HFN AdTech and Technology Compliance Client Update
|
| |
|
Dear Clients and Friends,
In this HFN AdTech and Technology Compliance Client Update, you can read about:
- The recent measures taken by Google against deceptive ads, interstitial app install ads and ad injectors;
- FCC's enforcement actions concerning telecommunications carriers’ privacy obligations;
- The new Online Trust Alliance proposed principles for Internet of Things compliance;
- The FCC Declaratory Ruling and Order regarding unwanted calls and texts;
and a few other industry, compliance and regulatory developments in the fields of digital advertising, technology compliance and information privacy regulations.
Kind regards,
Ariel Yosefi, Partner
The AdTech and Technology Compliance Team
Herzog Fox & Neeman
__________________________________________________________
|
| |
|
Industry Compliance Developments
Google to “punish” sites for using interstitial adverts
Starting 1 November 2015, Google will begin to downgrade search results for websites that show an interstitial advert for their mobile app, as part of its ongoing effort to promote “mobile-friendly” sites on its web search.
By cracking down on interstitials adverts (i.e., ads that take up the entire screen to suggest that users should download a site’s app instead of browsing the site), Google hopes that it can make searching easier for smartphones and tablets.
The new policy, which was announced in Google’s blog post, means that websites that show mobile users a whole-page advert for an app before they can use the site itself, will be “penalized” in their search ranking and will “no longer be considered mobile-friendly” and consequently, are likely to be moved further down Google’s search results, making people less likely to click on them.
Google will not punish sites that use an app install banner across the top of the page and as such, these sites will continue to be classed as mobile-friendly under the new rules. Google explained that “as an alternative to app install interstitials, browsers provide ways to promote an app that are more user-friendly. App install banners are supported by Safari (as Smart Banners) and Chrome (as Native App Install Banners). Banners provide a consistent user interface for promoting an app and provide the user with the ability to control their browsing experience”.
Further steps taken by Google against ad injectors
In addition to previous measures implemented by Google to fight against unwanted ad injections, the company has announced a new automated filter, which has been added to DoubleClick Bid Manager, that removes impressions generated by ad injectors before any bid is made.
According to Google, “advertisers often don’t know their ads are being injected, which means they don’t have any idea where their ads are running” and consequently, publishers’ websites where ads are being injected, will not be compensated for these ads.
Although the result of Google’s action is a blacklisting of 1.4% of the ad inventory managed through the company’s DoubleClick Bid Manager, the company found that the percentage of injected ads varied wildly across different ad exchanges, with one having over 15% of its ads blocked by Google’s new filter.
Google disables inline installation for extensions linked to deceptive sites and ads
Following several previous updates on the changes presented and enforced by Google with respect to deceptive tactics in Chrome extensions, Google has recently announced that as part of its ongoing effort to protect Chrome users, it will disable inline installation for extensions linked to what Google considers as deceptive sites and ads, which trick users into installing unwanted extensions. Google began to enforce this new policy on 11 September 2015.
Disabling inline installation results in the redirection to the extension’s product details page in the Chrome Web Store, thereby allowing the user to make an informed decision about whether or not to install. As noted above, this change will only apply to extensions which employ deceptive tactics (e.g., an ad that appears to be a software update, but instead links to an inline installation for a Chrome extension).
Google indicated that less than 0.2% of all extensions will be affected by this change.
This development illustrates Google's ongoing effort to maintain a user informed based extension ecosystem.
Notable Legal and Regulatory Actions
$3.5 million fine on mobile carriers for privacy violations
The Federal Communications Commission (“FCC”) has recently taken action against two telecommunications carriers - TerraCom, and YourTel America - by which the telecommunications carriers agreed to pay a $3.5 million civil penalty and adhere to a three-year compliance program in order to settle allegations that the carriers violated the Federal Communications Act by failing to adequately protect consumer data.
According to the allegations, data collected by TerraCom and YourTel from approximately 305,000 customers (included Social Security numbers, names, addresses, and driver’s license numbers) was stored in clear, readable text on servers that were accessible over the Internet, and were not password protected or encrypted.
This enforcement action illustrates the FCC's approach to broaden the enforcement of privacy and telecommunications carriers’ data security obligations. This enforcement action may also have implications on broadband Internet service providers, who recently became subject to the Federal Communications Act following their reclassification by the FCC as "telecommunications carriers".
German DPA imposes fine for unlawful acquisition of personal data in asset deal
The Data Protection Authority of Bavaria (“BDPA”) has imposed a significant fine on both the seller and the purchaser of a company, which unlawfully transferred customer e-mail addresses of online shop customers as a part of their asset transaction.
According to the BDPA, businesses that acquire customer email addresses and phone numbers and which plan to use the information for advertising purposes must obtain the express consent of customers to do so. Failure to obtain this consent is a breach of both German data protection laws and laws against unfair competition.
