accounts and/or termination of your agreement.

Contract changes

Google is including the new GDPR terms as a supplement to your contract with Google. These modifications will come into force on 25 May 2018.

Currently, these contract changes will affect AdWords, DoubleClick, and the Google Analytics suite. The terms will be incorporated into your terms of service (also known as the terms and conditions) agreement with Google, and you may be required to log in and accept the new terms in your account if you haven’t already.

Product changes

In order to comply with the GDPR, Google is making product changes across their global network of publisher sites, which:

  • give publishers the ability to select which third-party ads get displayed to their end users and give them the ability to show non-personalized ads;
  • limit the processing of personal information for children under the GDPR Age of Consent.

The company has also stated that they are “exploring consent solutions for publishers” and launching new controls that give Google Analytics customers the ability to manage the storage and deletion of their data.

Update: You can read more about the specific changes to Google Analytics and Analytics 360 here.

Here’s the full email text from Google:

Dear Customer,
Over the past year we’ve shared how we are preparing to meet the requirements of the GDPR, the new data protection law coming into force on 25 May 2018. The GDPR affects European and non-European businesses using online advertising and measurement solutions when their sites and apps are accessed by users in the European Economic Area (EEA).
Today we are sharing more about our preparations for the GDPR – including our updated EU User Consent Policy, changes to our contract terms, and changes to our products, to help both you and Google meet the new requirements.
Updated EU User Consent Policy
Google’s EU User Consent Policy is being updated to reflect the new legal requirements of the GDPR. It sets out your responsibilities for making disclosures to, and obtaining consents from, end users in the EEA. For example, under that policy, advertisers will be required to obtain consent from users for the collection of data for personalized ads (e.g. remarketing tags to build audience lists) and for the use of cookies where legally required (e.g. conversion tags). The policy is incorporated into the contracts for most Google ads and measurement products globally.
Contract changes
We have been rolling out updates to our contracts for many products since last August, reflecting Google’s status as either a processor or a controller under the new law (see full classification of our Ads products). The new GDPR terms supplement your contract with Google and will come into force on 25 May 2018.
  • For AdWords customers globally, our GDPR terms are incorporated into the terms of service, which (if you’ve not done so already) you can accept in your account. In the case of AdWords Customer Match and Store Sales Direct, Google acts as a processor; for the rest of AdWords we act as a controller.
  • For customers using DoubleClick and the Google Analytics (GA) Suite, processor terms are available for you to review and accept from within your account. If you are an EEA client of GA, data processing terms will be included in your terms shortly. GA customers based outside EEA and all GA 360 customers may accept the terms from within GA.
  • If you don’t contract with Google for your use of Google products, you should seek advice from the parties with whom you contract.
Product changes
To comply, and support your compliance with GDPR, we are:
  • Making some changes across the network of publisher sites on which your ads may appear – enabling publishers to show non-personalised ads and to select which third parties measure and serve ads for EEA users on their sites and apps.
  • Taking steps to limit the processing of personal information for children under the GDPR Age of Consent in individual member states.
  • Unifying our ads data retention practices; and launching new controls for Google Analytics customers to manage the retention and deletion of their data.
  • Exploring consent solutions for publishers, including working with industry groups like IAB Europe.
Find out more
You can refer to privacy.google.com/businesses to learn more about Google’s data privacy policies and approach, as well as view our data processing terms and data controller terms.
If you have any questions about this update, please don’t hesitate to reach out to your account team or contact us through the Help Center. We will continue to share further information on our plans in the coming weeks.
Sincerely,
The Google Team

Here’s what you can do right now to comply with Google’s GDPR-based consent policy requirements:

  • Put in place on your site/app an easily accessible, comprehensive privacy policy which includes details on how you process end-user data, for which purposes and who else has access. Be sure to include each third-party service used, with links to their policies where possible, and detail their involvement in the processing (you can do this with just a few clicks via our privacy policy solution).
  • Implement a method of obtaining verifiable and valid consent. For consent to be valid, it must be informed, freely given and verifiable. This means that your end users should know precisely and honestly what they’re consenting to, and the consent must be based on an explicit, affirmative, uncoerced action.

    Here’s an example of a method of acquiring valid consent for the processing of personal data for ads: “Yes, I would like the ads I view to be personalized. I have read the privacy policy and understand the requirements for this function (optional).”

  • Implement a “cookie consent solution” that allows you to obtain valid, verifiable, explicit consent BEFORE installing cookies on the end users’ device. Our cookie solution simplifies this process: end users are informed via a customizable cookie banner; active consent is facilitated via either clicking or scrolling; and user consent settings are remembered.
  • Keep clear records of the consent attained. Your records of consent should at least include the identity of the user giving consent; when they consented; what disclosures were made (what they were told) at the time they consented; the method used for obtaining consent (e.g., newsletter form, during checkout etc.); and whether they have withdrawn consent or not.
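The record fields listed above (identity, when, what was disclosed, how consent was obtained, whether it was withdrawn), as an added example written for this page rather than iubenda’s Consent Solution or any Google code: an append-only consent log in Python in which the notice the user saw is fingerprinted, so a changed disclosure or a later withdrawal both invalidate the earlier grant. The class and function names, the user ids and the two notice texts are constructed for illustration.

```python
"""Append-only record of consent: an added example for this page, not
iubenda's Consent Solution API or Google code. Names, notice texts and
ids below are constructed for illustration."""
from __future__ import annotations

import hashlib
import json
from dataclasses import asdict, dataclass
from datetime import datetime, timezone
from typing import Optional


def notice_fingerprint(notice_text: str) -> str:
    """SHA-256 of the exact disclosure shown: proves *what the user was told*
    without copying the whole notice into every event."""
    return hashlib.sha256(notice_text.encode("utf-8")).hexdigest()


@dataclass(frozen=True)
class ConsentEvent:
    subject_id: str     # identity of the user giving (or withdrawing) consent
    purpose: str        # e.g. "ads_personalization", "newsletter"
    granted: bool       # True = consent given, False = consent withdrawn
    timestamp: str      # when (ISO 8601, UTC)
    method: str         # how: "checkout_checkbox", "newsletter_form", "settings_page"
    notice_sha256: str  # fingerprint of the privacy notice the user was shown
    form_text: str      # exact wording of the checkbox/button the user acted on


class ConsentLog:
    """Withdrawal is appended as a new event, never written over the grant,
    so the history of every decision stays auditable."""

    def __init__(self) -> None:
        self._events: list[ConsentEvent] = []

    def record(self, subject_id: str, purpose: str, granted: bool, method: str,
               notice_text: str, form_text: str, at: Optional[datetime] = None) -> ConsentEvent:
        # A grant must cite an explicit affirmative action; refuse empty wording so
        # implied or pre-ticked "consent" can never be logged as consent.
        if granted and not form_text.strip():
            raise ValueError("a grant needs the affirmative wording the user acted on")
        ev = ConsentEvent(subject_id, purpose, granted,
                          (at or datetime.now(timezone.utc)).isoformat(), method,
                          notice_fingerprint(notice_text), form_text)
        self._events.append(ev)
        return ev

    def withdraw(self, subject_id: str, purpose: str, method: str,
                 at: Optional[datetime] = None) -> ConsentEvent:
        last = self.latest(subject_id, purpose)
        # Keep the fingerprint of the notice the withdrawn grant referred to.
        ev = ConsentEvent(subject_id, purpose, False,
                          (at or datetime.now(timezone.utc)).isoformat(), method,
                          last.notice_sha256 if last else "", "")
        self._events.append(ev)
        return ev

    def latest(self, subject_id: str, purpose: str) -> Optional[ConsentEvent]:
        for ev in reversed(self._events):
            if ev.subject_id == subject_id and ev.purpose == purpose:
                return ev
        return None

    def has_valid_consent(self, subject_id: str, purpose: str, current_notice: str) -> bool:
        """Valid only if the newest event is a grant given against the notice now
        in force; a changed disclosure means the user has to consent again."""
        ev = self.latest(subject_id, purpose)
        return bool(ev and ev.granted and ev.notice_sha256 == notice_fingerprint(current_notice))

    def proof(self, subject_id: str, purpose: str) -> str:
        """Audit trail for one user and purpose, as a regulator might request it."""
        return json.dumps([asdict(e) for e in self._events
                           if e.subject_id == subject_id and e.purpose == purpose], indent=2)


NOTICE_V1 = ("We and Google Ads use cookies and browsing data to personalise the ads "
             "you see. You can withdraw at any time under Settings.")
NOTICE_V2 = NOTICE_V1 + " Example Analytics (constructed name) also receives this data."


def demo() -> dict:
    """Constructed walk-through returning the checks a reader can verify."""
    log = ConsentLog()
    uid, purpose = "user-4821", "ads_personalization"
    log.record(uid, purpose, True, "checkout_checkbox", NOTICE_V1,
               "Yes, I would like the ads I view to be personalized.",
               at=datetime(2018, 5, 25, 9, 0, tzinfo=timezone.utc))
    before = log.has_valid_consent(uid, purpose, NOTICE_V1)               # True
    after_notice_change = log.has_valid_consent(uid, purpose, NOTICE_V2)  # False
    log.withdraw(uid, purpose, "settings_page",
                 at=datetime(2018, 6, 1, 12, 30, tzinfo=timezone.utc))
    after_withdraw = log.has_valid_consent(uid, purpose, NOTICE_V1)       # False
    try:
        log.record("user-0002", purpose, True, "signup_form", NOTICE_V1, "   ")
        blank_rejected = False
    except ValueError:
        blank_rejected = True
    return {"before": before, "after_notice_change": after_notice_change,
            "after_withdraw": after_withdraw, "blank_form_rejected": blank_rejected,
            "unknown_user": log.has_valid_consent("user-0001", purpose, NOTICE_V1),
            "event_count": len(json.loads(log.proof(uid, purpose)))}
```

`proof()` is what you would hand over when asked to demonstrate a particular user’s consent: both the grant and the later withdrawal are in it, with the fingerprint of the notice text each referred to.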

Looking for more in-depth information on the GDPR? You’re welcome to join us at our upcoming webinar. It’s free to attend and you can have your most pressing questions answered. You can use this link to sign up NOW, as our webinars often fill up quickly.

iubenda helps you with the generation of your privacy policy and offers a fully fledged cookie management system (Cookie Solution).

Take me to the privacy policy generator

Take me to the Cookie solution

Article 29 Data Protection Working Party: we’re not quite happy about cookies yet https://www.iubenda.com/en/blog/article-29-data-protection-working-party-were-not-quite-happy-about-cookies-yet/ Wed, 18 Feb 2015 10:04:33 +0000
The Article 29 Data Protection Working Party has made what they call “sweep days” a custom. We’ve published blog posts about the earlier Internet Sweep Day and Mobile Apps Sweep Day and we’ve mentioned an ongoing cookie survey around August of 2014 while the French CNIL was starting to control cookie settings on websites.

Yesterday, on the 17th of February 2015, the WP29 published a statement [link no longer up] on the results of its cookie surveys.

Their main takeaway is that cookie information and disclosure has indeed improved, but at the same time cookies were still being set without consent.

The survey is the result of work by 8 data protection agencies across Europe:

  • Czech Republic – Úřad pro ochranu osobních údajů,
  • Denmark – Erhvervsstyrelsen,
  • France – Commission nationale de l’informatique et des libertés,
  • Greece – Hellenic Data Protection Authority,
  • Netherlands – Authority for Consumers & Markets,
  • Slovenia – Informacijski pooblaščenec Republike Slovenije,
  • Spain – Agencia Española de Protección de Datos,
  • United Kingdom – Information Commissioner’s Office.

Methodology of the cookie survey

The cookie sweep was done in two major stages. The first was a statistical review of cookies used by websites and their technical properties. The second was a more in-depth manual review of cookie information and consent mechanisms.

What are cookies anyways?

In the words of the press release published yesterday, cookies are “a small piece of information placed on a person’s computer when they visit a website. They can be used to remember the users’ preferences, record items placed in a shopping basket and carry out various other tasks based on how that person uses the site. Some cookies, known as third party cookies, can also be used for many purposes including to record information based on how the user is interacting with other websites.”

And whilst the sweep focused on classical HTTP cookies, there’s one thing to keep in mind (and it has also been pointed out in the press release itself): similar technologies, such as those known under the term device fingerprinting, also fall under the cookie rules.

Targeted sites

Target sectors were selected as those which were considered by the WP29 to present the greatest data protection and privacy risks to EU citizens. The target sectors chosen were media, e-commerce and the public sector.

Target websites were selected from among the 250 most frequently visited by individuals within each member state taking part in the sweep. To avoid sweeping the same site twice, it was suggested that websites of organisations not firmly established within a participating member state be excluded.

Results of the cookie survey in detail

Considering that big sites have known about these rules for a while and that guidance by national data protection agencies AND the WP29 was out there, these results must be quite disappointing.

  • More than 16000 cookies were set across the sites with those in the media setting the highest average number of cookies (50);
  • 22 sites set more than double this average (>100 cookies) when a user visited their home page;
  • 70% of the cookies encountered were set by third-parties and more than half of these cookies were set by just 25 domains;
  • The average expiry of cookies was found to be between 1 and 2 years, 20% of cookies observed had an expiry date of between 2 and 5 years and 374 were observed with an expiry date of greater than 10 years. However, 3 cookies seen in the sweep had been set with the expiry date of 31 December 9999, nearly 8000 years in the future. Given that the duration can be intentionally renewed by the website operator on each visit it is the case that many of these cookies would survive the lifetime of the device;
  • 26% of sites provided no notification that cookies were being used. Of those that did provide a notification, visibility could be improved in 39% of cases and half (50%) merely informed users that cookies were in use without requesting consent;
  • Only 16% of sites gave users a granular level of control to accept a subset of cookies with the majority relying on browser settings or a link to a third-party opt-out tool;
  • Seven sites set no cookies on the first page.
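The first stage of the sweep, a statistical review of cookies and their technical properties, is something a site operator can reproduce for their own pages before a regulator does. The script below is an added example and not WP29’s or any data protection authority’s tooling: it takes observed Set-Cookie headers (hostnames, cookie names and values here are constructed), attributes each cookie to the responding host, computes its lifetime from Max-Age or Expires, and reports the figures the survey reports: cookies per site, the share set by third parties and by which domains, cookies outliving ten years, and sites that set none at all. Treating a cookie as third-party by comparing the last two DNS labels is a simplification; a real audit would use the Public Suffix List.

```python
"""Cookie sweep in miniature: count cookies per site, measure the third-party
share and check lifetimes from Set-Cookie headers. Added example; the input
below is constructed, not data from the WP29 survey."""
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime
from typing import Dict, List, Optional, Tuple

# Constructed observations: (page host, host whose response set the cookie,
# raw Set-Cookie header). Hostnames and values are made up for this example.
OBSERVED_AT = datetime(2015, 2, 17, tzinfo=timezone.utc)
SITES = ["news.example", "shop.example", "gov.example"]
OBSERVATIONS: List[Tuple[str, str, str]] = [
    ("news.example", "news.example", "session=abc; Path=/; HttpOnly"),
    ("news.example", "ads.tracker-example.net",
     "uid=123; Domain=.tracker-example.net; Expires=Fri, 31 Dec 9999 23:59:59 GMT"),
    ("news.example", "cdn.tracker-example.net", "seg=7; Max-Age=63072000"),
    ("shop.example", "shop.example", "cart=x; Max-Age=2592000; Secure"),
    ("shop.example", "ads.tracker-example.net",
     "uid=456; Expires=Wed, 17 Feb 2016 10:00:00 GMT"),
    # gov.example set no cookies at all on its first page
]

TEN_YEARS_DAYS = 10 * 365


@dataclass
class CookieRecord:
    site: str
    set_by: str
    name: str
    lifetime_days: Optional[float]  # None means a session cookie


def registrable_domain(host: str) -> str:
    """Approximate the registrable domain by the last two DNS labels.
    A real sweep should use the Public Suffix List; this shortcut gets
    names like example.co.uk wrong."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def parse_set_cookie(header: str, observed_at: datetime) -> Tuple[str, Optional[float]]:
    """Return (cookie name, lifetime in days). Max-Age takes precedence over
    Expires, as RFC 6265 requires; a cookie with neither is a session cookie."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0]
    max_age: Optional[int] = None
    expires: Optional[datetime] = None
    for attr in parts[1:]:
        key, _, value = attr.partition("=")
        key = key.strip().lower()
        if key == "max-age":
            try:
                max_age = int(value)
            except ValueError:
                pass  # malformed Max-Age is ignored, as browsers do
        elif key == "expires":
            try:
                expires = parsedate_to_datetime(value)
            except (TypeError, ValueError):
                pass  # unparseable date: treat as absent
    if max_age is not None:
        return name, max_age / 86400
    if expires is not None:
        if expires.tzinfo is None:
            expires = expires.replace(tzinfo=timezone.utc)
        return name, (expires - observed_at) / timedelta(days=1)
    return name, None


def audit(sites, observations, observed_at=OBSERVED_AT) -> Dict:
    """Aggregate the observations into the figures the sweep reports."""
    records = [CookieRecord(site, set_by, *parse_set_cookie(hdr, observed_at))
               for site, set_by, hdr in observations]
    # A cookie is third-party when the responding host is not the page's site.
    third_party = [r for r in records
                   if registrable_domain(r.set_by) != registrable_domain(r.site)]
    per_site = Counter(r.site for r in records)
    return {
        "total": len(records),
        "per_site": dict(per_site),
        "third_party_share": len(third_party) / len(records) if records else 0.0,
        "third_party_domains": Counter(
            registrable_domain(r.set_by) for r in third_party).most_common(),
        "over_ten_years": [(r.site, r.name, r.lifetime_days) for r in records
                           if r.lifetime_days is not None
                           and r.lifetime_days > TEN_YEARS_DAYS],
        "sites_without_cookies": [s for s in sites if s not in per_site],
    }


if __name__ == "__main__":
    for key, value in audit(SITES, OBSERVATIONS).items():
        print(f"{key}: {value}")
```

On the constructed input this reports 5 cookies, a third-party share of 60% all coming from one domain, one cookie set to expire on 31 December 9999, and one site that sets no cookies on its first page, which is exactly the shape of the WP29 findings above.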

For further insights, it’s worth reading the guidance made public by the WP29.

It’s worth noting that for valid consent an operator needs it to “be specific, freely given and unambiguous”.

Future for cookie notices?

If anything, this cookie survey shows that there is still work to be done, that is, if the data protection agencies want to see the existing rules implemented. And that is very likely what we are going to see down the road: more guidance, and more actions by the national data protection agencies to push for better cookie practices.

Update: of all countries in the European Union, the situation must be the most confusing in Germany. Some parties think that the e-Privacy directive has been adopted into German law (into the TMG), others like the data protection officers disagree and published a statement on their own regarding the matter saying that work needs to be done to make corrections and properly introduce the e-Privacy rules regarding cookies.

Privacy Policy for Game Sites https://www.iubenda.com/en/blog/privacy-policy-for-game-sites/ Wed, 03 Dec 2014 10:59:00 +0000


We have our first third party integration with a provider of HTML5 games. GamePix is a marketplace and provider of HTML5 games on the web.

Since yesterday there’s a post on the GamePix blog outlining why it may be a good idea for a games site to provide a privacy policy for their users and for AdSense, for example.

The short version is that there are 3 players that might want to see a privacy policy provided by these sites:

  • the law: privacy laws require privacy notices when personal data is processed and/or when those sites are commercial. That is usually the case with (HTML5) games websites because of monetization through ads.
  • the game providers: the companies that provide the games (in our case GamePix) may require their users (websites) to have a privacy policy. The reason for this is that if the websites don’t have a privacy policy they may get penalized by ad providers like AdSense. This is bad for business.
  • the monetizers: here enters AdSense as our example. AdSense requires a privacy policy to be in place in its terms of use.

We had written about AdSense and their privacy policy requirement before here. Because the privacy notice for AdSense is so beautifully vocal I’m repeating it here as well:

8. Privacy
(…) 
You will ensure that at all times you use the Services, the Properties have a clearly labeled and easily accessible privacy policy that provides end users with clear and comprehensive information about cookies, device-specific information, location information and other information stored on, accessed on, or collected from end users’ devices in connection with the Services, including, as applicable, information about end users’ options for cookie management.  You will use commercially reasonable efforts to ensure that an end user gives consent to the storing and accessing of cookies, device-specific information, location information or other information on the end user’s device in connection with the Services where such consent is required by law.

How do I write a privacy policy if I am embedding games like the ones provided by GamePix?

If you happen to run a gaming site and embed games from providers you’ll need to look out for two things.

1) You are embedding content from another site, which allows that site to measure certain things happening on your site.
2) Be careful to disclose all the info required by the ads provider.

In the case of GamePix it may be advisable to disclose the fact that you use GamePix and, if applicable, that you are monetizing with AdSense:

  • Publishers of GamePix’ games: since GamePix provides HTML5 games as a third party for your site, you should include GamePix inside your privacy policy as a third party service, linking back to the GamePix privacy policy, so the user understands what’s happening when they’re playing games on your website or blog.
  • Displaying ads provided by AdSense: state the fact that you use AdSense and describe what it does for you exactly. Link to their site and privacy policy. Also, you should tell people how they can opt-out from the DoubleClick cookie. The same is true for other advertising networks, a general opt-out can be found at this link: http://www.networkadvertising.org/managing/opt_out.asp.

Since we’ve integrated both GamePix and AdSense into our privacy policy generator, we may be able to help you get started.

Generate a privacy policy for GamePix and AdSense

About App Store Rejection: “Metadata Rejected” https://www.iubenda.com/en/blog/metadata-rejected-privacy-policy/ Mon, 13 Oct 2014 12:00:38 +0000


Your app is getting rejected after having submitted it potentially weeks earlier and being very hopeful. What happened?

The most annoying reason you can get is “Metadata Rejected”, after which you’re sent to the Resolution Center. It’s annoying because it hasn’t got anything to do with the app itself and because it would be so easy to fix.

The process usually goes something like this:

Apple: How do you secure user data?
You: I use Parse and Stripe.
Apple: You need a privacy policy.
You: Okay.

What happens then is that you’ll be sent to the actual rule that Apple thinks applies to you. This has been happening a lot since the launch of iOS 8. Even Dave Verwer, an iOS developer and well-known newsletter host, wrote about the fact that Apple posted about privacy policies on their developer blog:

I’m guessing that this post was prompted by the fact that using HomeKit, HealthKit or keyboard extensions in iOS 8 all now require you to include a privacy policy. However if you look at the list of conditions for where a policy is necessary, I won’t be surprised if this field gets changed to be mandatory for all apps soon. If you don’t have a privacy policy then you might want to check out iubenda who have a really good, simple policy generator.

Of course there’s a good reason why there are a lot of posts about this topic on this blog. We’d like to help iOS developers craft their privacy policies.

Facebook Privacy Policy Update (29/08/2013) https://www.iubenda.com/en/blog/facebook-privacy-policy-update-29082013/ Fri, 30 Aug 2013 09:05:02 +0000

Facebook is planning to make some changes to its privacy policy on Sept. 5. According to the post Proposed Updates to our Governing Documents (edit 18.3.15, removed original link since post was removed or moved) by their chief privacy officer Erin Egan you now have time to leave feedback regarding the proposed changes.

In a nutshell, the changes mostly include the new data use policy and statement of rights and responsibilities that lay out more clearly what Facebook already does with your personal information. [links are no longer up]

This change comes after a U.S. judge granted final approval to Facebook’s $20 million settlement of a lawsuit over targeted advertising last Monday, August 26.

That being said, I’d like to remind you that iubenda operates a privacy policy generator for Facebook apps. Facebook requires every app to have a privacy policy. Find it here.

Update 9.9.2013:

Facebook has announced the delay of their privacy policy update for an additional week after the feedback has come in overwhelmingly negative.

Additionally, Facebook has “received” an open letter addressed to the Federal Trade Commission signed by six privacy groups titled “Facebook’s Changes Regarding Sponsored Stories”.

The letter is signed like this:

Respectfully,
/s/ Marc Rotenberg_____________________
Marc Rotenberg, Executive Director
Electronic Privacy Information Center (EPIC)

/s/ Jeff Chester_____________________
Jeff Chester, Executive Director
Center for Digital Democracy (CDD)

/s/ John Simpson_____________________
John Simpson, Privacy Project Director
Consumer Watchdog

/s/ Deborah Peel_____________________
Deborah Peel, Founder and Chair
Patient Privacy Rights

/s/ Edmund Mierzwinski________________
Edmund Mierzwinski, Consumer Program Director
U.S. PIRG

/s/ Beth Givens_____________________
Beth Givens, Director
Privacy Rights Clearinghouse

It’s worth a read.

Via Bits.

Paymill Privacy Policy https://www.iubenda.com/en/blog/paymill-privacy-policy/ Mon, 19 Aug 2013 19:39:08 +0000


We’re happy to let you know that PAYMILL has shared iubenda as a privacy policy generator for their service via various channels today.

By now, iubenda has a collection of more than 130 pre-crafted clauses for third party services out there. Paymill is one of those services and to celebrate that fact we’ve decided (along with Paymill) to give a 10% discount for the month of August for you as a Paymill user.

If you are new to iubenda, this is how it works:

  1. You are a PAYMILL user
  2. You need a privacy policy for your app
  3. You sign up for iubenda
  4. Tell iubenda what services you are using: Paymill, other services
  5. Generate and embed that privacy policy into your app, site or Facebook application
  6. Get your PAYMILL discount here.

Just today, by the way, we have also added Stathat (a very popular statistics app) to our generator.

Internet Sweep Day https://www.iubenda.com/en/blog/internet-sweep-day/ Wed, 14 Aug 2013 09:19:53 +0000

As the CNIL (the French privacy/data protection authority) revealed in a press release yesterday, the state of privacy-related information for consumers/visitors on the web is still massively underwhelming. The findings of a coordinated audit by the 19 members of the GPEN, which looked at some 2180 of the most popular websites and apps, revealed that over 20% don’t provide any kind of privacy notice despite collecting privacy-relevant data.

If you look only at the mobile applications, that figure climbs to over 50%.

In another comment the release details the often poor quality of privacy notices (where they are present), describing them as too general or, conversely, too focused on one technical aspect, such as the use of “cookies”:

Moreover, where such data protection policies do exist, they are sometimes too general or, conversely, too focused on a single technical aspect, such as “cookies”.

Further interesting takeaways from the French sites (250 of the most visited sites by French users) are that 99% of them actually collect personally identifiable information and some 50% of websites and mobile application included their privacy policies in a way that would make it hard to discover.

About the Internet Sweep Day and GPEN

The operation “Internet Sweep Day” was the first coordinated audit by the member agencies of the Global Privacy Enforcement Network (GPEN). The GPEN is an informal network of privacy enforcement authorities that pursues a number of tasks:

  • Discuss the practical aspects of privacy law enforcement co-operation;
  • Share best practices in addressing cross-border challenges;
  • Work to develop shared enforcement priorities; and
  • Support joint enforcement initiatives and awareness campaigns.

Some of the members of the GPEN include:

  • Australia: Office of the Australian Information Commissioner; Office of the Victorian Privacy Commissioner; Office of the Information Commissioner, Queensland
  • Belgium: Data Protection Commission
  • Bulgaria: Bulgarian Commission for Personal Data Protection
  • Canada: Office of the Privacy Commissioner of Canada; Information and Privacy Commissioner of British Columbia
  • China (Special Administrative Regions): Office for Personal Data Protection, Macau SAR, China
  • Czech Republic: Office for Personal Data Protection of the Czech Republic
  • European Union: European Data Protection Supervisor
  • Estonia: Estonian Data Protection Inspectorate
  • France: Commission Nationale de l’Informatique et des Libertés
  • Germany: Federal Data Protection Commission; Berlin Commissioner for Data Protection and Freedom of Information
  • Guernsey: Data Protection Office
  • Ireland: Office of the Data Protection Commissioner
  • Israel: The Israeli Law, Information and Technology Authority
  • Italy: Garante Per La Protezione Dei Dati Personali
  • Korea: Ministry of Public Administration and Security; Korea Internet Security Agency; Personal Information Protection Commission
  • Mexico: Federal Institute for Access to Information and Data Protection (IFAI)
  • Netherlands: Dutch Data Protection Authority
  • New Zealand: Office of the Privacy Commissioner
  • Norway: Data Protection Authority
  • Poland: Office of the Inspector General for the Protection of Personal Data (GIODO)
  • Slovenia: Information Commissioner
  • Spain: Agencia Española de Protección de Datos
  • Switzerland: Federal Data Protection and Information Commissioner
  • Ukraine: State Service of Ukraine on Personal Data Protection
  • United Kingdom: Information Commissioner’s Office
  • United States: Federal Trade Commission

Australian Privacy Act 1988 and iubenda https://www.iubenda.com/en/blog/australian-privacy-act-1988-compliance-iubenda/ Wed, 31 Jul 2013 11:38:43 +0000

Although the amendments to the Australian Privacy Act 1988 aren’t going to be effective until March of 2014, we are taking a quick look at what these changes will bring and what they mean for compliance going forward. One thing is clear: being compliant with the new Australian Privacy Principles (APPs) will be a little more complicated, and at the same time much more important than before.

Today, the Privacy Act 1988 regulates the handling of personal information. This includes the collection, use, storage and disclosure of personal information. The Privacy Act includes among others:

  • 11 Information Privacy Principles that apply to the handling of personal information by most Australian, ACT and Norfolk Island public sector agencies
  • ten National Privacy Principles that apply to the handling of personal information by large businesses, all health service providers and some small businesses and non-government organisations
  • credit reporting provisions that apply to the handling of credit reports and other credit worthiness information about individuals by credit reporting agencies, credit providers and some third parties.

From 12 March 2014 those principles will be replaced by a single set of Australian Privacy Principles (APPs) which will apply to both businesses and government agencies (here’s a summary of those Principles).

Let’s look at some of the significant changes the privacy act law reform brings for you.

Three things are of increased importance: there is a) additional information to be added to your privacy policy, b) an increased liability section for Australian companies when transferring personal information overseas as well as c) increased penalties and greater executive powers for the Australian information commissioner.

All businesses falling under the act, must post a privacy policy. Its contents are specified in Privacy Principle 1 of the act:

  • (a) the kinds of personal information that the entity collects and holds;
  • (b) how the entity collects and holds personal information;
  • (c) the purposes for which the entity collects, holds, uses and discloses personal information;
  • (d) how an individual may access personal information about the individual that is held by the entity and seek the correction of such information;
  • (e) how an individual may complain about a breach of the Australian Privacy Principles, or a registered APP code (if any) that binds the entity, and how the entity will deal with such a complaint;
  • (f) whether the entity is likely to disclose personal information to overseas recipients;
  • (g) if the entity is likely to disclose personal information to overseas recipients—the countries in which such recipients are likely to be located if it is practicable to specify those countries in the policy.

Subsection (e) is especially interesting. You now need to post how an individual may complain about a breach of the Australian Privacy Principles and how you will deal with such a complaint.

Importance of compliance with the Privacy Act 1988

The act brings a critical rise in liability for Australian companies: an Australian business can be held liable for a breach of the Australian Privacy Principles by an overseas recipient/data processor as if it were its own breach. As Peter Karcher puts it, “not only will this require businesses to scrutinise the consent provisions of their privacy policies, it also warrants careful consideration of contracts with out-sourced IT service providers and cloud computing services”.

Additionally there is an increased penalty for violations which should drive home the point for increased attention by companies.

What will be important for websites and privacy policies?

This being a new law, we can only guess what will be important for websites and how exactly their policies should be crafted. Luckily there’s a quote by Australian Privacy Commissioner Timothy Pilgrim, from a recent survey of Australian websites and their privacy policies, that may help us understand what may be important down the road:

Australian Privacy Commissioner, Timothy Pilgrim, said the results of the sweep were mixed with 83% of the sites having one or more issues in the following areas: ‘easy to find’, ‘easy to read’, ‘contacts for further information’, relevance and length.

‘It is a concern that nearly 50% of website privacy policies were difficult to read. On average, policies were over 2,600 words long. In my view, this is just too long for people to read through. Many policies were also complex, making it difficult for most people to understand what they are signing up to,’ Mr Pilgrim said.

‘We did see some instances where organisations provided both a simplified and full policy to assist their customers to understand what will happen to their personal information. This attempt to use ‘layered’ privacy policies is encouraging.’

The most interesting part is the layered approach that the Information Commissioner wants to see on websites. This is one thing we have implemented in our policies from the very start.

Who is covered by the new Privacy Act?

The Privacy Act covers

  • any business that:
    1. collects or discloses personal information for a benefit, service or advantage
    2. handles health information, or
    3. has an annual turnover of more than $3 million
  • credit providers and credit reporting agencies
  • most Australian, ACT and Norfolk Island Government agencies (Government agencies).

You are likely to be covered by the Privacy Act if you use personal information to sell advertising, including through an app. (info from OAIC regarding mobile apps)

The act applies only to companies that have a turnover of more than $3 million or that trade in personal information (e.g. sell personal information to third parties). Many website owners may therefore be exempt from the provisions of the Privacy Act.

iubenda and the Privacy Act 1988

Our mobile app generator has been mentioned in “A better practice guide for mobile app developers” and we’ll keep working on our solutions as new laws and challenges arise. Why don’t you take a look at what we are doing to help you craft a privacy policy for your site, Facebook app or mobile app? We’d be happy to help.

Privacy Policy Generator »

Further helpful resources for Australia

This post is meant to be a general update on the privacy developments in Australia. More information can be found on the site of the Australian Information Commissioner.

Launching our German Privacy Policy https://www.iubenda.com/en/blog/launching-our-german-privacy-policy/ Mon, 24 Jun 2013 15:41:07 +0000

Update: We have started to post articles in German on the blog, feel free to jump right in:

  • Wieso mobile Apps Datenschutzerklärungen brauchen (Why mobile apps need privacy policies)
  • Datenschutzerklärung für iOS Apps (Privacy policy for iOS apps)
  • Generator für Datenschutzerklärungen (Privacy policy generator)

Today we are launching our German privacy policy text to the public.

We’ve been testing it internally for a good while and are happy to release it for you to use.

The German version will be handy for everyone who wishes to add an additional German policy to their website or whose websites just target German speaking people in general (the so-called DACH region has 95 to 100 million people living inside).

Legal grounds

Update May 2018: in the meantime the legal source for privacy policies is the GDPR, and we have dedicated an entire landing page to it.

Privacy law in Europe has its legal framework in European privacy directives and state law. The Data Protection Directive and the ePrivacy Directive are the European minimum standards that have to be implemented into member state law.

In Germany these privacy laws can be found in the BDSG and – more specifically – in the online arena in the TMG (as well as in Federal State law).

Legally speaking almost anyone must post a privacy policy or “Datenschutzerklärung”. The trigger event for this requirement is the collection of personal data or “personenbezogene Daten”. Personal data constitutes anything that can be linked back to you, arguably also IP-addresses.

Austria: Privacy policy requirements are based on the TKG (Telekommunikationsgesetz) and the DSG (Datenschutzgesetz). Owners of commercial websites should therefore inform their users of the personal data collected, processed and shared, what the legal basis is, what the personal data is used for, as well as for how long the data is going to be stored (§ 96 TKG).

Switzerland: The collection of personal data is an act that is dealt with by the DSG (Datenschutzgesetz) in Switzerland. According to the Federal Data Protection and Information Commissioner the collection of personal data is to be made known via a “Datenschutzerklärung” or privacy policy. The users are to be informed, which data is collected and who it is shared with (stated in context of Google Analytics).

How Do I Make a German Privacy Policy?

Around the site you’ll find a couple of (green) buttons indicating that you can generate a new privacy policy. Clicking that you will find this blue button with a dropdown menu from which you may choose your language.


Choose your privacy policy language right there to start the generation in the correct language. In addition to English and Italian we now offer that German policy you’ve been waiting for for so long.

If you want to add another language to an existing site/policy read on below.

How Do I Add an Additional Privacy Policy to the Site?

If you already have an English or Italian policy running on the site, but you would like to add a second language, you may do so from the user dashboard.

When you’ve logged into your dashboard and have chosen the site you’d like to add a second policy to, you may do so in the sidebar on the right:


Along with the document preview you have the language management widget right there at your service.

We hope you will enjoy our localization efforts. If German is not the language you were waiting for, then stay tuned, because we have a whole bunch of regions on our roadmap.

Get a German Privacy Policy


Today we are launching our privacy policy text in German, accordingly as a “Datenschutzerklärung”.

After internal testing, the data protection texts are now, happily, finally available to iubenda users as well.

The German version is relevant to all iubenda users who either want to add a second language to their existing project (website, mobile app, Facebook app) or whose site has German as its main language.

The legal basis

Update May 2018: the legal basis for privacy policies is now found in the GDPR (DSGVO); further information is available on the iubenda site.

Germany: Data protection requirements for the web in Germany come mainly from the BDSG (and state legislation) and the more specific Telemediengesetz (TMG). These are, among other things, aligned with the European directives such as the Data Protection Directive and the newer ePrivacy Directive (which also affect Austria and, to a lesser extent, Switzerland).

Legally, it is necessary for practically everyone who operates a website (thanks to, or because of, the very broad interpretation of the definitions) to include a privacy policy on the website. This follows from the individual’s right to learn that their personal data is being collected and for what purpose (and then, in the individual case, also the possibility to object).

Personal data is also interpreted very broadly, and the capture of the IP address is likely covered as well. A good example is always the use of a service like Google Analytics, which triggers this disclosure requirement and already applies to many website operators.

Austria: Privacy policies are required under the Telekommunikationsgesetz (TKG) and the Datenschutzgesetz (DSG). Operators of commercial websites must inform users which personal data they collect, process and transmit, on what legal basis and for what purposes this is done, and for how long the data is stored. (§ 96 TKG)

Switzerland: The collection of personal data in Switzerland is governed by the Bundesgesetz über den Datenschutz (DSG). According to the Swiss data protection authority, users must be informed in a privacy policy which data is collected about them and with whom it is shared (in the context of analytics services such as Google Analytics).

How do I create a privacy policy?

On the site you will find a couple of (green) links (“generate privacy policy”). Following these, you will find a blue button with a dropdown menu in which the option “German” appears as a flag.

At this point the German text can be generated directly. German is thus the third language in which iubenda generates privacy policies.

If you want to add a German privacy policy to an existing privacy policy, proceed as follows:

How do I add a second privacy policy to an existing one?

If an English or Italian privacy policy already exists, a second (or third) language can be added to it in the logged-in area.

In the control centre/iubenda profile, first select the site with the privacy policy; the modifications can then be made in the right-hand half of the page:

On the right-hand side, alongside the text preview, you will also find the language settings.

We hope that iubenda in German brings as much joy as the 60,000 privacy policies already generated in other languages. If you have questions, we can be reached at any time via our forum or the email in the footer area. If German is not the only language you want, relief may soon come with French, Spanish and Portuguese!

Create a privacy policy

The post Launching our German Privacy Policy appeared first on Compliance Solutions for Websites, Apps and Organizations | iubenda.

Amazon App Privacy https://www.iubenda.com/en/blog/amazon-app-privacy/ Fri, 31 May 2013 15:05:42 +0000 https://www.iubenda.com/blog/?p=521 In October of 2012 California’s Attorney General, Kamala D. Harris stated they would start enforcing the California Online Privacy Protection Act to mobile applications. The OPPA requires that “an operator of a commercial web site or online service that collects personally identifiable information through the Internet about individual consumers residing in California who use or […]

In October 2012 California’s Attorney General, Kamala D. Harris, stated that they would start enforcing the California Online Privacy Protection Act against mobile applications. The OPPA requires that “an operator of a commercial web site or online service that collects personally identifiable information through the Internet about individual consumers residing in California who use or visit its commercial web site or online service shall conspicuously post its privacy policy”. For us developers and app designers, this means we had better start including privacy policies in our creations, or we run the risk of being fined rather unhealthy sums. Since the California AG and the Department of Justice, along with six tech giants (Amazon, Apple, Google, Hewlett-Packard, Microsoft and Research in Motion, which together make up over 95 percent of the market), have agreed to rework the way privacy policies are displayed in app stores, the tone against apps without privacy policies has stiffened, and these companies are actively reaching out to fix that situation.

Amazon App Store for Android: privacy policy required (if you collect PII, personally identifiable information)

If you are an Amazon App Store for Android developer you have likely received an email asking you to take steps according to their outline:

Dear Mobile App Developer, Customer privacy is important to us, and we know it is important to many of you too. That’s why we want to make sure you know how to include links to your privacy policy on product detail pages for your apps. We require all apps that collect personally identifiable information or personal information to provide a link to their privacy policy, so if you haven’t already done so, please take a moment to submit the privacy policy link for each of your apps today. It’s quick and simple to do. Please follow these steps to update the product detail page for your app with a link to your privacy policy (…)

This is what the guide “Publishing Android Apps to the Amazon Appstore” says: 

Privacy policy URL (optional): If your app includes account creation or otherwise collects personal information from users, you must enter a URL for your app’s privacy policy.

Amazon app privacy stance: this means you are now required to provide a privacy policy for your app on the Amazon app store. For your convenience I will repeat the steps to take here:

  • Sign into the Amazon Mobile App Distribution Portal with your developer account
  • Go to the My Apps page then click on your app name
  • Click on Edit in the bottom right corner of the page
  • Add a link to your privacy policy in the Privacy Policy URL field, then click Save

What do I have to include in the app’s privacy policy?

Here’s where we come in. Here’s a report by the California Department of Justice with actionable data and best practices for you to follow. It’s a great starting point for crafting a privacy policy for the Android/Amazon store. However, if you are looking for a solution that creates your privacy policy with just a few clicks, very conveniently for you: look no further. Soon with mobile support.

Generate Amazon App Privacy Policy
