Last week, the U.S. Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (“CISA”) released a set of cyber readiness recommendations for small businesses. The recommendations, which CISA developed in collaboration with small businesses and state and local governments, are intended to assist smaller organizations in implementing organizational cybersecurity practices. While not binding requirements, the recommendations may inform what CISA and U.S. regulators view as “reasonable” cybersecurity practices.
The Spanish Supervisory Authority issues guidance on the use of cookies
On November 8, 2019, the Spanish Supervisory Authority (“SA”) issued detailed guidance on cookies and similar technologies in collaboration with stakeholders in the ad industry, including Adigital, Anunciantes, AUTOCONTROL and IAB Spain. The guidance is divided in 4 chapters:
- Chapter 1: scope of the Spanish cookie rules (Art. 22 of Law 34/2002);
- Chapter 2: terminology and definitions (g., types of cookies and terminal equipment);
- Chapter 3: obligations (in particular transparency and consent); and
- Chapter 4: responsibility of the relevant parties (g., website owners and advertisers).
The guidance also contains an annex that lists the entities generally involved in targeted advertising and explains their respective roles.
The guidance starts by acknowledging that online advertising is an important source of revenue and employment for many. However, it also highlights that the use of cookies and similar technologies may have an important impact on the privacy of users. It is therefore important to maintain the trust of users in these technologies.
The guidelines do not aim to provide a uniform solution on how to comply with the Spanish rules on cookies. Instead, companies are invited to adapt their compliance measures to their specific interests and businesses models.
Below, we provide a brief summary of each section:
Chapter 1 (scope of the Spanish cookie rules)
This chapter lists the types of cookies that are excluded from the Spanish cookie rules. These include cookies used for purposes of authentication (during the session), online shopping carts, online contact forms, cookies to personalize the user’s interface and, plug-ins used to share content on social media (but only for users who have signed up for a relevant social media account). While the SA recommends informing users in a generic manner of the use of such cookies, the SA acknowledges that this is not strictly required. This also applies if these cookies are dropped by third parties.
The guidance states that the Spanish cookie rules do apply to digital fingerprinting. The SA issued guidance on digital fingerprinting earlier this year.
Chapter 2 (terminology and definitions)
This chapter explains a number of concepts and differentiates, for example, between first party and third party cookies, as well as session cookies and persistent cookies. It classifies cookies according to their purpose in the following 4 types: (1) technical cookies, (2) preference cookies (cookies de preferencias o personalización), (3) analytics cookies (cookies de análise o medición); and (4) behavioral advertising cookies.
Chapter 3 (obligations)
This chapter is divided in two sections: transparency obligations and obtaining consent.
On transparency, it sets out what information users should receive about cookies. This includes: (1) a generic definition of cookies: (2) information about the types of cookies used; (3) the identity of cookie users (e.g., the website owner and/or third parties); (4) information about how to accept, reject, or revoke consent or delete cookies; (5) information about the use of profiles to make automated decisions, if applicable; (6) the retention period and (7) information on where users can find other information required under Art. 13 GDPR.
This chapter also explains how this information should be provided and gives examples. According to the guidance, the information must be adapted to the expected knowledge of an average user of the particular website. The information should be easily accessible (maximum two clicks away) and clearly visible. The guidance recommends disclosing the information in a dedicated cookie policy, rather than a privacy policy, and to provide the information together with the cookie management tool.
In relation to consent, the guidance indicates that consent must be provided through an affirmative action, but that in certain circumstances the continued use of the website can qualify as consent. This is the case, for example, if users are clearly informed about this through a notice that is “clearly visible” (in light of its form, color, size and placing), users are given the possibility to configure their choices through a cookie management tool, and the user’s action qualifies as an affirmative action (e.g., clicking on any section of the website other than the link to the cookie policy or privacy policy). Consent can only be obtained through the browser settings if the browser is able to separately collect consent for each type of cookie and identifies the controllers.
According to the guidance, it is good practice to renew consent at least every 24 months.
In case of minors, the guidance recommends not to use targeted advertising on websites directed at minors, including minors between 14 and 18 for whom parental consent is not required under Spanish law.
Chapter 4 (the responsibility of the parties)
If a website uses third-party cookies, both the website owner and the third party are responsible for clearing informing users and obtaining their consent. The website owner may provide information about the third-party cookies by linking to the third party’s websites. However, the website owner must ensure that the link works. The website owner and the third party should also contractually agree on how to comply with their transparency and consent obligations.
According to the guidance, “each controller is responsible for the concrete processing they conduct. Where different controllers are in charge of the processing, each has its own responsibility”. Only where the controllers jointly determine the purposes and means of the processing will they be considered joint controllers under Art. 26 GDPR. However, even as joint controllers, their responsibility will not be the same, but will depend on the impact their actions/omissions have on the data processing.
EU adopts New Deal for Consumers
On November 8, 2019, the European Union adopted the “Directive Modernizing Consumer Law”. This directive is part of the so-called “New Deal for Consumer” (see here), a package of legislative reforms designed to revise existing EU consumer laws. The main objective of these reforms is to adapt EU consumer protection legislation to the realities of the digital era, as well as to foster transparency and ensure effective enforcement of consumer protection laws.