The BDPA has stated that it will act similarly in future cases and will not hesitate to fine companies that sell customer data in a non-compliant manner during asset deals.
Google granted permission to appeal the UK Safari Cookie’s collection case
The UK Supreme Court announced its decision to grant permission in part in order for Google to appeal the England and Wales Court of Appeal’s decision in Google Inc. v Vidal-Hall and Others.
As we previously reported, the Court of Appeal ruled back in March 2015 that Google violated the UK Data Protection Act, as it deliberately bypassed security settings in the Apple's Safari browser, in a manner that allowed it to place tracking cookies on users' devices in order to track the users' online browsing activity and target them with personalized advertisements. Google's tracking cookies gathered information on Safari browser users for nine months in between 2011 and 2012, without the users' knowledge or consent. The information stored on the cookies encompassed information of sensitive nature, including browsing habits, ethnicity, sexual interests, religious and political beliefs, and financial data. The Court of Appeal dismissed Google's appeal that the Safari users had not suffered any financial harm, and held them accountable for breach of the users' privacy rights.
The Court of Appeal also held that the claimants could recover damages from Google without the need to demonstrate financial harm. This ruling could potentially open the door to further litigation against Google since it encourages UK Safari users to bring legal actions against Google over its alleged privacy violations, even if they cannot prove any financial harm has occurred. However, in the recent decision, the UK Supreme Court has granted Google permission to appeal this part of the ruling.
Standards and Best Practice Guidance
New draft compliance framework for Internet of Things
Recently, the Online Trust Alliance released a draft framework introducing guidelines for best practices for developers and manufacturers of "Internet of Things" (IoT) products.
The draft guidelines unveiled core principles with respect to privacy requirements and security standards. Among these requirements, developers and manufacturers are required to:
- Add a privacy policy that will be readily available prior to the purchase, download or activation of an IoT product;
- Disclose any personally identifiable data that is being collected;
- Disclose the duration of any data retention;
- Provide the consumer with control or documentation in order to manage the privacy and security preferences;
- Place mechanisms for consumers to contact them regarding any product issues;
and more.
This draft demonstrates the mounting concerns and the collective impact of IoT products (e.g., connected home devices, wearable fitness and health products, etc.) on users' privacy expectations, as well as the evolving regulatory requirements in this field.
Regulatory and Legislative Developments
FCC Strengthens Consumer Protections Against Unwanted Calls and Texts
On July 10, 2015, the Federal Communications Commission (FCC) issued its Declaratory Ruling and Order (“the Ruling”) addressing 21 petitions filed with the agency by various companies and trade associations seeking relief or clarification regarding the Telephone Consumer Protection Act of 1991 (“TCPA”).
The Ruling, which became effective immediately, redefines what equipment falls within the definition of “autodialer”, specifies liability for calls to reassigned telephone numbers, provides consumers with a right to revoke consent by any reasonable means, and establishes new exceptions for financial and healthcare related calls, among other changes.
Highlights of the new ruling include:
- Broad definition of an “automatic telephone dialing system” (“autodialer”): The Ruling expands the scope of this term and thus potentially subjects many additional types of dialing equipment and platforms to a case-by-case determination of their inclusion within the reach of the TCPA. Key issues in determining whether a system is an autodialer under the Ruling, will be its potential functionality and how easily it could be made to function as an autodialer.
- Consumers will be granted the broad ability to revoke their consent, creating a substantial new burden on businesses to track and record consent. Prior to this proposal, there was a split among courts over whether a consumer could revoke consent orally or if the revocation had to be in writing. By interpreting the TCPA to hold that a consumer can revoke consent “in any reasonable way at any time,” there is now a wide variety of ways that a consumer can now attempt to revoke a previously given consent.
- The FCC decision reaffirms that robocalls (phone calls that use a computerized auto-dialer to deliver a pre-recorded message) and text messages to cellphones are not allowed without the customer's consent. The FCC allows text messages without prior consent in cases of data breach notifications, suspected fraud, or emergency messages from health care providers, as long as the customer is able to opt-out of these text alerts in the future.
- A person whose name is in the contacts list of an acquaintance’s phone does not consent to receive robocalls from third-party applications downloaded by the acquaintance.
- The FCC has given the phone companies a regulatory approval to technologically block robocalls - as well as unwanted spam text messages.
- If a phone number has been reassigned, companies must stop calling this number after one call.
- The FCC reaffirmed that consumers are entitled to the same consent-based protections for texts as they are for voice calls to wireless numbers.
|
| |
|
Subscribe
Sign up to receive
HFN's client updates,
newsletters and events
Click Here
|
|
|
|
|
|
|
|
|
|
