Norton Rose Fulbright | Data Protection Report
More than a news source, the Data Protection Report provides thought leadership on emerging privacy, data protection, and cybersecurity issues, and helps its readers proactively address risks and anticipate the next steps in this crucial emerging field. A blog by Norton Rose Fulbright, a global law firm.
1w ago
Apple recently announced that beginning in spring 2024, developers of certain SDKs and apps that use those SDKs will be required to include a “Privacy Manifest,” which lists all tracking domains used in the relevant SDK or app. To determine whether this is relevant to your company, a list of SDKs that require a Privacy Manifest can be found here. Privacy Manifests are required in order to either:
Submit a new app to the App Store that includes a listed SDK or
Submit an app update to the App Store that adds one of the listed SDKs.
If users have opted out through the App Tracking Transparency ...
3w ago
On 11 March the Council of the EU confirmed the provisional agreement reached on the Platform Workers Directive (the Directive). The Directive aims to improve the working conditions of those who work on platforms in the gig economy and will also regulate the use of algorithms by digital labour platforms.
Employment protection
The EU suggests that there are more than 28 million people working on digital labour platforms in the EU, sometimes known as “gig economy” workers. One of the key issues regarding these individuals is correctly determining their employment status in orde ...
1M ago
Dealing with cert pinning and root detection
The privacy area has been white-hot lately, including litigation and investigations involving VPPA; Wiretap/Pen Register/Trap and Trace; and Opt Out Compliance. Furthermore, with the HHS updates on tracking in the HIPAA context, and the new state privacy laws (such as the My Health My Data Act), we can also expect a ramped-up focus on healthcare, fitness, pharma, nutrition, and medical devices. If a company wants to beat the plaintiffs’ lawyers and regulators to the punch, it is critical that the company conduct periodic network traffic analysi ...
1M ago
On 1 March 2024, Singapore’s Personal Data Protection Commission (PDPC) issued the Advisory Guidelines on the Use of Personal Data in AI Recommendation and Decision Systems (AI Advisory Guidelines). These AI Advisory Guidelines followed a public consultation which concluded in August 2023. Our blog post on the public consultation for the draft AI Advisory Guidelines can be accessed here.
Summary of the Advisory Guidelines
At the outset, it should be noted that the AI Advisory Guidelines are focused on the use of personal data in AI recommendation and decision systems (AI Systems). It does not ...
1M ago
On March 18, 2024, the U.S. Department of Health and Human Services (HHS) issued an updated, 17-page Bulletin titled “Use of Online Tracking Technologies by HIPAA Covered Entities and Business Associates” (the “Bulletin”). Our readers may recall that HHS had originally issued the Bulletin in December of 2002, which we summarized here. HHS’ changes are generally clarifications and additional examples. This post will focus on the changes to the original guidance.
The original and updated guidance applies to all third-party tracking technologies, even those that are deployed to impr ...
1M ago
On 7 March 2024, the European Court of Justice (the ECJ) published an important decision in relation to IAB Europe’s Transparency and Consent Framework (the TCF).
The judgment of the ECJ is unsurprising given previous case law on the definitions of “personal data” and “controller” under the GDPR and the ECJ’s emphasis that the overarching objective of the GDPR is to “[ensure] a high level of protection of the fundamental rights and freedoms of natural persons”.
Background
The TCF is a consent framework relied upon by many organisations that participate in the online advertising ecosystem looki ...
1M ago
Earlier this week the ICO launched a call for views on the “pay or okay” business model. By way of recap, this model gives users of online services the choice to either consent to personalised advertising using their data or to pay a fee to access an ad-free version of the service. In its blog post launching the call for views, the ICO also provided an update on its wider cookie compliance work.
Key takeaways from the blog:
In its emerging thinking on the “pay or okay” model, the ICO notes that data protection law does not prohibit the model in principle, which many organisations will find re ...
1M ago
Approximately at the same time as the Executive Order that we described in Part 1 was issued, the Attorney General (AG) unofficially released 90 pages of Advanced Notice of Proposed Rulemaking (ANPRM), which will become official once published in the Federal Register. The AG has proposed several regulations, and has solicited public comments on over 100 questions. The public can respond within 45 days of publication in the Federal Register. After evaluation of the responses, the AG will then propose revised regulations, which will also be subject to a public comment period. ...
1M ago
On February 28, 2024, the White House issued an Executive Order on Preventing Access to Americans’ Bulk Sensitive Data and United States Government-Related Data by Countries of Concern. The 17-page Executive Order pointed out that “countries of concern” could use bulk sensitive data in a variety of ways that could adversely affect U.S. national security, including: “Countries of concern can rely on advanced technologies, including artificial intelligence (AI), to analyze and manipulate bulk sensitive personal data to engage in espionage, influence, kinetic, or cyber operations or t ...
1M ago
The authors acknowledge the assistance of Salma Khatab, paralegal, in researching and preparing some aspects of this blog.
The UK Department for Science, Innovation, and Technology (DSIT) has published its response to its consultation on its white paper, ‘A pro innovation approach to AI regulation’ (the Response). The Response outlines key investment initiatives and regulatory steps. It confirms that, for the present, the UK will follow its proposed approach of setting cross-sectoral principles to be enforced by existing regulators rather than passing new legislation to regulate AI. ...