We saw a few developments on the privacy and security front these past few weeks, so rather than our usual approach of focusing on one issue, this post will highlight a few noteworthy stories.

Cookies

France’s data protection regulator (CNIL) slapped Google and Amazon with fines for dropping tracking cookies without users’ prior consent, as required under the ePrivacy Directive incorporated into France’s Data Protection Act. Google was fined €100 million while Amazon received a €35 million fine – both in connection with their French (.fr) domains. In investigating the websites, the CNIL found that in both instances, tracking cookies were automatically dropped when a user visited the domains in violation of the Data Protection Act. As a high-level reminder, EU law mandates that non-essential cookies not be dropped by a website operator until and unless a user consents to those cookies – meaning that having a banner merely informing visitors that they “agree to the use of cookies” is in violation of the law. Such was the case with Amazon’s banner, despite its use of tracking cookies (i.e., non-essential) cookies. Moreover, transparency is required as to the use of cookies, and in both cases, the CNIL found violations as to transparency (or lack thereof) in addition to improper consent mechanisms and implementation. Finally, with respect to Google, the CNIL also found that even when a user deactivated all personalized advertising, one remained in violation of the law, highlighting the often overlooked importance of ensuring that language (and choice) are aligned with technical implementation.
Continue Reading Cookies, Opt-Out Choices, IoT Security: Recent Developments in Data Protection

At the Worldwide Developers Conference on June 23, Apple announced an assortment of new privacy features – some quite significant for developers – that will be included as part of iOS 14. Some of the new privacy features include added protections against user tracking on apps and websites, as well as transparency measures to prevent apps from using cameras or microphones without a user’s knowledge. How location data is collected will also be impacted: iOS already enables users to block specific apps from collecting data about their location, but now users will be able to share approximate location data.

One very significant change is that app developers will now be required to disclose the types of data that their app collects, and importantly, call out specific information that could be used to track users across platforms. Inspired by nutrition labels that are typically affixed to food products, these new disclosure mandates from Apple will require developers to complete a specific form (showcased at the Worldwide Developers Conference). When users search for an app, the summary of collected data will appear alongside other information about the app.
Continue Reading Apple’s iOS 14 Transformative Privacy Announcements