New York Attorney General Announces Settlements Over Data Collection Practices

On February 9, the New York Attorney General’s (NYAG’s) office announced two settlements with mobile app developers who allegedly omitted information about their data collection practices in their privacy policies. While the investigation revealed that neither developer misused their customers’ personal information or improperly disclosed such information to third parties, the NYAG’s office determined that both companies failed to properly disclose the fact that they had collected the information as required by law. Both companies have agreed to add privacy policies to their apps.


European Commission Publishes Draft ePrivacy Regulation

The European Commission announced the release of its Proposal for a Regulation of the European Parliament and of the Council on Privacy and Electronic Communications (Proposed Regulation), which is set to repeal Directive 2002/58/EC (ePrivacy Directive). The Proposed Regulation, as discussed previously on InfoBytes, is intended to update the current rules to keep up with technical developments and to adapt them to the General Data Protection Regulation (GDPR).

Among other things, the Proposed Regulation will expand the scope of the ePrivacy rules to include internet-based voice and internet-messaging services, and to cover the content of communications, including metadata such as the time and location of a call. Furthermore, with regard to cookies, the Proposed Regulation does not require the consent of the user for non-privacy-intrusive cookies, which either improve internet experience or measure the number of visitors to a specific website. The Proposed Regulation also includes an opt-in requirement for telemarketing calls, unless national laws provide the recipient with a right to object. The Proposed Regulation also contains language extending the remedies currently provided under the GDPR.

Once passed, the Proposed Regulation would become effective on May 25, 2018. Other related documents and information may be accessed through the following links:

  1. Proposal for a Regulation of the European Parliament and of the Council
  2. Ex-post REFIT evaluation of the ePrivacy Directive 2002/58/EC
  3. Executive summary of the ex-post REFIT evaluation
  4. Impact Assessment – part 1
  5. Impact Assessment – part 2
  6. Impact Assessment – part 3
  7. Summary of the Impact Assessment

FTC Hosts Its Second Annual “PrivacyCon” Event

On January 12, the FTC hosted its second annual “PrivacyCon,” a public forum promoted by the regulator in order to “expand collaboration among leaders from academia, research, consumer advocacy, and industry on the privacy and security implications of emerging technologies.” Throughout the day, speaker panels presented research and opened the floor to discussions addressing five major topic areas: (i) the Internet of Things (IoT) and big data; (ii) mobile privacy; (iii) consumer privacy expectations; (iv) online behavioral advertising; and (v) information security. Among other things, panelists discussed the possibility of using machine learning to automatically block or permit user tracking and information collection by applications and websites based on the user’s past practices. Many panelists also examined data “leakage” from devices and the possible privacy and security issues that are raised by such leakage.

A full version of the agenda, including links to abstracts of the research being presented, as well as a video recording of the event, is available online. Additional research not presented but submitted without a request for confidential treatment is also available here.


EU Releases First Guidance on New Privacy Regulation

On December 16, the European Union’s (EU) data protection regulator, the Article 29 Working Party (WP29), released its first official guidance on the General Data Protection Regulation (GDPR), the EU’s new privacy regime. Composed of three sets of guidelines and FAQs, the guidance covers a range of issues, including the qualification, appointment, and personal liability of data protection officers (DPOs). Links to the six guidance documents follow:

The WP29 also announced that it is accepting additional comments on this guidance through the end of January 2017, and that it will release guidelines on Data Protection Impact Assessments and Certifications in 2017. The GDPR is set to take effect in May 2018.


FCC Adopts Privacy Rules for Broadband Providers

On October 27, the FCC adopted privacy rules regulating consumers’ use of broadband internet services. As previously covered in InfoBytes, the FCC issued revised proposed privacy rules for broadband internet service providers (ISPs) in early October to provide consumers with “increased choice, transparency and security online.” Like the proposed rules, the adopted rules (i) require ISPs to obtain confirmative consent to use and share sensitive information; and (ii) permit ISPs to share non-sensitive information unless a customer opts out.

Because the scope of the rules is limited to broadband service providers and other telecommunication carriers, the FTC maintains its authority over the privacy practices of websites and other “edge services.” In support of the newly adopted FCC rules, FTC Chairwoman commented that “[t]he rules will provide robust privacy protections, including protecting sensitive information such as consumers’ social security numbers, precise geolocation data, and content of communications, and requiring reasonable data security practices.”