The directive amends the following existing EU consumer laws:
- Directive on Consumer Rights
- Directive on Unfair Commercial Practices
- Directive on Unfair Contract Terms
- Directive on Price Indication
EU Member States have 2 years to transpose the changes into their national laws. Below we highlight some key updates introduced by the new directive:
- Free services: The Directive on Consumer Rights now explicitly applies to digital content and digital services that are provided free of charge but in exchange for personal data, except where such personal data is only used to supply the digital content or service, or to comply with the law. In this regard, EU lawmakers appear to support the notion that personal data can be used as consideration for a service.
- Functionality, compatibility and interoperability of digital services and content: Traders must provide information on the functionality, compatibility and interoperability of digital content and digital services, including applicable technical protection measures in place.
- Mandatory contact information: Traders must provide their physical address, telephone number and email address. On an optional basis, traders may also provide a contact form on a website, provided it allows the consumer to save the communication.
- Personalized pricing: Traders must inform users when a price is personalized on the basis of automated decision-making.
- User content after withdrawal: If the consumer withdraws from an agreement, the trader is prohibited from using any content (other than personal data) which was provided or created by the consumer when using the digital content or digital service, subject to a few limited exceptions. In addition, in certain circumstances the trader must provide users with access to their content after their withdrawal from the agreement, as well as assist them with porting that content.
- Dual quality of branded food products: Traders are prohibited from marketing non-identical products as identical in different Member States, unless justified by legitimate and objective factors. This only applies to products, not services.
- Rankings explained: Traders who allow users to search for products or services must explain on what basis the search results are ranked. They must also clearly disclose any paid advertising or (direct or indirect) payment to receive a higher ranking. This information must be clearly accessible from the page on which the search results are shown.
- Trustworthy reviews: Traders must inform users on their website or application about how they ensure that reviews posted by consumers are authentic reviews from actual consumers who have used or bought the respective product or service. Traders are prohibited from stating that reviews of a product or service have been submitted by a customer who used or bought the product or service without taking reasonable and proportionate steps to check the accuracy of that statement. Traders are also prohibited from asking a party to submit false reviews or endorsements, or to misrepresent reviews or social endorsements in order to promote products or services.
- Re-selling tickets: Traders are prohibited from reselling tickets if they acquired the tickets by automated means aimed at circumventing measures to restrict the purchase of tickets.
- Price reductions: When announcing a price reduction for a product, traders must indicate the product’s price prior to the reduction. The lower price must be the lowest price for that product during a period of time not shorter than 30 days prior to the reduction (unless Member State laws set out a shorter time period). This only applies to products, not services.
- Trader/not trader: Online marketplaces must indicate whether the person offering a product or service on the marketplace is a trader or not (on the basis of the declaration of that person).
- Applicability of consumer law: Online marketplaces must inform consumers that when the provider of the products, services or digital content offered on the marketplace is not a trader, EU consumer laws do not apply to the agreement between the consumer and the provider. This information should be easily accessible and not merely included in the terms and conditions.
The New Deal for Consumer also includes a proposal for a directive on representative actions for the protection of the collective interests of consumers (“Directive on Representative Actions”) (latest draft here). The adoption of this directive is still pending.
Earlier this year, the EU approved two other directives on consumer rights:
- Directive on certain aspects concerning contracts for the supply of digital content and digital services
- Directive on contracts for the sale of goods
These directives amend the pre-existing rules on conformity of goods and expand these rules to digital content and digital services.
State Privacy Laws Have the Potential to Haunt Industry
With less than two months until it goes into effect, many practitioners are focused on bringing their programs into compliance with the California Consumer Protection Act (“CCPA”) by January 1, 2020. But the rapid pace of privacy legal developments could continue next year. This past year, five states established studies or task forces to study privacy laws and report back to the legislature before their next session begins. Bills in Washington and Illinois passed one legislative chamber before failing, and their proponents have promised a renewed effort in 2020.
This is the first of a series of blog posts on what states other than California were considering to help you anticipate and prepare for 2020. In total, at least eighteen states considered comprehensive privacy bills this year. This initial blog post — on the heels of Halloween last week — focuses on some of those that are the scariest: bills in New York, Massachusetts, and Maryland. Continue Reading
Real Estate Company Fined € 14.5 Million in Germany for Violating GDPR Principle of Privacy By Design
On October 30, 2019, the supervisory authority (“SA”) of Berlin issued a € 14.5 million fine against the real estate company Deutsche Wohnen SE for storing personal data of tenants without a legal basis (Art. 6 GDPR) and for not implementing the GDPR principle of privacy by design (Art. 5 and 25(1) GDPR) (press release here in German). It is the highest GDPR fine imposed so far in Germany.
Deutsche Wohnen SE owns 100,000 rental apartments in Berlin. In 2017, the SA started an investigation against the company after receiving a complaint by one of the company’s tenants. An inspection of the company’s data archiving systems in June 2017 revealed that these systems did now allow the company to delete obsolete personal data. Moreover, the SA found that Deutsche Wohnen stored tenants’ personal data “without checking if this was legal or even necessary”. According to the SA, the company was also retaining data relating to the tenants’ personal life and creditworthiness considerably longer than necessary to fulfil the purpose for which the data was initially collected. The SA newly inspected the company in March 2019. Following the SA’s second inspection, the SA decided that the company had not done enough to overcome the deficiencies identified during the SA’s first inspection.
The SA used Germany’s new calculation model for data protection to determine the amount of the fine. The SA classified Deutsche Wohnen’s offences as moderately severe. The SA took into account the following four factors: (i) that the systems did not contain special categories of data, (ii) that the data had not been transferred to any third parties, (iii) that it could not be proven that the company had used the unlawfully stored personal data, and (iv) that Deutsche Wohnen had been cooperative during the investigation.
Deutsche Wohnen publicly announced its intention to appeal the decision.
Spanish Supervisory Authority and EDPS Release Guidance on Hashing for Data Pseudonymization and Anonymization Purposes
On November 4, 2019, the Spanish Supervisory Authority (“AEPD”), in collaboration with the European Data Protection Supervisor, published guidance on the use of hashing techniques for pseudonymization and anonymization purposes. In particular, the guidance analyses what factors increase the probability of re-identifying hashed messages.
The AEPD explains that the probability of re-identification increases if more information is available on the hash values used (e.g., that they were created on the basis of Spanish phone numbers of a certain operator). The guidance provides examples of how controllers can make the re-identification of hashed messages more difficult. These examples include encrypting the message (prior to hashing), encrypting the hash value, or adding “salt” or “noise” (i.e., a random number) to the original message.
According to the AEPD, the use of hashing techniques for pseudonymization and anonymization purposes requires companies to analyze the risk of re-identification, taking into account the hashing technique used. The risk analysis must assess the hashing process and all the other related elements, such as the information that the controller retains about the hash value after the hashing (e.g., that the hash values consist of Spanish phone numbers). The analysis should lead to an objective evaluation of the probability of re-identification of the hashed message over time.
The guidance also lists a number of “basic” considerations when using hashing for anonymization or pseudonymization purposes, such as ensuring secure access to the hashing process and periodically auditing the management processes of the hashing system.
Finally, according to the guidance, in order for a hashing technique to be considered an anonymization technique, the risk analysis must—in addition to the above considerations—assess two factors:
- whether information which permits the re-identification of the hashed message has been deleted; and
- whether the applied hashing technique will remain sufficiently robust over time.
Note that earlier this year the AEPD also released guidance on applying K-anonymization to data sets.
AI/IoT Update: UK’s Information Commissioner Issues Opinion on Use of Live Facial Recognition Technology by Police Forces
On October 31, 2019, Elizabeth Denham, the UK’s Information Commissioner issued an Opinion and an accompanying blog urging police forces to slow down adoption of live facial recognition technology and take steps to justify its use. The Commissioner calls on the UK government to introduce a statutory binding code of practice on the use of biometric technology such as live facial recognition technology. The Commissioner also announced that the ICO is separately investigating the use of facial recognition by private sector organizations, and will be reporting on those findings in due course.
The Opinion follows the ICO’s investigation into the use of live facial recognition technology in trials conducted by the Metropolitan Police Service (MPS) and South Wales Police (SWP). The ICO’s investigation was triggered by the recent UK High Court decision in R (Bridges) v The Chief Constable of South Wales (see our previous blog post here), where the court held that the use of facial recognition technology by the South Wales Police Force (“SWP”) was lawful.
The ICO had intervened in the case. In the Opinion, the Commissioner notes that, in some areas, the High Court did not agree with the Commissioner’s submissions. The Opinion states that the Commissioner respects and acknowledges the decision of the High Court, but does not consider that the decision should be seen as a blanket authorization to use live facial recognition in all circumstances.
China Enacts Encryption Law
On October 26, 2019, China enacted a landmark Encryption Law, which will take effect on January 1, 2020. The Encryption Law significantly reshapes the regulatory landscape for commercial encryption, including foreign-made commercial encryption products, but leaves many questions to be answered in future implementing regulations. In this blog post, we provide a few highlights of the new Encryption Law as enacted. Continue Reading
IAPP: ‘Sale’ Under CCPA May Not Be as Scary as You Think
As the effective date of the California Consumer Privacy Act looms closer, companies are grappling with the significance of the law and its definitions. One defined term in particular, “sale,” has sparked heated debate between industry and consumer advocates, and even within the legal profession. While much has been said about this term, more needs to be said. Specifically, a review of the relevant legislative history and case law suggests that “sale” should mean the disclosure of data as part of a bargained-for exchange for money or similarly valuable consideration. For the full article published by the IAPP on this subject, click here.
IoT Update: NIST Seeks Public Comment on Security Review of Smart Home IoT Devices
Earlier this month the U.S. Department of Commerce’s National Institute of Standards and Technology (NIST) released its Draft NISTIR 8267, Security Review of Consumer Home Internet of Things (IoT) Products, for public comment. NIST will accept public comments on the report through November 1, 2019. Continue Reading
